Jak wywalić Trojan Horse i W32.Silly FDC


(Onemail) #1

Wywalono moj wpis i kazano zalozyc temat wiec zakladam: Moj norton wykrywa Trojan Horse i W32.Silly FDC. Mam loga z Combofixa. wczesniej niemoglem otworzyc ikony dysku bo sie pojawiala opcja otworz za pomoca, teraz mam ciagle pokazane ukryte pliki nawet jak je wylacze. Bardzo prosze o pomoc bo juz mam dosc a nieznam sie na tym wszystkim za bardzo. Jak to wywalic w prosty sposob. Oto LOG :

ComboFix 09-08-07.04 - Administrator 2009-08-07 23:25.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2038.1570 [GMT 2:00]

Uruchomiony z: c:\documents and settings\Administrator\Pulpit\ComboFix.exe

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

.

((((((((((((((((((((((((( Pliki utworzone od 2009-07-07 do 2009-08-07 )))))))))))))))))))))))))))))))

.

2009-08-07 21:15 . 2009-03-12 08:42 165240 ----a-r- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll

2009-08-07 19:59 . 2009-08-06 08:00 87888 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090807.007\NAVENG.SYS

2009-08-07 19:59 . 2009-08-06 08:00 875728 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090807.007\NAVEX15.SYS

2009-08-07 19:59 . 2009-08-06 08:00 371248 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090807.007\EECTRL.SYS

2009-08-07 19:59 . 2009-08-06 08:00 259368 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090807.007\ECMSVR32.DLL

2009-08-07 19:59 . 2009-08-06 08:00 2414128 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090807.007\CCERASER.DLL

2009-08-07 19:59 . 2009-08-06 08:00 177520 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090807.007\NAVENG32.DLL

2009-08-07 19:59 . 2009-08-06 08:00 1181040 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090807.007\NAVEX32A.DLL

2009-08-07 19:59 . 2009-08-06 08:00 101936 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090807.007\ERASER.SYS

2009-08-07 13:29 . 2009-07-11 23:15 533880 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\Scxpx86.dll

2009-08-07 13:29 . 2009-07-11 23:15 451960 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSxpx86.dll

2009-08-07 13:29 . 2009-07-11 23:15 397360 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSviA64.sys

2009-08-07 13:29 . 2009-07-11 23:15 293424 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSvix86.sys

2009-08-07 13:29 . 2009-07-11 23:15 276344 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSXpx86.sys

2009-08-07 09:37 . 2009-08-07 09:37 -------- d--h--w- c:\windows\PIF

2009-08-07 09:35 . 2009-08-07 09:35 -------- d-----w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\Thunderbird

2009-08-07 09:35 . 2009-08-07 09:35 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Thunderbird

2009-08-07 09:34 . 2009-08-07 17:55 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-08-07 09:19 . 2009-08-07 21:14 -------- d-----w- c:\windows\system32\drivers\NIS

2009-08-07 09:19 . 2009-08-07 09:20 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Norton

2009-08-07 09:19 . 2009-08-07 09:20 -------- d-----w- c:\program files\Norton Internet Security

2009-08-07 09:19 . 2009-08-07 09:19 -------- d-----w- c:\program files\Windows Sidebar

2009-08-07 09:17 . 2009-08-07 09:17 -------- d-----w- c:\program files\NortonInstaller

2009-08-07 09:17 . 2009-08-07 09:17 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\NortonInstaller

2009-08-06 23:05 . 2001-08-17 21:59 3072 ----a-w- c:\windows\system32\drivers\audstub.sys

2009-08-06 23:04 . 2008-04-14 21:35 58880 ----a-w- c:\windows\system32\drivers\redbook.sys

2009-08-06 23:04 . 2008-04-14 22:50 77312 ----a-w- c:\windows\system32\usbui.dll

2009-08-06 23:02 . 2001-08-18 01:55 6144 -c--a-w- c:\windows\system32\dllcache\kbdlv1.dll

2009-08-06 23:01 . 2009-08-06 21:17 -------- d-----w- C:\Documents and Settings

2009-08-06 23:01 . 2009-08-06 21:13 -------- d--h--w- c:\documents and settings\Default User

2009-08-06 23:01 . 2009-08-06 21:12 -------- d-----w- c:\documents and settings\All Users

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-07 19:58 . 2009-08-07 09:20 -------- d-----w- c:\program files\Symantec

2009-08-07 19:58 . 2009-08-07 09:20 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-08-07 19:58 . 2009-08-07 09:20 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-08-07 19:58 . 2009-08-07 09:20 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-08-07 19:58 . 2009-08-07 09:20 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-08-07 09:37 . 2009-08-07 09:20 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-07 09:20 . 2009-08-07 09:20 1294680 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll

2009-08-07 09:20 . 2009-08-07 09:20 136840 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll

2009-08-07 09:20 . 2009-08-07 09:20 791920 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll

