Upierdliwy trojan

niff · 30 Marzec 2008 13:34

witam. podczas przeglądania stron wyskoczył mi alert avasta o trojanie. próbowałem usunąć konia ale nie dało rady. po otearciu explorera wyświetla mi się nowy pasek narzędzi “security toolbar 7.1” i cały czas słychać klikanie. oto moje logi z hijackthis:

http://wklej.org/id/f0709f0712

prosze o pomoc!!

Monczkin · 30 Marzec 2008 13:36

Nazwij temat konkretnie, inaczej temat wyleci. Poczytaj zasady pisania na forum oraz regulamin.

huber2t · 30 Marzec 2008 13:52

fix w hijackthis

O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL O3 - Toolbar: Internet Service - {DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40} - C:\Program Files\NetProject\wamdl.dll O4 - HKLM…\Run: [VTTimer] VTTimer.exe O4 - HKLM…\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe O4 - HKLM…\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing) O9 - Extra ‘Tools’ menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing) O22 - SharedTaskScheduler: enviva - {f43bfc6c-47cc-4798-8798-a0721b8ed7ab} - C:\WINDOWS\system32\baoohy.dll

Gutek · 30 Marzec 2008 16:08

Daj log z ComboFix

niff · 30 Marzec 2008 19:09

Teraz już chyba pousuwał się ten trojan, ale co chwile wywala chmurkę z errorem: “System perfomance monitor: Warning” generalnie błąd mówi o tym, że zwolnuł system i zwolnił internet, a jak plikam na ikonke w trayu to przenosi mnie do strony jakiegoś oprogramowania antywirusowego, żeby było śmieszniej to jest to to samo oprogramownie które pojawiało się do tej pory. ;/

DODANO:

Jeszcze zapomniałem dodać że w ustawieniach firewoll’a jest napisane że brakkuje oprogramowania antywirusowego, a od początku mam Avasta.

huber2t · 30 Marzec 2008 19:14

Daj log z Combofix

niff · 30 Marzec 2008 19:27

ComboFix 08-03-30.2 - User 2008-03-30 21:20:14.3 - NTFSx86

Leon1 · 30 Marzec 2008 19:47

Wyłącz przywracanie systemu na wszystkich dyskach.http://support.microsoft.com/kb/310405/pl

Wylecz pendriva lub kartę pamięci http://www.softpedia.com/get/Security/Security-Related/PRT-Perlovga-Removal-Tool.shtml lub format

Otwórz notatnik i wklej

File:: C:\WINDOWS\system32\baoohy.dll Folder:: C:\WINDOWS\system32\375013 C:\Program Files\NetProject Driver:: DLPortIO jgameenp Registry:: [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{7C109800-A5D5-438F-9640-18D17E168B88}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] “{DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40}”=- [-HKEY_CLASSES_ROOT\clsid{db9fba9d-ab1b-4cc6-9745-f3b549d64e40}] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run] “some”=- “start”=- [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Compete Toolbar] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Compete Toolbar Update] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Consumer Input Toolbar] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Consumer Input Toolbar Update] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

zapisz jako CFScript.txt (zapisz by ikonka CFScript.txt była obok ikonki ComboFix.exe) >> Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe

