I have the same thing, please help. I am pasting the logs from HijackThis and SDFix.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:13:54, on 2008-03-14
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\tftp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-343818398-790525478-725345543-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B593369-F06E-4C9B-8BFB-12AA996BEEB6}: NameServer = 83.238.255.76 213.241.79.37
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
--
End of file - 2903 bytes
SDFix: Version 1.157
Run by Cybber KTX on 2008-03-14 at 17:47
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix
Checking Services :
Name:
Distributed Allocated Memory Unit
zeqwur
Path:
"C:\WINDOWS\system32\dllcache\mravsc32.exe"
\??\C:\WINDOWS\Help\zeqwur.chm
Distributed Allocated Memory Unit - Deleted
zeqwur - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\SYSTEM32\SCR32.EXE - Deleted
C:\ADWARE.EXE - Deleted
C:\WINDOWS\system32\TFTP2356 - Deleted
C:\WINDOWS\system32\TFTP2764 - Deleted
C:\WINDOWS\system32\TFTP2772 - Deleted
C:\WINDOWS\system32\TFTP2836 - Deleted
C:\WINDOWS\system32\TFTP2900 - Deleted
C:\WINDOWS\system32\TFTP3304 - Deleted
C:\WINDOWS\system32\TFTP3404 - Deleted
C:\WINDOWS\system32\TFTP3436 - Deleted
C:\WINDOWS\system32\TFTP520 - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\tkcom32.dll - Deleted
C:\WINDOWS\help\zeqwur.chm - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 17:50:34
Windows 5.1.2600 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes …
scanning hidden services & system hive …
scanning hidden registry entries …
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,…
scanning hidden files …
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\System32\msmmssenger.exe"="C:\WINDOWS\System32\msmmssenger.exe:*:Enabled:msmmssenger"
Remaining Files :
Files with Hidden Attributes :
Fri 14 Mar 2008        70,657 A..H. --- "C:\WINDOWS\system32\isfrgafw.exe"
Thu 13 Mar 2008        64,000 A..H. --- "C:\WINDOWS\system32\miiduk.exe"
Thu 13 Mar 2008     1,179,648 A.SH. --- "C:\WINDOWS\system32\tepmlayer.exe"
Finished!