zbig65
(Polonista65)
13 November 2007 17:13
#1
Hello everyone on the forum.
I'd be grateful if someone would take a look at this log. Lately some viruses keep showing up all the time.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:59:38, on 2007-11-13
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\opnmjge.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: opnmjge - C:\WINDOWS\SYSTEM32\opnmjge.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 5251 bytes
Gutek
(Gutek)
13 November 2007 19:50
#2
zbig65
(Polonista65)
13 November 2007 22:06
#3
Gutek2222, big respect, I bow to your knowledge. Thank you very much - I applied the medicine - it helped.
Here is the ComboFix log as well
ComboFix 07-11-08.1 - VIVO 2007-11-13 21:37:27.1 - NTFSx86
Running from: D:\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\pac.txt
.
((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.
2007-11-13 21:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-13 21:16
2007-11-13 17:40
2007-11-12 21:08
2007-11-12 18:11 36,352 --a------ C:\WINDOWS\system32\opnmjge.dll.vir
2007-11-11 14:02
2007-11-09 19:49 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-09 12:19
2007-11-08 22:35
2007-11-08 21:03
2007-11-08 20:21
2007-11-08 18:40
2007-11-08 18:26
2007-11-08 18:23
2007-11-08 18:19
2007-11-08 18:18
2007-11-08 18:08
2007-11-08 18:00
2007-11-08 17:56 2,680 --a------ C:\Temp\GG_password.zip
2007-11-08 17:40
2007-11-08 17:40
2007-11-08 17:40
2007-11-08 17:39
2007-11-08 17:37
2007-11-08 17:32
2007-11-08 17:31
2007-11-08 17:29
2007-11-08 17:28
2007-11-08 17:24
2007-11-08 17:22
2007-11-08 17:22
2007-11-08 17:21
2007-11-08 17:21 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-11-08 17:21 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-11-08 17:09
2007-11-08 17:07
2007-11-08 17:02
2007-11-08 17:01
2007-11-08 17:01 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-11-08 14:07
2007-11-08 14:07
2007-11-08 14:07
2007-11-08 14:07
2007-11-08 14:05
2007-11-08 14:00
2007-11-08 14:00
2007-11-08 13:48
2007-11-07 23:53
2007-11-07 23:50
2007-11-07 23:33
2007-11-07 23:29
2007-11-07 23:29
2007-11-07 23:06
2007-11-07 23:03
2007-11-07 23:03
2007-11-07 22:54
2007-11-07 22:54 545 --a------ C:\WINDOWS\UC.PIF
2007-11-07 22:54 545 --a------ C:\WINDOWS\RAR.PIF
2007-11-07 22:54 545 --a------ C:\WINDOWS\PKZIP.PIF
2007-11-07 22:54 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2007-11-07 22:54 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2007-11-07 22:54 545 --a------ C:\WINDOWS\LHA.PIF
2007-11-07 22:54 545 --a------ C:\WINDOWS\ARJ.PIF
2007-11-07 22:51
2007-11-07 22:50
2007-11-07 22:49
2007-11-07 22:28
2007-11-07 22:28 516,096 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-11-07 22:17
2007-11-07 22:09
2007-11-07 22:07
2007-11-07 22:00
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 17:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-07 21:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-07 20:43 --------- d-----w C:\Program Files\Realtek Sound Manager
2007-11-07 20:43 --------- d-----w C:\Program Files\AvRack
2007-11-07 20:42 --------- d-----w C:\Program Files\Gigabyte
2007-11-07 20:30 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-07 20:28 --------- d-----w C:\Program Files\Usługi online
2007-10-22 02:39 267,272 ----a-w C:\WINDOWS\system32\xactengine2_10.dll
2007-10-22 02:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-12 14:14 3,734,536 ----a-w C:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 14:14 1,374,232 ----a-w C:\WINDOWS\system32\D3DCompiler_36.dll
2007-10-02 08:56 444,776 ----a-w C:\WINDOWS\system32\d3dx10_36.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-11-07 23:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 22:36]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk.disabled [2007-11-07 22:17:10]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SoundMan"=SOUNDMAN.EXE
"WinampAgent"="C:\Program Files\Winamp\winampa.exe"

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26c6c686-8f08-11dc-893a-000d613134ea}]
\Shell\AutoRun\command - I:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cee50b23-8ec3-11dc-8939-000d613134ea}]
\Shell\AutoRun\command - H:\Autorun.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 21:39:12
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-13 21:39:40
.
