Problem po usunięciu Solow-D prosze o sprawdzenie loga

Imperial_Dragon · 4 Kwiecień 2008 06:32

witam wszystkich.

mam taki problem. avast wykrył takie o to robactwo jak Solow-D, które to sobie zapodałem teraz jak widzę z mojego pendriva.

problem jest taki, że po usunięciu tego to intruza nie można wejść z mój komputer w litery dysków. pojawia sie oto taki komunikat:

Nie można znaleźć pliku skryptu"D:\pagefile.sys.vbs".

w jaki sposób można by to naprawić…?

pozdrawiam

Robert.K

Quetzactl · 4 Kwiecień 2008 07:05

Cześć. Tu jest chyba rozwiązanie Twojego problemu.

Imperial_Dragon · 4 Kwiecień 2008 08:17

ten post jest opisany kiedy jest infekcja aktywna. ja natomiast te robaki już usunąłem, ale problem dotarcia do dysków C i D pozostał dalej z poziomu mój komputer. z eksploratora windows można wejść.

to mój log.

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:14:35, on 2008-04-04 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\WINDOWS\system32\Prismsta.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\SOUNDMAN.EXE C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE D:\hijack\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/default R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [Prism_Utility] Prismsta.exe O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip…{DBC9FA20-A9EB-4F6B-B039-785E2E17CB12}: NameServer = 217.8.168.244 157.25.5.18 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe – End of file - 4133 bytes

Imperial_Dragon · 4 Kwiecień 2008 08:40

już po problemie. Zapodałem ComboFixa i wszystko naprawione.

pozdrawiam.

a to log z ComboFiksa:

ComboFix 08-04-03.3 - PIOTREK 2008-04-04 10:24:38.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.212 [GMT 2:00] Running from: C:\Documents and Settings\PIOTREK\Moje dokumenty\My Completed Downloads\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Autorun.inf D:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 ))))))))))))))))))))))))))))))) . 2008-04-04 09:28 . 2008-04-04 09:28 2008-04-04 09:22 . 2008-04-04 09:22 2008-04-04 09:12 . 2008-04-04 09:12 2008-04-04 07:08 . 2008-03-29 19:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2008-04-04 07:08 . 2008-03-29 19:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2008-04-04 07:07 . 2008-04-04 07:07 2008-04-04 07:07 . 2008-03-29 19:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe 2008-04-04 07:07 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll 2008-04-04 07:07 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll 2008-04-04 07:07 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx 2008-04-04 07:07 . 2008-03-29 19:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr 2008-04-04 07:07 . 2008-03-29 19:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2008-04-04 07:07 . 2008-01-17 17:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2008-04-04 07:07 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys 2008-04-04 07:07 . 2008-03-29 19:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2008-04-04 07:07 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys 2008-04-04 07:02 . 2008-04-04 07:03 2008-04-04 07:01 . 2008-04-04 07:51 2008-04-04 07:01 . 2008-04-04 07:01 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx 2008-04-04 07:01 . 2008-04-04 07:01 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx 2008-04-04 07:01 . 2008-04-04 07:01 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll 2008-04-04 06:52 . 2006-03-02 14:00 28,288 --a–c— C:\WINDOWS\system32\dllcache\xjis.nls 2008-04-04 06:50 . 2006-03-02 14:00 1,875,968 --a–c— C:\WINDOWS\system32\dllcache\msir3jp.lex 2008-04-04 06:49 . 2006-03-02 14:00 13,463,552 --a–c— C:\WINDOWS\system32\dllcache\hwxjpn.dll 2008-04-04 06:48 . 2006-03-02 14:00 1,677,824 --a–c— C:\WINDOWS\system32\dllcache\chsbrkr.dll 2008-04-04 06:47 . 2003-03-24 15:52 188,480 --a–c— C:\WINDOWS\system32\dllcache\cfgwiz.exe 2008-04-04 06:47 . 2003-03-24 15:52 20,540 --a–c— C:\WINDOWS\system32\dllcache\author.dll 2008-04-04 06:47 . 2003-03-24 15:52 20,540 --a–c— C:\WINDOWS\system32\dllcache\admin.dll 2008-04-04 06:47 . 2003-03-24 15:52 16,439 --a–c— C:\WINDOWS\system32\dllcache\author.exe 2008-04-04 06:47 . 2003-03-24 15:52 16,439 --a–c— C:\WINDOWS\system32\dllcache\admin.exe 2008-04-04 06:45 . 2008-04-04 06:45 749 -rah----- C:\WINDOWS\WindowsShell.Manifest 2008-04-04 06:45 . 2008-04-04 06:45 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest 2008-04-04 06:45 . 2008-04-04 06:45 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest 2008-04-04 06:45 . 2008-04-04 06:45 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest 2008-04-04 06:45 . 2008-04-04 06:45 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest 2008-04-04 06:42 . 2004-08-04 00:44 153,088 --a------ C:\WINDOWS\system32\irftp.exe 2008-04-04 06:42 . 2004-08-03 23:00 87,424 --a------ C:\WINDOWS\system32\drivers\irda.sys 2008-04-04 06:42 . 2004-08-04 00:44 27,648 --a------ C:\WINDOWS\system32\irmon.dll 2008-04-04 06:42 . 2004-08-04 00:44 8,192 --a------ C:\WINDOWS\system32\wshirda.dll 2008-04-04 06:35 . 2001-08-17 21:51 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys 2008-04-04 01:21 . 2008-04-04 10:23 2008-04-04 00:52 . 2008-04-04 09:24 2008-04-04 00:52 . 2008-04-04 00:53 17,128 --a------ C:\WINDOWS\setupapi.old 2008-04-04 00:47 . 2008-04-04 00:47 2008-04-04 00:43 . 2008-04-04 00:56 2008-04-04 00:41 . 2008-04-04 00:41 2008-04-04 00:41 . 2008-04-04 00:43 2008-04-04 00:37 . 2008-04-04 00:37 2008-04-04 00:37 . 2008-04-04 00:37 2008-04-04 00:37 . 2008-04-04 09:19 95 --a------ C:\WINDOWS\winamp.ini 2008-04-04 00:34 . 2008-04-04 00:34 2008-04-04 00:32 . 2008-04-04 00:32 2008-04-04 00:32 . 2008-04-04 09:43 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys 2008-04-04 00:30 . 2008-04-04 00:30 2008-04-04 00:09 . 2008-04-04 00:09 2008-04-04 00:09 . 2008-04-04 00:09 2008-04-04 00:09 . 2003-02-21 04:42 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll 2008-04-04 00:09 . 2002-01-05 03:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll 2008-04-04 00:09 . 1999-06-25 09:56 127,184 --a------ C:\WINDOWS\Unwise.exe 2008-04-04 00:00 . 2008-04-04 00:00 2008-04-03 23:57 . 2008-04-03 23:57 2008-04-03 23:50 . 2008-04-03 23:50 2008-04-03 23:50 . 2003-11-20 16:15 178,528 --a------ C:\WINDOWS\system32\drivers\SynTP.sys 2008-04-03 23:50 . 2003-11-20 16:16 110,592 --a------ C:\WINDOWS\system32\SynCtrl.dll 2008-04-03 23:50 . 