iexplorer error, plus a virus that keeps coming back - Worm.Graz


(Kantys) #1

Hello,

the problem with the IE application has started showing up again, i.e. over the past two days errors occurred several times and the application closed. Please check the logs and advise :slight_smile: thank you :smiley: On top of that, for quite a while now Ewido keeps detecting Worm.Graz, even though it was removed... what should I do?


(Gutek) #2

Post a ComboFix log


(Kantys) #3

ComboFix 07-05.27.V - Running from: "D:\Documents and Settings\Kasia\Pulpit\ważne narzędzia\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

"D:\WINDOWS\system32\1_exception.nls"

Infected copy of D:\WINDOWS\system32\winlogon.exe was found & disinfected

Restored copy from - "D:\WINDOWS\system32\dllcache\winlogon.exe"

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_EXAMPLE

-------\LEGACY_NDNET1

-------\LEGACY_RUNTIME

-------\EXAMPLE

-------\NDnet1

-------\Runtime

((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))

2007-05-26 09:56

2007-05-11 21:46

2007-05-11 12:11

2007-05-10 21:11

2007-05-10 20:08

2007-05-10 19:35

2007-05-10 10:52

2007-05-06 19:05 73,728 --a------ D:\WINDOWS\system32\pv.exe

2007-05-06 19:05 39,184 --a------ D:\WINDOWS\system32\Ntrights.exe

2007-05-06 19:05 175,616 --a------ D:\WINDOWS\system32\strings.exe

2007-05-06 19:05 16,384 --a------ D:\WINDOWS\system32\restart.exe

2007-05-06 19:05 126,976 --a------ D:\WINDOWS\system32\zip.exe

2007-05-06 19:05 11,254 --a------ D:\WINDOWS\system32\locate.com

2007-05-05 19:39 76,560 --a------ D:\WINDOWS\system32\drivers\tmcomm.sys

2007-05-05 19:39

2007-05-05 09:53 25,992 --a------ D:\WINDOWS\system32\pgdfgsvc.exe

2007-05-04 23:39

2007-05-04 22:02

2007-05-04 16:41

2007-05-02 21:30

2007-05-02 16:11 46,892 --a------ D:\WINDOWS\system32\adadix16.dll

2007-05-02 16:11 46,167 --a------ D:\WINDOWS\system32\drivers\adildr.sys

2007-05-02 16:11 4,981 --a------ D:\WINDOWS\system32\adadix2k.dll

2007-05-02 16:11 22,395 --a------ D:\WINDOWS\system32\drivers\fpga.bin

2007-05-02 16:11 155,648 --a------ D:\WINDOWS\system32\adadix32.dll

2007-05-02 16:11 143,360 --a------ D:\WINDOWS\autoclk.exe

2007-05-02 16:11 135,168 --a------ D:\WINDOWS\system32\unaddrv.exe

2007-05-02 16:11 127,497 --a------ D:\WINDOWS\system32\drivers\adiusbaw.sys

2007-05-02 16:11 127,456 --a------ D:\WINDOWS\system32\ipdetect.exe

2007-05-02 16:11 126,976 --a------ D:\WINDOWS\system32\coclassfast.dll

2007-05-02 16:11

2007-05-02 15:35

2007-05-02 15:35

2007-05-02 13:23

2007-05-02 12:59 3,145,728 --a------ D:\Documents and Settings\Kasia\ntuser.dat

2007-05-02 12:59 3,145,728 --a------ D:\DOCUME~1\Kasia\ntuser.dat

2007-05-01 17:45

2007-05-01 11:52

2007-05-01 11:46

2007-05-01 11:46

2007-05-01 11:45

2007-05-01 11:43

2007-05-01 11:43

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-26 07:58:36 12,400 ----a-w D:\WINDOWS\system32\drivers\secdrv.sys

2007-04-27 20:39:52 26,622 ----a-w D:\WINDOWS\system32\lr86.exe

2007-04-16 14:58:40 0 ----a-w D:\WINDOWS\system32\CMMGR32.EXE

2007-04-14 17:02:50 726,920 ----a-w D:\Program Files\WindowsXP-KB935448-x86-PLK.exe

2007-04-14 16:57:24 4,709,688 ----a-w D:\Program Files\WindowsXP-KB922760-x86-PLK.exe

2007-04-14 15:43:24 49,492 ----a-w D:\WINDOWS\system32\perfc015.dat

2007-04-14 15:43:24 355,486 ----a-w D:\WINDOWS\system32\perfh015.dat

2007-04-14 14:50:36 23,016 ----a-w D:\WINDOWS\system32\emptyregdb.dat

2007-04-14 14:30:24 37,860,928 ----a-w D:\Program Files\iTunesSetup.exe

2007-04-10 18:54:30 -------- d-----w D:\DOCUME~1\Kasia\DANEAP~1\FunkyFarm

2007-04-10 18:32:16 -------- d-----w D:\Program Files\Play

2007-04-10 17:58:26 -------- d-----w D:\Program Files\Calaris

2007-04-06 09:53:20 -------- d-----w D:\Program Files\PITy

2007-03-30 15:00:22 -------- d-----w D:\Program Files\Microsoft.NET

2007-03-30 14:58:44 -------- d-----w D:\Program Files\Microsoft Works

2007-03-30 14:41:58 -------- d-----w D:\Program Files\Windows Messaging

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{089FD14D-132B-48FC-8861-0048AE113215}=D:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 17:41]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiteAdvisor"="D:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-03-30 17:42]

"WOOWATCH"="D:\PROGRA~1\WANADOO\Watch.exe" [2002-12-09 18:24]

