Backdoor trojan


(Jarf11) #1

A Backdoor trojan has made itself at home on my PC and I can't get rid of it. Please help; here is a link to my HijackThis log.

http://www.wklej.org/id/f9a4715e17


(Cyba91) #2

Fix:

O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)

O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)

O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)

Disable System Restore on the hard drives.


(Laszjwrz) #3
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?PL (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

Fix these too, but it probably won't do much. Show a ComboFix log.


(Jarf11) #4

Indeed, it didn't do much. This is the ComboFix log:

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-16 19:11 --------- d-----w C:\Users\FRĄCKI\AppData\Roaming\Skype

2008-04-16 19:06 6,736 ----a-w C:\Windows\system32\drivers\PROCEXP90.SYS

2008-04-16 18:34 --------- d---a-w C:\ProgramData\TEMP

2008-04-16 17:29 --------- d-----w C:\Program Files\Spyware Doctor

2008-04-16 17:24 2,560 ----a-w C:\Windows\system32\drivers\mchInjDrv.sys

2008-04-16 17:23 --------- d-----w C:\Users\FRĄCKI\AppData\Roaming\PC Tools

2008-04-16 17:23 --------- d-----w C:\Program Files\Google

2008-04-16 15:52 13,072 ----a-w C:\Users\FRĄCKI\AppData\Roaming\nvModes.dat

2008-04-16 14:41 --------- d-----w C:\Users\FRĄCKI\AppData\Roaming\skypePM

2008-04-14 09:44 --------- d-----w C:\Program Files\Opera

2008-04-10 08:12 --------- d-----w C:\Users\FRĄCKI\AppData\Roaming\Apple Computer

2008-04-09 13:40 286,720 ----a-w C:\Windows\iun507.exe

2008-04-09 13:40 --------- d-----w C:\Program Files\RescuePRO

2008-04-09 13:09 --------- d-----w C:\Program Files\QuickTime

2008-04-09 13:08 --------- d-----w C:\ProgramData\Apple Computer

2008-04-09 13:07 --------- d-----w C:\Program Files\OLYMPUS

2008-04-09 10:01 --------- d-----w C:\ProgramData\Microsoft Help

2008-04-09 10:01 --------- d-----w C:\Program Files\Windows Mail

2008-04-09 10:01 --------- d-----w C:\Program Files\Professor Fizzwizzle

2008-04-09 10:01 --------- d-----w C:\Program Files\Microsoft Works

2008-04-09 10:01 --------- d-----w C:\Program Files\Common Files\Skype

2008-04-09 09:03 --------- d-----w C:\Users\FRĄCKI\AppData\Roaming\PeerNetworking

2008-03-27 13:42 --------- d-----w C:\Program Files\a-squared Free trojan 1

2008-03-25 07:57 --------- d-----w C:\ProgramData\Symantec

2008-03-12 13:33 --------- d-----w C:\Users\FRĄCKI\AppData\Roaming\Auslogics

2008-03-12 13:33 --------- d-----w C:\Program Files\Auslogics

2008-03-12 13:27 --------- d-----w C:\Users\FRĄCKI\AppData\Roaming\LimeWire

2008-03-08 02:14 148,992 ----a-w C:\Windows\system32\drivers\ks.sys

2008-03-06 20:32 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf

2008-03-06 20:32 23,904 ----a-w C:\Windows\system32\drivers\COH_Mon.sys

2008-03-06 20:32 10,537 ----a-w C:\Windows\system32\drivers\COH_Mon.cat

2008-02-29 17:32 --------- d-----w C:\Users\FRĄCKI\AppData\Roaming\Nokia Multimedia Player

2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll

2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll

2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll

2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe

2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe

2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll

2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll

2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys

2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll

2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll

2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll

2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe

2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll

2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe

2008-02-13 19:10 194,560 ----a-w C:\Windows\System32\WebClnt.dll

2008-02-13 19:06 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe

2008-02-13 19:06 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe

2008-02-13 19:05 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-02-13 19:05 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll

2008-02-13 19:05 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll

2008-02-13 19:05 24,064 ----a-w C:\Windows\System32\netcfg.exe

2008-02-13 19:05 22,016 ----a-w C:\Windows\System32\netiougc.exe

2008-02-13 19:05 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll

2008-02-13 19:05 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll

2008-02-13 19:05 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll

2008-02-13 19:05 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll

2008-02-13 19:05 1,686,528 ----a-w C:\Windows\System32\gameux.dll

2008-01-10 16:22 32 ----a-w C:\Users\All Users\ezsid.dat

2008-01-10 16:22 32 ----a-w C:\ProgramData\ezsid.dat

2007-08-31 09:32 174 --sha-w C:\Program Files\desktop.ini

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]

2008-02-01 12:21 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 14:29 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-01-13 10:40 90191]

"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-01-13 10:40 7766016]

"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-01-13 10:40 81920]

"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [2007-02-13 09:30 405504]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]

"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 06:00 204800]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]

"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-02-22 14:29 54576]

"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UacDisableNotify"=dword:00000001

"InternetSettingsDisableNotify"=dword:00000001

"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"{B0C1825B-B76D-4776-9A69-66EF251B1937}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype

"{E352CEC1-12D3-4EEB-9809-BB53860E9C43}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype

"{E7AC3494-377E-4CA1-BC7F-91DA57A65EC1}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire

"{B563AA54-9305-4174-A423-D906A0B601EB}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire

"{71BA0A6B-8741-4AEC-97A8-D399EE775B9B}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{54D8FA9A-7FF1-42AD-91F2-14FDAFF9E9FF}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]

"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]

"EnableFirewall"= 0 (0x0)

"DoNotAllowExceptions"= 1 (0x1)

R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 17:25]

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20080411.001\IDSvix86.sys [2008-02-13 18:18]

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2007-08-31 16:46]

R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-02 15:56]

R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-08-13 22:50]

R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 12:50]

R3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 17:32]

R3 UVCFTR;UVCFTR;C:\Windows\system32\DRIVERS\UVCFTR_S.SYS [2007-01-26 17:13]

S3 athr;Sterownik urządzenia rozszerzalnej bezprzewodowej sieci LAN Atheros;C:\Windows\system32\DRIVERS\athr.sys [2006-11-02 09:30]

S3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-03-06 22:32]

S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2007-01-18 16:40]

S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2007-01-18 16:47]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0801c5fa-dad9-11dc-b562-0016d4f86d4d}]

\shell\Auto\command - UFO.exe

\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

*Newly Created Service* - CATCHME

*Newly Created Service* - IKFILESEC

*Newly Created Service* - IKSYSFLT

*Newly Created Service* - IKSYSSEC

*Newly Created Service* - MCHINJDRV

.

Contents of the 'Scheduled Tasks' folder

"2008-04-07 18:35:46 C:\Windows\Tasks\Norton AntiVirus - Run Full System Scan - FRĄCKI.job"

- C:\Program Files\Norton AntiVirus\Navw32.exe

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-16 21:11:34

Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-16 21:13:01

ComboFix-quarantined-files.txt 2008-04-16 19:12:45

System nie może znaleźć komunikatu dla numeru komunikatu 0x2379 w pliku komunikatów dla Application.

System nie może znaleźć komunikatu dla numeru komunikatu 0x2379 w pliku komunikatów dla Application.

.

2008-04-09 09:02:36 --- E O F ---


(Gutek) #5

Change to the rules for posting logs on the forum - viewtopic.php?f=16&t=213350

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0801c5fa-dad9-11dc-b562-0016d4f86d4d}]

\shell\Auto\command - UFO.exe

\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

use http://www.brothersoft.com/prt-(perlovga-removal-tool)-60877.html
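The "Reg Loading Points" section of the ComboFix log in post #4 contains the two indicators Gutek singles out here: the MountPoints2 volume key carrying `shell\Auto\command - UFO.exe`, and, a little earlier, Security Center monitoring and the Windows Firewall switched off. The script below is an added example written for this thread; it is not part of ComboFix, HijackThis or any of the posted tools. It parses that section format offline and flags both kinds of entry. The embedded `SAMPLE_LOG` is a constructed excerpt modelled on the thread's log, and all function names are the example's own.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not ComboFix's own code. It groups each '[key]' header with
the value lines beneath it, then reports (a) removable-drive autorun commands
stored under Explorer's MountPoints2 key and (b) Security Center / Windows
Firewall settings that have been turned off. SAMPLE_LOG is a constructed
excerpt modelled on the log posted in this thread.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0801c5fa-dad9-11dc-b562-0016d4f86d4d}]
\shell\Auto\command - UFO.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
# MountPoints2 sub-entries are printed as '\shell\<verb>\command - <cmd>'
MP_RE = re.compile(r"^\\shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$")

Entries = Dict[str, List[Tuple[str, str]]]


def parse_sections(text: str) -> Entries:
    """Map each registry key header to the (name, value) pairs listed under it."""
    sections: Entries = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            sections[current].append((m.group("name"), m.group("value").strip()))
            continue
        m = MP_RE.match(line)
        if m:
            sections[current].append((f"shell\\{m.group('verb')}\\command", m.group("cmd").strip()))
    return sections


def reg_int(value: str) -> Optional[int]:
    """Decode the two integer spellings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    m = re.match(r"dword:([0-9a-fA-F]{8})", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def find_autorun_mountpoints(sections: Entries) -> List[Dict[str, str]]:
    """Volume GUIDs under MountPoints2 with a shell\Auto* command attached.
    Explorer replays these when the drive is double-clicked, which is how an
    autorun.inf worm keeps re-launching itself from a USB stick."""
    hits = []
    for key, entries in sections.items():
        if "mountpoints2" not in key.lower():
            continue
        for name, cmd in entries:
            if name.lower().startswith("shell\\auto"):
                hits.append({"key": key, "verb": name, "command": cmd})
    return hits


def find_disabled_protections(sections: Entries) -> List[str]:
    """Security Center and Windows Firewall settings that have been switched off."""
    findings = []
    for key, entries in sections.items():
        k = key.lower()
        for name, value in entries:
            n = name.lower()
            if "security center" in k and n == "disablemonitoring" and reg_int(value) == 1:
                findings.append(f"Security Center monitoring disabled: {key}")
            if "security center" in k and n.endswith("disablenotify") and reg_int(value) == 1:
                findings.append(f"Security Center notification suppressed: {name}")
            if "firewallpolicy" in k and n == "enablefirewall" and reg_int(value) == 0:
                profile = key.rsplit("\\", 1)[-1]
                findings.append(f"Windows Firewall off for profile {profile}")
    return findings


if __name__ == "__main__":
    parsed = parse_sections(SAMPLE_LOG)
    for hit in find_autorun_mountpoints(parsed):
        print(f"AUTORUN  {hit['verb']} -> {hit['command']}  ({hit['key']})")
    for finding in find_disabled_protections(parsed):
        print(f"WEAKENED {finding}")
```

Run it against a saved ComboFix log by replacing `SAMPLE_LOG` with the file's contents. Only the MountPoints2 and firewall/Security Center keys are examined; the Run keys still have to be reviewed by hand, as Cyba91 and Laszjwrz did above.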


(Jarf11) #6

http://wklej.org/id/b782d12d05


(huber2t) #7

open Notepad and paste

save it with file type All Files under the name plik.reg

Run this file, then restart the computer