2 trojans


(Dofek1) #1

Check the log and give me the cure :wink:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:01:40, on 2009-09-01
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\StkCSrv.exe
C:\WINDOWS\AhnRpta.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Atheros\ACU.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Nowe Gadu-Gadu\gg.exe
C:\Program Files\Nowe Gadu-Gadu\spellchecker_gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATKHOTKEY] "C:\Program Files\ATK Hotkey\Hcontrol.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\Admin\USTAWI~1\Temp\herss.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - Gopher Prefix: 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Usługa konfiguracji Atheros (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkCSrv.exe

--
End of file - 4195 bytes

(Umpfh) #2

Post logs from OTL: http://www.forumpc.pl/index.php?showtopic=104338


(Dofek1) #3

OTL logs

http://wklej.org/id/143888/

http://wklej.org/id/143890/


(Umpfh) #4

Paste the following into the OTL window and click Run Fix; after the restart post a new log.

:Processes
explorer.exe

:OTL
PRC - [2008-04-15 14:00:00 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\AhnRpta.exe
O4 - HKU\S-1-5-21-507921405-1383384898-1177238915-1003..\Run: [cdoosoft] C:\Documents and Settings\Admin\Ustawienia lokalne\Temp\herss.exe ()
O13 - gopher Prefix: missing
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\msdaipp - No CLSID value found
O28 - HKLM ShellExecuteHooks: {BB4C402F-882A-4526-8C08-51278EA437C1} - C:\WINDOWS\System32\e8main0.dll 
O33 - MountPoints2\{0312d4ad-90e0-11de-9f5b-0015af66af5a}\Shell\AutoRun\command - "" = I:\i0yva6.exe -- File not found
O33 - MountPoints2\{0312d4ad-90e0-11de-9f5b-0015af66af5a}\Shell\open\Command - "" = I:\i0yva6.exe -- File not found
O33 - MountPoints2\{aaa834bc-90e8-11de-abea-806d6172696f}\Shell\AutoRun\command - "" = C:\i0yva6.exe -- [2009-09-01 19:34:20 | 00,113,455 | RHS- | M] ()
O33 - MountPoints2\{aaa834bc-90e8-11de-abea-806d6172696f}\Shell\open\Command - "" = C:\i0yva6.exe -- [2009-09-01 19:34:20 | 00,113,455 | RHS- | M] ()
O33 - MountPoints2\{aaa834bd-90e8-11de-abea-806d6172696f}\Shell\AutoRun\command - "" = D:\i0yva6.exe -- [2009-09-01 19:34:20 | 00,113,455 | RHS- | M] ()
O33 - MountPoints2\{aaa834bd-90e8-11de-abea-806d6172696f}\Shell\open\Command - "" = D:\i0yva6.exe -- [2009-09-01 19:34:20 | 00,113,455 | RHS- | M] ()
O33 - MountPoints2\{aaa834be-90e8-11de-abea-806d6172696f}\Shell\AutoRun\command - "" = E:\i0yva6.exe -- [2009-09-01 19:34:20 | 00,113,455 | RHS- | M] ()
O33 - MountPoints2\{aaa834be-90e8-11de-abea-806d6172696f}\Shell\open\Command - "" = E:\i0yva6.exe -- [2009-09-01 19:34:20 | 00,113,455 | RHS- | M] ()
O33 - MountPoints2\{aaa834bf-90e8-11de-abea-806d6172696f}\Shell\AutoRun\command - "" = F:\i0yva6.exe -- [2009-09-01 19:34:20 | 00,113,455 | RHS- | M] ()
O33 - MountPoints2\{aaa834bf-90e8-11de-abea-806d6172696f}\Shell\open\Command - "" = F:\i0yva6.exe -- [2009-09-01 19:34:20 | 00,113,455 | RHS- | M] ()
O33 - MountPoints2\C\Shell\AutoRun\command - "" = C:\b.bat -- [2009-08-29 22:04:00 | 00,112,225 | RHS- | M] ()
O33 - MountPoints2\C\Shell\open\Command - "" = C:\b.bat -- [2009-08-29 22:04:00 | 00,112,225 | RHS- | M] ()
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\b.bat -- [2009-08-29 22:04:00 | 00,112,225 | RHS- | M] ()
O33 - MountPoints2\D\Shell\open\Command - "" = D:\b.bat -- [2009-08-29 22:04:00 | 00,112,225 | RHS- | M] ()
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\b.bat -- [2009-08-29 22:04:00 | 00,112,225 | RHS- | M] ()
O33 - MountPoints2\E\Shell\open\Command - "" = E:\b.bat -- [2009-08-29 22:04:00 | 00,112,225 | RHS- | M] ()
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\b.bat -- [2009-08-29 22:04:00 | 00,112,225 | RHS- | M] ()
O33 - MountPoints2\F\Shell\open\Command - "" = F:\b.bat -- [2009-08-29 22:04:00 | 00,112,225 | RHS- | M] ()

:Files
C:\WINDOWS\AhnRpta.exe
C:\WINDOWS\System32\e8main0.dll
C:\i0yva6.exe
C:\mt2.exe
C:\frg89pi.bat
C:\pkkwng.exe
C:\WINDOWS\PEV.exe
C:\Qoobox
C:\b.bat
C:\t8s2x.exe
C:\hx.exe
C:\oobbyju.exe
C:\WINDOWS\System32\olhrwef.exe
C:\WINDOWS\System32\nmdfgds0.dll
C:\3j2h0tf.bat
C:\autorun.inf
C:\oobbyju.exe

:Commands
[emptytemp]
[start explorer]
[Reboot]

Then you need to delete the key: MountPoints2.

Go to: Start>>>Run>>> type: regedit

Find the key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Delete MountPoints2
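As an added example (not code from this thread, OTL or its author), a small Python triage that runs over OTL-style lines like the ones in the fix above and flags the persistence that fix is removing: Run entries launching from a Temp directory, per-drive MountPoints2 AutoRun/open handlers, the ShellExecuteHooks DLL and autorun.inf files at drive roots. The sample lines are constructed from entries quoted in this thread, not a complete log.

```python
import re

# Constructed sample modelled on the OTL lines in this thread (not a complete log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\Admin\USTAWI~1\Temp\herss.exe
O28 - HKLM ShellExecuteHooks: {BB4C402F-882A-4526-8C08-51278EA437C1} - C:\WINDOWS\System32\e8main0.dll
O33 - MountPoints2\{aaa834bc-90e8-11de-abea-806d6172696f}\Shell\AutoRun\command - "" = C:\i0yva6.exe -- [2009-09-01 19:34:20 | 00,113,455 | RHS- | M] ()
O33 - MountPoints2\C\Shell\open\Command - "" = C:\b.bat -- [2009-08-29 22:04:00 | 00,112,225 | RHS- | M] ()
O32 - AutoRun File - [2009-09-01 23:09:27 | 00,000,059 | RHS- | M] () - D:\autorun.inf -- [NTFS]
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)      # autostart target under ...\Temp\
MOUNTPOINT_CMD = re.compile(                            # per-drive AutoRun/open handler
    r'^O33 - MountPoints2\\(?P<key>[^\\]+)\\Shell\\(?P<verb>AutoRun|open)\\command'
    r' - "" = (?P<target>.+?)(?: -- |$)', re.IGNORECASE)
ATTRS = re.compile(r"\| ([RHSA-]{4}) \|")               # OTL attribute field, e.g. "| RHS- |"

def triage_line(line):
    """Classify one OTL line; return (severity, reason) or None if nothing stands out."""
    line = line.strip()
    m = MOUNTPOINT_CMD.match(line)
    if m:
        reason = f"MountPoints2 {m['verb']} handler for {m['key']} runs {m['target']}"
    elif line.startswith("O4 ") and TEMP_DIR.search(line):
        reason = "autostart entry launches from a Temp directory"
    elif line.startswith("O28 "):
        reason = "ShellExecuteHooks DLL is loaded whenever the shell launches something"
    elif line.startswith("O32 ") and "autorun.inf" in line.lower():
        reason = "autorun.inf present on a drive root"
    else:
        return None
    # Hidden+System attributes on a root-level file are typical of autorun worms.
    a = ATTRS.search(line)
    if a and "H" in a.group(1) and "S" in a.group(1):
        reason += " (file is hidden+system)"
    severity = "high" if line.startswith(("O33", "O4 ")) else "medium"
    return severity, reason

def triage(log_text):
    """Run triage_line over a whole log; returns [(severity, item_type, reason), ...]."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], line.split(" - ", 1)[0], hit[1]))
    return findings
```

Running `triage(SAMPLE_LOG)` flags five of the seven sample lines; the vendor Run entry and the ATI service pass through untouched.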


(Dofek1) #5

http://wklej.org/id/143902/

http://wklej.org/id/143903/

What next?


(Umpfh) #6

Paste into the OTL window and click Run Fix:

:Processes
explorer.exe

O32 - AutoRun File - [2009-09-01 23:09:27 | 00,000,059 | RHS- | M] () - D:\autorun.inf -- [NTFS]
O32 - AutoRun File - [2009-09-01 23:09:27 | 00,000,059 | RHS- | M] () - E:\autorun.inf -- [NTFS]
O32 - AutoRun File - [2009-09-01 23:09:27 | 00,000,059 | RHS- | M] () - F:\autorun.inf -- [NTFS]

:Commands
[emptytemp]
[start explorer]
[Reboot]

And again:

Then you need to delete the key: MountPoints2.

Go to: Start>>>Run>>> type: regedit

Find the key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Delete MountPoints2 and reboot.

Scan the computer with this: http://www.programosy.pl/program,malwar ... lware.html remove everything it finds and post the log after deletion (the log from Malware)


(Henio Mazurek) #7

Umpfh, why are you only removing the infection from the system partition and not from all partitions?

Paste the following script

Click Run Fix. Show the removal log and a new OTL log.


(Dofek1) #8

I did what ciemnowidz said + deleted the log from the registry (it comes back after a restart)

http://wklej.org/id/144007/

http://wklej.org/id/144006/


(Henio Mazurek) #9

The mountpoints2 key will come back right after you delete it; the point is only to erase the infection entries that sit in its subkeys. Besides, I already put it up for removal through OTL.

Nothing is visible in the log anymore. Final steps.

Click CleanUp in OTL.

Temporarily disable System Restore - XP/Vista

Run a full Malwarebytes Anti-Malware scan; if it finds anything, remove it and paste the log.

Clean the disk and registry with CCleaner.

Plug in your removable drives and apply FlashDisinfector