Kaspersky keeps reporting an infection with the above-mentioned trojan.
HijackThis log for checking.
Help
Fix these entries in HijackThis:
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\Dorotka\USTAWI~1\Temp\herss.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O23 - Service: ArcGIS License Manager - Unknown owner - C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
Post an OTL log.
In it, switch Processes and Modules to All and paste into the lower white Custom Scans/Fixes box:
Click Run Scan.
Paste into the Custom Scans/Fixes window:
:Processes
Explorer.exe
:OTL
O32 - AutoRun File - [2009-03-01 13:04:17 | 00,000,000 | ---D | M] - C:\Autodesk -- [NTFS]
O32 - AutoRun File - [2009-12-08 21:24:13 | 00,000,055 | RHS- | M] () - C:\autorun.inf -- [NTFS]
O32 - AutoRun File - [2009-03-01 18:27:09 | 21,474,86452 | ---- | M] () - D:\AutoCAD_Civil3D_2009_Polish_Win_32bit.exe -- [NTFS]
O32 - AutoRun File - [2009-12-08 21:24:13 | 00,000,055 | RHS- | M] () - D:\autorun.inf -- [NTFS]
O33 - MountPoints2\{14b3903f-62ea-11de-9488-001c2659eb62}\Shell\AutoRun\command - "" = F:\y6yol.exe -- File not found
O33 - MountPoints2\{14b3903f-62ea-11de-9488-001c2659eb62}\Shell\open\Command - "" = F:\y6yol.exe -- File not found
O33 - MountPoints2\{1af2f71a-95f9-11de-951a-000e50f7d44b}\Shell - "" = AutoRun
O33 - MountPoints2\{475eeab9-08d2-11de-95e8-001c2659eb62}\Shell\AutoRun\command - "" = hifdmgt.com
O33 - MountPoints2\{475eeab9-08d2-11de-95e8-001c2659eb62}\Shell\open\Command - "" = hifdmgt.com
O33 - MountPoints2\{8af293fd-6c80-11dd-b274-001c2659eb62}\Shell - "" = AutoRun
O33 - MountPoints2\{a599aa8a-b993-11dd-94a5-001c2659eb62}\Shell\AutoRun\command - "" = F:\xmor.exe -- File not found
O33 - MountPoints2\{a599aa8a-b993-11dd-94a5-001c2659eb62}\Shell\open\Command - "" = F:\xmor.exe -- File not found
:Files
C:\autorun.inf
C:\2id9.exe
C:\Documents and Settings\Dorotka\.rnd
C:\acadminidump.dmp
C:\WINDOWS\System32\6C9D066AF7.sys
D:\AutoCAD_Civil3D_2009_Polish_Win_32bit.exe
D:\autorun.inf
:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
@=""
:Commands
[purity]
[emptytemp]
[start explorer]
[reboot]
Post the removal log and a new OTL one.
Remove the junk from autostart. Lista2.
You have an infection on a pendrive or other removable storage:
Install this fix:
that should take care of the pendrive problems
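As an added illustration (not part of this thread and not OTL's own code): a small Python parser that reads O32/O33 lines of the kind quoted above and flags the USB-autorun persistence they reveal, namely a hidden, system, read-only autorun.inf and MountPoints2 shell commands that point at an executable on a removable drive. The sample lines, the regexes and the finding names are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample built from the kinds of O32/O33 lines quoted in the thread.
SAMPLE_LOG = r"""
O32 - AutoRun File - [2009-03-01 13:04:17 | 00,000,000 | ---D | M] - C:\Autodesk -- [NTFS]
O32 - AutoRun File - [2009-12-08 21:24:13 | 00,000,055 | RHS- | M] () - C:\autorun.inf -- [NTFS]
O33 - MountPoints2\{14b3903f-62ea-11de-9488-001c2659eb62}\Shell\AutoRun\command - "" = F:\y6yol.exe -- File not found
O33 - MountPoints2\{1af2f71a-95f9-11de-951a-000e50f7d44b}\Shell - "" = AutoRun
O33 - MountPoints2\{475eeab9-08d2-11de-95e8-001c2659eb62}\Shell\open\Command - "" = hifdmgt.com
"""

# O33: MountPoints2\{volume GUID}\<subkey> - "" = <value> [-- File not found]
O33_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[0-9a-fA-F-]+)\}\\(?P<subkey>\S+) - "" = '
    r'(?P<value>.*?)(?: -- (?P<status>.+))?$')
# O32: [mtime | size | attrs | M] [()] - <path> -- [filesystem]
O32_RE = re.compile(
    r'^O32 - AutoRun File - \[(?P<mtime>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4})'
    r' \| [A-Z]\] (?:\(\) )?- (?P<path>.+?) -- \[(?P<fs>\w+)\]$')

EXEC_EXT = ('.exe', '.com', '.bat', '.cmd', '.scr', '.pif', '.vbs')


def analyse_otl(log: str) -> List[Dict[str, str]]:
    """Return one finding per line that shows autorun-style persistence."""
    findings: List[Dict[str, str]] = []
    for line in log.splitlines():
        m = O33_RE.match(line)
        if m:
            subkey, value = m['subkey'].lower(), m['value'].strip()
            if subkey.endswith('\\command') and value.lower().endswith(EXEC_EXT):
                # Shell verb wired to a binary; "File not found" means the payload is gone
                # but the registry persistence is still there and should be cleaned.
                findings.append({'kind': 'mountpoints2_command', 'guid': m['guid'],
                                 'target': value,
                                 'note': 'stale (file missing)' if m['status'] else 'live target'})
            elif subkey == 'shell' and value.lower() == 'autorun':
                findings.append({'kind': 'mountpoints2_default_autorun', 'guid': m['guid'],
                                 'target': value, 'note': 'default verb forced to AutoRun'})
            continue
        m = O32_RE.match(line)
        if m and m['path'].lower().endswith('\\autorun.inf'):
            attrs = m['attrs']
            hidden = all(c in attrs for c in 'RHS')  # read-only + hidden + system
            findings.append({'kind': 'autorun_inf', 'guid': '', 'target': m['path'],
                             'note': 'hidden+system+readonly' if hidden else 'attrs ' + attrs})
    return findings
```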
dadag90, why are you deleting AutoCAD??
Not to mention the driver that comes from DivX…
No idea why, some kind of blind spot.
Regards.
What can removing these AutoCAD entries cause??
AutoCAD may not work.
Then, buddy, maybe think before you hand out such “good” advice…