Norton oszalał-3-4 wirusy Trojan.Vundo

Underek · 19 Październik 2007 14:13

Witam, mój norton oszalał cały czas komunikuje jakiś wirus w system32/rwpqjiwy.dll

Logfile of HijackThis v1.99.1

Scan saved at 16:09:04, on 2007-10-19

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

F:\Program Files\a-squared Free\a2service.exe

F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

G:\Program Files\Norton AntiVirus\navapsvc.exe

G:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\RunDll32.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\WINDOWS\V0220Mon.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\RSSoft\RedSwoosh.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

G:\PROGRA~1\NORTON~1\navw32.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\pina\Pulpit\HijackThis.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: GigaSize toolbar - {B8A7839C-51E8-4067-ADA3-CA74BABC1976} - F:\Program Files\GigaSize.com Inc\GigaSize Toolbar\Kenciatb.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - G:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - G:\Program Files\ivo\Expressivo\IH_iexplore.dll

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\rwpqjiwy.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_S158.tmp" /EF "HKLM"

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\vlyfviig.dll",sitypnow

O4 - HKCU\..\Run: [Red Swoosh] C:\Program Files\RSSoft\RedSwoosh.exe /S

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {0015690D-1D8A-45bc-81A7-B7C63E9CABCD} - F:\Program Files\GigaSize.com Inc\GigaSize Toolbar\Kenciatb.dll

O9 - Extra 'Tools' menuitem: GigaSize toolbar - {0015690D-1D8A-45bc-81A7-B7C63E9CABCD} - F:\Program Files\GigaSize.com Inc\GigaSize Toolbar\Kenciatb.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: (no name) - {18955D47-882E-48fc-B903-A4BDD030E7FD} - (no file)

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [INTERNATIONAL] International*

O17 - HKLM\System\CCS\Services\Tcpip\..\{0407C77E-51FF-42CC-BC68-8ADC49002F6B}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CS1\Services\Tcpip\..\{0407C77E-51FF-42CC-BC68-8ADC49002F6B}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CS2\Services\Tcpip\..\{0407C77E-51FF-42CC-BC68-8ADC49002F6B}: NameServer = 194.204.159.1,194.204.152.34

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - F:\Program Files\Spik\url_wpmsg.dll

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - F:\Program Files\a-squared Free\a2service.exe

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\pina\USTAWI~1\Temp\hpdj.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)

O23 - Service: Usługa Auto-Protect programu Norton AntiVirus (navapsvc) - Symantec Corporation - G:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - G:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Usługa Norton Protection Center (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - G:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

adam9870 · 19 Październik 2007 14:23

W logu:

Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.
Użyj VundoFix + FixVundo + VirtumundoBeGone. Wszystkie narzędzia należy uruchomić w trybie awaryjnym.
Wybierz Start => Uruchom => wpisz services.msc => zatrzymaj i wyłącz usługę hpdj, a następnie użyj ATF-Cleaner.
Wykonaj i wklej log z ComboFix.

Pytanie - czy sam instalowałeś GigaSize toolbar?

Underek · 19 Październik 2007 15:07

ComboFix 07-10-17.8@ - pina 2007-10-19 16:49:27.1 - NTFSx86

jessica · 20 Październik 2007 14:33

ComboFix w zasadzie usunął już całą infekcję “VUNDO”.

Zrób jeszcze tylko to:

Wklej do Notatnika :

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"Authentication Packages"=-

"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\

  00


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PowerBar"=-

Z menu Notatnika >>> Plik >>> Zapisz jako >>> Ustaw rozszerzenie na “Wszystkie pliki” >>> Zapisz jako FIX.REG >>> uruchom ten plik (dwuklik).

jessi