Problem z csrss.exe, winlogan.exe

dawidowski (Davids) 2010-05-05 15:08:35 UTC #1

Witam.

W managerze zadań widnieją takie procesy jak csrss.exe, winlogan.exe, Apoint.exe, soundman.exe oraz 8 procesów svochost.exe które obciążają mi komp. Dodatkowo mam problemy z licznymi robakami łącznie jest ich 28. Darmowy program spycheck wykrył takie zagrożenia jak XP Antivirus, Rolepi GV, Gamepass MP, SillyDl GUB, Pigeon QK, Sipay KT, Frethog NS, Bancos PSC, Vxidl JC, PcClient FL, Waledac UK, Hitpop BH, Aleuron YP, Oneraw OR, Swizzor AEQ, Inject AO, Puppetcorpse P, Fuzfle CB, Pigeon SGM, Pluckyis, Pidief EM, PcClient LP, Zlob DV. Proszę o pomoc poniżej zamieszczam log z OTL

http://www.wklej.org/id/328606/

jessica (jessica) 2010-05-05 16:17:13 UTC #2

Tylko kosmetyka:

Uruchom OTL i w oknie Custom Scans/Fixes wklej to:

:OTL O4 - HKLM..\Run: [photo_id] C:\WINDOWS\System32\photo_id.exe File not found O4 - HKLM..\Run: [Regedit32] C:\WINDOWS\System32\regedit.exe File not found O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe File not found O4 - HKCU..\Run: [photo_id] C:\Documents and Settings\Marian\photo_id.exe File not found O33 - MountPoints2{2a965a30-5864-11da-adcf-0012f0d39888}\Shell\AutoRun\command - "" = E:\f9o8o.exe -- File not found O33 - MountPoints2{2a965a30-5864-11da-adcf-0012f0d39888}\Shell\open\Command - "" = E:\f9o8o.exe -- File not found O33 - MountPoints2{331a8800-d8dd-11de-b7da-0012f0d39888}\Shell - "" = AutoRun O33 - MountPoints2{331a8800-d8dd-11de-b7da-0012f0d39888}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found O33 - MountPoints2{4bb19fd0-eb8e-11dd-b531-0012f0d39888}\Shell - "" = AutoRun O33 - MountPoints2{4bb19fd0-eb8e-11dd-b531-0012f0d39888}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found O33 - MountPoints2{50bae150-06a8-11df-b862-0012f0d39888}\Shell - "" = AutoRun O33 - MountPoints2{50bae150-06a8-11df-b862-0012f0d39888}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found O33 - MountPoints2{62b550b0-d414-11de-b7d0-9562b9118d36}\Shell\AutoRun\command - "" = E:\pozuda\malena.exe -- File not found O33 - MountPoints2{62b550b0-d414-11de-b7d0-9562b9118d36}\Shell\explore\command - "" = E:\pozuda\malena.exe -- File not found O33 - MountPoints2{62b550b0-d414-11de-b7d0-9562b9118d36}\Shell\open\command - "" = E:\pozuda\malena.exe -- File not found O33 - MountPoints2{78f17603-7a05-11de-b6b1-4d6564696130}\Shell - "" = AutoRun O33 - MountPoints2{78f17603-7a05-11de-b6b1-4d6564696130}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found O33 - MountPoints2{7bed7c30-3169-11dd-b3aa-0012f0d39888}\Shell\AutoRun\command - "" = E:\9u.exe -- File not found O33 - MountPoints2{7bed7c30-3169-11dd-b3aa-0012f0d39888}\Shell\open\Command - "" = E:\9u.exe -- File not found O33 - MountPoints2{8da44d00-1d9b-11df-b8b8-0012f0d39888}\Shell\AutoRun\command - "" = PROCICE///boljid.exe O33 - MountPoints2{8da44d00-1d9b-11df-b8b8-0012f0d39888}\Shell\open\command - "" = PROCICE///boljid.exe O33 - MountPoints2{aa01dd3c-5271-11de-b64c-0012f0d39888}\Shell\AutoRun\command - "" = E:\ji83j.exe -- File not found O33 - MountPoints2{aa01dd3c-5271-11de-b64c-0012f0d39888}\Shell\open\Command - "" = E:\ji83j.exe -- File not found O33 - MountPoints2{b7fdd5e0-e11e-11dc-b2d6-4d6564696130}\Shell\AutoRun\command - "" = G:\f9o8o.exe -- File not found O33 - MountPoints2{b7fdd5e0-e11e-11dc-b2d6-4d6564696130}\Shell\open\Command - "" = G:\f9o8o.exe -- File not found O33 - MountPoints2{bcbb95e2-be07-11de-b78a-0012f0d39888}\Shell\AutoRun\command - "" = E:\9g86.exe -- File not found O33 - MountPoints2{bcbb95e2-be07-11de-b78a-0012f0d39888}\Shell\open\Command - "" = E:\9g86.exe -- File not found O33 - MountPoints2{c2ce93b1-40e5-11df-b92f-0012f0d39888}\Shell\AutoRun\command - "" = E:\RAZLOG\zaljubljeni.exe -- File not found O33 - MountPoints2{c2ce93b1-40e5-11df-b92f-0012f0d39888}\Shell\explore\command - "" = E:\RAZLOG\zaljubljeni.exe -- File not found O33 - MountPoints2{c2ce93b1-40e5-11df-b92f-0012f0d39888}\Shell\open\command - "" = E:\RAZLOG\zaljubljeni.exe -- File not found O33 - MountPoints2{c923a342-3270-11df-b900-0012f0d39888}\Shell\AutoRun\command - "" = E:\SETUP.EXE -- File not found O33 - MountPoints2{c923a342-3270-11df-b900-0012f0d39888}\Shell\configure\command - "" = E:\SETUP.EXE -- File not found O33 - MountPoints2{c923a342-3270-11df-b900-0012f0d39888}\Shell\install\command - "" = E:\SETUP.EXE -- File not found :Reg [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2] :Commands [emptytemp] [resethosts] [Reboot]