2009-08-07 09:20 . 2009-08-07 09:20 288104 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CPDOEM\CPDOEM.dll

2009-08-06 21:24 . 2009-08-06 21:23 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-06 21:24 . 2009-08-06 21:24 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\InstallShield

2009-08-06 21:23 . 2009-08-06 21:23 -------- d-----w- c:\program files\Realtek

2009-08-06 21:23 . 2009-08-06 21:23 -------- d-----w- c:\program files\Common Files\InstallShield

2009-08-06 21:19 . 2001-10-26 19:15 49712 ----a-w- c:\windows\system32\perfc015.dat

2009-08-06 21:19 . 2001-10-26 19:15 355830 ----a-w- c:\windows\system32\perfh015.dat

2009-08-06 21:13 . 2009-08-06 21:13 -------- d-----w- c:\program files\microsoft frontpage

2009-08-06 21:12 . 2009-08-06 21:12 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-08-06 21:11 . 2009-08-06 21:11 -------- d-----w- c:\program files\Usługi online

2009-08-06 21:09 . 2009-08-06 21:09 21856 ----a-w- c:\windows\system32\emptyregdb.dat

2009-08-06 21:09 . 2009-08-06 21:09 -------- d-----w- c:\program files\Windows Media Connect 2

2009-08-06 18:29 . 2009-08-06 18:29 12328 ----a-w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2009-08-06 18:29 . 2009-08-06 18:29 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\LightScribe

2009-08-06 18:26 . 2009-08-06 18:26 -------- d-----w- c:\program files\Common Files\LightScribe

2009-08-06 18:25 . 2009-08-06 18:25 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Ahead

2009-08-06 18:25 . 2009-08-06 18:25 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Ahead

2009-08-06 18:24 . 2009-08-06 18:21 -------- d-----w- c:\program files\Common Files\Ahead

2009-08-06 18:21 . 2009-08-06 18:21 -------- d-----w- c:\program files\Nero

2009-08-06 18:21 . 2009-08-06 18:21 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Nero

2009-08-06 17:52 . 2009-08-06 15:58 -------- d-----w- c:\program files\NAPI-PROJEKT

2009-08-06 17:51 . 2009-08-06 17:51 -------- d-----w- c:\program files\ALLPlayer

2009-08-06 15:58 . 2009-08-06 15:58 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-08-06 15:58 . 2009-08-06 15:58 -------- d-----w- c:\program files\Java

2009-08-06 15:58 . 2009-08-06 15:58 152576 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\Sun\Java\jre1.6.0_11\lzma.dll

2009-08-06 15:53 . 2009-08-06 15:53 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Gadu-Gadu

2009-08-06 15:50 . 2009-08-06 15:50 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Media Player Classic

2009-08-06 15:48 . 2009-08-06 15:48 -------- d-----w- c:\program files\Gadu-Gadu

2009-08-06 15:47 . 2009-08-06 15:47 -------- d-----w- c:\program files\K-Lite Codec Pack

2009-08-06 15:45 . 2009-08-06 15:45 -------- d-----w- c:\program files\IrfanView

2009-08-06 15:44 . 2009-08-06 15:44 -------- d-----w- c:\program files\Winamp

2009-08-06 15:41 . 2009-08-06 15:41 0 ----a-w- c:\windows\nsreg.dat

2009-07-11 23:15 . 2009-08-07 09:20 397360 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys

2009-07-11 23:15 . 2009-08-07 09:20 293424 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys

2009-07-11 23:15 . 2009-08-07 09:20 276344 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys

2009-07-11 23:15 . 2009-08-07 09:20 533880 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll

2009-07-11 23:15 . 2009-08-07 09:20 451960 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll

.

------- Sigcheck -------

[-] 2008-04-25 14:09 1571840 C8BDAD4065118558B3DC360FC96D81DB c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]

"ALLUpdate"="c:\program files\ALLPlayer\ALLUpdate.exe" [2009-06-04 869888]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-16 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-16 178712]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-16 150040]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 136600]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-10-28 17331200]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\Network Diagnostic\xpnetdiag.exe"=

"%windir%\system32\sessmgr.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1005000.087\SymEFA.sys [2009-08-07 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1005000.087\BHDrvx86.sys [2009-08-07 258608]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1005000.087\cchpx86.sys [2009-08-07 482352]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSXpx86.sys [2009-08-07 276344]

R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [2009-08-07 115560]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-06 101936]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

.

------- Skan uzupełniający -------

.

FF - ProfilePath - c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\wb8xgshg.default\

FF - component: c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\All Users\Dane aplikacji\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-07 23:27

Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"

.

Czas ukończenia: 2009-08-07 23:28

ComboFix-quarantined-files.txt 2009-08-07 21:27

Przed: 116 845 273 088 bajtów wolnych

Po: 116 838 182 912 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

163


(Henio Mazurek) #2

Nic tu nie ma. Napisz w jakim pliku Norton coś wykrywa (dokładna lokalizacja).