marcinp91
(Marcinp 91)
22 July 2007 18:31
#1
here is the HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 20:26:46, on 2007-07-22
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Kalendarz XP\Kalendarz.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Documents and Settings\ADRIAN\Moje dokumenty\MOJE\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NeroScoutOptions.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Prime95 Service - Unknown owner - C:\Program Files\Prime95\prime95.exe (file missing)
please reply quickly
thanks in advance
Kuba11
(Kuba1)
22 July 2007 18:54
#2
Generally this file used to come from Jeefo, which infects all exe files...
and now the question is whether this is Jeefo or something else?
So scan this file at http://www.virustotal.com and paste the report.
Pay attention to the location: you are to scan the file from C:\WINDOWS\ and not from C:\WINDOWS\system32\
It is definitely junk, but out of curiosity I want to find out whether it is Jeefo.
In HijackThis, fix these entries:
C:\WINDOWS\svchost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
Delete the folder marked in red from the disk (the file C:\WINDOWS\svchost.exe will be removed automatically by ComboFix, so don't touch it).
Then post logs from ComboFix, HijackThis and Silent Runners.
Give the location where Avast detects the viruses.
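The location check Kuba describes (svchost.exe belongs in C:\WINDOWS\system32\, not in C:\WINDOWS\) can be applied mechanically to the log. The following is an added example, not a tool from this thread: it reads the "Running processes" section of a HijackThis log and flags system binary names that run from a directory other than the one Windows XP installs them in. The expected-location table is an assumption made for the example, and the sample log is a trimmed excerpt of the one posted above.

```python
import ntpath
import re

# Directory, relative to the Windows directory, where Windows XP keeps each of
# these binaries (assumed table for this example). explorer.exe really lives in
# the Windows root, so C:\WINDOWS\svchost.exe stands out while explorer.exe does not.
EXPECTED_SUBDIR = {
    "smss.exe": "system32",
    "winlogon.exe": "system32",
    "svchost.exe": "system32",
    "explorer.exe": "",
}

# Trimmed excerpt of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\explorer.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
"""


def running_processes(hjt_log):
    """Return the paths listed under 'Running processes:' in a HijackThis log."""
    paths, in_section = [], False
    for line in map(str.strip, hjt_log.splitlines()):
        if line.lower() == "running processes:":
            in_section = True
        elif in_section:
            if not re.match(r"^[A-Za-z]:\\", line):
                break  # a blank line or the first R0/R1/O2... entry ends the list
            paths.append(line)
    return paths


def misplaced_system_binaries(hjt_log, windir=r"C:\WINDOWS"):
    """Paths whose file name is a known system binary but whose directory is not the expected one."""
    hits = []
    for path in running_processes(hjt_log):
        directory, name = ntpath.split(path)
        sub = EXPECTED_SUBDIR.get(name.lower())
        if sub is None:
            continue  # not a name we have an expectation for
        expected = ntpath.join(windir, sub) if sub else windir
        # NTFS paths are case-insensitive, so compare lower-cased.
        if directory.lower().rstrip("\\") != expected.lower().rstrip("\\"):
            hits.append(path)
    return hits
```

Run against the full log above, the only hit is C:\WINDOWS\svchost.exe, the entry Kuba singles out; the legitimate system32 copies and C:\WINDOWS\explorer.exe pass.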
marcinp91
(Marcinp 91)
22 July 2007 21:24
#3
I'll start by saying that at http://www.virustotal.com I could not find the file C:\windows\svchost
next, I cannot find C:\windows\svchost in the log to fix it
here is the log from ComboFix:
"ADRIAN" - 2007-07-22 21:26:30 - ComboFix 07-07-14.6 - Dodatek Service Pack 2 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\ADRIAN\Pulpit.\internet explorer.lnk
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32_000009_.tmp.dll

((((((((((((((((((((((((( Files Created from 2007-06-22 to 2007-07-22 )))))))))))))))))))))))))))))))

2007-07-22 21:26 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-22 20:56
2007-07-22 20:56
2007-07-22 20:16 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-07-22 20:16 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-22 20:16 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-22 20:16 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-22 20:16 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-22 20:16 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-22 20:16 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-22 20:15
2007-07-22 19:30
2007-07-22 19:29
2007-07-22 19:24
2007-07-22 18:49
2007-07-22 18:29
2007-07-04 21:23

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-22 18:21:03 -------- d-----w C:\Program Files\Common Files\Onet.pl
2007-07-22 18:09:17 -------- d-----w C:\Program Files\Google
2007-07-22 17:13:07 -------- d-----w C:\Program Files\Common Files\Ahead
2007-07-22 16:48:37 -------- d-----w C:\Program Files\Elaborate Bytes
2007-07-22 14:59:46 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-22 14:32:57 -------- d-----w C:\Program Files\Kalendarz XP
2007-07-22 07:16:15 -------- d-----w C:\Program Files\Lx_cats
2007-07-08 09:00:18 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-07 16:09:55 -------- d-----w C:\DOCUME~1\ADRIAN\DANEAP~1\BearShare
2007-07-01 13:55:43 -------- d-----w C:\Program Files\BearShare
2007-06-16 08:54:09 -------- d-----w C:\Program Files\BearShare applications
2007-05-20 06:46:31 1,277 ----a-w C:\WINDOWS\mozver.dat
2007-05-19 20:08:25 86,016 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2007-05-16 15:18:58 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-28 06:30:50 0 ----a-w C:\WINDOWS\nsreg.dat
2007-04-25 14:23:30 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-01-25 11:53:22 18,224 ----a-w C:\DOCUME~1\ADRIAN\DANEAP~1\GDIPFONTCACHEV1.DAT

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-23 00:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{9CB65201-89C4-402c-BA80-02D8C59F9B1D}]
2007-07-22 18:29 57344 --a------ C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 18:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-04-13 08:21 C:\WINDOWS\RTHDCPL.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 22:05]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 18:05]
"lxcemon.exe"="C:\Program Files\Lexmark 4300 Series\lxcemon.exe" [2005-08-02 19:47]
"EzPrint"="C:\Program Files\Lexmark 4300 Series\ezprint.exe" [2005-07-26 14:17]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-21 19:38]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2007-05-15 13:58]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 17:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-07-22 20:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"NeroHomeFirstStart"=C:\Program Files\Common Files\Ahead\Lib\NeroScoutOptions.exe

[HKEY_USERS.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{e9db47df-ba87-11db-8cfc-00132082d0fd}]
Auto\command- sxs.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

*Newly Created Service* - POWERMANAGER

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-22 21:27:22
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-22 21:27:53
C:\ComboFix-quarantined-files.txt ... 2007-07-22 21:27
--- E O F ---
I could not find Silent Runners to download :/
here is the HijackThis log after these steps:
Quote:
Avast was detecting C:\windows\svchost
marcinp91
(Marcinp 91)
23 July 2007 06:54
#5
sorry for the trouble, it is in fact the Jeefo virus, because Avast was finding it in all *.exe files. The owner of the computer (a friend I was helping) decided to format the disk. I apologise for the inconvenience.
Thread can be closed