Virus removal

Removing the Gromozon rootkit (LinkOptimizer)

A new and very hard to detect Gromozon rootkit has appeared; this piece of junk can even disable rootkit-detection tools!!!
The rootkit registers services under random names, which are of course hidden and not visible in the normal tools.
A tell-tale sign is an O2 entry in the HijackThis log whose DLL is named [5 letters] ending in 1 or [2 letters] ending in aa, usually marked (file missing); an O4 entry of this form may also show up:


O4 - HKLM\..\Run: [[random 4 letters]1.exe] C:\WINDOWS\Temp\[random 4 letters]1.exe

Deleting that entry achieves nothing (it comes back), and the machine is noticeably slower.

In the HijackThis log you can see entries like these:

O2 - BHO: Class - {E9F2DB15-AE58-AC0D-C62F-5E4DB3F6EE1F} - C:\WINDOWS\opvek1.dll (file missing)
O2 - BHO: Class - {A6383408-4BAA-8485-D72C-8D0E0C7A8EF1} - C:\WINDOWS\ndkcy1.dll
O2 - BHO: Class - {9887DFB1-9F53-89A1-32DB-770424A49D9C} - C:\WINDOWS\bkujl1.dll
O2 - BHO: Class - {0272F047-5AE8-E9DF-FE1E-79E2F50CA082} - C:\WINDOWS\waowc1.dll (file missing)
O2 - BHO: Class - {2379CF7C-4F56-CF5B-D132-D5430E7F9697} - C:\WINDOWS\ggilq1.dll (file missing)
O2 - BHO: Class - {20B632D1-BD22-2A3D-A98F-C12FA12AB963} - C:\WINDOWS\hfxkc1.dll (file missing)
O2 - BHO: Class - {8327DE87-F0B2-93DA-9083-CE5CF669572D} - C:\WINDOWS\ljded1.dll (file missing)
O2 - BHO: Class - {E92D9C09-4312-C8DC-BABF-368545329431} - C:\WINDOWS\wxynh1.dll (file missing)
O2 - BHO: Class - {E124AB30-63A9-096C-E96D-1FECC8D2CAA4} - C:\WINDOWS\hcjyu1.dll (file missing)
O2 - BHO: Class - {5CBC8F1D-3BA8-1ADF-A09E-A812352EDA81} - C:\WINNT\hlsva1.dll (file missing)
O2 - BHO: Class - {A9DB0BC1-9BA5-8840-A638-86FBA9755B3D} - C:\WINDOWS\naelq1.dll (file missing)
O2 - BHO: Class - {6EBA116E-AFA0-AFC9-64B3-9AA53F6D32B2} - C:\WINDOWS\kcvjd1.dll (file missing)
O2 - BHO: Class - {419A7804-DC44-F3D1-5067-C555901B681C} - C:\WINDOWS\mvpck1.dll (file missing)
O2 - BHO: Class - {1A06B098-0011-88C0-89F1-281F7413084A} - C:/WINDOWS/krctv1.dll (file missing)
O2 - BHO: Class - {346D8699-DAC7-DD78-5CD4-CA50A929983C} - C:\WINDOWS\ohrda1.dll (file missing)
O2 - BHO: Class - {DA36F97E-F731-5AAC-3B72-50B8CD0205E7} - C:\WINDOWS\ctkbc1.dll

O4 - HKLM\..\Run: [erxl1.exe] C:\WINDOWS\TEMP\erxl1.exe
O4 - HKLM\..\Run: [nyln1.exe] C:\WINDOWS\TEMP\nyln1.exe
O4 - HKLM\..\Run: [qnkl1.exe] C:\WINDOWS\TEMP\qnkl1.exe
O4 - HKLM\..\Run: [ymqv1.exe] C:\WINDOWS\TEMP\ymqv1.exe
O4 - HKLM\..\Run: [deol1.exe] C:\WINDOWS\TEMP\deol1.exe
O4 - HKLM\..\Run: [twnh1.exe] C:\WINDOWS\TEMP\twnh1.exe
O4 - HKLM\..\Run: [kktm1.exe] C:\WINDOWS\TEMP\kktm1.exe
O4 - HKLM\..\Run: [yuql1.exe] C:\WINDOWS\TEMP\yuql1.exe

O16 - DPF: {FAD1CBC8-8F6A-4E94-9DDC-825A0D92B35C} - hxxx://gromozon.com/9a9483ec/10002/1/xp/FreeAccess.ocx

O20 - AppInit_DLLs: \\?\C:\WINDOWS\lpt7.xlg

O23 - Service: WebTmx - Unknown owner - \\?\C:\Program Files\Common Files\System\lpt3.exe (file missing)
O23 - Service: WebKbr - Unknown owner - \\?\C:\Program Files\Common Files\System\lpt3.exe (file missing)
O23 - Service: WinMua - Unknown owner - \\?\C:\Program Files\Common Files\System\lpt3.exe (file missing)
O23 - Service: LogXon - Unknown owner - \\?\C:\Program Files\Common Files\Services\lpt7.exe (file missing)
O23 - Service: WinRkp - Unknown owner - \\?\C:\Program Files\Common Files\Services\lpt7.exe (file missing)
O23 - Service: LogSlp - Unknown owner - \\?\C:\Program Files\Common Files\System\lpt7.exe (file missing)
O23 - Service: WebZvz - Unknown owner - \\?\C:\Program Files\Common Files\System\lpt7.exe (file missing)
O23 - Service: UpdUlb - Unknown owner - \\?\C:\Program Files\Common Files\System\lpt9.exe (file missing)
O23 - Service: WinFra - Unknown owner - \\?\C:\Program Files\Common Files\Services\lpt9.exe (file missing)
O23 - Service: NetVvq - Unknown owner - \\?\C:\Program Files\Common Files\System\com2.exe (file missing)
O23 - Service: LogTmq - Unknown owner - \\?\C:\Program Files\Common Files\System\com3.exe (file missing)
O23 - Service: SysTcx - Unknown owner - \\?\C:\Program Files\Common Files\System\com4.exe (file missing)
O23 - Service: UpdIad - Unknown owner - \\?\C:\Program Files\Common Files\System\com6.exe (file missing)
O23 - Service: SrvGmc - Unknown owner - \\?\C:\Program Files\Windows NT\com6.exe (file missing)
O23 - Service: SysTpg - Unknown owner - \\?\C:\Program Files\Common Files\Services\com6.exe (file missing)
O23 - Service: LogZui - Unknown owner - \\?\C:\Program Files\Common Files\System\com9.exe (file missing)
O23 - Service: UpdZol - Unknown owner - \\?\C:\Program Files\Common Files\Services\com9.exe (file missing)
O23 - Service: LogLkb - Unknown owner - \\?\C:\Program Files\Windows NT\aux.exe (file missing)
O23 - Service: SecBnz - Unknown owner - \\?\C:\Program Files\Common Files\Services\lpt1.exe (file missing)
O23 - Service: LogJiy - Unknown owner - \\?\C:\Program Files\Common Files\Services\prn.exe (file missing)
O23 - Service: WebGxt - Unknown owner - \\?\C:\Program Files\Common Files\System\clock$.exe (file missing)
O23 - Service: WinChn - Unknown owner - \\?\C:\Program Files\Common Files\System\nul.exe (file missing)
O23 - Service: SecCen - Unknown owner - \\?\C:\Program Files\Common Files\System\lpt1.exe (file missing)
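The indicators above (random-name DLLs in the Windows directory, random EXEs started from %WINDIR%\TEMP, an AppInit_DLLs entry and service binaries registered under reserved device names through \\?\ paths) can be checked mechanically. The script below is an added example, not a tool from this page or from Prevx/GMER: it scans HijackThis-style lines for exactly those patterns, explains why the lpt7.exe / com6.exe / nul.exe names block ordinary deletion, and builds the \\?\ form of a path that DeleteFileW accepts. The sample log is constructed for the example (three benign lines of the kind found in any HijackThis log plus entries copied from the log above); the function and pattern names are the example's own.

```python
import re

# Reserved DOS device names. Win32 path parsing maps a bare "lpt7" or "nul" to the
# device itself, so a file literally named lpt7.exe cannot be opened or deleted by
# Explorer or cmd.exe unless the path carries the \\?\ prefix, which tells the API
# to skip that parsing. That is why the rootkit uses these names for its service
# binaries and registers them with \\?\ paths.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Name patterns described on this page: a 5-letter DLL ending in "1" (opvek1.dll),
# a 2-letter DLL ending in "aa" (bfaa.dll) and a 4-letter EXE ending in "1" (erxl1.exe).
BHO_DLL = re.compile(r"^[a-z]{5}1\.dll$|^[a-z]{2}aa\.dll$", re.I)
TEMP_EXE = re.compile(r"^[a-z]{4}1\.exe$", re.I)
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")      # "O23 - Service: ..." and friends


def basename(path):
    """Last component of a Windows path; accepts both \\ and / separators."""
    return re.split(r"[\\/]", path.strip())[-1]


def is_reserved_device_name(path):
    """True when the file name before the first dot is a reserved device name,
    e.g. lpt7.exe, com6.exe, aux.exe, nul.exe, prn.exe, clock$.exe."""
    return basename(path).split(".")[0].upper() in RESERVED_DEVICE_NAMES


def extended_length_path(path):
    """Return the \\?\ form of an absolute path. On Windows, os.remove() on this
    form deletes a file named lpt7.exe that Explorer and cmd.exe refuse to touch."""
    path = path.replace("/", "\\")
    return path if path.startswith("\\\\?\\") else "\\\\?\\" + path


def _target_path(rest):
    """Path field of an O2/O23 line: the last ' - ' separated field, minus the
    '(file missing)' marker HijackThis appends when it cannot see the file."""
    return rest.split(" - ")[-1].replace("(file missing)", "").strip()


def gromozon_indicators(log_text):
    """Return (line, reason) pairs for every HijackThis line that matches one of
    the Gromozon/LinkOptimizer indicators described on this page."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        reason = None
        if section == "O2" and rest.startswith("BHO:"):
            if BHO_DLL.match(basename(_target_path(rest))):
                reason = "BHO backed by a random-name DLL"
        elif section == "O4":
            path = rest.split("] ", 1)[-1]
            if "\\TEMP\\" in path.upper() and TEMP_EXE.match(basename(path)):
                reason = "Run entry starting a random-name EXE from %WINDIR%\\TEMP"
        elif section == "O20" and rest.startswith("AppInit_DLLs:") and "\\\\?\\" in rest:
            reason = "AppInit_DLLs injected through a \\\\?\\ path"
        elif section == "O23":
            path = _target_path(rest)
            if path.startswith("\\\\?\\") or is_reserved_device_name(path):
                reason = "service binary under a \\\\?\\ path or reserved device name"
        if reason:
            hits.append((line, reason))
    return hits


# Constructed sample: three benign lines plus entries copied from the log on this page.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {E9F2DB15-AE58-AC0D-C62F-5E4DB3F6EE1F} - C:\WINDOWS\opvek1.dll (file missing)
O2 - BHO: Class - {DA36F97E-F731-5AAC-3B72-50B8CD0205E7} - C:\WINDOWS\ctkbc1.dll
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [erxl1.exe] C:\WINDOWS\TEMP\erxl1.exe
O20 - AppInit_DLLs: \\?\C:\WINDOWS\lpt7.xlg
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: WebTmx - Unknown owner - \\?\C:\Program Files\Common Files\System\lpt3.exe (file missing)
O23 - Service: WebGxt - Unknown owner - \\?\C:\Program Files\Common Files\System\clock$.exe (file missing)
"""

if __name__ == "__main__":
    for line, reason in gromozon_indicators(SAMPLE_LOG):
        print(f"{reason}:\n    {line}")
    print(extended_length_path(r"C:\Program Files\Common Files\System\lpt7.exe"))
```

Run it against a saved HijackThis log (`gromozon_indicators(open("hijackthis.log").read())`); the six flagged lines from the sample are the malicious ones and the three benign lines are left alone. The `(file missing)` marker on a service whose process is clearly running is itself a sign that the file exists but is hidden from the listing APIs.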


In a Silent Runners log it can look like this:

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{74AD874A-E84F-BCD6-871F-E463F4BA7214}\(Default) = "JavaScript console"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\WINDOWS\ndkcy1.dll"


In the registry you will also find these entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
"{E9F2DB15-AE58-AC0D-C62F-5E4DB3F6EE1F}"=""

[HKEY_USERS\S-1-5-21-1614895754-602162358-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E9F2DB15-AE58-AC0D-C62F-5E4DB3F6EE1F}]

[HKEY_USERS\S-1-5-21-1614895754-602162358-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E9F2DB15-AE58-AC0D-C62F-5E4DB3F6EE1F}\iexplore]


Update:

New entries of this junk have appeared (I have applied the relevant corrections), and here ComboFix turns out to be very helpful (the new version with GMER's catchme module built in). Its catchme component reports the user-mode hooks on ZwQueryDirectoryFile and ZwQuerySystemInformation (the calls that list files, processes and services, which is how the rootkit hides from ordinary tools) and lists the hidden files themselves:

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

detected NTDLL code modification:
ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = \\?\C:\WINDOWS\lpt7.xlg

scanning hidden files ...

C:\WINDOWS\ctkbc1.dll 73728 bytes
C:\WINDOWS\ctkbc1.upd 77824 bytes
C:\WINDOWS\lpt7.xlg 159744 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 3

********************************************************************


Removal:

Difficult, and better done with an automated tool, because it is easy to make a real mess and get tangled up. The service binaries carry reserved device names (lpt7.exe, com6.exe, aux.exe, prn.exe, nul.exe, clock$.exe) and are registered through \\?\ paths, so Explorer and ordinary command-line tools cannot open or delete them unless they use the same \\?\ prefix.
Help can be found on the Prevx site: download the Gromozon Rootkit Removal Tool or the Trojan.Linkoptimizer Removal Tool and run it, and the "droppings" go down the drain.


This is what the Gromozon Rootkit Removal Tool log looks like after running it:

Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\ndkcy1.dll
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\system32\bfaa.dll
Removed!
Scanning: C:\Program Files\Common Files
Removing protected file: C:\Program Files\Common Files\System\bqPTE.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ
Removing protected file: C:\Program Files\Common Files\System\DiNJL.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ
Removing protected file: C:\Program Files\Common Files\System\HIhk.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ
Removing protected file: C:\Program Files\Common Files\System\hMvC.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ
Removing protected file: C:\Program Files\Common Files\System\LEDej.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ
Removing protected file: C:\Program Files\Common Files\System\nfzk.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ
Removing protected file: C:\Program Files\Common Files\System\nvG.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ
Removing protected file: C:\Program Files\Common Files\System\qAYbOW.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ
Removing protected file: C:\Program Files\Common Files\System\YoN.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ


Trojan.Gromozon Removed!