Trojan autorun.inf


(Poodle4) #1

Hello, it so happens that I have exactly the same problem as the author of this thread; could I also ask for help?

The logs are not long, so I am pasting them here:

ComboFix:

ComboFix 09-02-02.04 - Anulka 2009-02-03 9:02:48.1 - FAT32 x86

Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.127.46 [GMT 1:00]

Uruchomiony z: c:\documents and settings\Anulka\Pulpit\ComboFix.exe

* Utworzono nowy punkt przywracania

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!

.

((((((((((((((((((((((((( Pliki utworzone od 2009-01-03 do 2009-02-03 )))))))))))))))))))))))))))))))

.

2009-02-02 14:16 . 2009-02-02 14:16

2009-02-02 14:16 . 2009-02-02 14:16

2009-02-02 14:16 . 2009-02-02 14:16

2009-01-30 16:43 . 2003-03-18 21:20 1,060,864 --a------ c:\windows\system32\MFC71.dll

2009-01-29 15:04 . 2009-02-02 18:29 69 --a------ c:\windows\NeroDigital.ini

2009-01-26 21:21 . 2009-01-26 21:21

2009-01-26 13:43 . 2009-01-26 13:43 427 --a------ c:\windows\ODBC.INI

2009-01-26 13:40 . 2009-01-26 13:40

2009-01-26 13:39 . 2009-01-26 13:39

2009-01-26 13:33 . 2009-01-26 13:33

2009-01-26 13:33 . 2009-01-26 13:33

2009-01-26 12:57 . 2005-09-01 12:03 127,488 --------- c:\windows\system32\drivers\imagesrv.sys

2009-01-26 12:57 . 2005-09-01 12:03 5,888 --------- c:\windows\system32\drivers\imagedrv.sys

2009-01-26 12:56 . 2009-01-26 12:56

2009-01-26 12:56 . 2004-07-26 17:16 1,568,768 --------- c:\windows\system32\ImagX7.dll

2009-01-26 12:56 . 2004-07-26 17:16 476,320 --------- c:\windows\system32\ImagXpr7.dll

2009-01-26 12:56 . 2004-07-26 17:16 471,040 --------- c:\windows\system32\ImagXRA7.dll

2009-01-26 12:56 . 2004-07-09 09:43 364,544 --------- c:\windows\system32\TwnLib4.dll

2009-01-26 12:56 . 2004-07-26 17:16 262,144 --------- c:\windows\system32\ImagXR7.dll

2009-01-26 12:56 . 2006-01-12 16:40 155,648 --a------ c:\windows\system32\NeroCheck.exe

2009-01-26 12:56 . 2000-06-26 11:45 106,496 --a------ c:\windows\system32\TwnLib20.dll

2009-01-26 12:42 . 2003-03-19 04:14 499,712 --a------ c:\windows\system32\msvcp71.dll

2009-01-26 12:42 . 2004-01-11 23:00 348,160 --a------ c:\windows\system32\msvcr71.dll

2009-01-26 12:27 . 2009-01-26 12:27

2009-01-26 12:23 . 2009-01-26 12:23

2009-01-26 12:21 . 2003-12-03 06:01 545 --a------ c:\windows\UC.PIF

2009-01-26 12:21 . 2003-12-03 06:01 545 --a------ c:\windows\RAR.PIF

2009-01-26 12:21 . 2003-12-03 06:01 545 --a------ c:\windows\PKZIP.PIF

2009-01-26 12:21 . 2003-12-03 06:01 545 --a------ c:\windows\PKUNZIP.PIF

2009-01-26 12:21 . 2003-12-03 06:01 545 --a------ c:\windows\NOCLOSE.PIF

2009-01-26 12:21 . 2003-12-03 06:01 545 --a------ c:\windows\LHA.PIF

2009-01-26 12:21 . 2003-12-03 06:01 545 --a------ c:\windows\ARJ.PIF

2009-01-26 12:21 . 2009-01-26 21:18 333 --a------ c:\windows\wincmd.ini

2009-01-26 12:20 . 2009-01-26 12:20

2009-01-26 12:20 . 2009-01-26 12:20

2009-01-26 12:20 . 2009-01-26 12:20

2009-01-26 12:20 . 2009-01-26 12:20 77,824 --a------ c:\windows\system32\qttask.exe

2009-01-26 12:20 . 2001-08-17 22:03 24,960 --a------ c:\windows\system32\drivers\usbccgp.sys

2009-01-26 12:20 . 2001-08-17 22:03 24,960 --a------ c:\windows\system32\dllcache\usbccgp.sys

2009-01-26 12:19 . 2009-01-26 12:19

2009-01-26 12:19 . 2008-03-16 14:47 872,192 --a------ c:\windows\system32\drivers\mod7700.sys

2009-01-26 12:19 . 2008-03-17 11:56 103,168 --a------ c:\windows\system32\drivers\ewusbfake.sys

