irc.backdoor.trojan / trojan-rbot

08.03.07, 22:34
Hello!
Norton Antivirus reports an infection with the virus "irc.backdoor.trojan",
while Spy Sweeper reports "trojan-rbot". Apart from working in "safe mode" the
computer is unusable: it crawls and no program can be started. In safe mode
I scan everything, delete the hits, scan again (supposedly ok), restart,
boot in normal mode, and nothing has changed! It is exactly as if what I do
in safe mode had no effect on the normal operation of the system.
I don't know what else I can do???
Does anyone have any advice?
Thanks in advance.
    • Guest: Kolobos Re: irc.backdoor.trojan / trojan-rbot IP: *.escom.net.pl 09.03.07, 08:22
      Paste a HijackThis log and give the names of the infected files.
    • marapi19 Re: irc.backdoor.trojan / trojan-rbot 09.03.07, 13:15
      Logfile of HijackThis v1.99.1
      Scan saved at 11:54:15, on 2007-03-09
      Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\SYSTEM32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
      C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
      C:\Program Files\Norton AntiVirus\navapsvc.exe
      C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
      C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
      C:\WINDOWS\system32\VTTimer.exe
      C:\Program Files\cFosSpeed\cFosSpeed.exe
      C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
      C:\Program Files\Common Files\Symantec Shared\ccApp.exe
      C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
      C:\Program Files\Gadu-Gadu\gg.exe
      C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
      C:\WINDOWS\SYSTEM32\taskmgr.exe
      C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\DOCUME~1\OEM\USTAWI~1\Temp\Rar$EX18.813\HijackThis.exe
      C:\Program Files\Messenger\msmsgs.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = search.bearshare.com/sidebar.html?src=ssb
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = search.bearshare.com/sidebar.html?src=ssb
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = search.bearshare.com/sidebar.html?src=ssb
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.bearshare.com/pl/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.adax.pl/witamy
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = search.bearshare.com/sidebar.html?src=ssb
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
      O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
      O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
      O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
      O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [cFosSpeed] "C:\Program Files\cFosSpeed\cFosSpeed.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
      O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
      O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
      O4 - HKLM\..\Run: [Advanced WindowsCare] "C:\Program Files\IObit\Advanced WindowsCare V2\Awc.exe" /startup
      O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
      O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
      O4 - HKCU\..\Run: [Komunikator] "C:\Program Files\Tlen.pl\tlen.exe"
      O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
      O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
      O4 - Startup: Skrót do Internet ADSL.lnk = ?
      O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
      O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
      O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
      O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O14 - IERESET.INF: START_PAGE_URL=www.adax.pl/witamy
      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com/fwlink/?linkid=39204
      O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
      O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
      O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
      O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
      O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
      O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
      O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
      O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
      O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

      Norton reports that the infected files are C:\windows\temp\tmp128.tmp

      tmp128.tmp and other numbers, tmp123.tmp etc.

      Will reinstalling Windows get rid of the problem???
      Thanks!
      • Guest: Kolobos Re: irc.backdoor.trojan / trojan-rbot IP: *.escom.net.pl 09.03.07, 13:25
        In HJT remove:
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = search.bearshare.com/sidebar.html?src=ssb
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = search.bearshare.com/sidebar.html?src=ssb
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = search.bearshare.com/sidebar.html?src=ssb
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.bearshare.com/pl/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.adax.pl/witamy
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = search.bearshare.com/sidebar.html?src=ssb

        Use this and clean temp etc.:
        www.atribune.org/content/view/25/2/
        Also scan the system with ewido and:
        www.pandasoftware.com/activescan/pol/activescan_principal.htm
        www.spywareinfo.com/xscan.php
        www.bitdefender.com/scan8/ie.html
        > Will reinstalling Windows get rid of the problem???

        Probably yes, but it's stupid to reinstall the system because of worms.
        Since you installed them once, you'll do it again, and then what? Will you reinstall the system again? ...
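As an added example (not part of the thread and not a HijackThis component), a small Python triage script that parses a log in the HijackThis format posted above and flags the classes of entry Kolobos asked to remove (R0/R1 Internet Explorer settings pointing at an unexpected host), plus the other items a responder would review first: processes or autostart entries running from a Temp directory (where Norton found the tmp*.tmp files), O4 autostart entries whose path cannot be verified, and O23 services whose binary is missing. The sample log is constructed from abbreviated lines of the posted log, and EXPECTED_IE_HOSTS is an assumed allow-list that an administrator would adjust.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in HijackThis v1.99.1 format, abbreviated from the log
# posted in the thread above. Raw string so the backslashes stay as written.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\OEM\USTAWI~1\Temp\Rar$EX18.813\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.bearshare.com/pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.adax.pl/witamy
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: Skrót do Internet ADSL.lnk = ?
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")   # "O23 - ..." lines
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")       # "[Name] command"
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Assumption: hosts an administrator accepts as IE search/start-page defaults.
EXPECTED_IE_HOSTS = ("microsoft.com", "msn.com", "live.com")


def parse_log(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (running processes, {kind: [entry body, ...]}) from a HijackThis log."""
    processes: List[str] = []
    entries: Dict[str, List[str]] = {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.setdefault(m.group("kind"), []).append(m.group("body"))
        elif in_processes:
            processes.append(line)
    return processes, entries


def command_path(cmd: str) -> str:
    """Extract the executable path from an O4 command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(text: str) -> List[Tuple[str, str]]:
    """Flag entries worth a second look. Findings are review items, not verdicts."""
    processes, entries = parse_log(text)
    findings: List[Tuple[str, str]] = []
    for proc in processes:
        if TEMP_DIR_RE.search(proc):
            findings.append(("process-in-temp", proc))
    for kind in ("R0", "R1"):
        for body in entries.get(kind, []):
            key, _, value = body.partition(" = ")
            host = value.strip().split("/")[0].lower()
            if "." not in host:           # not a URL (e.g. a folder name), skip
                continue
            if not any(host == h or host.endswith("." + h) for h in EXPECTED_IE_HOSTS):
                findings.append(("ie-setting-hijacked", f"{key} -> {host}"))
    for body in entries.get("O4", []):
        m = O4_RE.search(body)
        if not m:                         # .lnk startup entries have no [Name] part
            continue
        path = command_path(m.group("cmd"))
        if TEMP_DIR_RE.search(path):
            findings.append(("autostart-in-temp", body))
        elif not ABS_PATH_RE.match(path):
            findings.append(("autostart-unqualified-path", body))
    for body in entries.get("O23", []):
        if "(file missing)" in body:
            findings.append(("service-binary-missing", body.split(" - ")[0]))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run against the sample it reports the three bearshare/adax IE settings, HijackThis itself running from a Temp folder (benign here, since it was started from an archive extraction, but the same check would have caught a tmp*.tmp payload launched from C:\windows\temp), the VTTimer entry whose location the log alone cannot confirm, and the cFosSpeed service with a missing binary; the Łącza folder name is skipped because it is not a URL.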