Mergix
(Misza11111)
30 November 2007 21:18
#1
Hello,
I have a similar problem. A Live Security Center icon appears in the Start menu, a virus warning keeps popping up, the browser opens and the computer tries to download some files.
Here is the ComboFix log:
ComboFix 07-11-19.4C - user 2007-11-30 21:30:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.503 [GMT 1:00]
Running from: C:\Documents and Settings\user\Pulpit\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\user\Dane aplikacji\DriveCleaner Free
C:\Documents and Settings\user\Dane aplikacji\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\user\Dane aplikacji\errorsafefreeinstall_pl[1].exe
C:\Program Files\Common Files\drivecleaner free
C:\Program Files\Common Files\drivecleaner free\udcpas.exe
C:\Program Files\Common Files\drivecleaner free\udcsdr.exe
C:\Program Files\instant access
C:\Program Files\instant access\Center\FOOT FOR YOU.lnk
C:\Program Files\instant access\Center\FOOT FOR YOU.upd
C:\Program Files\instant access\Center\tray1.ico
C:\Program Files\instant access\DesktopIcons\FOOT FOR YOU.lnk
C:\Program Files\instant access\Multi\20061216161226\Common\module.php
C:\Program Files\instant access\Multi\20061216161226\Common\module.php_0.loginvis
C:\Program Files\instant access\Multi\20061216161226\dialerexe.ini
C:\Program Files\instant access\Multi\20061216161226\js\js_api_dialer.php
C:\Program Files\instant access\Multi\20061216161226\medias\dialer.ico
C:\WINDOWS\dialerexe.ini
c:\WINDOWS\system32\graxpza.dat
c:\windows\system32\graxpza.exe
C:\WINDOWS\system32\graxpza_nav.dat
c:\WINDOWS\system32\graxpza_navps.dat
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\tmlpcert2007
.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.
2007-11-24 19:07
2007-11-24 19:05
2007-11-10 17:11
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 20:31 29,725,728 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-30 20:31 1,392,928 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-30 20:29 --------- d-----w C:\Program Files\Neostrada TP
2007-11-30 20:10 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\Skype
2007-11-30 19:56 400,484 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-30 19:56 136,616 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-23 13:32 12,800 --s-a-w C:\WINDOWS\system32\ivrllc.dll
2005-05-11 21:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F44D8E66-7BB6-49BD-A924-5E0368C00FD1}]
2007-11-30 20:57 14336 --a------ C:\Program Files\Video Add-on\isfmdl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EFAF6EA3-615D-4F83-8748-2F7A576FCEA6}"= C:\Program Files\Video Add-on\ictmdl.dll [2007-11-24 19:05 78336]
[HKEY_CLASSES_ROOT\clsid\{efaf6ea3-615d-4f83-8748-2f7a576fcea6}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EFAF6EA3-615D-4F83-8748-2F7A576FCEA6}"= C:\Program Files\Video Add-on\ictmdl.dll [2007-11-24 19:05 78336]
[HKEY_CLASSES_ROOT\clsid\{efaf6ea3-615d-4f83-8748-2f7a576fcea6}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 17:25]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-06-08 17:08]
"ares"="D:\Program Files\Ares\Ares.exe" []
"PowerBar"="C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 09:26]
"OM_Monitor"="D:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" []
"Error Safe"="C:\Program Files\Error Safe Free\ers.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"Gadu-Gadu"="D:\Documents and Settings\user\Pulpit\Gadu-Gadu\gg.exe" [2007-04-19 16:43]
"DAEMON Tools"="d:\Program Files\DAEMON Tools\daemon.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:44]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 10:28 C:\WINDOWS\RTHDCPL.EXE]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 13:43]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 19:24]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 17:07]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 17:07]
"WOOTASKBARICON"="C:\Program Files\Neostrada TP\taskbaricon.exe" [2003-10-16 17:07]
"HP Software Update"="D:\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12]
"OM_Monitor"="D:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" []
"kav"="D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2006-03-24 19:09]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:44]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-07-31 10:57:32]
HP Digital Imaging Monitor.lnk - D:\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26]
HP Image Zone - szybkie uruchamianie.lnk - D:\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 23:49:24]

C:\WINDOWS\system32\klogon.dll 2006-03-24 19:08 28778 C:\WINDOWS\system32\klogon.dll

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0fbb3ba-1e36-11db-bbb0-806d6172696f}]
\Shell\AutoRun\command - E:\VM_RP_D3.exe

*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 21:31:50
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-30 21:32:15
.
--- E O F ---
I would be grateful for any help.
Gutek
(Gutek)
30 November 2007 23:04
#2
Use SmitFraudFix, choose option no. 2, in Safe Mode of course, and after that post a new ComboFix log.
I am splitting this off into its own topic.
Mergix
(Misza11111)
7 December 2007 17:02
#3
Thanks, it seems to have helped, but now I can't use the internet. I have Neostrada and a message appears: "Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience." After that the internet stops working.
I don't know whether this is related to the earlier problem. ComboFix log:
ComboFix 07-12-07.3 - user 2007-12-07 17:56:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.543 [GMT 1:00]
Running from: C:\Documents and Settings\user\Pulpit\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-11-07 to 2007-12-07 )))))))))))))))))))))))))))))))
.
2007-12-07 17:13 . 2007-12-07 17:16 2,496 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-07 17:12 . 2007-11-30 21:32
2007-12-07 17:12 . 2006-07-28 11:26
2007-12-07 17:12 . 2006-07-28 09:39
2007-12-07 17:12 . 2006-07-28 11:26
2007-12-07 17:12 . 2006-07-28 11:26
2007-12-07 17:12 . 2006-07-28 11:26
2007-12-07 17:12 . 2006-07-28 11:26
2007-12-07 17:12 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-07 17:12 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-07 17:12 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-07 17:12 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-07 17:12 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-11 08:41 . 2007-11-11 08:41 28,536,366 --a------ C:\HSV.fm
2007-11-10 17:11 . 2007-11-10 17:12
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-07 16:58 29,928,224 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-07 16:58 1,401,376 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-07 16:57 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\Skype
2007-12-07 16:48 403,652 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-07 16:48 137,456 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-07 16:44 --------- d-----w C:\Program Files\Neostrada TP
2005-05-11 21:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((( snapshot@2007-11-30_21.31.54,15 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 15:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-27 02:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-07 16:55:16 7,156 ----a-w C:\WINDOWS\system32\dbnetlii.dat
- 2007-11-30 20:30:09 6,392 ----a-w C:\WINDOWS\system32\mmutiose.dat
+ 2007-12-07 16:46:12 7,528 ----a-w C:\WINDOWS\system32\mmutiose.dat
- 2007-11-30 20:15:23 9,824 ----a-w C:\WINDOWS\system32\MSJTER3D.dat
+ 2007-12-07 16:55:16 12,557 ----a-w C:\WINDOWS\system32\MSJTER3D.dat
- 2007-11-30 20:30:09 5,456 ----a-w C:\WINDOWS\system32\scriptjw.dat
+ 2007-12-07 16:26:50 6,080 ----a-w C:\WINDOWS\system32\scriptjw.dat
- 2007-11-30 20:15:23 8,888 ----a-w C:\WINDOWS\system32\sendmaul.dat
+ 2007-12-07 16:55:13 11,109 ----a-w C:\WINDOWS\system32\sendmaul.dat
+ 2007-12-07 16:40:35 3,216 ----a-w C:\WINDOWS\system32\shlwaoiy.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F44D8E66-7BB6-49BD-A924-5E0368C00FD1}]
C:\Program Files\Video Add-on\isfmdl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Offline Files]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\resutilr]
@={3A45C9C9-C957-F6EF-B4CE-60782ACECAB4}
[HKEY_CLASSES_ROOT\CLSID\{3A45C9C9-C957-F6EF-B4CE-60782ACECAB4}]
2004-08-03 23:44 71168 --a------ C:\WINDOWS\system32\resutilr.dIl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 17:25]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-06-08 17:08]
"ares"="D:\Program Files\Ares\Ares.exe" []
"PowerBar"="C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 09:26]
"OM_Monitor"="D:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" []
"Error Safe"="C:\Program Files\Error Safe Free\ers.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"Gadu-Gadu"="D:\Documents and Settings\user\Pulpit\Gadu-Gadu\gg.exe" [2007-04-19 16:43]
"DAEMON Tools"="d:\Program Files\DAEMON Tools\daemon.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:44]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 10:28 C:\WINDOWS\RTHDCPL.EXE]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 13:43]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 19:24]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 17:07]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 17:07]
"WOOTASKBARICON"="C:\Program Files\Neostrada TP\taskbaricon.exe" [2003-10-16 17:07]
"HP Software Update"="D:\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12]
"OM_Monitor"="D:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" []
"kav"="D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2006-03-24 19:09]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:44]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-07-31 10:57:32]
HP Digital Imaging Monitor.lnk - D:\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26]
HP Image Zone - szybkie uruchamianie.lnk - D:\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 23:49:24]

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
.
**************************************************************************
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-07 17:58:11
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-07 17:58:40
C:\ComboFix2.txt ... 2007-11-30 21:32
.
--- E O F ---
Thanks in advance.
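Reading a ComboFix log by eye means checking every Run-key and CLSID file line for names that belong to the infection, which is easy to miss in a wall of entries. The following Python scanner is an added example for this thread, not code from ComboFix or from either poster. It parses the "Reg Loading Points" line shapes seen in the two logs above and flags three things that stand out in them: paths carrying a rogue product name the logs themselves list (Error Safe, DriveCleaner, Video Add-on, instant access), a ".dll"-look-alike extension built from swapped glyphs such as the `resutilr.dIl` in the second log, and Run entries for which ComboFix recorded no file date or size (the empty `[]`). The sample lines, the name list and the three heuristics are my own constructions for illustration, not part of ComboFix.

```python
"""Flag suspicious autorun entries in ComboFix-style "Reg Loading Points" text.

Added example for this thread. The sample log, the rogue-name list and the
heuristics are constructed assumptions for illustration; ComboFix itself does
none of this classification.
"""
import re
from typing import Dict, List, Optional

# Product names the posted logs tie to the infection (taken from the thread's logs).
ROGUE_NAMES = ("error safe", "drivecleaner", "video add-on", "instant access")

# Run-key line shape ComboFix prints: "name"="path" [file details]
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<details>[^\]]*)\]')
# Any other line carrying a drive-letter path (BHO / CLSID file lines).
PATH_IN_LINE = re.compile(r"(?P<path>[A-Za-z]:\\.+?)\s*$")
# An extension that reads like "dll" but uses capital I, digit 1 or pipe for l.
DLL_LOOKALIKE = re.compile(r"^d[lI1|]{2}$")


def has_extension_homoglyph(path: str) -> bool:
    """True when the file extension mimics .dll with look-alike glyphs (e.g. resutilr.dIl)."""
    ext = path.rsplit(".", 1)[-1] if "." in path else ""
    return ext.lower() != "dll" and DLL_LOOKALIKE.match(ext) is not None


def suspicious_reasons(path: str, details: Optional[str] = None) -> List[str]:
    """Return the list of reasons an entry deserves a closer look (empty if none)."""
    reasons: List[str] = []
    low = path.lower()
    for name in ROGUE_NAMES:
        if name in low:
            reasons.append(f"path contains rogue product name '{name}'")
    if has_extension_homoglyph(path):
        reasons.append("extension is a .dll look-alike (homoglyph)")
    # details is None for non-Run lines; "" means ComboFix printed [] for the entry.
    if details is not None and details.strip() == "":
        reasons.append("no file date/size recorded for this Run entry")
    return reasons


def scan_loading_points(lines) -> List[Dict[str, object]]:
    """Walk log lines, remember the current registry key, and collect flagged paths."""
    findings: List[Dict[str, object]] = []
    current_key = ""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line  # a registry key header such as [HKEY_...\Run]
            continue
        m = RUN_ENTRY.match(line)
        if m:
            path, details = m.group("path"), m.group("details")
        else:
            p = PATH_IN_LINE.search(line)
            if not p:
                continue
            path, details = p.group("path"), None
        reasons = suspicious_reasons(path, details)
        if reasons:
            findings.append({"key": current_key, "path": path, "reasons": reasons})
    return findings


# Constructed sample, modelled on the two logs in this thread.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 17:25]
"Error Safe"="C:\Program Files\Error Safe Free\ers.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:44]
[HKEY_CLASSES_ROOT\CLSID\{3A45C9C9-C957-F6EF-B4CE-60782ACECAB4}]
2004-08-03 23:44 71168 --a------ C:\WINDOWS\system32\resutilr.dIl
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F44D8E66-7BB6-49BD-A924-5E0368C00FD1}]
2007-11-30 20:57 14336 --a------ C:\Program Files\Video Add-on\isfmdl.dll
'''

if __name__ == "__main__":
    for hit in scan_loading_points(SAMPLE_LOG.splitlines()):
        print(hit["key"])
        print("  ", hit["path"])
        for reason in hit["reasons"]:
            print("     -", reason)
```

The homoglyph check is deliberately narrow: a genuine `.dll` or `.DLL` passes, and only an extension that is one or two glyph swaps away from "dll" is reported, so legitimate entries such as `klogon.dll` in the first log are not flagged. An empty `[]` by itself is only a weak signal (the logs above show it for several files on drive D:), which is why it is reported as a reason alongside the others rather than treated as a verdict.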
Gutek
(Gutek)
7 December 2007 17:13
#4
Also use RVAXO - http://home.hetnet.nl/~stefsmeenk/RVAXO.exe - once you have unpacked it, run the RVAXO.cmd file. Uninstallers of the malicious programs may start; do not close them. After that, a new ComboFix log.
Use Windows Worms Doors Cleaner and change the markers from disable to enable. After using this tool a system restart is required.
Gutek
(Gutek)
8 December 2007 16:09
#6
Paste into Notepad:
>>File>>Save As... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
- as in this picture ->
(if the question " 1 or 2 " appears, type 1 and press ENTER). The removal should start (and a log will be created).
After the restart, manually delete the folder C:\Qoobox.
After that, a new ComboFix log.