--- E O F ---
Gutek
(Gutek)
13 November 2007 22:27
#4
Paste into Notepad:
>>File>>Save as... >>> CFScript (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
- just like in this picture ->
(if the question " 1 or 2 " appears, type 1 and press ENTER) The removal should start (and a log will be created).
After the restart, manually delete the folder C:\Qoobox.
After that, a new log from Combo
zbig65
(Polonista65)
14 November 2007 13:23
#5
I think it'll be quiet now... at least for a while :mrgreen:
ComboFix 07-11-08.1 - VIVO 2007-11-14 14:10:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.70 [GMT 1:00]
Running from: D:\ComboFix.exe
Command switches used :: D:\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\opnmjge.dll.vir
.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.
2007-11-13 21:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-13 17:40
2007-11-12 21:08
2007-11-11 14:02
2007-11-09 19:49 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-09 12:19
2007-11-08 22:35
2007-11-08 21:03
2007-11-08 20:21
2007-11-08 18:40
2007-11-08 18:26
2007-11-08 18:23
2007-11-08 18:19
2007-11-08 18:18
2007-11-08 18:08
2007-11-08 18:00
2007-11-08 17:56 2,680 --a------ C:\Temp\GG_password.zip
2007-11-08 17:40
2007-11-08 17:40
2007-11-08 17:40
2007-11-08 17:39
2007-11-08 17:37
2007-11-08 17:32
2007-11-08 17:31
2007-11-08 17:29
2007-11-08 17:28
2007-11-08 17:24
2007-11-08 17:22
2007-11-08 17:22
2007-11-08 17:21
2007-11-08 17:21 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-11-08 17:21 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-11-08 17:09
2007-11-08 17:07
2007-11-08 17:02
2007-11-08 17:01
2007-11-08 17:01 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-11-08 14:07
2007-11-08 14:07
2007-11-08 14:07
2007-11-08 14:07
2007-11-08 14:05
2007-11-08 14:00
2007-11-08 14:00
2007-11-08 13:48
2007-11-07 23:53
2007-11-07 23:50
2007-11-07 23:33
2007-11-07 23:29
2007-11-07 23:29
2007-11-07 23:06
2007-11-07 23:03
2007-11-07 23:03
2007-11-07 22:54
2007-11-07 22:54 545 --a------ C:\WINDOWS\UC.PIF
2007-11-07 22:54 545 --a------ C:\WINDOWS\RAR.PIF
2007-11-07 22:54 545 --a------ C:\WINDOWS\PKZIP.PIF
2007-11-07 22:54 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2007-11-07 22:54 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2007-11-07 22:54 545 --a------ C:\WINDOWS\LHA.PIF
2007-11-07 22:54 545 --a------ C:\WINDOWS\ARJ.PIF
2007-11-07 22:51
2007-11-07 22:50
2007-11-07 22:49
2007-11-07 22:28
2007-11-07 22:28 516,096 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-11-07 22:17
2007-11-07 22:09
2007-11-07 22:07
2007-11-07 22:00
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 17:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-07 21:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-07 20:43 --------- d-----w C:\Program Files\Realtek Sound Manager
2007-11-07 20:43 --------- d-----w C:\Program Files\AvRack
2007-11-07 20:42 --------- d-----w C:\Program Files\Gigabyte
2007-11-07 20:30 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-07 20:28 --------- d-----w C:\Program Files\Usługi online
2007-10-22 02:39 267,272 ----a-w C:\WINDOWS\system32\xactengine2_10.dll
2007-10-22 02:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-12 14:14 3,734,536 ----a-w C:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 14:14 1,374,232 ----a-w C:\WINDOWS\system32\D3DCompiler_36.dll
2007-10-02 08:56 444,776 ----a-w C:\WINDOWS\system32\d3dx10_36.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-11-07 23:04]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 22:36]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk.disabled [2007-11-07 22:17:10]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SoundMan"=SOUNDMAN.EXE
"WinampAgent"="C:\Program Files\Winamp\winampa.exe"

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 14:11:26
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14 14:12:01
C:\ComboFix2.txt ... 2007-11-13 21:39
.
--- E O F ---