Kliknij w Run Fix.

Użyj >http://www.dobreprogramy.pl/Malwarebytes-AntiMalware,Program,Windows,13117.html

Niech usunie, co wykryje, a raport z niego tu pokaż.

jessi

dawidowski (Davids) 2010-05-05 19:40:14 UTC #3

Log z Malwarebytes

Malwarebytes' Anti-Malware 1.46

Wersja bazy: 4069

Windows 5.1.2600 Dodatek Service Pack 3

Internet Explorer 7.0.5730.13

2010-05-05 21:22:21

mbam-log-2010-05-05 (21-22-21).txt

Typ skanowania: Pełne skanowanie (C:\|)

Przeskanowano obiektów: 216333

Upłynęło: 1 godzin(y), 17 minut(y), 59 sekund(y)

Zainfekowanych procesów w pamięci: 0

Zainfekowanych modułów w pamięci: 0

Zainfekowanych kluczy rejestru: 5

Zainfekowanych wartości rejestru: 0

Zainfekowane informacje rejestru systemowego: 0

Zainfekowanych folderów: 0

Zainfekowanych plików: 16

Zainfekowanych procesów w pamięci:

(Nie znaleziono zagrożeń)

Zainfekowanych modułów w pamięci:

(Nie znaleziono zagrożeń)

Zainfekowanych kluczy rejestru:

HKEY_CLASSES_ROOT\CLSID{b03a4be6-5e5a-b9b3-483e-c484d4b20b72} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID{c5f43bef-ce2f-afe6-46d8-a647bacd1f09} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\NOD32KVBIT (Trojan.Frethog) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XP antiVirus (Rogue.XPantiVirus) -> Quarantined and deleted successfully.

Zainfekowanych wartości rejestru:

(Nie znaleziono zagrożeń)

Zainfekowane informacje rejestru systemowego:

(Nie znaleziono zagrożeń)

Zainfekowanych folderów:

(Nie znaleziono zagrożeń)

Zainfekowanych plików:

C:\System Volume Information_restore{EBE851C6-D750-49E9-B3FF-CC24FF052C6A}\RP50\A0015063.exe (HackTool.Snadboy) -> Quarantined and deleted successfully.

