Atak trojana win32 prosze o pomoc

sylvio71 · 26 Maj 2008 10:22

Witam prosze o sprawdzenie loga

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:35:05, on 2008-05-26 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe D:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\Seekmo\bin\10.0.341.0\OEAddOn.exe C:\Program Files\Seekmo\bin\10.0.341.0\SeekmoSA.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\Program Files\OpenOffice.ux.pl 2.0.3\program\soffice.exe C:\Program Files\OpenOffice.ux.pl 2.0.3\program\soffice.BIN C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe C:\Program Files\Microsoft SQL Server\MSSQL$ADBS\Binn\sqlservr.exe C:\Program Files\Microsoft SQL Server\MSSQL$APKAT\Binn\sqlservr.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: Seekmo /fleok=1D8A83A5C7E3197E91AD612A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Seekmo\bin\10.0.341.0\HostIE.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O3 - Toolbar: Seekmo - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Seekmo\bin\10.0.341.0\HostIE.dll O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [ADKATAutostartmsde] c:\Program Files\Microsoft SQL Server\80\Tools\Binn\scm.exe -Action 1 -Silent 1 -Service MSSQL$Adbs O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe” O4 - HKLM…\Run: [DAEMON Tools] “D:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [abADBS] C:\Program Files\ADP\ADBS\abadbs.exe O4 - HKLM…\Run: [seekmoOE] C:\Program Files\Seekmo\bin\10.0.341.0\OEAddOn.exe O4 - HKLM…\Run: [seekmoSA] “C:\Program Files\Seekmo\bin\10.0.341.0\SeekmoSA.exe” O4 - HKLM…\Run: [sCMAPkat] c:\Program Files\Microsoft SQL Server\80\Tools\Binn\scm.exe -Action 1 -Silent 1 -Service MSSQL$Apkat O4 - HKCU…\Run: [MsgCenterExe] “C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe” -osboot O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O4 - Startup: OpenOffice.ux.pl 2.0.3.lnk = C:\Program Files\OpenOffice.ux.pl 2.0.3\program\quickstart.exe O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 1380828218 O17 - HKLM\System\CCS\Services\Tcpip…{3BE45BC6-1D39-410B-8A09-0838F7E685BC}: NameServer = 193.41.112.18 193.41.112.14 O17 - HKLM\System\CS1\Services\Tcpip…{3BE45BC6-1D39-410B-8A09-0838F7E685BC}: NameServer = 193.41.112.18 193.41.112.14 O17 - HKLM\System\CS2\Services\Tcpip…{3BE45BC6-1D39-410B-8A09-0838F7E685BC}: NameServer = 193.41.112.18 193.41.112.14 O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe – End of file - 7494 bytes

Kloss-J23 · 26 Maj 2008 13:16

Zamknij IE, start, ustawienia, panel sterowanie, dodaj usuń programy, odinstaluj SeekMo jeśli tam jest.

W Hijackthis fix:

O2 - BHO: Seekmo /fleok=1D8A83A5C7E3197E91AD612A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Seekmo\bin\10.0.341.0\HostIE.dll

O3 - Toolbar: Seekmo - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Seekmo\bin\10.0.341.0\HostIE.dll

O4 - HKLM\..\Run: [abADBS] C:\Program Files\ADP\ADBS\abadbs.exe

O4 - HKLM\..\Run: [SeekmoOE] C:\Program Files\Seekmo\bin\10.0.341.0\OEAddOn.exe

O4 - HKLM\..\Run: [SeekmoSA] "C:\Program Files\Seekmo\bin\10.0.341.0\SeekmoSA.exe"

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Pobierz Combofix, ale nie uruchamiaj. Wklej do notatnika:

File::

C:\Program Files\Seekmo\bin\10.0.341.0\OEAddOn.exe

C:\Program Files\Seekmo\bin\10.0.341.0\SeekmoSA.exe

C:\Program Files\ADP\ADBS\abadbs.exe

Plik -> zapisz jako -> CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe.

Potem wrzuć log z Combofix z usuwania.

Gutek · 27 Maj 2008 08:02

Kloss-J23 co ty tworzysz

sylvio71 - Zmiana zasad wklejania logów na forum - viewtopic.php?f=16&t=213350

Daj log z ComboFix