
Rootkit ITGRDEngine detected by SUPERAntiSpyware



Yesterday SUPERAntiSpyware detected the following:

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 06/03/2009 at 07:42 PM

 

Application Version : 4.26.1004

 

Core Rules Database Version : 3921

Trace Rules Database Version: 1865

 

Scan type : Quick Scan

Total Scan Time : 00:07:33

 

Memory items scanned : 446

Memory threats detected : 0

Registry items scanned : 451

Registry threats detected : 0

File items scanned : 6317

File threats detected : 8

 

Rootkit.ITGRDEngine

D:\PROGRAMS\POLYGLOT7\BULTALK\FKBT.DLL

D:\PROGRAMS\POLYGLOT7\ENGLISH\FKBT.DLL

D:\PROGRAMS\POLYGLOT7\FRENCH\FKBT.DLL

D:\PROGRAMS\POLYGLOT7\GERMAN\FKBT.DLL

D:\PROGRAMS\POLYGLOT7\GREEK\FKBT.DLL

D:\PROGRAMS\POLYGLOT7\ITALIAN\FKBT.DLL

D:\PROGRAMS\POLYGLOT7\RUSSIAN\FKBT.DLL

D:\PROGRAMS\POLYGLOT7\SPANISH\FKBT.DLL

 

I deleted them and restarted. I ran a second scan, and its result was:

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 06/03/2009 at 08:04 PM

 

Application Version : 4.26.1004

 

Core Rules Database Version : 3921

Trace Rules Database Version: 1865

 

Scan type : Quick Scan

Total Scan Time : 00:07:07

 

Memory items scanned : 438

Memory threats detected : 0

Registry items scanned : 451

Registry threats detected : 0

File items scanned : 6324

File threats detected : 8

 

Rootkit.ITGRDEngine

D:\SYSTEM VOLUME INFORMATION\_RESTORE{EAB9C3DB-B228-4FA1-A6B7-1FF8525E038F}\RP65\A0012214.DLL

D:\SYSTEM VOLUME INFORMATION\_RESTORE{EAB9C3DB-B228-4FA1-A6B7-1FF8525E038F}\RP65\A0012215.DLL

D:\SYSTEM VOLUME INFORMATION\_RESTORE{EAB9C3DB-B228-4FA1-A6B7-1FF8525E038F}\RP65\A0012216.DLL

D:\SYSTEM VOLUME INFORMATION\_RESTORE{EAB9C3DB-B228-4FA1-A6B7-1FF8525E038F}\RP65\A0012217.DLL

D:\SYSTEM VOLUME INFORMATION\_RESTORE{EAB9C3DB-B228-4FA1-A6B7-1FF8525E038F}\RP65\A0012218.DLL

D:\SYSTEM VOLUME INFORMATION\_RESTORE{EAB9C3DB-B228-4FA1-A6B7-1FF8525E038F}\RP65\A0012219.DLL

D:\SYSTEM VOLUME INFORMATION\_RESTORE{EAB9C3DB-B228-4FA1-A6B7-1FF8525E038F}\RP65\A0012220.DLL

D:\SYSTEM VOLUME INFORMATION\_RESTORE{EAB9C3DB-B228-4FA1-A6B7-1FF8525E038F}\RP65\A0012221.DLL

 

I deleted those as well and restarted again (that is, the program did it by itself).

The third scan showed no threats. I also scanned with mbam and avast, and they showed no threats either. The strange thing is that I have had these dictionaries for about a year and have had no problems with them until now. Otherwise the system behaves normally. I have also attached a screenshot of the results that SUPERAntiSpyware showed, because there you can clearly see that the nasties were identified as Rootkit ITGRDEngine.

 

In this connection I have the following questions:

1. Since avast and mbam show no threats, and SUPERAntiSpyware itself showed the same on the last scan, does that mean it managed to deal with the rootkits?

2. After they were cleaned during the second scan (from the System Volume Information folder), can I rely on them being cleaned, or will I necessarily have to delete the whole contents of that folder?

 

As far as I know, rootkits are used to hide malicious code, trojan horses and other such nasties (I may be wrong). That is why I am turning to you with a request for help - I want to be sure that the OS is clean.

 

Finally, I will attach a HijackThis log and ask you to tell me whether there is anything suspicious in it.

 

Logfile of HijackThis v1.99.1

Scan saved at 18:58:11, on 04.6.2009 г.

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\VM_STI.EXE

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\BitComet\BitComet.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

D:\programs\Download Master 5.3.3.1089\ИНСТАЛИРАНО\Download Master\dmaster.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wscntfy.exe

D:\programs\SAS\SUPERANTISPYWARE.EXE

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Opera\opera.exe

D:\programs\alabala.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: MyPlayCity Toolbar - {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - C:\Program Files\MyPlayCity\tbMyPl.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: MyPlayCity Toolbar - {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - C:\Program Files\MyPlayCity\tbMyPl.dll

O2 - BHO: IE 4.x-6.x BHO for Download Master - {9961627E-4059-41B4-8E0E-A7D6B3854ADF} - D:\programs\DOWNLO~1.108\CCC1~1\DOWNLO~1\dmiehlp.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O3 - Toolbar: MyPlayCity Toolbar - {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - C:\Program Files\MyPlayCity\tbMyPl.dll

O3 - Toolbar: DM Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3C} - D:\programs\Download Master 5.3.3.1089\ИНСТАЛИРАНО\Download Master\dmbar.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE PLEOMAX Web Camera

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [bitComet] "C:\Program Files\BitComet\BitComet.exe"

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"

O4 - HKCU\..\Run: [Download Master] D:\programs\Download Master 5.3.3.1089\ИНСТАЛИРАНО\Download Master\dmaster.exe -autorun

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Закачать ВСЕ при помощи Download Master - D:\programs\Download Master 5.3.3.1089\ИНСТАЛИРАНО\Download Master\dmieall.htm

O8 - Extra context menu item: Закачать при помощи Download Master - D:\programs\Download Master 5.3.3.1089\ИНСТАЛИРАНО\Download Master\dmie.htm

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Download Master - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - D:\programs\Download Master 5.3.3.1089\ИНСТАЛИРАНО\Download Master\dmaster.exe

O9 - Extra 'Tools' menuitem: &Download Master - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - D:\programs\Download Master 5.3.3.1089\ИНСТАЛИРАНО\Download Master\dmaster.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D8DE4514-FE3B-4EA0-AC80-BD3B4759AAAC}: NameServer = 212.56.1.100

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - Winlogon Notify: !SASWinLogon - D:\programs\SAS\SASWINLO.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[Attachment: post-9296-1244133965_thumb.jpg (screenshot of the SUPERAntiSpyware results)]

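As an added example (not from this thread and not SUPERAntiSpyware's own code), here is a small Python triage helper for the scan-log layout shown above: it parses the detections and separates live files from System Restore copies under System Volume Information, which is what the second scan reported after the first deletion. The log layout is inferred from the two posted logs, and the sample logs embedded below are constructed, abbreviated versions of them.

```python
"""Triage helper for SUPERAntiSpyware scan logs (added example, not SAS code; the
log layout is inferred from the posted logs). Splits live hits from System Restore copies."""
import re
from collections import defaultdict

# Restore-point copies look like ...\SYSTEM VOLUME INFORMATION\_RESTORE{GUID}\RP65\A0012214.DLL
RESTORE_RE = re.compile(r"\\SYSTEM VOLUME INFORMATION\\_RESTORE\{[0-9A-F-]+\}\\RP\d+\\", re.I)
PATH_RE = re.compile(r"^[A-Za-z]:\\")                   # a drive-letter path line
SUMMARY_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.+)$")  # e.g. "File threats detected : 8"

def parse_sas_log(text):
    """Return (summary dict, [(threat_name, path), ...]) from one scan log."""
    summary, detections, threat = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if PATH_RE.match(line):
            if threat:                                 # path belongs to the last threat header
                detections.append((threat, line))
        elif (m := SUMMARY_RE.match(line)):
            summary[m.group(1).strip()] = m.group(2).strip()
        elif "." in line and " " not in line:          # threat header, e.g. "Rootkit.ITGRDEngine"
            threat = line
    return summary, detections

def classify(path):
    """'restore_point' for a System Restore copy, 'live' for anything else."""
    return "restore_point" if RESTORE_RE.search(path) else "live"

def triage(text):
    """Group paths per threat by location; reject logs whose header count disagrees."""
    summary, detections = parse_sas_log(text)
    claimed = int(summary.get("File threats detected", 0))
    if claimed != len(detections):
        raise ValueError(f"header claims {claimed} file threats, parsed {len(detections)}")
    groups = defaultdict(lambda: {"live": [], "restore_point": []})
    for threat, path in detections:
        groups[threat][classify(path)].append(path)
    return dict(groups)

# Constructed, abbreviated versions of the two logs in the post (two paths each)
FIRST_SCAN = r"""SUPERAntiSpyware Scan Log
File threats detected : 2
Rootkit.ITGRDEngine
D:\PROGRAMS\POLYGLOT7\BULTALK\FKBT.DLL
D:\PROGRAMS\POLYGLOT7\ENGLISH\FKBT.DLL"""
SECOND_SCAN = r"""SUPERAntiSpyware Scan Log
File threats detected : 2
Rootkit.ITGRDEngine
D:\SYSTEM VOLUME INFORMATION\_RESTORE{EAB9C3DB-B228-4FA1-A6B7-1FF8525E038F}\RP65\A0012214.DLL
D:\SYSTEM VOLUME INFORMATION\_RESTORE{EAB9C3DB-B228-4FA1-A6B7-1FF8525E038F}\RP65\A0012215.DLL"""
```

A second scan whose hits are all classified as restore_point means the live copies are gone and only the System Restore snapshot still holds them.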

In this connection I have the following questions:

1. Since avast and mbam show no threats, and SUPERAntiSpyware itself showed the same on the last scan, does that mean it managed to deal with the rootkits?

2. After they were cleaned during the second scan (from the System Volume Information folder), can I rely on them being cleaned, or will I necessarily have to delete the whole contents of that folder?

1. Yes, it should have.

2. Everything should be fine now.

 

The log is clean.


1. Yes, it should have.

2. Everything should be fine now.

 

The log is clean.

 

Night_Raven, thank you very much for taking the time. If you say everything is fine, then I can relax now. :)
