Fake alert window (Antyvirus XP 2k8)


(Chivago19300) #1

Well, it's just as the subject says.

A Windows Vista window with an alert saying I'm infected.

From what I can see, a few other people have caught this too, so I'm not alone :slight_smile:

Here's my HijackThis log:

http://wklej.org/id/927/

I hope someone can help me..

Regards, maslo.


(Chivago19300) #2

Can anyone help me with this? :shock:


(Leon$) #3

Entries

delete with HijackThis >> Fix checked

Download Combofix http://www.searchengines.pl/index.php?s ... ntry395642 but don't run it yet.

While downloading and scanning with Combofix, please disable all firewalls and antivirus programs.

Open Notepad and paste

save it as CFScript.txt (save it so the CFScript.txt icon sits next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri ... iemoes.gif

Removal should begin

Then post the Combofix removal log

Tell me whether you use the application "Easy2Game"

:slight_smile:


(Chivago19300) #4

I did as you said, I think it's gone now..

I used Easy2Game at some point :slight_smile:

Now I have another problem..

After Windows loads, when it gets to the login screen I get a black screen and a mouse cursor; sometimes it comes up, but when I hover over an icon it freezes..

Does anyone know how to fix this?


(Leon$) #5

waiting

:slight_smile:


(Chivago19300) #6

Umm, a question: where do I find that log?

I'm a complete newbie at this stuff ; o


(Leon$) #7

Start >> Search >> ComboFix.txt

:slight_smile:


(Chivago19300) #8

Damn, I searched the whole computer and it found nothing ; (


(Leon$) #9

run it again with a double-click and show the log

:slight_smile:


(Chivago19300) #10

Every time I run it a window pops up saying it has detected a rootkit..


(Leon$) #11

Download and run the tool The Avenger. Select the text given on the forum for removal,

copy >> click Paste Script from Clipboard >> Execute >> Confirm and agree to the restart by clicking OK.

Manually delete the file C:\Avenger\backup.zip from the disk and paste the report on the forum: C:\avenger.txt

Download the SDFix program

-


(Chivago19300) #12

Here's the Avenger log:

Logfile of The Avenger Version 2.0, (c) by Swandog46

http://swandog46.geekstogo.com


Platform: Windows XP


*******************


Script file opened successfully.

Script file read successfully.


Backups directory opened successfully at C:\Avenger


*******************


Beginning to process script file:


Rootkit scan active.


Hidden driver "tdssserv" found!

ImagePath: \systemroot\system32\drivers\tdssserv.sys 

Start Type: 4 (Disabled)


Rootkit scan completed.


File "C:\WINDOWS\system32\drivers\tdssserv.sys" deleted successfully.

File "C:\WINDOWS\system32\tdssadw.dll" deleted successfully.

File "C:\WINDOWS\system32\tdssl.dll" deleted successfully.

File "C:\WINDOWS\system32\tdssserf.dll" deleted successfully.

File "C:\WINDOWS\system32\tdssmain.dll" deleted successfully.

File "C:\WINDOWS\system32\tdssinit.dll" deleted successfully.

File "C:\WINDOWS\system32\tdsslog.dll" deleted successfully.

File "C:\WINDOWS\system32\tdssservers.dat" deleted successfully.

Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdssserv.sys" deleted successfully.

Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdssserv.sys" deleted successfully.

Driver "tdssserv" deleted successfully.


Warning: HKLM\Software did not load within MAX_WAIT_ITERATIONS



Error: registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!

Deletion of registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

  --> the object does not exist



Error: registry key "HKLM\SOFTWARE\tdss" not found!

Deletion of registry key "HKLM\SOFTWARE\tdss" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

  --> the object does not exist



Completed script processing.


*******************


Finished! Terminate.

Should I use SDFix now?
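The Avenger report above is readable by eye, but here is an added example (not from the thread and not code from The Avenger) of turning it into a structured verdict: it picks out the hidden driver and its start type, which files, registry keys and drivers were actually removed, and which deletions failed and why. The line patterns are assumptions about the report shapes seen above, and the sample report is an abridged, constructed copy of them. Two points it encodes: the `SafeBoot\Minimal` and `SafeBoot\Network` keys are what let the driver load even in Safe Mode, so their removal is part of the cleanup; and because the report also says `HKLM\Software did not load`, the two `STATUS_OBJECT_NAME_NOT_FOUND` errors on `HKLM\SOFTWARE\...` keys cannot be read as proof that those keys were already gone, so they are reported as unverified rather than as clean.

```python
"""Triage a report written by The Avenger 2.0 (added example for this thread;
not code from The Avenger). The line patterns are assumptions based on the
report shapes shown above, not a documented output format."""
import re
from dataclasses import dataclass, field

# Constructed sample: an abridged copy of the report shapes seen in the thread.
SAMPLE_REPORT = r"""
Logfile of The Avenger Version 2.0, (c) by Swandog46
Rootkit scan active.
Hidden driver "tdssserv" found!
ImagePath: \systemroot\system32\drivers\tdssserv.sys
Start Type: 4 (Disabled)
Rootkit scan completed.
File "C:\WINDOWS\system32\drivers\tdssserv.sys" deleted successfully.
File "C:\WINDOWS\system32\tdssmain.dll" deleted successfully.
Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdssserv.sys" deleted successfully.
Driver "tdssserv" deleted successfully.
Warning: HKLM\Software did not load within MAX_WAIT_ITERATIONS
Error: registry key "HKLM\SOFTWARE\tdss" not found!
Deletion of registry key "HKLM\SOFTWARE\tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist
Completed script processing.
"""

HIDDEN_RE = re.compile(r'^Hidden driver "([^"]+)" found!')
IMAGE_RE = re.compile(r'^ImagePath:\s*(\S+)')
START_RE = re.compile(r'^Start Type:\s*(\d+)')
DELETED_RE = re.compile(r'^(File|Registry key|Driver) "([^"]+)" deleted successfully\.')
FAILED_RE = re.compile(r'^Deletion of (file|registry key|driver) "([^"]+)" failed!')
STATUS_RE = re.compile(r'^Status:\s*(0x[0-9A-Fa-f]+)\s*\((\w+)\)')
WARNING_RE = re.compile(r'^Warning:\s*(.+)')


@dataclass
class AvengerReport:
    hidden_drivers: list = field(default_factory=list)  # {"name", "image_path", "start_type"}
    deleted: list = field(default_factory=list)         # (kind, target)
    failed: list = field(default_factory=list)          # {"kind", "target", "status", "symbol"}
    warnings: list = field(default_factory=list)


def parse_avenger_report(text):
    """Walk the report line by line; ImagePath/Start Type attach to the last
    hidden driver seen, Status lines attach to the last failed deletion."""
    rep, driver, failure = AvengerReport(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_RE.match(line):
            driver = {"name": m.group(1), "image_path": None, "start_type": None}
            rep.hidden_drivers.append(driver)
        elif (m := IMAGE_RE.match(line)) and driver:
            driver["image_path"] = m.group(1)
        elif (m := START_RE.match(line)) and driver:
            driver["start_type"] = int(m.group(1))
        elif m := DELETED_RE.match(line):
            rep.deleted.append((m.group(1).lower(), m.group(2)))
        elif m := FAILED_RE.match(line):
            failure = {"kind": m.group(1), "target": m.group(2), "status": None, "symbol": None}
            rep.failed.append(failure)
        elif (m := STATUS_RE.match(line)) and failure:
            failure["status"], failure["symbol"] = m.group(1).lower(), m.group(2)
            failure = None
        elif m := WARNING_RE.match(line):
            rep.warnings.append(m.group(1))
    return rep


def assess(rep):
    """Turn the parsed report into a verdict a responder can act on."""
    deleted_drivers = {t for k, t in rep.deleted if k == "driver"}
    deleted_keys = {t for k, t in rep.deleted if k == "registry key"}
    # If the SOFTWARE hive never loaded, "not found" under HKLM\SOFTWARE proves nothing.
    hive_missing = any(w.lower().startswith("hklm\\software did not load") for w in rep.warnings)
    verdict = {
        "hidden_drivers_removed": [d["name"] for d in rep.hidden_drivers if d["name"] in deleted_drivers],
        "hidden_drivers_remaining": [d["name"] for d in rep.hidden_drivers if d["name"] not in deleted_drivers],
        # SafeBoot\Minimal and SafeBoot\Network entries make a service load in Safe Mode too.
        "safeboot_entries_removed": sorted(t for t in deleted_keys if "\\safeboot\\" in t.lower()),
        "unverified": [],       # NOT_FOUND while the hive was unavailable: re-check after reboot
        "already_absent": [],   # NOT_FOUND with the hive loaded: nothing left to delete
        "needs_attention": [],  # any other failure status
    }
    for f in rep.failed:
        not_found = f["symbol"] == "STATUS_OBJECT_NAME_NOT_FOUND"
        under_software = f["target"].upper().startswith("HKLM\\SOFTWARE")
        if not_found and under_software and hive_missing:
            verdict["unverified"].append(f["target"])
        elif not_found:
            verdict["already_absent"].append(f["target"])
        else:
            verdict["needs_attention"].append(f["target"])
    return verdict


if __name__ == "__main__":
    for key, value in assess(parse_avenger_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run on the sample it reports `tdssserv` as removed together with its SafeBoot entry, and lists `HKLM\SOFTWARE\tdss` under "unverified", which is the cue to check that key again once the system has rebooted normally.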


(huber2t) #13

Files deleted

Yes, now


(Kambor4) #14

Yes, use SDFix.

==============

K.


(Chivago19300) #15

Here's the log : )

[b]SDFix: Version 1.219 [/b]

Run by Crushrr on 2008-08-26 at 12:04


Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\SDFix


[b]Checking Services [/b]:


[b]Name [/b]: 

sysrest.sys


[b]Path [/b]:

\??\C:\WINDOWS\system32\sysrest.sys 


sysrest.sys - Deleted




Restoring Default Security Values

Restoring Default Hosts File

Restoring Default Desktop Wallpaper  

Restoring Default ScreenSaver value


Rebooting



[b]Checking Files [/b]: 


Trojan Files Found:


C:\WINDOWS\system32\lphcv6pj0ej7a.exe - Deleted

C:\WINDOWS\system32\phcv6pj0ej7a.bmp - Deleted

C:\WINDOWS\system32\blphcv6pj0ej7a.scr - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\GLF4A.tmp.dll - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\GLF52.tmp.dll - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\GLF9.tmp.dll - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt1.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt10.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt13.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt14.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt15.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt19.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt1B.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt1D.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt1E.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt2.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt24.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt25.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt29.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt2C.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt3.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt30.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt32.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt4.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt42.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt48.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt5.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt52.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt5A.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt5C.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt5F.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt6.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt62.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt67.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt6A.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt6E.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt6F.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt7.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt73.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt77.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt8.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt9.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.ttA.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.ttB.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.ttC.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt1.tmp.vbs - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt2.tmp.vbs - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt3.tmp.vbs - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt4.tmp.vbs - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt5.tmp.vbs - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt5C.tmp.vbs - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt6.tmp.vbs - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.ttA.tmp.vbs - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.ttB.tmp.vbs - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\tds5B.tmp - Deleted

C:\DOCUME~1\Crushrr\USTAWI~1\Temp\tmp2D.tmp - Deleted

C:\WINDOWS\system32\a.exe - Deleted

C:\WINDOWS\system32\sysrest32.exe - Deleted

C:\WINDOWS\system32\sysrest.sys - Deleted




Folder C:\Documents and Settings\Crushrr\Dane aplikacji\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#w*w.redtube.com - Removed



Removing Temp Files


[b]ADS Check [/b]:




                                 [b]Final Check [/b]:


catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-26 12:21:35

Windows 5.1.2600 Dodatek Service Pack 2 NTFS


scanning hidden processes ...


C:\WINDOWS\system32\svchost.exe [1840] 0x8199E5F8


scanning hidden services & system hive ...


scanning hidden registry entries ...


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"="\x21e7€\xffff\xffffŔ\32Ŕ\aP,E:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,E:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,E:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll"

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710


scanning hidden files ...



scan completed successfully

hidden processes: 1

hidden services: 0

hidden files: 0



[b]Remaining Services [/b]:





Authorized Application Key Export:


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

"C:\\WINDOWS\\system32\\rlvknlg.exe"="C:\\WINDOWS\\system32\\rlvknlg.exe:*:Enabled:rlvknlg.exe"

"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

"E:\\Program Files\\Pando\\pando.exe"="E:\\Program Files\\Pando\\pando.exe:*:Enabled:Pando Application"

"C:\\Documents and Settings\\Crushrr\\Ustawienia lokalne\\Temp\\.tt19.tmp"="C:\\Documents and Settings\\Crushrr\\Ustawienia lokalne\\Temp\\.tt19.tmp:*:Enabled:enable"

"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[b]Remaining Files [/b]:



File Backups: - C:\SDFix\backups\backups.zip


[b]Files with Hidden Attributes [/b]:


Thu 8 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Thu 8 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\73fc42f2eafe6354baf20e4a4ddb509a\BITD.tmp"


[b]Finished![/b]

Thank you very much for the help, everything is back to normal (I think...), I can change the wallpaper again and the computer works normally : )
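One part of the SDFix report that deserves a second look is the Windows Firewall "Authorized Application" export: next to Skype, Bonjour and the like it lists an exception for a file in the user's Temp directory (`.tt19.tmp`) and one for `sysrest32.exe`, both with the label `enable`. The script below is an added example (not from the thread and not code from SDFix) that parses that export format and scores each exception with a few heuristics: a program living in a temp directory, a non-.exe file, a generic label instead of a product name, or an unrecognised executable sitting directly in system32. The sample export is a constructed copy of lines from the report above, the `KNOWN_SYSTEM32` allowlist is a deliberately tiny assumption made for illustration, and the severity rules are my own, not anything SDFix does.

```python
"""Triage the Windows Firewall 'authorized applications' export that SDFix
prints at the end of its report (added example for this thread; not code from
SDFix). The heuristics, the KNOWN_SYSTEM32 allowlist and the severity rules are
assumptions made for illustration."""
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the export lines in the SDFix report above,
# in the .reg-style form SDFix prints (backslashes doubled).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\WINDOWS\\system32\\rlvknlg.exe"="C:\\WINDOWS\\system32\\rlvknlg.exe:*:Enabled:rlvknlg.exe"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Documents and Settings\\Crushrr\\Ustawienia lokalne\\Temp\\.tt19.tmp"="C:\\Documents and Settings\\Crushrr\\Ustawienia lokalne\\Temp\\.tt19.tmp:*:Enabled:enable"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
ENTRY_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

GENERIC_LABELS = {"enable", "enabled", "allow", "allowed"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
# Assumption: a deliberately tiny allowlist of XP components that legitimately
# appear under system32 in this list; a real one would be much longer.
KNOWN_SYSTEM32 = {"sessmgr.exe"}


def parse_authorized_apps(text):
    """Return one dict per exception: section, path, scope, state, label."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1)
            continue
        if not (m := ENTRY_RE.match(line)):
            continue
        path = m.group(1).replace("\\\\", "\\")
        value = m.group(2).replace("\\\\", "\\")
        # value is "<path>:<scope>:<state>:<label>"; the path holds a "C:" of its
        # own, so strip the path prefix instead of splitting on every colon
        rest = value[len(path) + 1:] if value.startswith(path + ":") else value
        scope, state, label = (rest.split(":", 2) + ["", "", ""])[:3]
        entries.append({"section": section, "path": path, "scope": scope,
                        "state": state, "label": label})
    return entries


def triage(entry):
    """Score one exception: 'high' = typical of malware adding itself to the
    firewall list, 'medium' = worth a look, 'clean' = nothing odd."""
    path = entry["path"]
    low = path.lower()
    name = PureWindowsPath(path).name.lower()
    strong, weak = [], []
    if any(marker in low for marker in TEMP_MARKERS):
        strong.append("program lives in a temp directory")
    if not low.endswith(".exe"):
        strong.append(f"exception for a non-.exe file ({PureWindowsPath(path).suffix or 'no extension'})")
    if entry["label"].lower() in GENERIC_LABELS:
        strong.append(f"generic label {entry['label']!r} instead of a product name")
    if "\\system32\\" in low and name not in KNOWN_SYSTEM32:
        weak.append("unrecognised executable directly in system32")
    if entry["label"].lower() == name:
        weak.append("label is just the file name")
    severity = "high" if strong else "medium" if weak else "clean"
    return {"path": path, "severity": severity, "reasons": strong + weak}


def triage_export(text):
    return [triage(e) for e in parse_authorized_apps(text)]


if __name__ == "__main__":
    for r in triage_export(SAMPLE_EXPORT):
        if r["severity"] != "clean":
            print(r["severity"].upper(), r["path"])
            for reason in r["reasons"]:
                print("   -", reason)
```

On the sample this flags the Temp `.tt19.tmp` entry and `sysrest32.exe` as high and `rlvknlg.exe` as medium (an unlabelled executable straight in system32), and leaves Skype, Bonjour and `sessmgr.exe` alone. The same idea works on a live machine by exporting the `AuthorizedApplications\List` key with `reg export` and feeding the file to `triage_export`.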


(huber2t) #16

SDFix removed the junk

Now try posting a Combofix log