klisz
(Klisz)
29 December 2009 08:59
#1
Despite warnings from me and from Avast, my boss has finally infected the computer, probably from some USB stick. Files like the ones in the title appeared on every partition: autorun.inf and mranjm.exe.
I can't really deal with it myself, so I'm counting on your help.
HijackThis log: http://wklej.org/id/249706/
klisz
(Klisz)
29 December 2009 09:27
#3
jessica
(jessica)
29 December 2009 09:45
#4
Run OTL and paste this into the Custom Scans/Fixes box:
:OTL
MOD - [2009-12-29 09:04:27 | 00,076,411 | RHS- | M] () -- H:\Documents and Settings\Grafik 2\Ustawienia lokalne\Temp\cvasds0.dll
O4 - HKCU…\Run: [cdoosoft] H:\Documents and Settings\Grafik 2\Ustawienia lokalne\Temp\herss.exe ()
O32 - AutoRun File - [2009-12-29 10:20:23 | 00,000,059 | RHS- | M] () - C:\autorun.inf -- [NTFS]
O32 - AutoRun File - [2009-12-29 10:20:23 | 00,000,059 | RHS- | M] () - D:\autorun.inf -- [NTFS]
O32 - AutoRun File - [2009-12-29 10:20:23 | 00,000,059 | RHS- | M] () - H:\autorun.inf -- [NTFS]
O32 - AutoRun File - [2009-12-29 10:20:23 | 00,000,059 | RHS- | M] () - I:\autorun.inf -- [NTFS]
O32 - AutoRun File - [2009-12-29 10:20:24 | 00,000,059 | RHS- | M] () - L:\autorun.inf -- [NTFS]
O32 - AutoRun File - [2009-12-29 10:20:24 | 00,000,059 | RHS- | M] () - M:\autorun.inf -- [NTFS]
O33 - MountPoints2\##Sonar-1080373 #zlecenia\Shell - "" = AutoRun
O33 - MountPoints2\##Sonar-1080373 #zlecenia\Shell\Auto\command - "" = Z:\setup.exe -- [2007-05-08 15:21:32 | 00,035,328 | RHS- | M] ()
O33 - MountPoints2\{001ed05f-de4c-11de-862d-001fd03f73fa}\Shell\AutoRun\command - "" = wbj.exe
O33 - MountPoints2\{001ed05f-de4c-11de-862d-001fd03f73fa}\Shell\open\Command - "" = wbj.exe
O33 - MountPoints2\{0197206f-c205-11de-8603-001fd03f73fa}\Shell\AutoRun\command - "" = N:\wcgswa.exe -- File not found
O33 - MountPoints2\{0197206f-c205-11de-8603-001fd03f73fa}\Shell\open\Command - "" = N:\wcgswa.exe -- File not found
O33 - MountPoints2\{0d2779e6-e956-11de-863e-001fd03f73fa}\Shell\AutoRun\command - "" = N:\yudald.bat -- File not found
O33 - MountPoints2\{0d2779e6-e956-11de-863e-001fd03f73fa}\Shell\open\Command - "" = N:\yudald.bat -- File not found
O33 - MountPoints2\{0d2779f1-e956-11de-863e-001fd03f73fa}\Shell\AutoRun\command - "" = O:\USBNB.exe -- File not found
O33 - MountPoints2\{2b9ee4f5-da5b-11de-8627-001fd03f73fa}\Shell\AutoRun\command - "" = N:\mje12tni.exe -- File not found
O33 - MountPoints2\{2b9ee4f5-da5b-11de-8627-001fd03f73fa}\Shell\open\Command - "" = N:\mje12tni.exe -- File not found
O33 - MountPoints2\{2dbf4e5e-7fff-11de-8598-001fd03f73fa}\Shell\AutoRun\command - "" = L:\rx.exe -- File not found
O33 - MountPoints2\{2dbf4e5e-7fff-11de-8598-001fd03f73fa}\Shell\open\Command - "" = L:\rx.exe -- File not found
O33 - MountPoints2\{3133d5a3-d103-11de-8616-001fd03f73fa}\Shell\AutoRun\command - "" = N:\w9uxx92.exe -- File not found
O33 - MountPoints2\{3133d5a3-d103-11de-8616-001fd03f73fa}\Shell\open\Command - "" = N:\w9uxx92.exe -- File not found
O33 - MountPoints2\{36e46f1c-1cfd-11de-a832-001fd03f73fa}\Shell\AutoRun\command - "" = J:\yftvl.com -- File not found
O33 - MountPoints2\{36e46f1c-1cfd-11de-a832-001fd03f73fa}\Shell\open\Command - "" = J:\yftvl.com -- File not found
O33 - MountPoints2\{3b21e0fc-d287-11de-8619-001fd03f73fa}\Shell\AutoRun\command - "" = 9b9w3.exe
O33 - MountPoints2\{3b21e0fc-d287-11de-8619-001fd03f73fa}\Shell\open\Command - "" = 9b9w3.exe
O33 - MountPoints2\{4fd1cab4-8c9f-11de-85ac-001fd03f73fa}\Shell\AutoRun\command - "" = fooool.exe
O33 - MountPoints2\{4fd1cab4-8c9f-11de-85ac-001fd03f73fa}\Shell\explore\Command - "" = fooool.exe
O33 - MountPoints2\{4fd1cab4-8c9f-11de-85ac-001fd03f73fa}\Shell\open\Command - "" = fooool.exe
O33 - MountPoints2\{528d60be-36f6-11de-a850-001fd03f73fa}\Shell\AutoRun\command - "" = J:\flash.exe -- File not found
O33 - MountPoints2\{528d60be-36f6-11de-a850-001fd03f73fa}\Shell\Explore\command - "" = J:\flash.exe -- File not found
O33 - MountPoints2\{528d60be-36f6-11de-a850-001fd03f73fa}\Shell\Open\command - "" = J:\flash.exe -- File not found
O33 - MountPoints2\{54acc315-f06b-11de-864d-001fd03f73fa}\Shell - "" = AutoRun
O33 - MountPoints2\{54acc315-f06b-11de-864d-001fd03f73fa}\Shell\AutoRun\command - "" = N:\LaunchU3.exe -- File not found
O33 - MountPoints2\{54acc316-f06b-11de-864d-001fd03f73fa}\Shell\AutoRun\command - "" = O:\mranjm.exe -- File not found
O33 - MountPoints2\{54acc316-f06b-11de-864d-001fd03f73fa}\Shell\open\Command - "" = O:\mranjm.exe -- File not found
O33 - MountPoints2\{54acc320-f06b-11de-864d-001fd03f73fa}\Shell\AutoRun\command - "" = N:\mranjm.exe -- File not found
O33 - MountPoints2\{54acc320-f06b-11de-864d-001fd03f73fa}\Shell\open\Command - "" = N:\mranjm.exe -- File not found
O33 - MountPoints2\{54acc322-f06b-11de-864d-001fd03f73fa}\Shell\AutoRun\command - "" = N:\mranjm.exe -- File not found
O33 - MountPoints2\{54acc322-f06b-11de-864d-001fd03f73fa}\Shell\open\Command - "" = N:\mranjm.exe -- File not found
O33 - MountPoints2\{594c1331-cab0-11de-8610-001fd03f73fa}\Shell\AutoRun\command - "" = N:\ukvr.bat -- File not found
O33 - MountPoints2\{594c1331-cab0-11de-8610-001fd03f73fa}\Shell\open\Command - "" = N:\ukvr.bat -- File not found
O33 - MountPoints2\{5c191dcf-9922-11de-85bd-001fd03f73fa}\Shell\AutoRun\command - "" = L:\t8s2x.exe -- File not found
O33 - MountPoints2\{5c191dcf-9922-11de-85bd-001fd03f73fa}\Shell\open\Command - "" = L:\t8s2x.exe -- File not found
O33 - MountPoints2\{5deaf983-b4ab-11de-85ee-001fd03f73fa}\Shell\AutoRun\command - "" = i0yva6.exe
O33 - MountPoints2\{5deaf983-b4ab-11de-85ee-001fd03f73fa}\Shell\open\Command - "" = i0yva6.exe
O33 - MountPoints2\{71a9043a-4b7b-11de-a86d-001fd03f73fa}\Shell - "" = AutoRun
O33 - MountPoints2\{71a9043a-4b7b-11de-a86d-001fd03f73fa}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -- File not found
O33 - MountPoints2\{76cf3cdd-615a-11de-a894-001fd03f73fa}\Shell\AutoRun\command - "" = J:\PMB_P.exe -- File not found
O33 - MountPoints2\{7dababa8-9d16-11de-85c3-001fd03f73fa}\Shell\autopLay\coMmaND - "" = jdpho.pif
O33 - MountPoints2\{7dababa8-9d16-11de-85c3-001fd03f73fa}\Shell\AutoRun\command - "" = jdpho.pif
O33 - MountPoints2\{7dababa8-9d16-11de-85c3-001fd03f73fa}\Shell\exploRe\ComMaNd - "" = jdpho.pif
O33 - MountPoints2\{7dababa8-9d16-11de-85c3-001fd03f73fa}\Shell\open\cOmmand - "" = jdpho.pif
O33 - MountPoints2\{8a2651da-f3b3-11de-8650-001fd03f73fa}\Shell\AutoRun\command - "" = N:\mranjm.exe -- File not found
O33 - MountPoints2\{8a2651da-f3b3-11de-8650-001fd03f73fa}\Shell\open\Command - "" = N:\mranjm.exe -- File not found
O33 - MountPoints2\{8a9160d9-efa1-11de-8648-001fd03f73fa}\Shell - "" = AutoRun
O33 - MountPoints2\{8a9160d9-efa1-11de-8648-001fd03f73fa}\Shell\AutoRun\command - "" = N:\AutoRunCardDetector.exe -- File not found
O33 - MountPoints2\{8a9160da-efa1-11de-8648-001fd03f73fa}\Shell\AutoRun\command - "" = N:\mranjm.exe -- File not found
O33 - MountPoints2\{8a9160da-efa1-11de-8648-001fd03f73fa}\Shell\open\Command - "" = N:\mranjm.exe -- File not found
O33 - MountPoints2\{8cf57f42-d04a-11de-8615-001fd03f73fa}\Shell\AutoRun\command - "" = N:\mbdm.exe -- File not found
O33 - MountPoints2\{8cf57f42-d04a-11de-8615-001fd03f73fa}\Shell\open\Command - "" = N:\mbdm.exe -- File not found
O33 - MountPoints2\{967ecfb9-be0e-11de-85fd-001fd03f73fa}\Shell\aUTopLaY\coMmAnD - "" = N:\pxwlwk.pif -- File not found
O33 - MountPoints2\{967ecfb9-be0e-11de-85fd-001fd03f73fa}\Shell\AutoRun\command - "" = N:\pxwlwk.pif -- File not found
O33 - MountPoints2\{967ecfb9-be0e-11de-85fd-001fd03f73fa}\Shell\explOrE\ComMand - "" = N:\pxwlwk.pif -- File not found
O33 - MountPoints2\{967ecfb9-be0e-11de-85fd-001fd03f73fa}\Shell\oPEn\CommanD - "" = N:\pxwlwk.pif -- File not found
O33 - MountPoints2\{989b55e4-2915-11de-a83c-001fd03f73fa}\Shell - "" = AutoRun
O33 - MountPoints2\{99af58c2-cf62-11de-8614-001fd03f73fa}\Shell - "" = AutoRun
O33 - MountPoints2\{99af58c2-cf62-11de-8614-001fd03f73fa}\Shell\AutoRun\command - "" = N:\LaunchU3.exe -- File not found
O33 - MountPoints2\{9f361024-eedb-11de-8647-001fd03f73fa}\Shell\AutoRun\command - "" = N:\mranjm.exe -- File not found
O33 - MountPoints2\{9f361024-eedb-11de-8647-001fd03f73fa}\Shell\open\Command - "" = N:\mranjm.exe -- File not found
O33 - MountPoints2\{9f361028-eedb-11de-8647-001fd03f73fa}\Shell - "" = AutoRun
O33 - MountPoints2\{9f361028-eedb-11de-8647-001fd03f73fa}\Shell\AutoRun\command - "" = N:\LaunchU3.exe -- File not found
O33 - MountPoints2\{9f361029-eedb-11de-8647-001fd03f73fa}\Shell\AutoRun\command - "" = O:\mranjm.exe -- File not found
O33 - MountPoints2\{9f361029-eedb-11de-8647-001fd03f73fa}\Shell\open\Command - "" = O:\mranjm.exe -- File not found
O33 - MountPoints2\{b07e5764-ba2a-11de-85f5-001fd03f73fa}\Shell\AutoRun\command - "" = N:\2sm66r.exe -- File not found
O33 - MountPoints2\{b07e5764-ba2a-11de-85f5-001fd03f73fa}\Shell\open\Command - "" = N:\2sm66r.exe -- File not found
O33 - MountPoints2\{b116196e-f8ec-11dd-a7d9-001fd03f73fa}\Shell\Open(&0)\command - "" = J:\Recycled\ctfmon.exe -- File not found
O33 - MountPoints2\{b116196f-f8ec-11dd-a7d9-001fd03f73fa}\Shell\AutoRun\command - "" = K:\6l6w8.com -- File not found
O33 - MountPoints2\{b116196f-f8ec-11dd-a7d9-001fd03f73fa}\Shell\explore\Command - "" = K:\6l6w8.com -- File not found
O33 - MountPoints2\{b116196f-f8ec-11dd-a7d9-001fd03f73fa}\Shell\open\Command - "" = K:\6l6w8.com -- File not found
O33 - MountPoints2\{b1c5bfc2-d4ea-11de-861d-001fd03f73fa}\Shell\AutoRun\command - "" = wbj.exe
O33 - MountPoints2\{b1c5bfc2-d4ea-11de-861d-001fd03f73fa}\Shell\open\Command - "" = wbj.exe
O33 - MountPoints2\{b41a0cf1-7698-11de-858a-001fd03f73fa}\Shell\AutoRun\command - "" = N:\EmDesk.exe -- File not found
O33 - MountPoints2\{b41a0cf1-7698-11de-858a-001fd03f73fa}\Shell\EmDesk\command - "" = N:\EmDesk.exe -- File not found
O33 - MountPoints2\{bdc93178-33f2-11de-a84d-001fd03f73fa}\Shell\AuToplAy\COmmAND - "" = N:\nkmoy.cmd -- File not found
O33 - MountPoints2\{bdc93178-33f2-11de-a84d-001fd03f73fa}\Shell\AutoRun\command - "" = N:\nkmoy.cmd -- File not found
O33 - MountPoints2\{bdc93178-33f2-11de-a84d-001fd03f73fa}\Shell\eXplore\commAnD - "" = N:\nkmoy.cmd -- File not found
O33 - MountPoints2\{bdc93178-33f2-11de-a84d-001fd03f73fa}\Shell\oPen\COmmaNd - "" = N:\nkmoy.cmd -- File not found
O33 - MountPoints2\{cf234b3f-95fc-11de-85b9-001fd03f73fa}\Shell\AutoRun\command - "" = n68mqcra.exe
O33 - MountPoints2\{cf234b3f-95fc-11de-85b9-001fd03f73fa}\Shell\open\Command - "" = n68mqcra.exe
O33 - MountPoints2\{e231c06a-871d-11de-85a3-001fd03f73fa}\Shell\AutoRun\command - "" = L:\rx.exe -- File not found
O33 - MountPoints2\{e231c06a-871d-11de-85a3-001fd03f73fa}\Shell\open\Command - "" = L:\rx.exe -- File not found
O33 - MountPoints2\{ef939e30-71d6-11de-8581-001fd03f73fa}\Shell\default\command - "" = p.exe
O33 - MountPoints2\{f4cf4a42-4cf0-11de-a871-001fd03f73fa}\Shell\AutoPlay\cOmManD - "" = J:\ctsuj.cmd -- File not found
O33 - MountPoints2\{f4cf4a42-4cf0-11de-a871-001fd03f73fa}\Shell\AutoRun\command - "" = J:\ctsuj.cmd -- File not found
O33 - MountPoints2\{f4cf4a42-4cf0-11de-a871-001fd03f73fa}\Shell\eXplOre\CoMManD - "" = J:\ctsuj.cmd -- File not found
O33 - MountPoints2\{f4cf4a42-4cf0-11de-a871-001fd03f73fa}\Shell\OpEn\cOmmanD - "" = J:\ctsuj.cmd -- File not found
[2009-12-29 09:04:55 | 00,116,665 | RHS- | C] () -- H:\mranjm.exe
[2009-12-29 09:04:55 | 00,000,059 | RHS- | C] () -- H:\autorun.inf
:Files
z:\autorun.inf
c:\mranjm.exe
d:\mranjm.exe
i:\mranjm.exe
m:\mranjm.exe
l:\mranjm.exe
y:\mranjm.exe
:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
@=""
:Commands
[emptytemp]
[Reboot]
Click Run Fix. Confirm the computer restart.
Then run OTL again, this time using the Run Scan option.
Post the new OTL.txt log and the log from the clean-up.
jessi
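As an added example (not code from this thread, from OTL or from its author), here is a small Python triage for an autorun.inf like the one the worm dropped on each partition: it pulls out every launch directive Explorer would honour and flags the two traits visible in the fix script above, every action pointing at one file and an executable run straight from the drive root. The sample file is constructed for the example and modelled on the thread's mranjm.exe infection.

```python
import ntpath
import re
import shlex

# Constructed sample modelled on the worm in this thread (not a file taken from
# the infected machine): every Explorer action on the drive is routed to the
# same dropped executable sitting in the drive root.
SAMPLE_AUTORUN_INF = r"""[AutoRun]
open=mranjm.exe
shell\open\Command=mranjm.exe
shell\explore\Command=mranjm.exe
shellexecute=mranjm.exe
useautoplay=1
"""

_COMMAND_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)  # keys Explorer executes
_EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr"}


def autorun_commands(text):
    """Return {key: command} for every launch directive in the [autorun] section."""
    commands, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # INI section header
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if _COMMAND_KEYS.match(key):
            commands[key.lower()] = value
    return commands


def triage(text):
    """Extract launch targets and flag the two patterns typical of USB worms."""
    commands = autorun_commands(text)
    # First token of each command line is the program; drop quotes and arguments.
    targets = sorted({shlex.split(c, posix=False)[0].strip('"').lower()
                      for c in commands.values() if c.strip()})
    findings = []
    if len(commands) >= 2 and len(targets) == 1:
        findings.append("open, explore and autoplay all run the same file")
    for t in targets:
        in_root = "\\" not in ntpath.splitdrive(t)[1].lstrip("\\")
        if in_root and ntpath.splitext(t)[1] in _EXEC_EXT:
            findings.append(f"{t}: executable launched straight from the drive root")
    return {"commands": commands, "targets": targets, "findings": findings}
```

Run `triage(open(r"E:\autorun.inf").read())` against each removable drive root to get the same view the O32/O33 lines above give after the fact.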
klisz
(Klisz)
29 December 2009 10:04
#5
Clean-up log: http://wklej.org/id/249752/
New OTL: http://wklej.org/id/249754/
Looks like it's probably fine now.
kamil_w
(kamil_w)
29 December 2009 10:24
#6
A piece of advice for the future:
If the computer is used by irresponsible and clueless users, make an image of the system partition with Norton Ghost, Acronis True Image or something similar. That way, if the system gets completely wrecked, you won't have to struggle with everything from scratch.
jessica
(jessica)
29 December 2009 10:25
#7
Yes, clean.
In OTL click the "CleanUp" button - that will remove it together with its quarantine…
Delete the copies of the malware from the "System Volume Information" folder by temporarily disabling "System Restore":
>START>Control Panel>System>System Restore>>tick the box next to "Turn off System Restore on all drives">Apply>OK. (During this temporary disabling those copies delete themselves, so there is no need to look into the folder.) Afterwards you can go back to the previous setting (i.e. untick the box).
Use the vaccine tool >Panda Vaccine
jessi