So, just as in the subject line.
A Windows Vista window with an alert about an infection.
From what I can see, a few other people have caught it too, so I'm not alone.
Here is my HijackThis log:
I hope someone can help me…
Regards, maslo.
Can anyone help me with this? :shock:
the entries
remove with HijackThis >> Fix checked
Download Combofix http://www.searchengines.pl/index.php?s … ntry395642 but do not run it yet.
While downloading and scanning with Combofix, please disable all firewalls and antivirus programs.
Open Notepad and paste
save it as CFScript.txt (save it so that the CFScript.txt icon sits next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon
http://img.wklej.org/images/88953CFScri … iemoes.gif
The removal should begin.
Then post the removal log from Combofix.
Tell me whether you use the application "Easy2Game".
I did as you said, I think it's gone now…
I used Easy2Game at one time.
Now I have another problem…
After Windows loads, when it gets to the login I have a black screen and a mouse cursor; sometimes it works, but when I hover over an icon it freezes…
Does anyone know how to fix this?
waiting
Umm, question: where do I find that log?
I'm green at this stuff ; o
Start >> Search >> ComboFix.txt
■■■■, I searched the whole computer and it found nothing ; (
Run it again with a double-click and show the log.
Every time I run it, a window pops up saying it has detected a rootkit…
Download and run the tool The Avenger. Select the text given for removal on the forum,
copy >> click Paste Script from Clipboard >> Execute >> Confirm and agree to the restart by clicking OK.
Manually delete the file C:\Avenger\backup.zip from the disk and paste the report C:\avenger.txt on the forum.
Download the program SDFix.
Here is the log from Avenger:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
Hidden driver "tdssserv" found!
ImagePath: \systemroot\system32\drivers\tdssserv.sys
Start Type: 4 (Disabled)
Rootkit scan completed.
File "C:\WINDOWS\system32\drivers\tdssserv.sys" deleted successfully.
File "C:\WINDOWS\system32\tdssadw.dll" deleted successfully.
File "C:\WINDOWS\system32\tdssl.dll" deleted successfully.
File "C:\WINDOWS\system32\tdssserf.dll" deleted successfully.
File "C:\WINDOWS\system32\tdssmain.dll" deleted successfully.
File "C:\WINDOWS\system32\tdssinit.dll" deleted successfully.
File "C:\WINDOWS\system32\tdsslog.dll" deleted successfully.
File "C:\WINDOWS\system32\tdssservers.dat" deleted successfully.
Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdssserv.sys" deleted successfully.
Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdssserv.sys" deleted successfully.
Driver "tdssserv" deleted successfully.
Warning: HKLM\Software did not load within MAX_WAIT_ITERATIONS
Error: registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!
Deletion of registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKLM\SOFTWARE\tdss" not found!
Deletion of registry key "HKLM\SOFTWARE\tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
Should I use SDFix now?
Files deleted
Yes, now
Yes, use SDFix.
==============
K.
Here's the log : )
SDFix: Version 1.219
Run by Crushrr on 2008-08-26 at 12:04
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services:
Name:
sysrest.sys
Path:
\??\C:\WINDOWS\system32\sysrest.sys
sysrest.sys - Deleted
Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper
Restoring Default ScreenSaver value
Rebooting
Checking Files:
Trojan Files Found:
C:\WINDOWS\system32\lphcv6pj0ej7a.exe - Deleted
C:\WINDOWS\system32\phcv6pj0ej7a.bmp - Deleted
C:\WINDOWS\system32\blphcv6pj0ej7a.scr - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\GLF4A.tmp.dll - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\GLF52.tmp.dll - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\GLF9.tmp.dll - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt1.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt10.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt13.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt14.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt15.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt19.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt1B.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt1D.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt1E.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt2.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt24.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt25.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt29.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt2C.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt3.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt30.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt32.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt4.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt42.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt48.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt5.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt52.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt5A.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt5C.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt5F.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt6.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt62.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt67.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt6A.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt6E.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt6F.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt7.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt73.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt77.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt8.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt9.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.ttA.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.ttB.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.ttC.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt1.tmp.vbs - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt2.tmp.vbs - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt3.tmp.vbs - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt4.tmp.vbs - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt5.tmp.vbs - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt5C.tmp.vbs - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.tt6.tmp.vbs - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.ttA.tmp.vbs - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\.ttB.tmp.vbs - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\tds5B.tmp - Deleted
C:\DOCUME~1\Crushrr\USTAWI~1\Temp\tmp2D.tmp - Deleted
C:\WINDOWS\system32\a.exe - Deleted
C:\WINDOWS\system32\sysrest32.exe - Deleted
C:\WINDOWS\system32\sysrest.sys - Deleted
Folder C:\Documents and Settings\Crushrr\Dane aplikacji\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#w*w.redtube.com - Removed
Removing Temp Files
ADS Check:
Final Check:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 12:21:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
C:\WINDOWS\system32\svchost.exe [1840] 0x8199E5F8
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="\x21e7€\xffff\xffffŔ\32Ŕ\aP,E:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,E:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,E:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
scanning hidden files ...
scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0
Remaining Services:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\WINDOWS\\system32\\rlvknlg.exe"="C:\\WINDOWS\\system32\\rlvknlg.exe:*:Enabled:rlvknlg.exe"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"E:\\Program Files\\Pando\\pando.exe"="E:\\Program Files\\Pando\\pando.exe:*:Enabled:Pando Application"
"C:\\Documents and Settings\\Crushrr\\Ustawienia lokalne\\Temp\\.tt19.tmp"="C:\\Documents and Settings\\Crushrr\\Ustawienia lokalne\\Temp\\.tt19.tmp:*:Enabled:enable"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Thu 8 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 8 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\73fc42f2eafe6354baf20e4a4ddb509a\BITD.tmp"
Finished!
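The "Authorized Application Key Export" section of the SDFix log above is the Windows XP SP2 firewall exception list, and it is worth reading line by line: the malware added its own executables (a .tmp file in the user's Temp folder and sysrest32.exe in system32, both labelled just "enable") so that the firewall would let them talk out. The following is an added example, not code from the thread, from SDFix or from any of the tools mentioned: a small Python script that parses that export format and flags the entries a practitioner would look at first. The sample input is copied from the log above; the heuristics (program under a Temp directory, not an .exe, generic label such as "enable", description identical to the file name, dot-prefixed name) are my own and are assumptions about what "looks wrong", not a verdict on any specific file.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the firewall exception export lines from the SDFix log above,
# embedded here so the example runs offline. Copied from the log, not invented.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\WINDOWS\\system32\\rlvknlg.exe"="C:\\WINDOWS\\system32\\rlvknlg.exe:*:Enabled:rlvknlg.exe"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"E:\\Program Files\\Pando\\pando.exe"="E:\\Program Files\\Pando\\pando.exe:*:Enabled:Pando Application"
"C:\\Documents and Settings\\Crushrr\\Ustawienia lokalne\\Temp\\.tt19.tmp"="C:\\Documents and Settings\\Crushrr\\Ustawienia lokalne\\Temp\\.tt19.tmp:*:Enabled:enable"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

# A .reg-style value line: "name"="value"
VALUE_LINE = re.compile(r'^"(?P<name>.*)"="(?P<value>.*)"$')

# Labels that carry no information about what the program is (assumption).
GENERIC_LABELS = {"", "enable", "enabled", "yes", "true"}


@dataclass
class FirewallException:
    profile: str       # "standardprofile" or "domainprofile"
    path: str          # program path as stored, backslashes unescaped
    scope: str         # "*" means any remote address
    state: str         # "Enabled" / "Disabled"
    description: str   # free-text label shown in the firewall UI


def _unescape(s: str) -> str:
    # .reg exports escape quotes and double every backslash.
    return s.replace('\\"', '"').replace('\\\\', '\\')


def parse_export(text: str) -> List[FirewallException]:
    """Parse the exported authorizedapplications\\list keys into records."""
    entries: List[FirewallException] = []
    profile = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            m = re.search(r'firewallpolicy\\(\w+)\\', line, re.I)
            profile = m.group(1).lower() if m else "unknown"
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        value = _unescape(m.group('value'))
        # Value layout is <path>:<scope>:<state>:<description>; the path itself
        # contains the drive-letter colon, so split from the right.
        parts = value.rsplit(':', 3)
        if len(parts) != 4:
            continue
        path, scope, state, desc = parts
        entries.append(FirewallException(profile, path, scope, state, desc))
    return entries


def suspicious_reasons(e: FirewallException) -> List[str]:
    """Heuristics (my assumptions) for an exception that deserves a second look."""
    reasons: List[str] = []
    components = [c.lower() for c in e.path.split('\\')]
    basename = components[-1]
    ext = basename.rsplit('.', 1)[-1] if '.' in basename else ''
    if 'temp' in components or 'tmp' in components:
        reasons.append("program lives in a Temp directory")
    if ext != 'exe':
        reasons.append(f"not an .exe (extension '.{ext}')")
    label = e.description.strip().lower()
    if label in GENERIC_LABELS:
        reasons.append(f"generic description '{e.description}'")
    elif label == basename:
        reasons.append("description is just the file name")
    if basename.startswith('.'):
        reasons.append("name starts with a dot, hiding the real extension")
    return reasons


def audit(text: str) -> Dict[str, List[str]]:
    """Return {path: reasons} for every enabled exception that trips a heuristic."""
    flagged: Dict[str, List[str]] = {}
    for e in parse_export(text):
        if e.state.lower() != 'enabled':
            continue
        reasons = suspicious_reasons(e)
        if reasons:
            flagged[e.path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_EXPORT).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the log above this flags three of the ten entries: the .tt19.tmp file in Temp (four reasons at once), sysrest32.exe (labelled only "enable") and rlvknlg.exe (whose label is nothing but its own file name). The same parser works on a `reg export` of the live key on an XP machine, which is a quicker first check than waiting for a cleaner to print the list.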
Thank you very much for the help, everything is back to normal (I think…), I can change the wallpaper again and the computer works normally : )
SDFix removed the junk.
Now try posting the log from Combofix.