Podejrzenie wirusa - komunikat w NOD32


(1blueinferno) #1
File C:\WINDOWS\system32\drvxok.dll is infected with application Win32/Hoax.Renos.NAH. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.

Przy skanowaniu NOD32 pokazał coś takiego. Czy mam usunąć ten plik?


(adam9870) #2

Pokaż log z HijackThis i ComboFix. Aby zrobić w nim log należy go uruchomić => nacisnąć klawisz Y => czekać cierpliwie i log powinien być w formie pliku .txt o nazwie combofix na partycji C.


(1blueinferno) #3

HijackThis:

Logfile of HijackThis v1.99.1

Scan saved at 12:22:16, on 2007-04-06

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

D:\Tools\Diskeeper\DkService.exe

D:\Safe PC\NOD32\nod32krn.exe

D:\Tools\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\nvraidservice.exe

C:\WINDOWS\SOUNDMAN.EXE

D:\Safe PC\NOD32\nod32kui.exe

D:\Rafał\winuptime\Windows Uptime.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

D:\Tools\Fast Launcher\fl.exe

D:\Kalendarz XP\Kalendarz.exe

D:\Tools\Total Commander\TOTALCMD.EXE

D:\AQQ\AQQ.exe

D:\Players\Last.fm\LastFM.exe

D:\Players\foobar2000\foobar2000.exe

D:\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

D:\Rafał\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [nod32kui] "D:\Safe PC\NOD32\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [Odkurzacz-MCD] D:\Tools\Odkurzacz\odk_mcd.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: HideBUS.lnk = ?

O4 - Startup: Windows Uptime.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\ICQToolbar\toolbaru.dll/SEARCH.HTML

O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - D:\Tools\WINnerTweak3\PopUp Blocker.exe

O9 - Extra 'Tools' menuitem: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - D:\Tools\WINnerTweak3\PopUp Blocker.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROD~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://toolbar.imageshack.us

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158965838326

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_28.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_24.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{EEF9B59A-DEAB-48E2-B2C0-C0F3714ED51B}: NameServer = 194.204.159.1 217.98.63.164

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: ArcaVir Antivirus Monitor Service (ArcaVirMonitor) - Unknown owner - D:\ArcaVir\ArcaVir\AvMon.exe (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: Diskeeper - Diskeeper Corporation - D:\Tools\Diskeeper\DkService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Safe PC\NOD32\nod32krn.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Tools\Alcohol 120\StarWind\StarWindService.exe

ComboFix:

"[nazwa usera]" - 07-04-06 12:31:57 Dodatek Service Pack 2

(adam9870) #4

Usuń wpisy HJT,

Czy masz jeszcze ArcaVira? Jeśli nie to wybierz start >>> uruchom >>> wpisz cmd i kliknij OK >>> w konsoli, która się otworzy wpisz:

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.

Zajrzyj tutaj:

http://www.searchengines.pl/phpbb203/in ... opic=86584

Po wykonaniu możesz pokazać nowy log z Combo plus wynik szukania na BootDrv w narzędziu Registry Search Tool.


(1blueinferno) #5

Ok, ale w gruncie rzeczy nie odpowiedziałeś na moje pytanie:


(adam9870) #6

Jeśli masz ten plik (w co wątpię) na dysku to go usuń ale prawdopodobnie NOD sam go usunął.