Trojan-GameThief.Win32.Magania.cpmm


(Pedrossi) #1

Kaspersky keeps showing me an infection with the above trojan.

HJT log for checking.

Help


(dadag90) #2

Fix these entries in HijackThis:

O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\Dorotka\USTAWI~1\Temp\herss.exe

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O23 - Service: ArcGIS License Manager - Unknown owner - C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe

O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)

Post an OTL log.

In it, set Processes and Modules to All and paste into the lower white Custom Scans/Fixes box:

Click Run Scan.


(Pedrossi) #3

Done, OTL scan


(dadag90) #4

Paste into the Custom Scans/Fixes window:

:Processes
Explorer.exe

:OTL
O32 - AutoRun File - [2009-03-01 13:04:17 | 00,000,000 | ---D | M] - C:\Autodesk -- [NTFS]
O32 - AutoRun File - [2009-12-08 21:24:13 | 00,000,055 | RHS- | M] () - C:\autorun.inf -- [NTFS]
O32 - AutoRun File - [2009-03-01 18:27:09 | 21,474,86452 | ---- | M] () - D:\AutoCAD_Civil3D_2009_Polish_Win_32bit.exe -- [NTFS]
O32 - AutoRun File - [2009-12-08 21:24:13 | 00,000,055 | RHS- | M] () - D:\autorun.inf -- [NTFS]
O33 - MountPoints2\{14b3903f-62ea-11de-9488-001c2659eb62}\Shell\AutoRun\command - "" = F:\y6yol.exe -- File not found
O33 - MountPoints2\{14b3903f-62ea-11de-9488-001c2659eb62}\Shell\open\Command - "" = F:\y6yol.exe -- File not found
O33 - MountPoints2\{1af2f71a-95f9-11de-951a-000e50f7d44b}\Shell - "" = AutoRun
O33 - MountPoints2\{475eeab9-08d2-11de-95e8-001c2659eb62}\Shell\AutoRun\command - "" = hifdmgt.com
O33 - MountPoints2\{475eeab9-08d2-11de-95e8-001c2659eb62}\Shell\open\Command - "" = hifdmgt.com
O33 - MountPoints2\{8af293fd-6c80-11dd-b274-001c2659eb62}\Shell - "" = AutoRun
O33 - MountPoints2\{a599aa8a-b993-11dd-94a5-001c2659eb62}\Shell\AutoRun\command - "" = F:\xmor.exe -- File not found
O33 - MountPoints2\{a599aa8a-b993-11dd-94a5-001c2659eb62}\Shell\open\Command - "" = F:\xmor.exe -- File not found

:Files
C:\autorun.inf
C:\2id9.exe
C:\Documents and Settings\Dorotka\.rnd
C:\acadminidump.dmp
C:\WINDOWS\System32\6C9D066AF7.sys
D:\AutoCAD_Civil3D_2009_Polish_Win_32bit.exe
D:\autorun.inf

:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
@=""

:Commands
[purity]
[emptytemp]
[start explorer]
[reboot]

Post the removal log and a new OTL log.

Remove the unnecessary items from startup. Lista2.

You have an infection on a flash drive or other removable storage:

Flash Disinfector

Install this patch:

click

that should take care of the flash drive problems :wink:
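The O32 and O33 lines in the script above are OTL's view of autorun.inf files sitting in drive roots and of the MountPoints2 keys Explorer keeps for every removable device it has seen; the worm on this machine registered its own executable as the device's AutoRun/open command. The following is an added example, not part of this thread and not OTL's own code: a small triage script that parses such lines and flags the ones that would execute a program (hidden+system autorun.inf, MountPoints2 commands pointing at .exe/.com files, default verb set to AutoRun), so a helper can see at a glance which entries matter before writing a fix. The line formats are assumed from the entries quoted above, and the sample log is constructed from them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: O32/O33 lines in the shape OTL prints, modelled on the thread.
SAMPLE_LOG = r"""
O32 - AutoRun File - [2009-12-08 21:24:13 | 00,000,055 | RHS- | M] () - C:\autorun.inf -- [NTFS]
O32 - AutoRun File - [2009-03-01 13:04:17 | 00,000,000 | ---D | M] - C:\Autodesk -- [NTFS]
O33 - MountPoints2\{14b3903f-62ea-11de-9488-001c2659eb62}\Shell\AutoRun\command - "" = F:\y6yol.exe -- File not found
O33 - MountPoints2\{14b3903f-62ea-11de-9488-001c2659eb62}\Shell\open\Command - "" = F:\y6yol.exe -- File not found
O33 - MountPoints2\{1af2f71a-95f9-11de-951a-000e50f7d44b}\Shell - "" = AutoRun
O33 - MountPoints2\{475eeab9-08d2-11de-95e8-001c2659eb62}\Shell\AutoRun\command - "" = hifdmgt.com
"""

# Line formats assumed from the OTL entries quoted in the thread.
O32_RE = re.compile(
    r"^O32 - AutoRun File - \[(?P<ts>[^|]+?)\s*\|\s*(?P<size>[^|]+?)\s*\|\s*"
    r"(?P<attr>[^|]+?)\s*\|\s*\w\]\s*(?:\(\)\s*)?-\s*(?P<path>.+?)\s*--\s*\[(?P<fs>[^\]]+)\]$"
)
O33_RE = re.compile(
    r"^O33 - MountPoints2\\\{(?P<guid>[0-9a-fA-F-]+)\}\\(?P<subkey>\S+) - "
    r"\"(?P<name>[^\"]*)\" = (?P<value>.+?)(?: -- (?P<status>.+))?$"
)

# Extensions Windows will happily execute from an autorun command.
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs")


@dataclass
class Finding:
    line_type: str   # "O32" or "O33"
    subject: str     # file path (O32) or mount-point GUID (O33)
    reason: str
    severity: str    # "high" or "medium"


def triage_o32(m: "re.Match") -> Optional[Finding]:
    """Flag autorun.inf files in drive roots; hidden+system attributes raise severity."""
    path, attr = m.group("path"), m.group("attr")
    if "D" in attr:                      # directories are never the autorun payload
        return None
    if path.lower().endswith("\\autorun.inf"):
        hidden_system = "H" in attr and "S" in attr
        reason = "autorun.inf in drive root"
        if hidden_system:
            reason += " with hidden+system attributes (typical of worm-planted files)"
        return Finding("O32", path, reason, "high" if hidden_system else "medium")
    return None


def triage_o33(m: "re.Match") -> Optional[Finding]:
    """Flag MountPoints2 entries that would run a program when the device is opened."""
    guid, subkey, value = m.group("guid"), m.group("subkey").lower(), m.group("value")
    status = m.group("status") or ""
    if subkey in ("shell\\autorun\\command", "shell\\open\\command"):
        if value.lower().endswith(EXEC_EXT):
            reason = f"{subkey} runs {value}"
            if "not found" in status.lower():
                reason += " (payload already gone, but the key would run it again)"
            return Finding("O33", guid, reason, "high")
    if subkey == "shell" and value.lower() == "autorun":
        return Finding("O33", guid,
                       "default verb is AutoRun (double-click triggers the autorun command)",
                       "medium")
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse O32/O33 lines from an OTL log and return the suspicious ones."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O32_RE.match(line)
        f = triage_o32(m) if m else None
        if f is None:
            m = O33_RE.match(line)
            f = triage_o33(m) if m else None
        if f is not None:
            findings.append(f)
    return findings


def severity_counts(findings: List[Finding]) -> dict:
    """Return {"high": n, "medium": n} for a quick summary."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line_type} {f.subject}: {f.reason}")
    print(severity_counts(triage(SAMPLE_LOG)))
```

The script only reports; turning a finding into a fix is still a judgment call, which is exactly the point the rest of this thread makes: the same log listed AutoCAD's installer and a legitimate directory next to the worm's entries, and a blind deletion of everything O32 printed is what broke the software.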


(deFco247) #5

dadag90, why are you removing AutoCAD??

Not to mention the driver that comes from DivX...


(dadag90) #6

I don't know why, some kind of blindness.

Regards.


(Pedrossi) #7

What could removing these AC entries cause??


(krzysiekx) #8

AutoCAD may stop working.


(Pedrossi) #9

Then, mate, maybe think it through before you hand out such "good" advice...