Problem z Trojan.VB.aqt

jaguarR · 14 Marzec 2008 16:37

witam

dzis robilem skany online i wykrylo mi Trojan.VB.aqt

C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart\ctfmon.exe

C:\Recycled\ctfmon.exe

C:\Recycled\Recycled\ctfmon.exe

D:\Recycled\ctfmon.exe

Logfile of HijackThis v1.99.1 Scan saved at 17:25, on 2008-03-14 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\System32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\ALCWZRD.EXE C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart\ctfmon.exe D:\bear\fire\comodo\cmdagent.exe C:\WINDOWS\system32\wscntfy.exe D:\inne\giegie\Gadu-Gadu\gg.exe D:\bear\fire\comodo\cfp.exe C:\Program Files\Mozilla Firefox\firefox.exe D:\HJT\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hstv.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O4 - HKLM…\Run: [skrót do strony właściwości High Definition Audio] HDAudPropShortcut.exe O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [AlcWzrd] ALCWZRD.EXE O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” O4 - HKLM…\Run: [COMODO Firewall Pro] “D:\bear\fire\comodo\cfp.exe” -s O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” O4 - HKCU…\Run: [Gadu-Gadu] “D:\inne\giegie\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [EPSON Stylus Photo R285 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKE.EXE /FU “C:\WINDOWS\TEMP\E_S95.tmp” /EF “HKCU” O4 - Startup: ctfmon.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar … vSniff.cab O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} - http://arcaonline.arcabit.com/ArcaOnline.cab O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pe … stscan.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc … oscan8.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/vi … ebscan.cab O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l … cfscan.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - D:\bear\fire\comodo\cmdagent.exe

addmir · 14 Marzec 2008 17:16

FIX w hijack:

Pokaż log z ComboFix

jaguarR · 14 Marzec 2008 17:55

ComboFix 08-03-14.2 - Administrator 2008-03-14 18:32:06.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.724 [GMT 1:00] Running from: D:\CF\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Autorun.inf D:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 ))))))))))))))))))))))))))))))) . 2008-02-28 22:49 . 2008-02-28 22:49 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-02 18:27 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent 2008-01-20 15:41 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Comodo 2008-01-20 15:39 79,096 ----a-w C:\WINDOWS\system32\drivers\cmdGuard.sys 2008-01-20 15:39 23,672 ----a-w C:\WINDOWS\system32\drivers\cmdhlp.sys 2008-01-20 15:39 139,008 ----a-w C:\WINDOWS\system32\guard32.dll 2008-01-20 15:39 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Comodo 2007-04-23 14:22 16,505,799 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_04_22_18_05_23_full.dmp.zip 2007-04-10 21:25 16,433,806 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_04_10_23_23_27_full.dmp.zip 2007-03-31 13:20 16,263,313 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_31_14_54_23_full.dmp.zip 2007-07-28 13:53 9,270,048 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2007-07-28 13:53 315,936 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2006-06-01 12:32 94208] “Gadu-Gadu”=“D:\inne\giegie\Gadu-Gadu\gg.exe” [2006-02-17 14:03 2396160] “EPSON Stylus Photo R285 Series”=“C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKE.exe” [2007-04-13 07:00 182272] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Skrót do strony właściwości High Definition Audio”=“HDAudPropShortcut.exe” [2004-03-17 14:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe] “SoundMan”=“SOUNDMAN.EXE” [2007-03-29 22:16 77824 C:\WINDOWS\SOUNDMAN.EXE] “AlcWzrd”=“ALCWZRD.EXE” [2007-03-29 22:16 2559488 C:\WINDOWS\ALCWZRD.EXE] “NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2006-01-12 15:40 155648] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” [2007-03-14 02:43 83608] “COMODO Firewall Pro”=“D:\bear\fire\comodo\cfp.exe” [2008-01-20 16:39 1481984] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 02:44 15360] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoInstrumentation”= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] “AppInit_DLLs”= C:\WINDOWS\system32\guard32.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] --a------ 2007-03-30 12:34 25263144 C:\Program Files\Skype\Phone\Skype.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] --a------ 2006-06-21 18:14 35328 D:\inne\hvo\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] “UpdatesDisableNotify”=dword:00000001 [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] “D:\inne\giegie\Gadu-Gadu\gg.exe”= “D:\csik\CSCS\hl.exe”= “D:\Nowy folder (2)\Soldier of Fortune II - Double Helix MP TEST\SoF2MP-Test.exe”= “D:\GOLD\SoF2MP.exe”= “D:\bear\Nowy folder (3)\The All-Seeing Eye\eye.exe”= “D:\round + mousetrap sprawnySTARSZA WESRSJA\The All-Seeing Eye\eye.exe”= “D:\RedAlert\game.exe”= “D:\csik\CSCS\hlds.exe”= “D:\bear\utorrent\utorrent.exe”= “D:\programy do kompa\Magic Speed\MagicSpeed.exe”= R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-01-20 16:39] R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-01-20 16:39] . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-14 18:45:08 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-03-14 18:46:17 ComboFix-quarantined-files.txt 2008-03-14 17:46:07 . 2008-01-05 09:53:42 — E O F — jeszcze jedno przec chwila mialem problem taki ze jak wpisywalem strone to wpisywala sie ona “od tylu” :C

addmir · 14 Marzec 2008 18:16

Wklej do notatnika:

File::

C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_04_22_18_05_23_full.dmp.zip

C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_04_10_23_23_27_full.dmp.zip

C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_31_14_54_23_full.dmp.zip


Folder::

C:\Recycled

Plik -> zapisz jako -> CFScript.txt

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu ->

Powinno się rozpocząć usuwanie i powstanie log, daj ten log na forum. Na http://www.wklej.org

Jeśli wszystko pójdzie dobrze, to po restarcie usuń ręcznie plik C: ** Qoobox**

jaguarR · 14 Marzec 2008 18:35

http://wklej.org/id/aa1bebd907

addmir · 14 Marzec 2008 18:42

W takim razie trzeba uruchomić CFScript.txt o zawartości (linię z X:\Recycled powiel tyle razy ile jest dysków twardych, pod X podstawiając prawidłowe litery):

Folder::

C:\Recycled

X:\Recycled

Plik -> zapisz jako -> CFScript.txt

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu ->

Powinno się rozpocząć usuwanie i powstanie log, daj ten log na forum.

Jeśli wszystko pójdzie dobrze, to po restarcie usuń ręcznie plik C: ** Qoobox**

Leon1 · 15 Marzec 2008 16:47

Wyłącz przywracanie systemu na wszystkich dyskach.http://support.microsoft.com/kb/310405/pl

potem usuń