ojojoj
(3majok)
28 May 2007 21:50
#1
After plugging in a USB stick, the antivirus reported that a virus had appeared. I scanned the system with AVG Anti-Spyware and it turned out that I supposedly have a Trojan. It concerns the file ctfmon.exe, which is supposedly on every drive in the Recycled folder, except that there is no such folder there. This ctfmon.exe is on the computer, but in the WINDOWS/system32 directory, and it doesn't seem to me to be a virus... And avast didn't detect anything...
I'm attaching the AVG report
Gutek
(Gutek)
28 May 2007 22:07
#2
Empty the RECYCLE BIN. Post a ComboFix log
ojojoj
(3majok)
28 May 2007 22:20
#3
And one more thing: when I try to open the drives from Explorer, sometimes a message pops up saying:
Malware found... AVG Anti-Spyware detected a suspicious file on your computer...
The recycle bin was empty :)
ComboFix log:
"aaa" - 2007-05-29 0:12:40 Dodatek Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\aaa\Pulpit"

((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))

2007-05-24 21:45
2007-05-06 16:18 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-16 15:25:42 79,606 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-05-16 15:25:42 458,260 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-05-08 15:43:48 -------- d-----w C:\DOCUME~1\aaa\DANEAP~1\HP
2007-05-06 16:41:52 -------- d-----w C:\Program Files\Messenger
2007-03-28 20:26:20 -------- d-----w C:\Program Files\Borland
2006-09-24 16:44:14 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-06-07 12:09]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{53707962-6F74-2D53-2644-206D7942484F}=D:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 04:25]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-05-23 18:01]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-12-22 23:40]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:44 C:\WINDOWS\system32\bthprops.cpl]
"SoundMan"="SOUNDMAN.EXE" []
"AlcWzrd"="ALCWZRD.EXE" []
"PCMService"="D:\Program Files\Home Cinema\PowerCinema\PCMService.exe" [2005-03-10 20:20]
"w810MmHk"="C:\Program Files\Arima\LED Display Utility\w810MmHk.exe" [2005-02-18 17:59]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 19:28]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-03-05 22:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-23 18:01]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 16:13]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"D:\Program Files\Home Cinema\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CyberLink Media Library Service"=2 (0x2)
"CLSched"=2 (0x2)
"CLCapSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{030b7346-4bc7-11db-abc2-000e35e7671d}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- I:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fba3254-abcb-11db-ac71-0010c674e1de}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- I:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86cd91c2-7dea-11db-ac33-0010c674e1de}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a08e02a2-7e5d-11db-ac36-0010c674e1de}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b977818c-5129-11db-abe2-000325242046}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- I:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d57047e4-7298-11db-ac1c-0010c674e1de}]
AutoRun\command- H:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5da7f7c-0089-11dc-acf4-0010c674e1de}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

*Newly Created Service*
-PROCEXP90

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070506-161141-356 O4 - Startup: PowerReg SchedulerV2.exe
backup-20070506-161005-372 O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Contents of the 'Scheduled Tasks' folder
2007-05-28 22:00:02 C:\WINDOWS\tasks\HPpromotions journeysoftware.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-29 00:14:34
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

********************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001105-0000-1000-8000-00805f9b34fb}]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]

Completion time: 2007-05-29 0:16:03
— E O F —
Merged post: 29.05.2007 (Tue) 16:57
Access denied to drive E
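The entries worth attention in the log above are the MountPoints2 records: every removable drive that was plugged in left an AutoRun and Open command pointing at Recycled\ctfmon.exe or a bare copy.exe, while the genuine ctfmon.exe only lives in system32. The following is an added example, not code from the thread or from ComboFix, that parses that section of a ComboFix log and flags those patterns; the sample records are copied from the log above, and the rule names are my own.

```python
import re

# Sample input copied from the MountPoints2 section of the ComboFix log in
# this thread; the last record (H:\Setup.exe) is the benign-looking CD autorun.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{030b7346-4bc7-11db-abc2-000e35e7671d}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- I:\Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86cd91c2-7dea-11db-ac33-0010c674e1de}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d57047e4-7298-11db-ac1c-0010c674e1de}]
AutoRun\command- H:\Setup.exe
"""

MOUNTPOINT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
COMMAND_RE = re.compile(r"^(AutoRun|Open\(&0\))\\command-\s*(.+)$", re.I)
# Windows binary names that the sample impersonates; the real one lives only in system32.
SYSTEM_NAMES = {"ctfmon.exe"}


def classify(command):
    """Return why a MountPoints2 command looks like an autorun hijack, or None."""
    low = command.lower()
    # Executable started from the drive's Recycled folder: the hiding place in the log.
    if "recycled\\" in low and low.endswith(".exe"):
        return "executable launched from a Recycled folder"
    # A bare, drive-relative file handed to ShellExec_RunDLL (copy.exe in the log);
    # a legitimate autorun entry names a full path.
    m = re.search(r"shellexec_rundll\s+(\S+)$", low)
    if m and not re.match(r"^[a-z]:\\", m.group(1)):
        return "relative executable passed to ShellExec_RunDLL"
    base = low.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and "\\system32\\" not in low:
        return f"{base} outside the system directory"
    return None


def scan_mountpoints(log_text):
    """Yield (guid, verb, command, reason) for every suspicious command in the log."""
    findings, guid = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = MOUNTPOINT_RE.match(line)
        if m:
            guid = m.group(1)
            continue
        m = COMMAND_RE.match(line)
        if m and guid:
            reason = classify(m.group(2))
            if reason:
                findings.append((guid, m.group(1), m.group(2), reason))
    return findings


if __name__ == "__main__":
    for guid, verb, command, reason in scan_mountpoints(SAMPLE_LOG):
        print(f"{guid} {verb}: {command}\n    -> {reason}")
```

On the sample the scanner reports three commands (both ctfmon.exe entries and the copy.exe one) and leaves H:\Setup.exe alone; the remaining ComboFix sections pass through the parser untouched because they never match the MountPoints2 key pattern.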
Gutek
(Gutek)
29 May 2007 16:58
#4
Log clean
Open Notepad and paste this into it:
File >>> Save as >>> Change the file type from TXT to All files >>> save it under the name FIX.REG >>> double-click the created file and confirm >>> reboot the computer