Insecure Internet activity. Threat of virus attack

karolcia361 · 21 Marzec 2009 13:11

Od wczoraj mam problem z komputerem. Przy otwieraniu stron pokazuje się coś takiego: Insecure Internet activity. Threat of virus attack. Skanowałam już różnymi antywirusami, ale żaden nie może sobie z tym poradzic. Nie wiem co dalej robić, proszę o pomoc!

Leon1 · 21 Marzec 2009 13:16

Pobierz Combofix viewtopic.php?f=16&t=36654 przeskanuj system daj log

potem przeskanuj HijackThis 2.02 daj log

kolejność skanowania jak podałem

karolcia361 · 21 Marzec 2009 15:03

ComboFix 08-11-26.03 - Administrator 2009-03-21 15:58:20.1 - FAT32 x86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.696 [GMT 1:00]

Uruchomiony z: c:\documents and settings\Administrator\Pulpit\ComboFix.exe

* Utworzono nowy punkt przywracania

.

TRYB ZREDUKOWANEJ FUNKCJONALNOŚCI -

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\myglobalsearch

c:\program files\myglobalsearch\bar\History\search

c:\windows\wiaserviv.log

.

((((((((((((((((((((((((( Pliki utworzone od 2009-02-21 do 2009-03-21 )))))))))))))))))))))))))))))))

.

2009-03-21 13:11 . 2009-03-21 13:11 0 --------- c:\windows\PAVSHRB.INI

2009-03-21 11:04 . 2009-03-21 11:04

2009-03-21 10:24 . 2009-03-21 10:24

2009-03-21 10:23 . 2009-03-21 10:23

2009-03-20 23:57 . 2009-03-20 23:57

2009-03-20 12:38 . 2009-03-21 10:22 28,672 --a------ c:\program files\Common Files\file.exe

2009-03-20 12:37 . 2009-03-21 10:23 2,162,631 --a------ c:\program files\Common Files\InternetAntivirusPro.exe

2009-03-18 23:51 . 2005-03-05 22:32 25,600 --a------ c:\windows\system32\drivers\usbser.sys

2009-03-18 23:50 . 2009-03-18 23:50 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-03-18 23:50 . 2009-03-18 23:50 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf

2009-03-03 22:45 . 2009-03-03 22:45

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-16 15:48 --------- d-----w c:\program files\Liceum klasa 1 - Chemia podstawowa

2009-02-07 11:01 --------- d-----w c:\program files\Common Files\Borland Shared

2009-02-07 11:01 --------- d-----w c:\program files\Common Files\Athenasoft

2009-02-07 11:00 --------- d-----w c:\program files\Athenasoft

2009-02-01 17:44 --------- d-----w c:\program files\Konnekt

2009-02-01 17:44 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\stamina

2007-12-20 21:47 92,064 ----a-w c:\documents and settings\Administrator\mqdmmdm.sys

2007-12-20 21:47 9,232 ----a-w c:\documents and settings\Administrator\mqdmmdfl.sys

2007-12-20 21:47 79,328 ----a-w c:\documents and settings\Administrator\mqdmserd.sys

2007-12-20 21:47 66,656 ----a-w c:\documents and settings\Administrator\mqdmbus.sys

2007-12-20 21:47 6,208 ----a-w c:\documents and settings\Administrator\mqdmcmnt.sys

2007-12-20 21:47 5,936 ----a-w c:\documents and settings\Administrator\mqdmwhnt.sys

2007-12-20 21:47 4,048 ----a-w c:\documents and settings\Administrator\mqdmcr.sys

2007-12-20 21:47 25,600 ----a-w c:\documents and settings\Administrator\usbsermptxp.sys

2007-12-20 21:47 22,768 ----a-w c:\documents and settings\Administrator\usbsermpt.sys

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ctfmon.exe”=“c:\windows\system32\ctfmon.exe” [2004-08-03 15360]

“Konnekt”=“c:\program files\Konnekt\konnekt.exe” [2005-05-24 503808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Smapp”=“c:\program files\Analog Devices\SoundMAX\SMTray.exe” [2002-11-08 98304]

“WOOWATCH”=“c:\progra~1\WANADOO\Watch.exe” [2002-12-09 20480]

