Critical Error podczas wchodzenia do folderu

Thyrrun · 7 Lipiec 2008 20:15

Witam.

Mam pewiem problem który wcześniej wspominałem w innym wątku, niestety z powodów złej znajomości regulaminu został przeniesiony (podpięcie).

Wchodząc do folderu wyskakuje mi komunikat:

Attention, …! Some dangerous viruses detected in your system. microsoft Windows XP files corrupted.This may lead to the destruction of improtant files in D:WINDOWS. Download protection software now!

W poprzednim wątku polecono mi zatrzymanie kilku procesów, niestety nie pomogło, a oto kolejny wpis z HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:02, on 2008-07-07

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

Boot mode: Normal

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\system32\acs.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\agrsmsvc.exe

D:\Program Files\Intel\Wireless\Bin\EvtEng.exe

D:\WINDOWS\system32\PnkBstrA.exe

D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

D:\WINDOWS\system32\TCtrlIOHook.exe

D:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

D:\WINDOWS\system32\TDispVol.exe

D:\WINDOWS\system32\TPSMain.exe

D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

D:\Program Files\Synaptics\SynTP\SynTPEnh.exe

D:\Program Files\TOSHIBA\TouchPad\TPTray.exe

D:\WINDOWS\system32\TPSBattM.exe

D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

D:\Program Files\Synaptics\SynTP\SynToshiba.exe

D:\WINDOWS\RTHDCPL.EXE

D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

D:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe

D:\Program Files\Atheros\ACU.exe

D:\WINDOWS\system32\rundll32.exe

D:\WINDOWS\system32\ctfmon.exe

D:\Program Files\TGTSoft\StyleXP\StyleXP.exe

D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

D:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe

D:\WINDOWS\system32\rundll32.exe

D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: AVG Safe Search - {1C1B8A44-61FE-411E-8F33-813A4E2E2984} - D:\WINDOWS\system32\avgsafe.dll

O2 - BHO: (no name) - {1FE4BFC2-60DB-461C-B734-1D40F120299A} - D:\WINDOWS\system32\ddcCRLFy.dll

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Program Files\FlashGet\jccatch.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {A5F6E49F-E978-46D4-BB08-F7CC4D6699CB} - D:\WINDOWS\system32\nnnkICRl.dll (file missing)

O2 - BHO: QXK Olive - {C396242E-B6B6-4B05-A755-72938F31ACB0} - D:\WINDOWS\kgqfweltnfv.dll

O4 - HKLM…\Run: [TCtryIOHook] TCtrlIOHook.exe

O4 - HKLM…\Run: [TFncKy] TFncKy.exe

O4 - HKLM…\Run: [TDispVol] TDispVol.exe

O4 - HKLM…\Run: [startCCC] D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKLM…\Run: [HWSetup] D:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP

O4 - HKLM…\Run: [TPSMain] TPSMain.exe

O4 - HKLM…\Run: [Apoint] D:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM…\Run: [synTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM…\Run: [TPNF] D:\Program Files\TOSHIBA\TouchPad\TPTray.exe

O4 - HKLM…\Run: [intelZeroConfig] “D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe”

O4 - HKLM…\Run: [intelWireless] “D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” /tf Intel PROSet/Wireless

O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe”

O4 - HKLM…\Run: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START

O4 - HKLM…\Run: [ACU] “D:\Program Files\Atheros\ACU.exe” -nogui

O4 - HKLM…\Run: [e0253768] rundll32.exe “D:\WINDOWS\system32\sesjhmaq.dll”,b

O4 - HKCU…\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [sTYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU…\Run: [spybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)

O4 - Startup: RocketDock.lnk = D:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe

O4 - Startup: TransBar.lnk = D:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe

O4 - Global Startup: Bluetooth Manager.lnk = ?

O4 - Global Startup: Bluetooth Monitor.lnk = D:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe

O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll

O13 - DefaultPrefix:

O13 - WWW Prefix:

O13 - Home Prefix:

O13 - Mosaic Prefix:

O13 - FTP Prefix:

O13 - Gopher Prefix:

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip…{0DD2A9EE-1CC4-4B36-95C3-6092AEBA22DB}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CCS\Services\Tcpip…{BBBBEF50-583A-43B3-A232-E9F6D787AF25}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CS1\Services\Tcpip…{0DD2A9EE-1CC4-4B36-95C3-6092AEBA22DB}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CS2\Services\Tcpip…{0DD2A9EE-1CC4-4B36-95C3-6092AEBA22DB}: NameServer = 194.204.159.1,194.204.152.34

O20 - Winlogon Notify: ddcCRLFy - D:\WINDOWS\SYSTEM32\ddcCRLFy.dll

O23 - Service: Usługa konfiguracji Atheros (ACS) - Atheros - D:\WINDOWS\system32\acs.exe

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - D:\WINDOWS\system32\agrsmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: OneStep Search Service - Unknown owner - D:\Program Files\OneStepSearch\onestep.exe (file missing)

O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - D:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)

O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - D:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)

O23 - Service: StyleXPService - Unknown owner - D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

–

End of file - 8447 bytes

Z góry dziękuję

Gutek · 7 Lipiec 2008 20:21

Zmiana zasad wklejania logów na forum - viewtopic.php?f=16&t=253052

W HJT widać infekcję ale użyjemy automatu:

Użyj SmitFraudFix wybierz opcji nr 2 , oczywiście w trybie awaryjnym i po tym użyj ComboFix

Thyrrun · 7 Lipiec 2008 21:17

Dziękuję, ta operacja powiodła się

Gutek · 7 Lipiec 2008 22:21

Daj log z COMBO

Thyrrun · 8 Lipiec 2008 07:34

http://wklejto.pl/txt5198

spandaupol · 8 Lipiec 2008 07:57

To nie jest cały log.

Thyrrun · 8 Lipiec 2008 14:15

Hmm, dziwne, nic więcej nie było w tym pliku (ComboFix.txt) .

Leon1 · 8 Lipiec 2008 14:55

więc przeskanuj jeszcze raz i daj log

Start >> wyszukaj >> ComboFix.txt