foraq
(Foraq)
11 November 2007 19:44
#1
So after every Windows start, in the folder C:\DOCUME~1\foraq\USTAWI~1\Temp\ a folder ir_ext_temp is created, and in it a file autorun.exe. On top of that, at every Windows start my firewall reports that this program wants to connect to the network… I'd like to get rid of this junk somehow; the antivirus scanners find nothing :/
Here is the HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 20:37:51, on 2007-11-11
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ASUS\Asus Probe\AsusProb.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPSMON\UPSMON_Service.Exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\UPSMON\UPSMON.EXE
C:\WINDOWS\system32\updater\explorer.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\UPSMON\UPSInt.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Realtek\Rtl8180\RtlWake.exe
C:\DOCUME~1\foraq\USTAWI~1\Temp\ir_ext_temp_2\autorun.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Opera\Opera.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.opera.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Asus Probe\AsusProb.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UPSMON] C:\Program Files\UPSMON\UPSMON.EXE
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [updater] C:\WINDOWS\system32\updater\explorer.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Enqueue in Star Downloader - C:\Program Files\Star Downloader\sdieenq.htm
O8 - Extra context menu item: Leech with Star Downloader - C:\Program Files\Star Downloader\leechie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://slimak.onet.pl/_m/wirusy/ArcaOnline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: UPSMONService - Unknown owner - C:\Program Files\UPSMON\UPSMON_Service.Exe
Any help is welcome :)
Gutek
(Gutek)
11 November 2007 20:10
#2
Delete the entries in HJT, and the folder by hand
Post a log from ComboFix
foraq
(Foraq)
11 November 2007 20:37
#3
OK, in that case here is the ComboFix log
ComboFix 07-11-08.1 - foraq 2007-11-11 21:30:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.391 [GMT 1:00]
Running from: F:\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.
2007-11-09 17:34
2007-11-08 18:01
2007-11-08 17:42
2007-11-08 17:40
2007-11-08 16:52
2007-11-05 22:41
2007-11-05 16:56
2007-11-05 15:33
2007-11-05 15:26
2007-11-04 18:22
2007-11-04 16:32
2007-11-02 18:29
2007-11-02 18:29
2007-11-02 13:42
2007-10-26 21:19
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 19:35 --------- d-----w C:\Program Files\UPSMON
2007-11-09 17:35 --------- d-----w C:\Program Files\Star Downloader
2007-11-09 17:35 --------- d-----w C:\Program Files\Opera
2007-11-09 17:34 --------- d-----w C:\Program Files\MegauploadToolbar
2007-11-09 17:17 --------- d-----w C:\Program Files\Gadu-Gadu
2007-11-09 17:17 --------- d-----w C:\Program Files\DAEMON Tools
2007-11-08 19:24 --------- d-----w C:\Program Files\SkanerOnline
2007-11-05 21:40 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2007-11-05 14:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-02 18:27 --------- d-----w C:\Documents and Settings\foraq\Dane aplikacji\foobar2000
2007-11-02 12:42 --------- d-----w C:\Program Files\Apple Software Update
2007-11-01 15:47 20 ---h--w C:\Documents and Settings\All Users\Dane aplikacji\PKP_DLec.DAT
2007-11-01 15:47 20 ---h--w C:\Documents and Settings\All Users\Dane aplikacji\PKP_DLds.DAT
2007-10-28 16:51 --------- d-----w C:\Documents and Settings\foraq\Dane aplikacji\gtk-2.0
2007-10-24 18:20 --------- d-----w C:\Program Files\DOSBox-0.72
2007-10-08 13:15 --------- d-----w C:\Program Files\Java
2007-09-11 15:02 --------- d-----w C:\Program Files\WorldUnlock Codes Calculator
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-08-29 10:28 33,176 ----a-w C:\Documents and Settings\foraq\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-08-24 09:30 4,734,976 ----a-w C:\WINDOWS\reloaded.scr
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2007-11-09 18:14]
"ASUS Probe"="C:\Program Files\ASUS\Asus Probe\AsusProb.exe" [2007-11-09 18:14]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-06-30 16:56]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"AtiPTA"="atiptaxx.exe" [2005-11-23 02:05 C:\WINDOWS\system32\atiptaxx.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"UPSMON"="C:\Program Files\UPSMON\UPSMON.EXE" [2007-11-09 18:26]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 15:21]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS SmartDoctor"="C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe" [2007-01-15 10:22]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 11:48]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-08-06 15:54:02]
RtlWake.lnk - C:\Program Files\Realtek\Rtl8180\RtlWake.exe [2007-03-03 17:17:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\WINDOWS\system32\logonuiX.exe"

R1 atitray;atitray;??\C:\Program Files\Radeon Omega Drivers\v2.6.87\ATI Tray Tools\atitray.sys
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys
R2 ScanDrv;ScanDrv;C:\WINDOWS\system32\drivers\ScanDrv.sys
R3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;C:\WINDOWS\system32\DRIVERS\RTL8180.SYS
R4 atidgllk;atidgllk;??\C:\Program Files\ASUS\SmartDoctor\atidgllk.sys
S3 IrCOMM2k;Virtual IR COM Port;C:\WINDOWS\system32\DRIVERS\ircomm2k.sys
S3 IrDAFw2k;IrDA Forward Adapter;C:\WINDOWS\system32\DRIVERS\irdafw2k.sys
S3 KS-959;MA-620 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 20:06:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-10 23:00:00 C:\WINDOWS\Tasks\At1.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-08-22 07:01:00 C:\WINDOWS\Tasks\At10.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-08-22 08:01:00 C:\WINDOWS\Tasks\At11.job"
"2007-10-10 09:00:00 C:\WINDOWS\Tasks\At12.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-10-16 10:00:00 C:\WINDOWS\Tasks\At13.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-10-25 11:00:00 C:\WINDOWS\Tasks\At14.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-11-08 13:00:00 C:\WINDOWS\Tasks\At15.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-11-05 14:00:00 C:\WINDOWS\Tasks\At16.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-11-07 15:00:00 C:\WINDOWS\Tasks\At17.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-11-09 16:00:00 C:\WINDOWS\Tasks\At18.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-11-09 17:00:00 C:\WINDOWS\Tasks\At19.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-11-11 00:00:00 C:\WINDOWS\Tasks\At2.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-11-09 18:00:00 C:\WINDOWS\Tasks\At20.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-11-09 19:00:00 C:\WINDOWS\Tasks\At21.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-11-11 20:00:00 C:\WINDOWS\Tasks\At22.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-11-10 21:00:00 C:\WINDOWS\Tasks\At23.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-11-10 22:00:00 C:\WINDOWS\Tasks\At24.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-08-11 16:48:33 C:\WINDOWS\Tasks\At3.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-08-11 16:48:33 C:\WINDOWS\Tasks\At4.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-08-11 16:48:33 C:\WINDOWS\Tasks\At5.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-08-11 16:48:33 C:\WINDOWS\Tasks\At6.job"
"2007-08-11 16:48:33 C:\WINDOWS\Tasks\At7.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-08-11 16:48:33 C:\WINDOWS\Tasks\At8.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-08-11 16:48:33 C:\WINDOWS\Tasks\At9.job" - C:\WINDOWS\system32\4mWqm2N4.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 21:33:24
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-11-11 21:35:23
C:\ComboFix-quarantined-files.txt ... 2007-07-30 19:25
C:\ComboFix2.txt ... 2007-07-30 19:26
.
--- E O F ---
Gutek
(Gutek)
11 November 2007 20:46
#4
Start >>> All Programs >>> Accessories >>> System Tools >>> Scheduled Tasks, and delete all the listed At tasks
Paste into Notepad:
>> File >> Save As… >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
- like in this picture ->
(if the question " 1 or 2 " appears, type 1 and press ENTER) The removal should start. (and a log will be produced)
After the restart, delete the folder C:\Qoobox by hand.
After that, a new log from ComboFix
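One way to turn the indicators this thread walks through into a repeatable triage check, added here as an example (not code from the thread, from HijackThis or from ComboFix): it parses the three line formats quoted above, assumed to be in the tools' normal one-entry-per-line layout with the HKLM\..\Run form, and flags the Temp-directory process, the masquerading "updater" autorun and the At-task pattern that the reply above tells the poster to remove. The expected-home table and the random-name heuristic are assumptions of this example, not tool rules.

```python
import re
from collections import Counter

# Constructed sample in the formats quoted in the thread: a HijackThis running-process line,
# HijackThis "O4" autorun entries and ComboFix "Scheduled Tasks" entries (values mirror the log).
SAMPLE_LOG = r"""
C:\DOCUME~1\foraq\USTAWI~1\Temp\ir_ext_temp_2\autorun.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [updater] C:\WINDOWS\system32\updater\explorer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"2007-11-05 20:06:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-10 23:00:00 C:\WINDOWS\Tasks\At1.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-08-22 07:01:00 C:\WINDOWS\Tasks\At10.job" - C:\WINDOWS\system32\4mWqm2N4.exe
"2007-08-22 08:01:00 C:\WINDOWS\Tasks\At11.job"
"""

RUN_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[[^\]]+\] "?(?P<path>.+?\.exe)', re.I)
TASK_RE = re.compile(r'^"[\d:\- ]+ (?P<job>[A-Za-z]:\\.+?\.job)"(?: - (?P<target>.+))?$')
# Assumed table: Windows binaries with a fixed home; the same file name elsewhere is a masquerade.
EXPECTED_HOME = {"explorer.exe": r"c:\windows", "ctfmon.exe": r"c:\windows\system32"}

def split_path(path):
    folder, _, name = path.lower().rpartition("\\")  # (directory, file name), lower-cased
    return folder, name

def looks_random(name):
    """Assumed heuristic: stem of 8+ characters mixing digits, lower and upper case (4mWqm2N4)."""
    stem = name.rsplit(".", 1)[0]
    return len(stem) >= 8 and all(re.search(p, stem) for p in (r"\d", r"[a-z]", r"[A-Z]"))

def triage(log_text):
    """Return (evidence, reason) pairs for the suspicious patterns discussed in the thread."""
    findings, task_targets = [], Counter()
    for line in log_text.strip().splitlines():
        if line[1:3] == ":\\" and re.search(r"\\temp\\", line, re.I):
            findings.append((line, "process running from a Temp directory"))
        elif (m := RUN_RE.match(line)):
            folder, name = split_path(m.group("path"))
            if name in EXPECTED_HOME and folder != EXPECTED_HOME[name]:
                findings.append((line, f"{name} outside its expected home {EXPECTED_HOME[name]}"))
        elif (t := TASK_RE.match(line)):
            if re.fullmatch(r"at\d+\.job", split_path(t.group("job"))[1]):
                findings.append((line, "At<N>.job task, created with at.exe rather than by an installer"))
            if t.group("target"):
                task_targets[t.group("target")] += 1
    # Several jobs aimed at one oddly named binary is exactly the pattern in the posted log.
    for target, count in task_targets.items():
        if count > 1 and looks_random(target.rpartition("\\")[2]):
            findings.append((target, f"{count} scheduled tasks launch the same random-named binary"))
    return findings
```

Running `triage(SAMPLE_LOG)` returns six findings; the same function applied to the full posted log would list every At<N>.job line plus the single 4mWqm2N4.exe target they share.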
foraq
(Foraq)
11 November 2007 21:05
#5
Thank you very much! I don't know what I would have done without your advice…