2003-11-20 16:16 90,112 --a------ C:\WINDOWS\system32\SynTPAPI.dll 2008-04-03 23:50 . 2003-11-20 16:21 77,824 --a------ C:\WINDOWS\system32\SynTPCoI.dll 2008-04-03 23:50 . 2003-11-20 16:16 77,824 --a------ C:\WINDOWS\system32\SynCOM.dll 2008-04-03 23:50 . 2003-11-20 16:19 65,536 --a------ C:\WINDOWS\system32\SynTPFcs.dll 2008-04-03 23:46 . 2004-01-14 16:09 313,418 --a------ C:\WINDOWS\system32\PRISMCFG.cpl 2008-04-03 23:46 . 2004-01-14 16:09 215,552 --a------ C:\WINDOWS\system32\PRISMSTA.exe 2008-04-03 23:46 . 2004-01-14 16:09 82,006 --a------ C:\WINDOWS\system32\PRISMRES.dll 2008-04-03 23:46 . 2004-01-14 16:09 79,872 --a------ C:\WINDOWS\system32\PRISMIOC.dll 2008-04-03 23:46 . 2008-04-03 23:46 252 --a------ C:\WINDOWS\setup.iss 2008-04-03 23:41 . 2004-01-19 20:30 1,086,853 --a------ C:\WINDOWS\system32\drivers\IntelC51.sys 2008-04-03 23:41 . 2004-01-19 20:29 619,369 --a------ C:\WINDOWS\system32\drivers\IntelC52.sys 2008-04-03 23:41 . 2004-01-19 20:28 163,840 --a------ C:\WINDOWS\system32\intelmoh.dll 2008-04-03 23:41 . 2004-01-19 20:30 77,925 --a------ C:\WINDOWS\system32\drivers\IntelC53.sys 2008-04-03 23:41 . 2004-01-19 20:28 31,440 --a------ C:\WINDOWS\system32\drivers\mohfilt.sys 2008-04-03 23:41 . 2001-08-17 21:57 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys 2008-04-03 23:34 . 2004-01-16 09:31 380,736 --a------ C:\WINDOWS\system32\drivers\PRISMA00.sys 2008-04-03 23:29 . 2001-01-09 09:58 8,811 --a------ C:\WINDOWS\system32\drivers\SetupSys.sys 2008-04-03 21:55 . 2008-04-03 21:55 2008-04-03 21:54 . 2008-04-03 21:54 0 --a------ C:\WINDOWS\nsreg.dat 2008-04-03 21:51 . 2008-04-03 21:51 2008-04-03 21:51 . 2008-04-04 00:01 2008-04-03 21:51 . 2008-04-03 23:57 2008-04-03 21:51 . 2003-12-08 11:53 70,688 --a------ C:\WINDOWS\system32\drivers\alcaudsl.sys 2008-04-03 21:51 . 2003-12-08 11:53 53,600 --a------ C:\WINDOWS\system32\drivers\alcan5wn.sys 2008-04-03 21:51 . 2003-12-08 11:53 5,606 --a------ C:\WINDOWS\system32\stci.dll 2008-04-03 21:51 . 2003-12-08 11:53 5,280 --a------ C:\WINDOWS\system32\drivers\alcawh.sys 2008-04-03 21:51 . 2003-12-08 11:53 3,968 --a------ C:\WINDOWS\system32\drivers\alcacr.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-04-03 20:54 --------- d-----w C:\Program Files\Intel 2008-04-03 20:49 --------- d-----w C:\Program Files\Realtek 2008-04-03 20:49 --------- d-----w C:\Documents and Settings\PIOTREK\Dane aplikacji\InstallShield 2008-04-03 20:39 --------- d-----w C:\Program Files\microsoft frontpage 2008-04-03 20:36 --------- d-----w C:\Program Files\Usługi online 2008-04-03 20:31 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\nView_Profiles 2008-04-03 20:13 --------- d-----w C:\Program Files\Realtek Sound Manager 2008-04-03 20:13 --------- d-----w C:\Program Files\AvRack 2008-02-25 18:54 105,088 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2006-03-02 14:00 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-03-23 12:06 888832] “NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2004-04-13 15:25 3309568] “nwiz”=“nwiz.exe” [2004-04-13 15:25 782336 C:\WINDOWS\system32\nwiz.exe] “Prism_Utility”=“Prismsta.exe” [2004-01-14 16:09 215552 C:\WINDOWS\system32\PRISMSTA.exe] “SoundMan”=“SOUNDMAN.EXE” [2003-12-29 20:32 57344 C:\WINDOWS\SOUNDMAN.EXE] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2008-03-29 19:37 79224] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2006-03-02 14:00 15360] [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] “%windir%\system32\sessmgr.exe”= “C:\Program Files\DAP\DAP.exe”= “C:\Program Files\Bonjour\mDNSResponder.exe”= “C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe”= “C:\Program Files\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe”= R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31] R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35] R2 sbbotdi;sbbotdi;C:\PROGRA~1\SPEEDB~1\sbbotdi.sys [2008-04-04 07:02] R2 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe [2008-04-04 07:02] R3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt [2005-08-18 00:00] R3 PRISM_A00;PRISM 802.11g Driver;C:\WINDOWS\system32\DRIVERS\PRISMA00.sys [2004-01-16 09:31] R3 SetupSys;Conexant Setup API;C:\WINDOWS\system32\drivers\SetupSys.sys [2001-01-09 09:58] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{ed24aa46-01be-11dd-bbbf-000ae44d3672}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-04 10:26:53 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EverestDriver] “ImagePath”="??\C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt" . Completion time: 2008-04-04 10:27:34 ComboFix-quarantined-files.txt 2008-04-04 08:27:29 Pre-Run: 15,504,535,552 bajtów wolnych Post-Run: 15,497,187,328 bajtów wolnych

Imperial_Dragon · 4 Kwiecień 2008 08:41

tylko coś tu świeci na czerwono… hmmm