"WOOTASKBARICON"="D:\PROGRA~1\WANADOO\TaskbarIcon.exe" [2002-12-09 18:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Odkurzacz-MCD"="D:\Program Files\Odkurzacz\odk_mcd.exe" [2007-05-03 10:02]

"Spyware Doctor"="D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe" [2007-03-26 21:09]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Spyware Doctor"="D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe" /Q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^DSLMON.lnk]

path=c:\Documents and Settings\All Users\Menu Start\Programy\Autostart\DSLMON.lnk

backup=D:\WINDOWS\pss\DSLMON.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^VIA RAID TOOL.lnk]

backup=D:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^Kasia^Menu Start^Programy^Autostart^Trend Micro Anti-Spyware.lnk]

backup=D:\WINDOWS\pss\Trend Micro Anti-Spyware.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"D:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]

"D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe" /Q

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-29 21:21:36

Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: D:\WINDOWS\

please note that you need administrator rights to perform deep scan

********************************************************************

Completion time: 2007-05-29 21:24:04 - machine was rebooted

D:\ComboFix-quarantined-files.txt ... 2007-05-29 21:23

--- E O F ---

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

"D:\WINDOWS\system32\1_exception.nls"

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_EXAMPLE

-------\LEGACY_NDNET1

-------\LEGACY_RUNTIME

-------\EXAMPLE

-------\NDnet1

-------\Runtime

((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))

2007-05-29 21:24 49,152 --a------ D:\WINDOWS\nircmd.exe

2007-05-10 19:35

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-26 07:58:36 12,400 ----a-w D:\WINDOWS\system32\drivers\secdrv.sys

2007-04-27 20:39:52 26,622 ----a-w D:\WINDOWS\system32\lr86.exe

2007-04-16 14:58:40 0 ----a-w D:\WINDOWS\system32\CMMGR32.EXE

2007-04-14 17:02:50 726,920 ----a-w D:\Program Files\WindowsXP-KB935448-x86-PLK.exe

2007-04-14 16:57:24 4,709,688 ----a-w D:\Program Files\WindowsXP-KB922760-x86-PLK.exe

2007-04-14 15:43:24 49,492 ----a-w D:\WINDOWS\system32\perfc015.dat

2007-04-14 15:43:24 355,486 ----a-w D:\WINDOWS\system32\perfh015.dat

2007-04-14 14:50:36 23,016 ----a-w D:\WINDOWS\system32\emptyregdb.dat

2007-04-14 14:30:24 37,860,928 ----a-w D:\Program Files\iTunesSetup.exe

2007-04-10 18:54:30 -------- d-----w D:\DOCUME~1\Kasia\DANEAP~1\FunkyFarm

2007-04-10 18:32:16 -------- d-----w D:\Program Files\Play

2007-04-10 17:58:26 -------- d-----w D:\Program Files\Calaris

2007-04-06 09:53:20 -------- d-----w D:\Program Files\PITy

2007-03-30 15:00:22 -------- d-----w D:\Program Files\Microsoft.NET

2007-03-30 14:58:44 -------- d-----w D:\Program Files\Microsoft Works

2007-03-30 14:41:58 -------- d-----w D:\Program Files\Windows Messaging

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{089FD14D-132B-48FC-8861-0048AE113215}=D:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 17:41]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^DSLMON.lnk]

path=c:\Documents and Settings\All Users\Menu Start\Programy\Autostart\DSLMON.lnk

backup=D:\WINDOWS\pss\DSLMON.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^VIA RAID TOOL.lnk]

backup=D:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^Kasia^Menu Start^Programy^Autostart^Trend Micro Anti-Spyware.lnk]

backup=D:\WINDOWS\pss\Trend Micro Anti-Spyware.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"D:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]

"D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe" /Q

Post merged: 29.05.2007 (Tue) 21:29

2007-04-29 18:57 0 --a------ D:\Qoobox\Quarantine\D\WINDOWS\system32\1_exception.nls.vir

2007-05-01 21:02 432640 --a------ D:\Qoobox\Quarantine\D\WINDOWS\system32\winlogon.exe.vir

2007-05-29 21:19 1208 --a------ D:\Qoobox\Quarantine\Registry_backups\LEGACY_EXAMPLE.reg.cf

2007-05-29 21:19 1310 --a------ D:\Qoobox\Quarantine\Registry_backups\LEGACY_NDNET1.reg.cf

2007-05-29 21:19 1322 --a------ D:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME.reg.cf

2007-05-29 21:19 58 --a------ D:\Qoobox\Quarantine\catchme.log

2007-05-29 21:19 620 --a------ D:\Qoobox\Quarantine\Registry_backups\services_Runtime.reg.cf

2007-05-29 21:19 676 --a------ D:\Qoobox\Quarantine\Registry_backups\services_NDnet1.reg.cf

2007-05-29 21:19 750 --a------ D:\Qoobox\Quarantine\Registry_backups\services_EXAMPLE.reg.cf
Zmienna PATH folderu dla woluminu PROGRAMY

Numer seryjny woluminu: 71F5E346 1F46:1CEB

D:\QOOBOX

\---Quarantine

    | catchme.log

    |   

    +---Registry_backups

    | LEGACY_EXAMPLE.reg.cf

    | LEGACY_NDNET1.reg.cf

    | LEGACY_RUNTIME.reg.cf

    | services_EXAMPLE.reg.cf

    | services_NDnet1.reg.cf

    | services_Runtime.reg.cf

    |       

    \---D

        \---WINDOWS

            \---system32

                    1_exception.nls.vir

                    winlogon.exe.vir

Post merged: 29.05.2007 (Tue) 21:31

At the end a message appeared saying that some error had occurred and that some file could not be found... this was after the Combo scan had finished, right after opening the combofix.txt file.