C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025313.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025333.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025359.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025374.com (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025393.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025347.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025364.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025449.com (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025419.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025440.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025458.com (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025488.dll (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marian\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marian\Dane aplikacji\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.

-- Dodane 05.05.2010 (Śr) 21:42 --

Log z Malware

Malware' Anti-Malware 1.46 http://www.malwarebytes.org Wersja bazy: 4069 Windows 5.1.2600 Dodatek Service Pack 3 Internet Explorer 7.0.5730.13 2010-05-05 21:22:21 mbam-log-2010-05-05 (21-22-21).txt Typ skanowania: Pełne skanowanie (C:\|) Przeskanowano obiektów: 216333 Upłynęło: 1 godzin(y), 17 minut(y), 59 sekund(y) Zainfekowanych procesów w pamięci: 0 Zainfekowanych modułów w pamięci: 0 Zainfekowanych kluczy rejestru: 5 Zainfekowanych wartości rejestru: 0 Zainfekowane informacje rejestru systemowego: 0 Zainfekowanych folderów: 0 Zainfekowanych plików: 16 Zainfekowanych procesów w pamięci: (Nie znaleziono zagrożeń) Zainfekowanych modułów w pamięci: (Nie znaleziono zagrożeń) Zainfekowanych kluczy rejestru: HKEY_CLASSES_ROOT\CLSID{b03a4be6-5e5a-b9b3-483e-c484d4b20b72} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID{c5f43bef-ce2f-afe6-46d8-a647bacd1f09} (Spyware.OnlineGames) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\NOD32KVBIT (Trojan.Frethog) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\XP antiVirus (Rogue.XPantiVirus) -> Quarantined and deleted successfully. Zainfekowanych wartości rejestru: (Nie znaleziono zagrożeń) Zainfekowane informacje rejestru systemowego: (Nie znaleziono zagrożeń) Zainfekowanych folderów: (Nie znaleziono zagrożeń) Zainfekowanych plików: C:\System Volume Information_restore{EBE851C6-D750-49E9-B3FF-CC24FF052C6A}\RP50\A0015063.exe (HackTool.Snadboy) -> Quarantined and deleted successfully. C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025313.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025333.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025359.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025374.com (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025393.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025347.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025364.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025449.com (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025419.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025440.bat (Spyware.OnlineGames) -> Quarantined and deleted successfully. C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025458.com (Trojan.Downloader) -> Quarantined and deleted successfully. C:\System Volume Information_restore{ECDED79B-5399-4362-8584-EC683D21B1CD}\RP226\A0025488.dll (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Marian\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully. C:\Documents and Settings\Marian\Dane aplikacji\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.

jessica (jessica) 2010-05-05 19:44:16 UTC #4

Teraz widać, jakie miałeś infekcje.

Teraz powinno już być czysto.

W OTL kliknij na przycisk "CleanUp" - to go usunie razem z jego Kwarantanną.

Usuń kopie szkodników z folderu "System Volume Information" poprzez chwilowe wyłączenie "Przywracania Systemu":

Choć właściwie, to już MBAM usunął te kopie ...

jessi

Monczkin (Monczkin) 2010-05-06 06:34:38 UTC #5

dawidowski , przeczytaj ten temat i popraw tytuł oraz logi w postach. Inaczej zostanie usunięty.

zasady-wklejania-logow-forum-tytulowania-tematow-t253052.html

dawidowski (Davids) 2010-05-06 07:32:15 UTC #6

Poprawiony, nowy log w trybie szybkiego przeszukiwania z Malware:

http://www.wklej.org/id/328991/

deFco247 (deFco247) 2010-05-07 13:46:21 UTC #7

Kolejny skan nie był potrzebny, gdyż i tak pełny skan jak sama nazwa wskazuje przeszukuje cały system, a szybki tylko newralgiczne punkty systemu.

Poza tym moderatorowi chodziło o skorygowanie wcześniej zamieszczonych logów.

Oparte na Discourse, najlepiej oglądać z włączonym JavaScriptem