Computer is sending out spam


(Carlsberglech) #1

Please check my log. Avast reports that my computer is sending out spam.

Logfile of HijackThis v1.99.1

Scan saved at 17:33:07, on 2008-02-20

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\PROGRA~1\Wanadoo\TaskbarIcon.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\aspimgr.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Microsoft SQL Server\MSSQL$INSERTGT\Binn\sqlservr.exe

C:\Program Files\OpenOffice.ux.pl 2.0\program\soffice.exe

C:\Program Files\OpenOffice.ux.pl 2.0\program\soffice.BIN

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\InsERT\InsERT GT\Subiekt.exe

C:\Program Files\InsERT\InsERT GT\MUZ.exe

C:\Program Files\Wanadoo\EspaceWanadoo.exe

C:\Program Files\Wanadoo\ComComp.exe

C:\Program Files\Wanadoo\Watch.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\IZArc\IZArc.exe

C:\DOCUME~1\Admin\USTAWI~1\Temp\ARC1E\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Startup: Neostrada Plus.lnk = C:\Program Files\Wanadoo\EspaceWanadoo.exe

O4 - Startup: OpenOffice.ux.pl 2.0.lnk = C:\Program Files\OpenOffice.ux.pl 2.0\program\quickstart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176289609828

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/sezam/components/SignActivX.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{06B94D71-DC7F-4AD1-B141-4C99BEF3130B}: NameServer = 194.204.159.1 217.98.63.164

O17 - HKLM\System\CS1\Services\Tcpip\..\{06B94D71-DC7F-4AD1-B141-4C99BEF3130B}: NameServer = 194.204.159.1 217.98.63.164

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
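As an added example (not part of the thread and not HijackThis code), a small triage script for the O23 service entries in a log like the one above. It takes four O23 lines copied from that log as sample input and ranks them: a service with no recorded vendor whose binary sits in system32 under a Microsoft-sounding name (aspimgr here) is rated high, while the avast entries whose path was cut at a quote mark are only marked for manual review.

```python
import re

# O23 lines copied from the HijackThis log above, embedded as sample input
# (the triage logic is an added example, not HijackThis code).
SAMPLE_O23 = r"""
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Line shape: O23 - Service: <display name> [(<service name>)] - <owner> - <image path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)

def triage_o23(log_text):
    """Return (service, level, reasons) per O23 line.

    high   - no vendor recorded and the binary sits in system32 and/or the
             display name claims Microsoft: the aspimgr pattern in this log
    review - no vendor and HijackThis reports the file missing; here the path
             was cut at a quote mark ('...exe" /service'), so check it by hand
    ok     - a vendor is recorded
    """
    findings = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        svc = m.group("name") or m.group("display")
        owner, path = m.group("owner"), m.group("path")
        if owner != "Unknown owner":
            findings.append((svc, "ok", [owner]))
            continue
        if "(file missing)" in path:
            findings.append((svc, "review", ["unknown owner", "file missing or path cut"]))
            continue
        why = ["unknown owner"]
        if path.lower().startswith("c:\\windows\\system32\\"):
            why.append("binary in system32")
        if "microsoft" in m.group("display").lower():
            why.append("Microsoft-style name without Microsoft as owner")
        findings.append((svc, "high" if len(why) > 1 else "review", why))
    return findings

if __name__ == "__main__":
    for svc, level, why in triage_o23(SAMPLE_O23):
        print(f"{level:6} {svc}: {'; '.join(why)}")
```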

(Leon$) #2

Start >> Run >> cmd

sc stop aspimgr

sc delete aspimgr

download ComboFix http://www.bezpieczenstwosystemow.pl/index.php?topic=18.0

open Notepad and paste

File:: 

C:\WINDOWS\system32\aspimgr.exe

save as CFScript.txt (save it so that the CFScript.txt icon sits next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri … iemoes.gif

The removal should begin

Then the log from the removal

After the restart, if everything is OK, delete the C:\Qoobox folder manually



(Carlsberglech) #3

I did everything according to the instructions. Here is the ComboFix log.

ComboFix 08-02-20.2 - Admin 2008-02-20 17:56:08.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.39 [GMT 1:00]

Running from: C:\Documents and Settings\Admin\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\Admin\Pulpit\CFScript.txt

 * Created a new restore point


[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED [/b][/color]


FILE ::

C:\WINDOWS\system32\aspimgr.exe

.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.


C:\WINDOWS\g32.txt

C:\WINDOWS\s32.txt

C:\WINDOWS\system32\aspimgr.exe

C:\WINDOWS\ws386.ini


.

((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))

.


No new files created in this timespan


.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-20 16:28	---------	d-----w	C:\Program Files\Wanadoo

2008-02-20 08:52	---------	d-----w	C:\Documents and Settings\Admin\Dane aplikacji\OpenOffice.ux.pl2

2008-02-16 12:15	---------	d-----w	C:\Program Files\Lexmark X1100 Series

2008-02-01 17:42	---------	d-----w	C:\Documents and Settings\Admin\Dane aplikacji\Skype

2007-12-07 02:14	824,832	----a-w	C:\WINDOWS\system32\wininet.dll

2007-12-04 18:42	550,912	----a-w	C:\WINDOWS\system32\oleaut32.dll

2007-12-04 13:04	837,496	----a-w	C:\WINDOWS\system32\aswBoot.exe

2007-12-04 12:54	95,608	----a-w	C:\WINDOWS\system32\AVASTSS.scr

.


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 12:29 68856]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"WOOWATCH"="C:\PROGRA~1\Wanadoo\Watch.exe" [2002-12-09 18:24 20480]

"WOOTASKBARICON"="C:\PROGRA~1\Wanadoo\TaskbarIcon.exe" [2002-12-09 18:24 45056]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-25 17:42 180269]

"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 10:09 57344]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]


C:\Documents and Settings\Admin\Menu Start\Programy\Autostart\

Neostrada Plus.lnk - C:\Program Files\Wanadoo\EspaceWanadoo.exe [2006-01-23 14:09:12 450560]

OpenOffice.ux.pl 2.0.lnk - C:\Program Files\OpenOffice.ux.pl 2.0\program\quickstart.exe [2005-10-26 13:36:02 61440]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 14:44:06 29696]

DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-01-23 14:08:28 962661]

Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 16:23:32 74308]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2003-10-02 14:19 118784 C:\WINDOWS\system32\hkcmd.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2003-10-02 14:37 155648 C:\WINDOWS\system32\igfxtray.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

--a------ 2004-08-04 13:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

--a------ 2004-08-04 13:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

--a------ 2004-08-04 13:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

--a------ 2004-08-04 13:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f4c26fd-2bbe-11dc-bbb1-4d6564696130}]

\Shell\Auto\command - activexdebugger32.exe f

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f

\Shell\explore\Command - activexdebugger32.exe f

\Shell\open\Command - activexdebugger32.exe f


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be6115a7-4ca2-11dc-bbd8-4d6564696130}]

\Shell\AutoRun\command - F:\setupSNK.exe


.

**************************************************************************


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-20 17:59:21

Windows 5.1.2600 Dodatek Service Pack 2 NTFS


scanning hidden processes ... 


scanning hidden autostart entries ...


scanning hidden files ... 


scan completed successfully 

hidden files: 0 


**************************************************************************

.

Completion time: 2008-02-20 18:01:48

ComboFix-quarantined-files.txt 2008-02-20 17:01:36

.

2008-02-13 17:57:34	--- E O F ---  


(jessica) #4

You only have (or “as much as”) an infection on the pendrive.

You can find out more about it >> http://wklej.org/id/20ca476d39

Paste into Notepad:

Windows Registry Editor Version 5.00


[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f4c26fd-2bbe-11dc-bbb1-4d6564696130}]

From the Notepad menu >>> File >>> Save as >>> Set the file type to: “All files” >>> Save as FIX.REG >>>

run the file (double-click and OK).

Restart the computer.

jessi
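As an added example that is not part of the thread, a Python script applying the reasoning behind this fix to the MountPoints2 entries from the ComboFix log above. It parses that excerpt, keeps only keys that redefine Explorer's open/explore verbs (a plain autorun.inf sets only AutoRun, as the second key with F:\setupSNK.exe does), and renders a .reg file in the same form as FIX.REG. The verb-override rule is my heuristic, not something the thread states.

```python
import re

# MountPoints2 excerpt copied from the ComboFix log above, embedded as sample
# input (parser and .reg generator are an added example, not ComboFix code).
SAMPLE_MOUNTPOINTS = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f4c26fd-2bbe-11dc-bbb1-4d6564696130}]
\Shell\Auto\command - activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - activexdebugger32.exe f
\Shell\open\Command - activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be6115a7-4ca2-11dc-bbd8-4d6564696130}]
\Shell\AutoRun\command - F:\setupSNK.exe
"""

KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.I)

def parse_mountpoints(text):
    """Map each MountPoints2 key to {verb: command} from the ComboFix listing."""
    keys, current = {}, None
    for line in text.splitlines():
        k = KEY_RE.match(line.strip())
        if k:
            current = k.group(1)
            keys[current] = {}
            continue
        v = VERB_RE.match(line.strip())
        if v and current:
            keys[current][v.group("verb").lower()] = v.group("cmd")
    return keys

def hijacked_keys(keys):
    """Keys that redefine Explorer's 'open' or 'explore' verb, so that merely
    double-clicking the drive runs a program. A plain autorun.inf only sets
    AutoRun (like the second key above); the verb override is the worm pattern."""
    return [k for k, verbs in keys.items() if verbs.keys() & {"open", "explore"}]

def reg_fix(keys_to_delete):
    """Render a .reg file deleting the given keys; a leading '-' on the key
    name deletes it, the same form as FIX.REG in the reply above."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for k in keys_to_delete:
        lines += [f"[-{k}]", ""]
    return "\r\n".join(lines)

if __name__ == "__main__":
    print(reg_fix(hijacked_keys(parse_mountpoints(SAMPLE_MOUNTPOINTS))))
```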