Backdoory i wirusy.. Format nie pomaga!

Eye16 · 20 Sierpień 2008 08:24

Witam, mam bardzo poważny problem. Mój komputer jest zainfekowan wieloma wirusami i innymi robakami. Próbowałem walczyć z tym sam. Zainstalowałem antywirusa i zone alarm’a. To jednak nic nie pomogło… Spróbowałem formatu , niestety wirusy zostały… Co jakiś czas firwall blokuje ataki hakerskie. To tyle co wiem, proszę o pomoc i radę!

LOG

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:12:57, on 2008-08-20

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20583)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe

C:\PROGRA~1\ARCABIT\ARCAUP~1\update.exe

C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe

C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe

C:\Documents and Settings\Administrator\lsass.exe

C:\WINDOWS\System32\Rundll32.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Gadu-Gadu2\gg.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

E:\VentriloMIX\Ventrilo 2.1.4.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ZONELABS\vsmon.exe

E:\Valve\Steam\Steam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll

O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM…\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”

O4 - HKLM…\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe”

O4 - HKLM…\Run: [AvMenu] C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe

O4 - HKLM…\Run: [ArcaCheck] C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe /startup

O4 - HKLM…\Run: [LSA Shellu] C:\Documents and Settings\Administrator\lsass.exe

O4 - HKLM…\Run: [{08e8c7f8-e3cc-04ee-f876-e8be7ff0b0bd}] C:\WINDOWS\System32\Rundll32.exe “C:\WINDOWS\system32\izwvnhmqljynecqw.dll” DllStart

O4 - HKLM…\Run: [38e489fa] rundll32.exe “C:\WINDOWS\system32\uedjhpjj.dll”,b

O4 - HKLM…\Run: [bM3bd7ba66] Rundll32.exe “C:\WINDOWS\system32\icikbnny.dll”,s

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu2\gg.exe” /tray

O4 - HKCU…\Run: [DAEMON Tools Lite] “C:\Program Files\DAEMON Tools Lite\daemon.exe” -autorun

O4 - HKCU…\Run: [ares] “C:\Program Files\Ares\Ares.exe” -h

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-19…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-20…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS\S-1-5-18…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User ‘SYSTEM’)

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)

O4 - HKUS.DEFAULT…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User ‘Default user’)

O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm

O9 - Extra button: ArcaVir >> - {40525A66-DB98-480D-BCF9-7AF88C1AF438} - C:\Program Files\ArcaBit\WebExtensions\ie\ArcaIEExt.dll

O9 - Extra ‘Tools’ menuitem: ArcaVir >> - {40525A66-DB98-480D-BCF9-7AF88C1AF438} - C:\Program Files\ArcaBit\WebExtensions\ie\ArcaIEExt.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: ArcaBit FileMonitor (ABFileMon) - ArcaBit - C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe

O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit - C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe

O23 - Service: ArcaBit.Core.Configurator - ArcaBit - C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe

O23 - Service: ArcaBit.Core.LoggingService - ArcaBit - C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe

O23 - Service: ArcaBit.TaskScheduler - ArcaBit - C:\Program Files\ArcaBit\Common\TaskScheduler.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: ArcaBit Update Service (AVUpdate) - ArcaBit - C:\PROGRA~1\ARCABIT\ARCAUP~1\update.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UHJ5d2F0bnk\command.exe (file missing)

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

–

End of file - 6332 bytes

huber2t · 20 Sierpień 2008 08:29

fix w hijackthis

O4 - HKLM…\Run: [LSA Shellu] C:\Documents and Settings\Administrator\lsass.exe O4 - HKLM…\Run: [{08e8c7f8-e3cc-04ee-f876-e8be7ff0b0bd}] C:\WINDOWS\System32\Rundll32.exe “C:\WINDOWS\system32\izwvnhmqljynecqw.dll” DllStart O4 - HKLM…\Run: [38e489fa] rundll32.exe “C:\WINDOWS\system32\uedjhpjj.dll”,b O4 - HKLM…\Run: [bM3bd7ba66] Rundll32.exe “C:\WINDOWS\system32\icikbnny.dll”,s Pobierz ComboFix, ale nie uruchamiaj Otwórz notatnik i wklej do niego: File:: C:\Documents and Settings\Administrator\lsass.exe C:\WINDOWS\system32\izwvnhmqljynecqw.dll C:\WINDOWS\system32\uedjhpjj.dll C:\WINDOWS\system32\icikbnny.dll Driver:: Network Monitor cmdService Plik -> zapisz jako -> CFScript.txt. Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu-> Rozpocznie się usuwanie i powstanie log, który dasz na forum. Logi dajesz na http://wklejto.pl lub na http://wklej.org a w poście dajesz tylko link