“WOOTASKBARICON”=“c:\progra~1\WANADOO\TaskbarIcon.exe” [2002-12-09 45056]

“avast!”=“d:\avast\ashDisp.exe” [2008-11-26 81000]

“NeroCheck”=“c:\windows\system32\NeroCheck.exe” [2001-07-09 155648]

“QuickTime Task”=“c:\program files\QuickTime\qttask.exe” [2006-09-01 282624]

“BearShare”=“d:\program files\BearShare\BearShare.exe” [2006-08-01 3313664]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“c:\windows\system32\CTFMON.EXE” [2004-08-03 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]

“iv”=“c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Internet Explorer\iv.exe” [2009-03-20 60416]

c:\documents and settings\Administrator\Menu Start\Programy\Autostart\

Tworzenie wycink˘w ekranu i uruchamianie programu OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\

DSLMON.LNK - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-06-19 962661]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

–a------ 2007-05-19 11:39 35328 d:\winamp pl\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

“AntiVirusDisableNotify”=dword:00000001

“UpdatesDisableNotify”=dword:00000001

“AntiVirusOverride”=dword:00000001

“FirewallOverride”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“d:\Gadu-Gadu\gg.exe”=

“d:\BearShare Applications\BearShare\BearShare.exe”=

“c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE”=

“d:\Program Files\BearShare\BearShare.exe”=

“c:\Program Files\Bonjour\mDNSResponder.exe”=

“c:\Program Files\Konnekt\konnekt.exe”=

“c:\Program Files\Skype\Phone\Skype.exe”=

“c:\WINDOWS\System32\dpvsetup.exe”=

“c:\WINDOWS\System32\RUNDLL32.EXE”=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-28 114768]

R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys []

R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-06-28 20560]

R2 ITGrdEngine;Guard Service;c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\services.exe [2009-03-20 193024]

R2 Kmm4xNT;Kmm4xNT;c:\windows\system32\drivers\Kmm4xNT.sys [2009-02-07 95484]

R2 PavProc;Panda Process Protection Driver;??\c:\windows\system32\DRIVERS\PavProc.sys []

S3 KMM4xUSB;KMM4xUSB Driver (kmm4xusb.sys);c:\windows\system32\Drivers\KMM4xUSB.sys [2009-02-07 40256]

S3 se46bus;Sony Ericsson Device 070 driver (WDM);c:\windows\system32\DRIVERS\se46bus.sys [2007-12-23 61536]

S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;c:\windows\system32\DRIVERS\se46mdfl.sys [2007-12-23 9360]

S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;c:\windows\system32\DRIVERS\se46mdm.sys [2007-12-23 97088]

S3 se46mgmt;Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\se46mgmt.sys [2007-12-23 88624]

S3 se46nd5;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\DRIVERS\se46nd5.sys [2008-01-01 18704]

S3 se46obex;Sony Ericsson Device 070 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\se46obex.sys [2007-12-23 86432]

S3 se46unic;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\DRIVERS\se46unic.sys [2008-01-01 90800]

S3 se59bus;Sony Ericsson Device 089 driver (WDM);c:\windows\system32\DRIVERS\se59bus.sys [2007-12-22 61536]

S3 se59mdfl;Sony Ericsson Device 089 USB WMC Modem Filter;c:\windows\system32\DRIVERS\se59mdfl.sys [2007-12-22 9360]

S3 se59mdm;Sony Ericsson Device 089 USB WMC Modem Driver;c:\windows\system32\DRIVERS\se59mdm.sys [2007-12-22 97088]

S3 se59mgmt;Sony Ericsson Device 089 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\se59mgmt.sys [2007-12-22 88624]

S3 se59nd5;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (NDIS);c:\windows\system32\DRIVERS\se59nd5.sys [2007-12-22 18704]

S3 se59obex;Sony Ericsson Device 089 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\se59obex.sys [2007-12-22 86432]

S3 se59unic;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (WDM);c:\windows\system32\DRIVERS\se59unic.sys [2007-12-22 90800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{c581d084-4472-11dd-9baa-4d6564696130}]

\Shell\AutoRun\command - g:.system\S-1-6-21-2434476501-1644491937-600003330-1213\Autorun.exe

\Shell\open\command - g:.system\S-1-6-21-2434476501-1644491937-600003330-1213\Autorun.exe

*Newly Created Service* - CATCHME

*Newly Created Service* - PAVPROC

*Newly Created Service* - PAVPRSRV

*Newly Created Service* - SHLDDRV

.

- - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-AQQ - d:\wapster\AQQ\AQQ.exe

HKLM-Run-adiras - adiras.exe

Notify-WgaLogon - (no file)

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://www.neostrada.pl

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

TCP: {0145CF41-B793-4CEF-AFD8-829B09625BC4} = 194.204.159.1 217.98.63.164

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\OggX.ocx - O16 -: {1E53EA77-34F2-474E-9046-B2B0C86F1821}

hxxp://www.eska.pl/streamplayers/OggX.ocx

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-21 15:58:50

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

skanowanie ukrytych procesów …

skanowanie ukrytych wpisów autostartu …

skanowanie ukrytych plików …

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

.

Czas ukończenia: 2009-03-21 15:59:46

ComboFix-quarantined-files.txt 2009-03-21 14:59:44

Przed: 58 986 823 680 bajtów wolnych

Po: 63,986,434,048 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT=“Microsoft Windows Recovery Console” /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=“Microsoft Windows XP Professional” /noexecute=optin /fastdetect

154

– Dodane 21.03.2009 (So) 16:03 –

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:01:41, on 2009-03-21

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

D:\avast\aswUpdSv.exe

D:\avast\ashServ.exe

C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

C:\PROGRA~1\WANADOO\TaskbarIcon.exe

D:\avast\ashDisp.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\services.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

D:\avast\ashMaiSv.exe

D:\avast\ashWebSv.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Wanadoo\EspaceWanadoo.exe

C:\Program Files\Wanadoo\ComComp.exe

C:\Program Files\Wanadoo\Watch.exe

C:\Documents and Settings\Administrator\Pulpit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O4 - HKLM…\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\WANADOO\Watch.exe

O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\WANADOO\TaskbarIcon.exe

O4 - HKLM…\Run: [avast!] D:\avast\ashDisp.exe

O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime

O4 - HKLM…\Run: [bearShare] “D:\Program Files\BearShare\BearShare.exe” /pause

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [Konnekt] “C:\Program Files\Konnekt\konnekt.exe” /autostart

O4 - HKCU…\Policies\Explorer\Run: [iv] “C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Internet Explorer\iv.exe”

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)

O4 - Startup: Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: DSLMON.LNK = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra ‘Tools’ menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx

O17 - HKLM\System\CCS\Services\Tcpip…{0145CF41-B793-4CEF-AFD8-829B09625BC4}: NameServer = 194.204.159.1 217.98.63.164

O17 - HKLM\System\CS1\Services\Tcpip…{0145CF41-B793-4CEF-AFD8-829B09625BC4}: NameServer = 194.204.159.1 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\avast\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - D:\avast\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - D:\avast\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - D:\avast\ashWebSv.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Guard Service (ITGrdEngine) - Unknown owner - C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\services.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

–

End of file - 6068 bytes

Leon1 · 21 Marzec 2009 15:18

usuń ręcznie folder C: \Qoobox usuń instalkę Combofix z dysku. przecież to staroć

Wylecz pendriva lub kartę pamięci http://www.softpedia.com/get/Security/S … Tool.shtml

Flash Disinfector http://www.searchengines.pl/index.php?s … ntry369724

lub format

Pobierz Combofix http://www.searchengines.pl/index.php?s … ntry395642 ale nie włączaj

Podczas pobierania i skanu Combofixem proszę wyłączyć wszelkie zapory i antywirusy

Otwórz notatnik i wklej

zapisz jako CFScript.txt (zapisz by ikonka CFScript.txt była obok ikonki ComboFix.exe) >> Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe

Powinno rozpocząć się usuwanie

Potem log z usuwania Combofix

karolcia361 · 21 Marzec 2009 16:10

Dziękuję bardzo za pomoc!

huber2t · 21 Marzec 2009 16:15

Daj log z usuwania z combofix

Leon1 · 21 Marzec 2009 16:16

czekam