Nepoznati servisi

Primetio sam da mi se u services pojavila 3 nova nepoznata servisa.
Evo slika
Ako neko zna sta bi ovo moglo da bude.

Prema nazivu servisa "smrdi na kilometar" da je u pitanju malware. Za pocetak preuzmi HiJackThis, skeniraj racunar i okaci nam log prema ovom uputstvu.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:19, on 14/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\VISTAR~1\Rainbar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Boss\Desktop\pups\pups.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Babylon IE plugin - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [vilaunch] C:\WINDOWS\system32\vilaunch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate this web page with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
O8 - Extra context menu item: Translate with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O9 - Extra 'Tools' menuitem: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia....ockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: CBMUFKXIYOJRO - Unknown owner - C:\WINDOWS\TEMP\CBMUFKXIYOJRO.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: RBWVMWYVJKYCRD - Unknown owner - C:\WINDOWS\TEMP\RBWVMWYVJKYCRD.exe (file missing)
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 4956 bytes

Skini program Malwarebytes' Anti-Malware
Dvoklikom pokreni instalaciju
Na samom pocetku proveri da li su stiklirane ove opcije
Update Malwarebytes' Anti-Malware
Launch Malwarebytes Anti-Malware

Zatim klikni Finish.

Izaberi opciju Perform Quick Scan i klikni Scan.
Po završetku procesa klikni OK, Show Results: u listi detektovanog malware-a proveri da li su obelezene sve stavke i klikni Remove Selected.

Po zavrsetku ciscenja zakaci MBAM log na forum.

_{Uputstvo Copyright by Magna86}

Malwarebytes' Anti-Malware 1.44
Database version: 3559
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

14/01/2010 13:43:26
mbam-log-2010-01-14 (13-43-26).txt

Scan type: Quick Scan
Objects scanned: 112653
Time elapsed: 12 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (3) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Prve tri stavke nisam obelezio zato sto sam ja iskljucio da me obavestava,a cetvrtu jesam.
Ali i dalje u servisima stoje ona tri. A da probam fix sa HJT ona dva reda medju servisima?

Skini ovaj fajl raspakuj, pokreni dvoklikom, yes ok, restartuj.
Pokreni ovaj program http://download.bleepingcomputer.com/sUBs/dds.scr
Sacekaj da izbaci logove, klikni ok pa iskopiraj DDS.txt log na forum.

Skini ovaj program http://swandog46.geekstogo.com/avenger2/download.php
Raspakuj ga u folder
Dvoklikom pokreni avenger.exe
Iskopiraj ovaj tekst u beli prozor programa



Zatim klikni Execute pa dva puta Yes.
Kompjuter ce se restartovati, mozda dva puta.
posalji mi log fajl C:\avenger.txt

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Thu Jan 14 23:29:33 2010

23:29:33: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "c:\windows\temp\FFKUJC.exe" not found!
Deletion of file "c:\windows\temp\FFKUJC.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "FFKUJC" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Nema vise nijedan od ova tri servisa u services. Valjda je sad sve ok?

Jedino sto nismo proverili da li je FFKUJC stvarno pokretan iz "c:\windows\temp\FFKUJC.exe" ili sa nekog drugog mesta - najbolje da pretrazis sve diskove i potrazis FFKUJC, i obrises ga svugde gde se pojavljuje (ako ga uopste pronadjes). Za sad bi trebalo da je to to - a onaj drugi deo price nadam se da znas: azuriraj redovno AV program, krpi redovno Windows preko Windows Update, izbegavaj p2p, torente, warez, krekove, patcheve, XXX sajtove, nepoznate sajtove sa freeware-om...

Odradi ovo sto je @valjan napisao, ostalo je ok.

Ok,hvala.
Jedina lokacija za sva tri servisa je c:\windows\temp\, nema na drugim,trazio sam.
Nego,sad sam se tek setio da se ovo pojavilo kad sam pre nekoliko dana skenirao sa rootkit revealer-om.Da li je moguce da to ima neke veze sa njim? Znam da je kompjuter krenuo da krlja, dok je on skenirao,kad sam otisao u task,mislim da je ovaj CBMUFKXIYOJRO servis zauzimao skoro 100% cpu,ja sam ga iskljucio i na tome se zavrsilo,a posle sam otisao u services i otkrio ova 3 servisa. Dakle,da li je mozda RR napravio?

Ne znam, nisam radio sa tim programom, a za te servise nikakve informacije na google nisam nasao.

Valjda ce valjan da naidje...

Naisao sam ja, ali tesko da mogu nesto pomoci. Savremeni AV programi su krenuli da sakrivaju svoja imena koristeci random zb(i)rku slova i brojeva, pa je sad izgleda i malware krenuo to da radi da bi kao izbegao detekciju. Znaci ti nazivi servisa koji su se pojavili kod tebe su verovatno i jedinstveni i nece se nigde drugde pojaviti, sto otezava Googlanje. Najbolje bi bilo da si te exe fajlove poslao negde na analizu (mozda na virustotal ili neki slicni sajt), pa da znamo oprilike o cemu se radi, onda bismo mozda i znali odakle oni tu. Sto se rootkit revealera tice, moguce je da su ta tri procesa bila skrivena pa ih je RR "otkljucao" i ucinio vidljivim - nisi nam rekao ko je disableovao onaj srednji i stavio druga dva na manual, uglavnom takvi procesi imaju status "automatic" da bi uvek bili pokrenuti dok racunar radi. Moguce je recimo da je RR delimicno odradio popravku, tj. uklonio fajl od srednjeg servisa i disableovao ga...

Nisam mogao da proverim exe fajlove,jer nisu ni postojali.Cim sa video u services,otisao sam na putanju koja je pisala,ali ih tamo nije bilo.Onaj disabled sam ja disable-ovao,a inace su sva tri bila na manual.
Kao sto sam napisao,u tasku je pored RR-a,bio i ovaj nepoznati proces koji je prilicno dugo drzao cpu na 100% i da ga ja nisam "ubio" ko zna da li bi i stao.Mada da je malware ne znam da li bi tako lako popustio.Nadam se da je sad sve ok,posto su valjda svi logovi bili cisti.Jos jednom,hvala vam.