Help with removing XP Antivirus 2008

(Detritus) #1

Hello everyone!

For some time now I've been fighting XP Antivirus 2008. I've removed everything I could; those damn popups and other junk no longer show up :smiley: but I still have the text VIRUS ALERT! next to the clock (even in the HijackThis log)

and some strange entry in HijackThis that can't be deleted :oops: and it keeps changing my IE home page to: antispyware-2008.name/buy.php?aff=1003

(not that I use IE, but it annoys me anyway!)

I'm attaching the HijackThis log; maybe you can help me!

Regards :smiley:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:54: VIRUS ALERT!, on 2008-07-08

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\NetPanel\NetPanel.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\regedit.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antispyware-2008.name/buy.php?aff=1003

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O4 - HKLM…\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM…\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM…\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM…\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM…\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM…\Run: [kill_popup_SPF] "C:\Program Files\kill_popup_SPF.exe"

O4 - HKLM…\Run: [NetPanel] "C:\Program Files\NetPanel\Starter.exe" /path="C:\Program Files\NetPanel"

O4 - HKLM…\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe

O4 - HKCU…\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19…\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20…\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18…\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')

O4 - HKUS.DEFAULT…\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O17 - HKLM\System\CCS\Services\Tcpip…{987402FF-7051-4D30-88A2-C1494E6CD4A5}: NameServer = 10.160.128.250

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

(huber2t) #2

Post a ComboFix log

(Detritus) #3

Here is the ComboFix log

ComboFix 08-07-07.3 - Administrator 2008-07-08 12:18:52.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.226 [GMT 2:00]

Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Administrator\Dane aplikacji\rhc9j3j0eac9

C:\Documents and Settings\Administrator\Dane aplikacji\shcaj3j0eac9

C:\Documents and Settings\All Users\Dane aplikacji\Adsl Software Limited

C:\Documents and Settings\All Users\Dane aplikacji\Adsl Software Limited\WinSpywareProtect\LOG\20080613120244472.log

C:\Documents and Settings\All Users\Menu Start\Programy\Malware Protector 2008.lnk

C:\Documents and Settings\All Users\Pulpit\Malware Protector 2008.lnk

C:\Program Files\Antispyware 2008

C:\Program Files\Antispyware 2008\Antispyware-2008.exe

C:\Program Files\Antispyware 2008\vscan.tsi

C:\Program Files\Antispyware 2008\zlib.dll

C:\Program Files\rhc9j3j0eac9

C:\Program Files\shcaj3j0eac9

C:\WINDOWS\system32\blphccj3j0eac9.scr

.

((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))

.

2008-07-08 11:54 . 2008-07-08 11:54

2008-07-08 10:31 . 2008-07-08 10:31

2008-07-08 10:18 . 2008-07-08 10:36

2008-07-08 10:18 . 2008-07-08 10:18

2008-07-08 10:18 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

2008-07-08 10:18 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-07-08 10:18 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-07-08 10:18 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-07-08 10:18 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-07-08 10:17 . 2008-07-08 10:17

2008-07-07 20:48 . 2008-07-07 20:48 780 --a------ C:\SUPERAntiSpyware Free Edition.lnk

2008-07-07 20:48 . 2008-07-07 20:48 754 --a------ C:\Trojan Remover.lnk

2008-07-07 18:51 . 2008-07-08 10:34

2008-07-07 18:48 . 2008-07-07 18:48

2008-07-07 18:48 . 2008-07-07 18:48

2008-07-07 18:48 . 2008-07-07 18:48

2008-07-07 18:48 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll

2008-07-07 18:48 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll

2008-07-07 18:48 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll

2008-07-07 18:48 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll

2008-07-07 18:48 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll

2008-07-07 18:07 . 2008-07-07 18:52

2008-07-07 18:07 . 2008-07-07 18:07

2008-07-07 18:07 . 2008-07-07 18:07

2008-06-28 00:22 . 2008-06-28 00:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-06-28 00:22 . 2008-06-28 00:22 1,409 --a------ C:\WINDOWS\QTFont.for

2008-06-18 19:16 . 2008-06-18 19:16

2008-06-18 19:16 . 2008-06-18 19:16 93,799 --a------ C:\space runner.htm

2008-06-12 12:48 . 2008-06-12 12:48 18,938 --a------ C:\speace star.htm

2008-06-10 09:58 . 2008-06-10 09:58

2008-06-10 09:58 . 2008-06-13 16:54 12,326 --a------ C:\account_oper_print_t.aspx.htm

2008-06-09 00:08 . 2008-06-12 12:49

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-08 08:45 --------- d-----w C:\Program Files\NetPanel

2008-07-07 16:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-05-26 20:52 --------- d-----w C:\Program Files\IrfanView

2005-11-25 08:49 120,786 ----a-w C:\Program Files\kill_popup_SPF.exe

.

------- Sigcheck -------

2006-04-22 21:20 578560 6a93565be9b8422eb7538c66ac732d76 C:\WINDOWS\system32\user32.dll

2001-02-20 14:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINDOWS\system32\CTFMON.EXE

2006-04-22 21:20 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\system32\spoolsv.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2002-07-17 08:59 143360]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2002-07-17 08:45 90112]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]

"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-23 14:00 921600]

"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2003-10-21 17:36 2334792]

"kill_popup_SPF"="C:\Program Files\kill_popup_SPF.exe" [2005-11-25 10:49 120786]

"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-06-03 20:33 878672]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 08:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoDesktopCleanupWizard"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoInstrumentation"= 1 (0x1)

"NoSMMyDocs"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoInstrumentation"= 1 (0x1)

"NoSMMyDocs"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]

2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.YV12"= yv12vfw.dll

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Documents and Settings

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Documents and Settings\All Users

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Documents and Settings\All Users\Dane aplikacji

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Documents and Settings\All Users\Dane aplikacji\ADSL Software Limited

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Documents and Settings\All Users\Dane aplikacji\ADSL Software Limited\WinSpywareProtect

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

R3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]

S3 iAimFP8;iAimFP8;C:\WINDOWS\system32\DRIVERS\wADV11nt.sys [2002-07-23 10:01]

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

DcomLaunch REG_MULTI_SZ DcomLaunch

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP111

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-winspywareprotect - C:\Documents and Settings\All Users\Dane aplikacji\ADSL Software Limited\WinSpywareProtect\winspywareprotect.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-08 12:20:56

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe

  • C:\Program Files\Eset\pr_imon.dll

.

Completion time: 2008-07-08 12:22:17

ComboFix-quarantined-files.txt 2008-07-08 10:22:13

Pre-Run: 14,330,916,864 bajtów wolnych

Post-Run: 14,362,767,360 bajtów wolnych


(huber2t) #4

The log looks clean.

Manually delete the C:\Qoobox folder and delete the ComboFix installer from the disk.

Clean the computer with CCleaner.

Optimize the startup entries.

Disable and re-enable System Restore on all drives. Instructions

Scan the My Computer area with http://www.kaspersky.pl/virusscanner.html (run it in IE) and post its report on the forum

or

Dr.WEB CureIt!