http://img.wklej.org/images/88953CFScri … iemoes.gif

Powinno rozpocząć się usuwanie

Potem log z usuwania Combofix

niff · 30 Marzec 2008 20:00

ComboFix 08-03-30.2 - User 2008-03-30 21:52:47.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.143 [GMT 2:00] Running from: C:\Documents and Settings\User\Pulpit\ComboFix.exe Command switches used :: C:\Documents and Settings\User\Pulpit\CFScript.txt WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED FILE :: C:\WINDOWS\system32\baoohy.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Program Files\NetProject C:\Program Files\NetProject\ot.ico C:\Program Files\NetProject\sbmdl.dll C:\Program Files\NetProject\sbmntr.exe C:\Program Files\NetProject\sbsm.exe C:\Program Files\NetProject\scit.exe C:\Program Files\NetProject\scm.exe C:\Program Files\NetProject\ts.ico C:\Program Files\NetProject\wamdl.dll C:\Program Files\NetProject\waun.exe C:\WINDOWS\system32\375013 C:\WINDOWS\system32\baoohy.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_DLPORTIO -------\Legacy_JGAMEENP -------\Service_DLPortIO -------\Service_jgameenp ((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 ))))))))))))))))))))))))))))))) . 2008-03-04 18:03 . 2008-03-04 18:03 2008-03-04 18:03 . 2008-03-04 18:03 2008-03-04 18:02 . 2008-03-04 18:02 2008-02-24 20:52 . 2008-03-21 18:39 171 --a------ C:\WINDOWS\wcx_ftp.ini . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-30 19:55 --------- d-----w C:\Program Files\Neostrada TP 2008-03-13 22:19 --------- d–h--w C:\Program Files\InstallShield Installation Information 2008-02-24 23:00 --------- d-----w C:\Documents and Settings\User\Dane aplikacji\Skype 2008-02-18 21:15 --------- d-----w C:\Documents and Settings\User\Dane aplikacji\Apple Computer 2008-01-03 18:29 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr 2005-05-15 19:13 8 --sh–r C:\WINDOWS\system32\138CD8189D.sys 2005-05-15 19:31 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ------- Sigcheck ------- 2005-05-25 21:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS$hf_mig$\KB893066\SP2QFE\tcpip.sys 2006-01-13 19:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS$hf_mig$\KB913446\SP2QFE\tcpip.sys 2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS$hf_mig$\KB917953\SP2QFE\tcpip.sys 2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS$NtUninstallKB893066$\tcpip.sys 2005-05-25 21:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS$NtUninstallKB913446$\tcpip.sys 2006-01-13 04:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS$NtUninstallKB917953$\tcpip.sys 2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\system32\dllcache\tcpip.sys 2006-04-20 13:51 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\system32\drivers\tcpip.sys . ((((((((((((((((((((((((((((( snapshot@2008-03-30_21.18.50.39 ))))))))))))))))))))))))))))))))))))))))) . + 2000-08-31 06:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE + 2008-03-30 19:55:21 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_580.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SoundMan”=“SOUNDMAN.EXE” [2004-11-15 12:20 77824 C:\WINDOWS\SOUNDMAN.EXE] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe” [2005-08-26 18:14 36975] “WooCnxMon”=“C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [2003-10-16 19:07 24576] “SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 12:38 866816] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2003-10-16 19:07 20480] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 15:00 79224] “MSConfig”=“C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe” [2004-08-04 01:44 159744] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 01:44 15360] C:\Documents and Settings\User\Menu Start\Programy\Autostart\ Neostrada TP.lnk - C:\Program Files\Neostrada TP\NeostradaTP.exe [2006-01-19 21:43:47 626688] [HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Kodak EasyShare software.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Kodak EasyShare software.lnk backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup [HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Kodak software updater.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Kodak software updater.lnk backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup [HKLM~\startupfolder\C:^Documents and Settings^User^Menu Start^Programy^Autostart^Girder3.lnk] path=C:\Documents and Settings\User\Menu Start\Programy\Autostart\Girder3.lnk backup=C:\WINDOWS\pss\Girder3.lnkStartup [HKLM~\startupfolder\C:^Documents and Settings^User^Menu Start^Programy^Autostart^Ubisoft register.lnk] path=C:\Documents and Settings\User\Menu Start\Programy\Autostart\Ubisoft register.lnk backup=C:\WINDOWS\pss\Ubisoft register.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount] --a------ 2007-07-02 12:27 219520 D:\Alcohol 120\axcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare] --a------ 2006-08-01 17:04 3313664 C:\Program Files\BearShare\BearShare.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] --a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-01-15 04:22 267048 D:\qt\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication] --a------ 2005-12-13 09:49 217088 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync] --a------ 2005-11-30 17:56 1306624 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] --a------ 2006-07-21 13:06 20036648 C:\Program Files\Skype\Phone\Skype.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2007-01-07 19:59 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] “AntiVirusDisableNotify”=dword:00000001 “UpdatesDisableNotify”=dword:00000001 [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] “%windir%\system32\sessmgr.exe”= “D:\media\eMule\emule.exe”= “C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe”= “D:\media\Kazaa Lite K++\KazaaLite.kpp”= “D:\Win Program Files\WinVnc\winvnc.exe”= “C:\Program Files\Java\jre1.5.0_05\bin\javaw.exe”= “D:\Q3\quake3.exe”= “C:\Program Files\The All-Seeing Eye\eye.exe”= “D:\Gadu-Gadu\gg.exe”= “C:\Program Files\FlashGet\flashget.exe”= “C:\Program Files\BearShare\BearShare.exe”= “D:\stalker\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe”= “D:\stalker\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe”= “C:\Program Files\Bonjour\mDNSResponder.exe”= “D:\qt\iTunes.exe”= “C:\totalcmd\TOTALCMD.EXE”= “C:\Program Files\Skype\Phone\Skype.exe”= R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys [2003-06-12 20:31] R1 UserPort;UserPort;C:\WINDOWS\system32\Drivers\UserPort.sys [2000-11-28 22:47] R2 io.sys;IO.DLL Driver;C:\WINDOWS\system32\drivers\io.sys [2007-02-04 13:06] R2 port_nt;port_nt;C:\WINDOWS\system32\Drivers\port_nt.sys [2001-11-08 18:02] S3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);C:\WINDOWS\system32\drivers\ES1370MP.sys [2001-08-17 20:19] S3 SF-620;Kingsun SF-620 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\SF-620.sys [2004-08-12 04:18] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{E4066320-E4AE-11CF-B1B0-00AA00BBAD66}] rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\fpxpress.inf,PerUserstub . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-30 21:55:38 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\brss01a.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\crypserv.exe C:\WINDOWS\system32\drivers\KodakCCS.exe D:\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\UAService7.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe . ************************************************************************** . Completion time: 2008-03-30 21:57:00 - machine was rebooted ComboFix-quarantined-files.txt 2008-03-30 19:56:51 ComboFix2.txt 2008-03-30 19:21:37 Pre-Run: 947,384,320 bajtów wolnych Post-Run: 824,688,640 bajt˘w wolnych Teraz tak…

Leon1 · 31 Marzec 2008 14:33

W logu już nic nie widzę

usuń ręcznie folder C: \Qoobox

usuń instalkę Combofix z dysku.

przeskanuj tym http://www.kaspersky.pl/virusscanner.html

jeśli coś znajdzie pokaż raport

jeśli nic nie znajdzie włącz przywracanie systemu

Gutek · 31 Marzec 2008 19:05

Zmiana zasad wklejania logów na forum - viewtopic.php?f=16&t=213350