x-awier
(x-awier)
13 Grudzień 2006 14:06
#1
Witam,
Avast wykrył mi wirusa, ale nie wiem czy go unieszkodliwił, a w dodatku na IRC’u pokazało mi się takie coś You have been kicked from #bali by Shearer ([exp\ma] You are infected with an IRC trojan/virus. [xt©])
Logfile of HijackThis v1.99.1 Scan saved at 15:10:14, on 2006-12-13 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe D:\Program Files\avast\aswUpdSv.exe D:\Program Files\avast\ashServ.exe C:\WINDOWS\system32\oodag.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\UAService7.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\WgaTray.exe C:\WINDOWS\htpatch.exe D:\PROGRA~1\avast\ashDisp.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe D:\PROGRA~1\AQQ\AQQ.exe F:\Foobar\FOOBAR\foobar\foobar2000\foobar2000.exe D:\Program Files\Mozilla Firefox\firefox.exe D:\Program Files\Opera\Opera.exe C:\DOCUME~1\Radek\USTAWI~1\Temp\Rar$EX28.953\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM…\Run: [HTpatch] C:\WINDOWS\htpatch.exe O4 - HKLM…\Run: [AtiPTA] atiptaxx.exe O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [avast!] D:\PROGRA~1\avast\ashDisp.exe O4 - HKLM…\Run: [unlockerAssistant] “C:\Program Files\Unlocker\UnlockerAssistant.exe” O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot O4 - HKCU…\Run: [AQQ] D:\PROGRA~1\AQQ\AQQ.exe O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET \Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\avast\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\avast\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - (no file) O23 - Service: avast! Web Scanner - Unknown owner - (no file) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
Joan
(Joan Sunshine)
13 Grudzień 2006 14:14
#2
Pierwsza czynność to reinstalacja antywira, bo z tego co widzę nie ma niektórych plików.
Ten log jest czysty, daj Silenta.
W jakim pliku wykrywa tego wirusa?
x-awier
(x-awier)
13 Grudzień 2006 14:16
#3
A ja tam pamiętam
Nie wiem.
Avast’a już za chwile reinstallne
Ale muszę czekać aż zupa mi się plik :shock:
adam9870
(adam9870)
13 Grudzień 2006 14:21
#4
x-awier:
A ja tam pamiętam
W takim razie po przeinstalowaniu avasta proszę przeskanować nim system albo http://www.ewido.net/en/ i pokazać raport.
Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.
x-awier
(x-awier)
13 Grudzień 2006 16:06
#5
“Silent Runners.vbs”, revision 43, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “AQQ” = “D:\PROGRA~1\AQQ\AQQ.exe” [“AQQ Sp. z o.o.”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “HTpatch” = “C:\WINDOWS\htpatch.exe” [null data] “AtiPTA” = “atiptaxx.exe” [“ATI Technologies, Inc.”] “Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS] “avast!” = “D:\PROGRA~1\avast\ashDisp.exe” [null data] “UnlockerAssistant” = ““C:\Program Files\Unlocker\UnlockerAssistant.exe”” [file not found] “TkBellExe” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”] HKLM\Software\Microsoft\Active Setup\Installed Components\ >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}(Default) = “Outlook Express” \StubPath = “C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = “SSVHelper Class” [from CLSID] -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {CLSID}\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{35786D3C-B075-49b9-88DD-029876E11C01}” = “Portable Devices” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\wpdshext.dll” [MS] “{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8}” = “Portable Devices Menu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\wpdshext.dll” [MS] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {CLSID}\InProcServer32(Default) = “D:\Program Files\avast\ashShell.dll” [“ALWIL Software”] “{611AD258-4138-4348-A534-9856FA6BA398}” = “IconPackager Icon Handler” -> {CLSID}\InProcServer32(Default) = “D:\Program Files\Stardock\Object Desktop\IconPackager\shellext.dll” [“Stardock.net , Inc”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{54D9498B-CF93-414F-8984-8CE7FDE0D391}” = “ewido shell guard” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\ewido anti-malware\shellhook.dll” ["TODO: "] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS] HKLM\System\CurrentControlSet\Control\Session Manager\ INFECTION WARNING! “BootExecute” = “autocheck autochk * OODBS” [file not found], [MS], [file not found], [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] INFECTION WARNING! WgaLogon\DLLName = “WgaLogon.dll” [MS] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {CLSID}\InProcServer32(Default) = “D:\Program Files\avast\ashShell.dll” [“ALWIL Software”] ewido(Default) = “{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\ewido anti-malware\context.dll” [“ewido networks”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido(Default) = “{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\ewido anti-malware\context.dll” [“ewido networks”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {CLSID}\InProcServer32(Default) = “D:\Program Files\avast\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Radek\Dane aplikacji\Opera\Opera\profile\skin\00251_vancouveratnight_1024x768.bmp” Enabled Scheduled Tasks: ------------------------ “1-Click Maintenance” -> launches: “D:\Program Files\tu\SystemOptimizer.exe /schedulestart” [file not found] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Miscellaneous IE Hijack Points ------------------------------ HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ Missing lines (compared with English-language version): HIJACK WARNING! “TuneUp” = “file://C|/Documents and Settings/All Users/Dane aplikacji/TuneUp Software/Common/base.css” [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] avast! Antivirus, avast! Antivirus, ““D:\Program Files\avast\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““D:\Program Files\avast\aswUpdSv.exe”” [null data] ewido security suite control, ewido security suite control, “C:\Program Files\ewido anti-malware\ewidoctrl.exe” [“ewido networks”] ewido security suite guard, ewido security suite guard, “C:\Program Files\ewido anti-malware\ewidoguard.exe” [“ewido networks”] SecuROM User Access Service (V7), UserAccess7, “C:\WINDOWS\system32\UAService7.exe” [“Sony DADC Austria AG.”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 750 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 253 seconds. ---------- (total run time: 1676 seconds)
Ewido nic nie znalazło (skanowałem tylko momory).
Co do worms doors cleaner’a to już go używałem
adam9870
(adam9870)
13 Grudzień 2006 16:09
#6
Proszę otworzyć Notatnik i wkleić w nim to:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager] “BootExecute”=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\ 00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00
Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG i uruchom go w trybie awaryjnym.
x-awier
(x-awier)
14 Grudzień 2006 11:11
#7
adam9870 dodałem to do rejestru w awaryjnym, ale nadal nie wiem w jakim celu :roll:
Joan
(Joan Sunshine)
14 Grudzień 2006 11:46
#8
Uataliłeś wartość “BootExecute” na domyślną. Zrób full skan Ewido