2009-01-26 12:19 . 2008-03-17 11:03 101,376 -ra------ c:\windows\system32\drivers\ewusbmdm.sys

2009-01-26 12:19 . 2008-01-22 15:09 100,992 --a------ c:\windows\system32\drivers\ewusbnet.sys

2009-01-26 12:19 . 2007-08-09 04:13 24,448 -ra------ c:\windows\system32\drivers\ewdcsc.sys

2009-01-26 12:17 . 2009-01-26 12:18

2009-01-26 12:17 . 2009-01-26 12:17 0 --a------ c:\windows\nsreg.dat

2009-01-26 12:09 . 2009-01-26 12:09

2009-01-26 12:07 . 2009-01-26 12:07

2009-01-26 12:05 . 2009-01-26 12:05

2009-01-26 12:03 . 2009-01-26 12:03

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-02 13:15 133,120 ----a-w c:\windows\system32\sfc_os.dll

2009-01-26 10:47 --------- d-----w c:\program files\microsoft frontpage

2009-01-26 10:41 --------- d-----w c:\program files\Usługi online

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{038cb5c7-48ea-4af9-94e0-a1646542e62b}"= "c:\program files\ToggleEN\tbTogg.dll" [2008-11-23 1784856]

[HKEY_CLASSES_ROOT\clsid{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

2008-11-23 23:03 1784856 --a------ c:\program files\ToggleEN\tbTogg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{038cb5c7-48ea-4af9-94e0-a1646542e62b}"= "c:\program files\ToggleEN\tbTogg.dll" [2008-11-23 1784856]

[HKEY_CLASSES_ROOT\clsid{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{038CB5C7-48EA-4AF9-94E0-A1646542E62B}"= "c:\program files\ToggleEN\tbTogg.dll" [2008-11-23 1784856]

[HKEY_CLASSES_ROOT\clsid{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="e:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2001-10-26 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= c:\progra~1\ffdshow\ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2001-08-02 07:14 1077277 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2006-01-12 16:40 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2008-08-04 00:02 36352 e:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-02-02 75856]

.

  • USUNIĘTO PUSTE WPISY - - - -

MSConfigStartUp-Client Server Runtime Process - c:\windows\System32\csrs.exe

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://search.conduit.com?SearchSource= ... =CT2077543

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

TCP: {0AEB4FB1-D55F-45A7-B1EF-B5941711B43A} = 89.108.195.20 89.108.195.21

FF - ProfilePath - c:\documents and settings\Anulka\Dane aplikacji\Mozilla\Firefox\Profiles\hkv8xz1q.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3q=

FF - prefs.js: browser.startup.homepage - www.google.pl

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.as ... ource=2q=

FF - plugin: e:\program files\Real Alternative\browser\plugins\nppl3260.dll

FF - plugin: e:\program files\Real Alternative\browser\plugins\nprpjplug.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-03 09:04:31

Windows 5.1.2600 FAT NTAPI

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

.

--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-1454471165-436374069-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.*C`*Z%]

@Class="Shell"

[HKEY_USERS\S-1-5-21-1454471165-436374069-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.*C`*Z%\OpenWithList]

@Class="Shell"

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

  • 'winlogon.exe'(520)

c:\windows\system32\ODBC32.dll

  • 'lsass.exe'(576)

c:\windows\system32\mswsock.dll

c:\windows\System32\wshtcpip.dll

c:\windows\System32\dssenh.dll

.

Czas ukończenia: 2009-02-03 9:06:02

ComboFix-quarantined-files.txt 2009-02-03 08:06:00

Przed: 6 352 588 800 bajtów wolnych

Po: 6,351,093,760 bajtów wolnych

148

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:00:27, on 2009-02-03

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.exe

e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

e:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

E:\Program Files\PLAY ONLINE\PLAY ONLINE.exe

E:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Anulka\Pulpit\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource= ... =CT2077543

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTogg.dll

F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\SCtri.exe

O2 - BHO: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTogg.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTogg.dll

O4 - HKLM..\Run: [avast!] e:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O17 - HKLM\System\CCS\Services\Tcpip..{0AEB4FB1-D55F-45A7-B1EF-B5941711B43A}: NameServer = 89.108.195.20 89.108.195.21

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - e:\Program Files\Alwil Software\Avast4\ashServ.exe

--

End of file - 2661 bytes

What should I do now?


(Gutek) #2

Download the SDFix program

-


(Poodle4) #3

Dr Web - NO VIRUSES FOUND

SDFix report:

SDFix: Version 1.240

Run by Administrator on 2009-02-03 at 09:38

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-03 09:41:20

Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

Remaining Files :

Files with Hidden Attributes :

Finished!


(Kambor4) #4

I don't see anything interesting in all these logs (HJT, SDFix, CF) - clean.

================

K.