Hello,
I have an infected system; the virus probably got in from a pendrive. Symptoms: Firefox is blocked from running (it does not connect to any website), an online scanner (e.g. MKS) cannot be launched, the antivirus and antispyware programs cannot update their databases, and hidden files are not visible.
Please analyse the log and advise how I can remove the virus from the system and the pendrive.
Thanks in advance!
ComboFix 08-08-04.01 - Laptop 2008-08-05 21:06:30.7 - NTFSx86
Running from: C:\Documents and Settings\Laptop\Pulpit\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.
2008-08-05 19:01 . 2008-08-05 19:01
2008-08-05 19:01 . 2008-08-05 19:01
2008-08-05 19:01 . 2008-08-05 19:01
2008-08-05 18:55 . 2008-08-05 18:55
2008-08-05 18:44 . 2008-08-05 18:44
2008-08-05 18:44 . 2008-08-05 18:44
2008-08-05 18:44 . 2008-08-05 21:02
2008-08-05 18:44 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-08-05 18:44 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-08-05 18:44 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-08-05 18:44 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-10 14:10 . 2008-07-10 14:10 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-07-07 15:16 . 2008-07-07 15:16
2008-07-06 22:59 . 2008-07-06 23:08 250 --a------ C:\WINDOWS\gmer.ini
2008-07-05 12:54 . 2008-07-06 23:01
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 21:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-03 22:59 --------- d-----w C:\Documents and Settings\Laptop\Dane aplikacji\Skype
2008-07-03 21:10 20 ---h--w C:\Documents and Settings\All Users\Dane aplikacji\PKP_DLec.DAT
2008-06-29 11:09 --------- d-----w C:\Documents and Settings\Laptop\Dane aplikacji\Nokia Multimedia Player
2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:42 246,784 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:42 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-01 12:51 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2008-06-01 12:51 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:16 1,291,264 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-02-09 14:39 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((( snapshot@2008-08-05_13.27.46.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-05-24 10:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
- 2007-08-29 13:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
- 2007-08-29 13:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-07-10 11:43:32 53,942 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-05 16:45:33 53,942 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-10 11:43:32 68,752 ----a-w C:\WINDOWS\system32\perfc015.dat
- 2008-08-05 16:45:33 68,752 ----a-w C:\WINDOWS\system32\perfc015.dat
- 2008-07-10 11:43:32 383,588 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-08-05 16:45:33 383,588 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-07-10 11:43:32 439,776 ----a-w C:\WINDOWS\system32\perfh015.dat
- 2008-08-05 16:45:33 439,776 ----a-w C:\WINDOWS\system32\perfh015.dat
- 2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll
- 2007-01-19 07:40:42 89,088 ----a-w C:\WINDOWS\system32\SkanerOnlineUninstall.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2004-09-28 11:49 774144]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 14:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 14:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 14:17 118784]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-07-16 09:16 1166216]
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 10:00 15360]
C:\Documents and Settings\Laptop\Menu Start\Programy\Autostart\
Rejestrowanie produktów Corela.lnk - C:\Program Files\Corel\Graphics9\Register\Remind32.exe [2008-05-29 12:39:45 67584]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe [2008-05-29 12:29:13 82026]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 20:41 40960 C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\WINDOWS\SMINST\Scheduler.exe"=
"C:\Program Files\Gadu-Gadu\gg.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002
R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2004-08-04 10:00]
R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-08-03 18:40]
R2 SprintPort;SprintPort Serial Driver;C:\Program Files\Sprint\PCS Connection Manager\SprintPort\WINPORT.SYS [2002-05-07 15:35]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
*Newly Created Service* - COMHOST
*Newly Created Service* - IKFILESEC
*Newly Created Service* - IKSYSFLT
*Newly Created Service* - IKSYSSEC
*Newly Created Service* - MCHINJDRV
*Newly Created Service* - SDAUXSERVICE
*Newly Created Service* - SDCORESERVICE
.
Contents of the 'Scheduled Tasks' folder
2008-06-20 C:\WINDOWS\Tasks\Norton AntiVirus - Uruchom pełne skanowanie systemu - Laptop.job
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe [2007-05-28 12:00]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Laptop\Dane aplikacji\Mozilla\Firefox\Profiles\j1us0w8p.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.wp.pl/
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 21:10:05
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-05 21:11:48
ComboFix-quarantined-files.txt 2008-08-05 19:11:41
ComboFix2.txt 2008-08-05 11:28:10
ComboFix3.txt 2008-07-07 12:07:55
Pre-Run: 69,737,312,256 bytes free
Post-Run: 69,738,221,568 bytes free
141 --- E O F --- 2008-07-10 12:11:00
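The log above is the poster's own ComboFix output. The script below is an added example, not part of the original post and not a ComboFix or forum tool: it runs over a constructed excerpt shaped like the log (a few of the registry lines, the catchme "NTDLL code modification" block, the "Newly Created Service" lines and the "hidden files" count) and pulls out the items a helper would look at first when reading such a log: Security Center notification and monitoring keys, the standard-profile firewall being switched off, the functions catchme reports as modified in NTDLL, newly created services, and the hidden-file count. `SAMPLE_LOG`, `triage` and the finding categories are names chosen for this example.

```python
import re
from typing import Dict, List

# Constructed excerpt: a handful of lines shaped like the ComboFix log above,
# embedded here so the triage runs offline. This is not the poster's log verbatim.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
*Newly Created Service* - COMHOST
*Newly Created Service* - MCHINJDRV
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
hidden files: 0
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')          # "Name"=value
SERVICE_RE = re.compile(r"^\*Newly Created Service\*\s*-\s*(\S+)")
HIDDEN_RE = re.compile(r"^hidden files:\s*(\d+)")
NT_FUNC_RE = re.compile(r"^[A-Z][A-Za-z0-9]+$")          # e.g. ZwClose


def _is_set(raw: str) -> bool:
    """True for REGEDIT-style dword values that are non-zero."""
    m = re.match(r"dword:([0-9a-fA-F]{8})", raw.strip())
    return m is not None and int(m.group(1), 16) != 0


def _is_zero(raw: str) -> bool:
    """True for values ComboFix prints as '0 (0x0)'."""
    return raw.strip().startswith("0")


def triage(log_text: str) -> Dict[str, List]:
    """Walk a ComboFix-style log and collect the lines worth a second look."""
    findings: Dict[str, List] = {
        "security_center": [],  # notification/monitoring keys switched off
        "firewall": [],         # EnableFirewall=0 in a firewall profile
        "ntdll_hooks": [],      # functions catchme reports as modified
        "new_services": [],     # *Newly Created Service* entries
        "hidden_files": [],     # catchme's hidden-file count
    }
    key = ""          # registry key currently in scope (lowercased)
    in_ntdll = False  # inside the "detected NTDLL code modification:" block
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if in_ntdll:
            if NT_FUNC_RE.match(line):
                findings["ntdll_hooks"].append(line)
                continue
            in_ntdll = False  # block ends at the first non-function line
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        if line.startswith("detected NTDLL code modification"):
            in_ntdll = True
            continue
        m = SERVICE_RE.match(line)
        if m:
            findings["new_services"].append(m.group(1))
            continue
        m = HIDDEN_RE.match(line)
        if m:
            findings["hidden_files"].append(int(m.group(1)))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        leaf = key.rsplit("\\", 1)[-1]  # last path component of the key
        if "security center" in key:
            if name.endswith("DisableNotify") and _is_set(raw):
                findings["security_center"].append(f"{name} set")
            if name == "DisableMonitoring" and _is_set(raw):
                findings["security_center"].append(f"DisableMonitoring on {leaf}")
        if "firewallpolicy" in key and name == "EnableFirewall" and _is_zero(raw):
            findings["firewall"].append(f"EnableFirewall=0 in {leaf}")
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {items}")
```

Treat the output as a review list, not a verdict. `DisableMonitoring` under `Security Center\Monitoring\<vendor>` is routinely written by the vendor's own product to tell Security Center it reports its own status, so with a Symantec suite installed those two keys are expected; `AntiVirusDisableNotify` and a disabled standard-profile firewall can likewise be user choices. Similarly, a `ZwClose` modification reported by catchme can come from security software hooking NTDLL. What the log alone cannot tell you is which module owns that hook, which is the question a helper would chase next.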