Comhost.exe - virus?

lignar · 13 Styczeń 2014 19:54

Parę dni temu Avast zaczął blokować jedną z instancji svchost.exe, w jej folderze znalazłem plik comhost.exe, który jest również widoczny jako proces w menedżerze zadań. Nie mam i nie miałem zainstalowanego Nortona ani firewalla od Symantec.

OTL: http://www.wklej.org/id/1235265/

Extras: http://www.wklej.org/id/1235268/

+skan z VirusTotal: https://www.virustotal.com/pl/file/a3ea1231b2e2b84f6e383b543b602432701272732d10e85bf2f665ecc2bb097a/analysis/1389636342/

Atis · 13 Styczeń 2014 20:02

Do okna Własne opcje skanowania / skrypt wklej:

:OTL
O4 - HKLM..\Run: [windows COM Host] C:\{$3483-6183-1568-3845$}\comhost.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows" File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-21-2349166268-1143097919-154880440-1000..\RunOnce: [Windows Base Branding] C:\Users\Janusz\AppData\Roaming\Macromedia\AMD External Events Client.exe (AMD)
O4 - HKU\S-1-5-21-2349166268-1143097919-154880440-1179..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\Janusz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.com.url ()
F3:64bit: - HKU\S-1-5-21-2349166268-1143097919-154880440-1000 WinNT: Load - (C:\ProgramData\{$3483-6183-1568-3845$}\svhost.exe) - C:\ProgramData\{$3483-6183-1568-3845$}\svhost.exe ()
F3 - HKU\S-1-5-21-2349166268-1143097919-154880440-1000 WinNT: Load - (C:\ProgramData\{$3483-6183-1568-3845$}\svhost.exe) - C:\ProgramData\{$3483-6183-1568-3845$}\svhost.exe ()
O27:64bit: - HKLM IFEO\avcenter.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\avguard.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\avp.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\bdagent.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\ccuac.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\ComboFix.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\egui.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\hijackthis.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\keyscrambler.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\mbam.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\MpCmdRun.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\MSASCui.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\MsMpEng.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\msseces.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\spybotsd.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\wireshark.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\zlclient.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\avcenter.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\avguard.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\avp.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\bdagent.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\ccuac.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\ComboFix.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\egui.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\hijackthis.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\keyscrambler.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\mbam.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\MpCmdRun.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\MSASCui.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\MsMpEng.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\msseces.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\spybotsd.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\wireshark.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\zlclient.exe: Debugger - nsjw.exe File not found
[2014-01-12 13:51:00 | 000,000,000 | -H-D | C] -- C:\ProgramData\{$3483-6183-1568-3845$}
[2014-01-11 16:23:11 | 000,000,000 | -H-D | C] -- C:\{$3483-6183-1568-3845$}
[2011-06-26 18:27:24 | 958,597,938 | ---- | C] (Gothic 3 CPT) -- C:\Users\Janusz\Go.exe
[2014-01-13 20:20:47 | 000,197,100 | ---- | M] () -- C:\Users\Janusz\AppData\Roaming\msconfig.ini
[2014-01-11 06:23:34 | 000,346,624 | RHS- | M] () -- C:\ProgramData\335936624.exe
:Commands
[emptytemp]

Kliknij Wykonaj skrypt i zatwierdź restart.

Pokaż raport z usuwania i nowy log Skanuj.

lignar · 13 Styczeń 2014 20:29

Raport: http://www.wklej.org/id/1235311/

OTL: http://www.wklej.org/id/1235333/

Atis · 13 Styczeń 2014 20:39

Wszystkie programy > Akcesoria > Wiersz polecenia > Kliknij prawym i wybierz Uruchom jako administrator

Wklej i zatwierdź enterem: netsh winsock reset

Do okna Własne opcje skanowania / skrypt wklej:

:OTL
F3:64bit: - HKU\S-1-5-21-2349166268-1143097919-154880440-1000 WinNT: Load - (C:\ProgramData\{$3483-6183-1568-3845$}\svhost.exe) - File not found
F3 - HKU\S-1-5-21-2349166268-1143097919-154880440-1000 WinNT: Load - (C:\ProgramData\{$3483-6183-1568-3845$}\svhost.exe) - File not found
:Files
C:\ProgramData\{$3483-6183-1568-3845$}
C:\{$3483-6183-1568-3845$}
C:\ProgramData\*.exe
:Commands
[emptytemp]

Kliknij Wykonaj skrypt i zatwierdź restart.

Pokaż raport z usuwania i nowy log Skanuj.