Internet lagging, computer too


(Rendolf) #1

Hi! For a few days I've had a problem with my computer and the internet... the computer has slowed down, applications and the internet take a long time to open... sometimes I wait up to 2 minutes for the browser to open... the system also freezes often. I used a few anti-malware programs, a few things popped up, e.g. win32.trojan.agent, but they were "supposedly" removed. I use Avast and Ad-Aware SE Personal, but at this point they no longer detect anything and the problem remains... Here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:22:35, on 2007-12-17

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe

C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE

C:\Program Files\SAGEM WiFi manager\WLANUTL.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O1 - Hosts: 208.109.206.98 L2authd.Lineage2.com

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [248a4bec] rundll32.exe "C:\WINDOWS\system32\flskupxo.dll",b

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

O4 - HKCU\..\Run: [Fraps] C:\DOCUMENTS AND SETTINGS\RENDOLF\PULPIT\FRAPS 2.9_UP_BY_.EIO\FRAPS.EXE

O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk = ?

O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O21 - SSODL: E404Helper - {9edfe7f1-8e4d-4c07-81f6-cb1ae705eb75} - e404d.dll (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe


--

End of file - 5354 bytes
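A triage pass over the log above, as an added example that is not part of the original thread and not HijackThis's own logic: the Python below parses HJT lines and flags the indicators that mark this log as a Vundo-style infection, namely the `O4` Run value with a hex-looking name that loads a random-looking DLL from system32 through rundll32 with a one-letter export (`248a4bec` / `flskupxo.dll`), the `O21` SSODL entry whose DLL is missing, and the `O1` hosts override. The sample log is a constructed excerpt of the first post's log; the `O20` Winlogon Notify line is constructed in HJT's format from the `Winlogon\Notify\efcayvw` key that VirtumundoBeGone reports later in the thread, and the thresholds in `looks_random` are this example's own heuristics, not a HijackThis rule.

```python
"""Heuristic triage of a HijackThis (HJT) log. Added example; not HJT's own logic."""
import re
from typing import List, Tuple

# Constructed excerpt in HJT's line format, modelled on the log in the post above.
# The O20 line is built from the Winlogon\Notify\efcayvw key reported later by
# VirtumundoBeGone; it is not in the posted HJT log itself.
SAMPLE_HJT_LOG = r"""
O1 - Hosts: 208.109.206.98 L2authd.Lineage2.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [248a4bec] rundll32.exe "C:\WINDOWS\system32\flskupxo.dll",b
O20 - Winlogon Notify: efcayvw - C:\WINDOWS\system32\efcayvw.dll
O21 - SSODL: E404Helper - {9edfe7f1-8e4d-4c07-81f6-cb1ae705eb75} - e404d.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<export>\S*))?', re.I)
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def looks_random(stem: str) -> bool:
    """Crude check for generated names like flskupxo or efcayvw: all-lowercase
    letters with few vowels or a consonant run of 3+. Vendor DLLs usually keep
    mixed case (NvCpl.dll) or carry digits (nvsvc32), so they are skipped.
    The thresholds are this example's own assumptions."""
    if not re.fullmatch(r"[a-z]{5,9}", stem):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowels / len(stem) < 0.2 or longest_run >= 3


def companion_ini(stem: str) -> str:
    """The CFScript later in this thread deletes oxpukslf.ini, which is the
    flskupxo DLL stem reversed; derive that companion name for the cleanup list."""
    return stem[::-1] + ".ini"


def triage(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (code, line, reasons) for every entry that earned at least one reason."""
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY_RE.match(line.strip())
        if not entry:
            continue
        code, body = entry.group("code"), entry.group("body")
        reasons: List[str] = []
        if code == "O1":
            # Any hosts override deserves a look; here it redirects a game login host.
            reasons.append("hosts file override: " + body.replace("Hosts: ", ""))
        elif code == "O4":
            run = RUN_RE.match(body)
            if run:
                if re.fullmatch(r"[0-9a-f]{8}", run.group("name")):
                    reasons.append("hex-looking Run value name")
                dll = RUNDLL_RE.search(run.group("cmd"))
                if dll:
                    path = dll.group("dll")
                    stem = path.rsplit("\\", 1)[-1][:-4]
                    if "system32" in path.lower() and looks_random(stem):
                        reasons.append("random-looking DLL in system32: " + stem)
                    if len(dll.group("export") or "") <= 1:
                        reasons.append("rundll32 export is missing or a single letter")
        elif code == "O20":
            notify = NOTIFY_RE.match(body)
            if notify and looks_random(notify.group("name")):
                reasons.append("Winlogon Notify package with random-looking name: "
                               + notify.group("name"))
        elif code == "O21" and "(file missing)" in body:
            reasons.append("ShellServiceObjectDelayLoad entry whose DLL is missing")
        if reasons:
            findings.append((code, line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for code, line, reasons in triage(SAMPLE_HJT_LOG):
        print(code, line)
        for reason in reasons:
            print("   -", reason)
```

Legitimate entries such as `NvCplDaemon` (mixed-case DLL, named export) produce no reasons and are not listed; the `248a4bec` entry collects three. When one random-looking stem is found, `companion_ini` gives the reversed-name `.ini` that the CFScript in this thread also removes, so both names can go on the removal list and on the post-cleanup check.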

(Gutek) #2

Use VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone.

Post a ComboFix log.


(Rendolf) #3

Unfortunately the first two didn't detect anything... here is the output from the last one

[12/23/2007, 21:40:23] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Rendolf\Pulpit\VirtumundoBeGone.exe" )

[12/23/2007, 21:40:28] - Detected System Information:

[12/23/2007, 21:40:28] - Windows Version: 5.1.2600, Dodatek Service Pack 2

[12/23/2007, 21:40:28] - Current Username: Rendolf (Admin)

[12/23/2007, 21:40:28] - Windows is in NORMAL mode.

[12/23/2007, 21:40:28] - Searching for Browser Helper Objects:

[12/23/2007, 21:40:28] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[12/23/2007, 21:40:28] - BHO 2: {1515B906-999A-48F3-8BF4-B7EC61BF5B38} ()

[12/23/2007, 21:40:28] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2007, 21:40:28] - Checking for HKLM\...\Winlogon\Notify\efcayvw

[12/23/2007, 21:40:28] - Found: HKLM\...\Winlogon\Notify\efcayvw - This is probably Virtumundo.

[12/23/2007, 21:40:28] - Assigning {1515B906-999A-48F3-8BF4-B7EC61BF5B38} MSEvents Object

[12/23/2007, 21:40:28] - BHO list has been changed! Starting over...

[12/23/2007, 21:40:28] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[12/23/2007, 21:40:28] - BHO 2: {1515B906-999A-48F3-8BF4-B7EC61BF5B38} (MSEvents Object)

[12/23/2007, 21:40:28] - ALERT: Found MSEvents Object!

[12/23/2007, 21:40:28] - BHO 3: {1e73fd96-c728-48ea-a752-1091a9c7bd35} ()

[12/23/2007, 21:40:28] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2007, 21:40:28] - No filename found. Continuing.

[12/23/2007, 21:40:28] - BHO 4: {22A94A39-A565-4371-AAD5-6F2EFD0938AD} ()

[12/23/2007, 21:40:28] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2007, 21:40:28] - Checking for HKLM\...\Winlogon\Notify\awtqn

[12/23/2007, 21:40:28] - Key not found: HKLM\...\Winlogon\Notify\awtqn, continuing.

[12/23/2007, 21:40:28] - BHO 5: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} (Winamp Toolbar BHO)

[12/23/2007, 21:40:28] - BHO 6: {3991A47A-980E-497B-9CFF-D8DA7181D7C9} ()

[12/23/2007, 21:40:28] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2007, 21:40:28] - No filename found. Continuing.

[12/23/2007, 21:40:28] - BHO 7: {4222BA82-4C78-46D4-9DCC-DEEB1D72E398} ()

[12/23/2007, 21:40:28] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2007, 21:40:28] - No filename found. Continuing.

[12/23/2007, 21:40:28] - BHO 8: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)

[12/23/2007, 21:40:28] - BHO 9: {7018d562-e319-44a3-8c69-263e34d66aae} ()

[12/23/2007, 21:40:28] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2007, 21:40:28] - Checking for HKLM\...\Winlogon\Notify\txpmykdd

[12/23/2007, 21:40:28] - Key not found: HKLM\...\Winlogon\Notify\txpmykdd, continuing.

[12/23/2007, 21:40:29] - BHO 10: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

[12/23/2007, 21:40:29] - BHO 11: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()

[12/23/2007, 21:40:29] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2007, 21:40:29] - No filename found. Continuing.

[12/23/2007, 21:40:29] - BHO 12: {CEA7643A-75AB-4862-8C8E-BBA0DBC34E37} ()

[12/23/2007, 21:40:29] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2007, 21:40:29] - No filename found. Continuing.

[12/23/2007, 21:40:29] - Finished Searching Browser Helper Objects

[12/23/2007, 21:40:29] - *** Detected MSEvents Object

[12/23/2007, 21:40:29] - Trying to remove MSEvents Object...

[12/23/2007, 21:40:30] - Terminating Process: IEXPLORE.EXE

[12/23/2007, 21:40:30] - Terminating Process: RUNDLL32.EXE

[12/23/2007, 21:40:30] - Disabling Automatic Shell Restart

[12/23/2007, 21:40:30] - Terminating Process: EXPLORER.EXE

[12/23/2007, 21:40:30] - Suspending the NT Session Manager System Service

[12/23/2007, 21:40:30] - Terminating Windows NT Logon/Logoff Manager

[12/23/2007, 21:40:31] - Re-enabling Automatic Shell Restart

[12/23/2007, 21:40:31] - File to disable: C:\WINDOWS\system32\efcayvw.dll

[12/23/2007, 21:40:31] - Removing HKLM\...\Browser Helper Objects\{1515B906-999A-48F3-8BF4-B7EC61BF5B38}

[12/23/2007, 21:40:31] - Removing HKCR\CLSID\{1515B906-999A-48F3-8BF4-B7EC61BF5B38}

[12/23/2007, 21:40:31] - Adding Kill Bit for ActiveX for GUID: {1515B906-999A-48F3-8BF4-B7EC61BF5B38}

[12/23/2007, 21:40:31] - Deleting ATLEvents/MSEvents Registry entries

[12/23/2007, 21:40:31] - Removing HKLM\...\Winlogon\Notify\efcayvw

[12/23/2007, 21:40:31] - Searching for Browser Helper Objects:

[12/23/2007, 21:40:31] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[12/23/2007, 21:40:31] - BHO 2: {1e73fd96-c728-48ea-a752-1091a9c7bd35} ()

[12/23/2007, 21:40:31] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2007, 21:40:31] - No filename found. Continuing.

[12/23/2007, 21:40:31] - BHO 3: {22A94A39-A565-4371-AAD5-6F2EFD0938AD} ()

[12/23/2007, 21:40:31] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2007, 21:40:31] - Checking for HKLM\...\Winlogon\Notify\awtqn

[12/23/2007, 21:40:31] - Key not found: HKLM\...\Winlogon\Notify\awtqn, continuing.

[12/23/2007, 21:40:31] - BHO 4: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} (Winamp Toolbar BHO)

[12/23/2007, 21:40:31] - BHO 5: {3991A47A-980E-497B-9CFF-D8DA7181D7C9} ()

[12/23/2007, 21:40:32] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2007, 21:40:32] - No filename found. Continuing.

[12/23/2007, 21:40:32] - BHO 6: {4222BA82-4C78-46D4-9DCC-DEEB1D72E398} ()

[12/23/2007, 21:40:32] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2007, 21:40:32] - No filename found. Continuing.

[12/23/2007, 21:40:32] - BHO 7: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)

[12/23/2007, 21:40:32] - BHO 8: {7018d562-e319-44a3-8c69-263e34d66aae} ()

[12/23/2007, 21:40:32] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2007, 21:40:32] - Checking for HKLM\...\Winlogon\Notify\txpmykdd

[12/23/2007, 21:40:32] - Key not found: HKLM\...\Winlogon\Notify\txpmykdd, continuing.

[12/23/2007, 21:40:32] - BHO 9: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

[12/23/2007, 21:40:32] - BHO 10: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()

[12/23/2007, 21:40:32] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2007, 21:40:32] - No filename found. Continuing.

[12/23/2007, 21:40:32] - BHO 11: {CEA7643A-75AB-4862-8C8E-BBA0DBC34E37} ()

[12/23/2007, 21:40:32] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/23/2007, 21:40:32] - No filename found. Continuing.

[12/23/2007, 21:40:32] - Finished Searching Browser Helper Objects

[12/23/2007, 21:40:32] - Finishing up...

[12/23/2007, 21:40:32] - A restart is needed.

[12/23/2007, 21:40:37] - Attempting to Restart via STOP error (Blue Screen!)


[12/23/2007, 21:44:54] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Rendolf\Pulpit\VirtumundoBeGone.exe" )

[12/23/2007, 21:45:00] - User choose NOT to continue. Exiting...

Spybot - Search & Destroy detects Virtumonde and supposedly removes it, but after rebooting the computer it's the same thing again... I've had it with this...


(Gutek) #4

Post a ComboFix log.


(Rendolf) #5

ComboFix 07-12-21.4 - Rendolf 2007-12-24 15:26:34.1 - NTFSx86

(Rendolf) #6

I'll add that my ping in Battlefield 2 jumps to about 1000 every 3-4 minutes and then returns to normal after about a minute. The internet drops about once an hour, and in the process list EXPLORER.EXE appears about 5 times at once. Using the above programs in Safe Mode and then ComboFix does nothing. After booting normally the virus still pops up and it's still the same. Vundo no longer pops up, only Trojan.Agent. Please help.


(Gutek) #7

Paste into Notepad:

File::

C:\WINDOWS\Lrx85.sys

C:\WINDOWS\system32\qdxphvwr.ini

C:\WINDOWS\system32\baexoqqa.ini 

C:\WINDOWS\system32\oxpukslf.ini

C:\WINDOWS\system32\uolvanac.ini

C:\WINDOWS\system32\oeyvtmgc.ini

C:\WINDOWS\system32\Drivers\Lrx85.sys 


Driver::

Lrx85


Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcayvw]

>>File>>Save as... >>> CFScript (it's most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt file onto the ComboFix.exe file (i.e. the CFScript.txt icon onto the ComboFix.exe icon)

– like in this picture --> 88953CFScript-createdbyMiekiemoes.gif

(if the question "1 or 2" appears, type 1 and press ENTER). The removal should start (and a log will be created).

After the reboot, manually delete the folder C: **** Qoobox.

Then post a new ComboFix log.
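A way to turn the script above into a post-cleanup check, as an added example (not ComboFix's own code and not from the thread): the Python below parses the `File::`, `Driver::` and `Registry::` sections of the CFScript and reports which targets still exist after the run. The existence checks are passed in as functions so the code runs offline against a constructed state; on the cleaned machine you would pass `os.path.exists` for files, a service query for the driver name, and `windows_key_exists` for the registry key. Reading `[-KEY]` as "delete this whole key" is an assumption about the CFScript dialect, taken from how the script above uses it.

```python
"""Parse a ComboFix CFScript and report which of its targets survived the run.
Added example; not ComboFix's own code."""
import re
from typing import Callable, Dict, List

# The CFScript from the post above, verbatim.
CFSCRIPT = r"""
File::
C:\WINDOWS\Lrx85.sys
C:\WINDOWS\system32\qdxphvwr.ini
C:\WINDOWS\system32\baexoqqa.ini
C:\WINDOWS\system32\oxpukslf.ini
C:\WINDOWS\system32\uolvanac.ini
C:\WINDOWS\system32\oeyvtmgc.ini
C:\WINDOWS\system32\Drivers\Lrx85.sys

Driver::
Lrx85

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcayvw]
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the 'Name::' header that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_deletions(entries: List[str]) -> List[str]:
    """'[-KEY]' lines are read as whole-key deletions (assumption about the
    CFScript dialect; other Registry:: forms are ignored here)."""
    keys = []
    for entry in entries:
        m = re.fullmatch(r"\[-(?P<key>.+)\]", entry)
        if m:
            keys.append(m.group("key"))
    return keys


def leftovers(sections: Dict[str, List[str]],
              file_exists: Callable[[str], bool],
              driver_present: Callable[[str], bool],
              key_exists: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Every File::, Driver:: and Registry:: target that the checks still find."""
    return {
        "File": [p for p in sections.get("File", []) if file_exists(p)],
        "Driver": [d for d in sections.get("Driver", []) if driver_present(d)],
        "Registry": [k for k in registry_deletions(sections.get("Registry", []))
                     if key_exists(k)],
    }


def windows_key_exists(key: str) -> bool:
    """Registry check for use on the cleaned machine itself (Windows only)."""
    import winreg  # stdlib, but only importable on Windows
    hive_name, _, subkey = key.partition("\\")
    try:
        winreg.CloseKey(winreg.OpenKey(getattr(winreg, hive_name), subkey))
        return True
    except OSError:
        return False


# Constructed post-run state: everything removed except one reversed-name .ini.
SURVIVING_FILES = {r"C:\WINDOWS\system32\oxpukslf.ini"}


def demo() -> Dict[str, List[str]]:
    """Run the check against the constructed state above."""
    sections = parse_cfscript(CFSCRIPT)
    return leftovers(sections,
                     file_exists=lambda p: p in SURVIVING_FILES,
                     driver_present=lambda d: False,
                     key_exists=lambda k: False)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {'clean' if not items else ', '.join(items)}")
```

Anything reported by `leftovers` after the reboot means the script did not fully take, which is the point at which the helper asks for another ComboFix log rather than declaring the machine clean.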


(Rendolf) #8

The antivirus no longer detects anything, the ping is back to normal, I don't see any unknown processes... The virus is most likely history. MANY THANKS! Cheers


(Gutek) #9

Paste into Notepad:

Driver::

FRK

>>File>>Save as... >>> CFScript (it's most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt file onto the ComboFix.exe file (i.e. the CFScript.txt icon onto the ComboFix.exe icon)

– like in this picture --> 88953CFScript-createdbyMiekiemoes.gif

(if the question "1 or 2" appears, type 1 and press ENTER). The removal should start (and a log will be created).

After the reboot, manually delete the folder C: **** Qoobox.

Then post a new ComboFix log.