Please tell me whether any traces of infection are visible here. The log is from the second disk. On the first disk, the Kaspersky online scanner found digiwet.dll in system32,
and in Temporary Internet Files:
load.exe and readme.pdf
GMER:
hjmjklskd.sys in system32/drivers
Kaspersky: 1054.dll in system32
Kaspersky also found, in the user's Ustawienia lokalne\Temp folder, the files
arc2.tmp
pdfupd.exe
An attempt to disable ZA resulted in messages such as
wtsapi32.dll is not a valid Windows NT image
faultrep.dll is not a valid Windows NT image
and others of the kind "the file is not a valid WIN32 application".
In addition:
C:\RECYCLER\S-1-5-21-789336058-838170752-1801674531-1004\Dc1.dll is infected with Hacktool.Proxy
win32.buzus.amit
win32.tdss.rtk
These have been removed. I think disks C and D will need to be formatted; the question is to what extent the infection has been carried over to the second disk (G, H), insofar as the entries in the log can indicate anything.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:15:07, on 2009-04-24
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\ZoneLabs\vsmon.exe
G:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
G:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
G:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\VTTimer.exe
G:\WINDOWS\system32\VTtrayp.exe
G:\Program Files\VIAudioi\SBADeck\ADeck.exe
G:\WINDOWS\system32\taskswitch.exe
G:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
G:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
G:\Program Files\Java\jre6\bin\jusched.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
G:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
G:\Program Files\Java\jre6\bin\jqs.exe
G:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Windows Media Player\WMPNSCFG.exe
G:\Program Files\OpenOffice.ux.pl 3\program\soffice.exe
G:\Program Files\OpenOffice.ux.pl 3\program\soffice.bin
G:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\caav.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - G:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - G:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM…\Run: [VTTimer] VTTimer.exe
O4 - HKLM…\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM…\Run: [AudioDeck] G:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM…\Run: [CoolSwitch] G:\WINDOWS\system32\taskswitch.exe
O4 - HKLM…\Run: [sunJavaUpdateSched] "G:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM…\Run: [ZoneAlarm Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM…\Run: [CAVRID] "G:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM…\Run: [eTrust PestPatrol Active Protection] "G:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU…\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [WMPNSCFG] G:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.ux.pl 3.0.lnk = G:\Program Files\OpenOffice.ux.pl 3\program\quickstart.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar … vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows … 1628256032
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/vi … ebscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip…{6DEA74D6-71C9-4A16-ABC7-5B10E2FC05B3}: NameServer = 217.30.129.149 217.30.137.200
O17 - HKLM\System\CS1\Services\Tcpip…{6DEA74D6-71C9-4A16-ABC7-5B10E2FC05B3}: NameServer = 217.30.129.149 217.30.137.200
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - G:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - G:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - G:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - G:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - G:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mSejfService - Ux Systems - G:\Program Files\Ux Systems\mSejf\mSejfService.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - G:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - G:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - G:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - G:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - G:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
--
End of file - 7000 bytes