Jak usunąć Antivirus System PRO


(Mathew) #1

Nie mogę sobie poradzić z usunięciem tego szitu jakim jest Antivirus System PRO ;( próbowałem już wszystkiego.

Log z HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:05:11, on 2009-06-06

Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\TUProgSt.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\RivaTuner v2.09\RivaTuner.exe

C:\Program Files\A4Tech\Mouse\Amoumain.exe

C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AutoConnect\AutoConnect.exe

C:\Program Files\SpeedFan\speedfan.exe

C:\Program Files\Steam\Steam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O1 - Hosts: ::1 localhost

O1 - Hosts: 209.44.111.57 alarm-security.microsoft.com

O1 - Hosts: 209.44.111.57 inetantivirus.com

O1 - Hosts: 209.44.111.57 www.inetantivirus.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: flashget2 urlcatch - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\bhoCATCH.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.09\RivaTuner.exe" /S

O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.09\RivaTuner.exe" /T

O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\RunOnce: [PackFolders] C:\WINDOWS\BricoPackFoldersDelete.cmd

O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: speedfan.exe.lnk = C:\Program Files\SpeedFan\speedfan.exe

O8 - Extra context menu item: &Download All by FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm

O8 - Extra context menu item: &Download by FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2EAAF17C-61F7-43B1-A2EF-C716F2DEC75E}: NameServer = 194.204.159.1 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe


--

End of file - 7064 bytes

(deFco247) #2

Fix w HiJackThis: ( Do a system scan only -> zaznaczasz pola przy podanych niżej wpisach -> Fix checked )

Wykonaj pełny skan Malwarebytes’ Anti-Malware - znalezione obiekty usuń, pokaż log z usuwania.


(Mathew) #3

Hijack fixnięty

log z AM:

Malwarebytes' Anti-Malware 1.37

Wersja bazy definicji: 2182

Windows 5.1.2600 Dodatek Service Pack 3


2009-06-07 00:11:53

mbam-log-2009-06-07 (00-11-53).txt


Typ skanowania: Szybkie skanowanie

Przeskanowane obiekty: 94130

Upłynęło: 5 minute(s), 30 second(s)


Zainfekowane procesy w pamięci: 0

Zainfekowane moduły pamięci: 0

Zainfekowane klucze rejestru: 7

Zainfekowane wartości rejestru: 1

Zainfekowane pliki rejestru: 4

Zainfekowane foldery: 0

Zainfekowane pliki: 3


Zainfekowane procesy w pamięci:

(Nie wykryto groźnych plików)


Zainfekowane moduły pamięci:

(Nie wykryto groźnych plików)


Zainfekowane klucze rejestru:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{37b85a2b-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.


Zainfekowane wartości rejestru:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.


Zainfekowane pliki rejestru:

HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.


Zainfekowane foldery:

(Nie wykryto groźnych plików)


Zainfekowane pliki:

C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\iehelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\WINDOWS\Fonts\fontinst.exe (Worm.Archive) -> Quarantined and deleted successfully.

Dodane 09.06.2009 (Wt) 13:31

Sory, że dubluje posta ;*

Było kilka dni spokoju i znowu to samo ;( ocb?