BRONTOK blokujacy dostep do opcji folderow

abstractman · 27 Październik 2007 08:42

witam!

kolega mi przyniósł komórkę, żebym mu na kartę pliki przerzucił. był tam jakiś .exe’k w ikonie foldera, kliknąłem w niego - i mi sie Brontok zainstalował. tutaj Wam daje logi, żebyście poradzili, co mam wywalić.

tak, wiem, mam spory syf, ale nie ruszam go.

PS: to mój pierwszy wirus, jaki złapałem od zainstalowania tego systemu (14.10.2005). 8)

PS2: jak usunąć Yahoo Bar z IE?

Logfile of HijackThis v1.98.2 Scan saved at 10:40:33, on 2007-10-27 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\tgtsoft\StyleXP\StyleXPService.exe C:\WINDOWS\system32\Ati2evxx.exe E:\programs\Sygate Personal Firewall\smc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\explorer.exe C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe C:\WINDOWS\system32\svchost.exe E:\Programs\NOKIAP~1\NOKIAP~1\LAUNCH~1.EXE C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe E:\Programs\AutoConnect\AutoConnect.exe C:\Program Files\PerfectDisk\PDSched.exe E:\Programs\Tlen.pl\tlen.exe E:\Programs\Nokia PC Suite\Nokia PC Suite 6\PcSync2.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe E:\Programs\RealPlayer\RealPlay.exe E:\Programs\Konnekt\konnekt.exe C:\Program Files\Mozilla Firefox\firefox.exe E:\Instalki\hijackthis1982.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def … earch.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def … .yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def … .yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def … earch.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def … .yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def … .yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) F2 - REG:system.ini: Shell=explorer.exe “c:\windows\eksplorasi.exe” O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Programs\GetRight\xx2gr.dll O2 - BHO: (no name) - {81A99149-F047-4090-8AAD-D11FF4EFB734} - (no file) O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM…\Run: [smcService] E:\programs\SYGATE~1\smc.exe -startgui O4 - HKLM…\Run: [HideSRHi] AUTOHSRHI.EXE O4 - HKLM…\Run: [lsassxp] C:\WINDOWS\lsassxp.exe O4 - HKLM…\Run: [AtiPTA] atiptaxx.exe O4 - HKLM…\Run: [PCSuiteTrayApplication] E:\Programs\NOKIAP~1\NOKIAP~1\LAUNCH~1.EXE -startup O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [bron-Spizaetus] “C:\WINDOWS\ShellNew\sempalong.exe” O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU…\Run: [AutoConnect] E:\Programs\AutoConnect\AutoConnect.exe O4 - HKCU…\Run: [Komunikator] “E:\Programs\Tlen.pl\tlen.exe” --confdir=home O4 - HKCU…\Run: [PcSync] E:\Programs\Nokia PC Suite\Nokia PC Suite 6\PcSync2.exe /NoDialog O4 - Global Startup: Adobe Reader Speed Launch.lnk = ? O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O8 - Extra context menu item: Download with GetRight - E:\Programs\GetRight\GRdownload.htm O8 - Extra context menu item: Open with GetRight Browser - E:\Programs\GetRight\GRbrowse.htm O8 - Extra context menu item: Web&2Pic Pro - E:\Programs\Web2Pic Pro\Dll\web2pic_url.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\J2SE RE 5\bin\npjpi150_01.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\J2SE RE 5\bin\npjpi150_01.dll O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O17 - HKLM\System\CCS\Services\Tcpip…{6D251C95-C834-43A3-818A-5F088A53BE3D}: NameServer = 194.204.159.1 217.98.63.164

jessica · 27 Październik 2007 13:27

Te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

Ściągnij -->ComboFix.

Wklej do Notatnika :

File::

C:\windows\eksplorasi.exe

C:\WINDOWS\lsassxp.exe

C:\WINDOWS\ShellNew\sempalong.exe

c:\WINDOWS\system32\AUTOHSRHI.EXE

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Daj ten log.

O Brontoku –http://wirusy.antivirenkit.pl/pl/opis/Email-Worm.Win32.Brontok.c.html

jessi

abstractman · 27 Październik 2007 14:23

ComboFix 07-10-23.2 - Norbert 2007-10-27 16:22:09.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.392 [GMT 2:00] Running from: G:\ComboFix.exe Command switches used :: G:\CFScript.txt * Created a new restore point FILE:: C:\windows\eksplorasi.exe C:\WINDOWS\lsassxp.exe C:\WINDOWS\ShellNew\sempalong.exe c:\WINDOWS\system32\AUTOHSRHI.EXE . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\WINDOWS\system32\AUTOHSRHI.EXE . ((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 ))))))))))))))))))))))))))))))) . 2007-10-27 16:21 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-10-27 11:24 2007-10-27 11:21 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe 2007-10-27 11:19 2007-10-27 11:19 2007-10-27 11:19 2007-10-23 15:29 2007-10-23 15:29 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-10-27 09:20 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-09-21 19:47 74,752 ----a-w C:\WINDOWS\ST6UNST.EXE 2007-09-21 19:47 253,952 ------w C:\WINDOWS\Setup1.exe 2007-08-28 13:52 --------- d-----w C:\Program Files\SkanerOnline 2005-07-14 20:31:20 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll 2005-06-26 23:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll 2005-06-22 06:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SmcService”=“E:\programs\SYGATE~1\smc.exe” [2004-06-30 16:56] “PCSuiteTrayApplication”=“E:\Programs\NOKIAP~1\NOKIAP~1\LAUNCH~1.exe” [2006-06-15 12:36] “SpeedTouch USB Diagnostics”=“C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe” [2002-06-06 11:15] “SoundMan”=“SOUNDMAN.EXE” [2005-06-20 22:42 C:\WINDOWS\SOUNDMAN.EXE] “TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2005-11-04 20:04] “ATIModeChange”=“Ati2mdxx.exe” [2005-12-11 22:35 C:\WINDOWS\system32\Ati2mdxx.exe] “ATICCC”=“C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” [2005-08-12 14:43] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “AutoConnect”=“E:\Programs\AutoConnect\AutoConnect.exe” [2006-12-03 01:14] “Komunikator”=“E:\Programs\Tlen.pl\tlen.exe” [2006-05-12 14:13] “PcSync”=“E:\Programs\Nokia PC Suite\Nokia PC Suite 6\PcSync2.exe” [2006-06-27 16:21] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “NoLowDiscSpaceChecks”=000000000000f03f [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] “Authentication Packages”= msv1_0 relog_ap *Newly Created Service* - CATCHME [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{44BBA844-CC51-11CF-AAFA-AABBCCDDEE02}] rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\skrzynka.inf,profil.d . ************************************************************************** catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-10-27 16:23:39 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-10-27 16:24:21 . — E O F —

jessica · 27 Październik 2007 14:45

Widzę, że się niepotrzebnie trudziłam, bo Brontok został już wcześniej usunięty.

Jest OK!.

jessi