Hello everyone
I have a rather unusual problem. Not long ago I deleted the ctfmon.exe virus. Unfortunately, after deleting the virus a small problem appeared. The web browser will not connect to any website, even though the connection is established. Neostrada is used to connect to the internet. To reach any site at all, you first have to kill, from Task Manager, every program whose name starts with c or d. I am attaching logs from HijackThis v2.0.2 and ComboFix. I would be very grateful for help. Thanks in advance.
HijackThis v2.0.2
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:42:49, on 2008-06-09
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\taskbaricon.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows … 6980932593
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://static.pe.studentix.pl/photouplo … 20080128-1
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/ … s-i586.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D8A9F3C-B885-4A83-896F-225A7F54BFDD}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 5774 bytes
ComboFix
ComboFix 08-06-08.2 - Marta 2008-06-09 1:44:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.51 [GMT 2:00]
Running from: C:\Documents and Settings\Marta\Pulpit\LOGI\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED .
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Recycled\Recycled
C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 )))))))))))))))))))))))))))))))
.

2008-06-09 01:40 . 2008-06-09 01:40
2008-06-09 00:49 . 2008-06-09 00:49
2008-06-09 00:47 . 2008-06-09 00:47
2008-06-09 00:47 . 2008-06-09 00:47
2008-06-08 23:30 . 2008-06-08 23:30
2008-06-08 23:11 . 2008-06-08 23:27
2008-05-14 19:53 . 2008-05-14 19:53
2008-05-14 19:53 . 2008-05-14 20:11
2008-05-12 23:04 . 2008-06-09 01:44

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-08 23:37  ---------  d-----w  C:\Program Files\Neostrada TP
2008-06-08 21:54  ---------  d-----w  C:\Program Files\Real Alternative
2008-06-08 21:54  ---------  d-----w  C:\Program Files\PowerDVD
2008-06-08 21:21  ---------  d-----w  C:\Program Files\Gadu-Gadu
2008-06-08 21:21  ---------  d-----w  C:\Program Files\eMule
2008-06-08 21:16  ---------  d-----w  C:\Program Files\EasyCleaner
2008-06-08 19:26  ---------  d-----w  C:\Program Files\SkanerOnline
2008-03-25 04:52  621,344    ----a-w  C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:52  178,976    ----a-w  C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:09  1,845,504  ----a-w  C:\WINDOWS\system32\win32k.sys
2008-02-27 12:16  17,144     ----a-w  C:\Documents and Settings\Marta\Dane aplikacji\GDIPFONTCACHEV1.DAT

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 20:07 20480]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\taskbaricon.exe" [2003-10-16 20:07 53248]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 20:07 24576]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 06:15 15872]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 12:38 866816]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 22:10 335872]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-03-13 16:48 1443072]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 09:44 159744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 09:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 18:28 49152 C:\Program Files\HP\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-08-05 07:59 57344 C:\WINDOWS\SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Gadu-Gadu\gg.exe"=
"C:\Program Files\eMule\emule.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Program Files\Internet Explorer\iexplore.exe"=
"C:\Program Files\iTunes\iTunes.exe"=

S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};C:\WINDOWS\TEMP\29F.tmp []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - C:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - D:\Recycled\ctfmon.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 15:52:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 01:47:07
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
"ImagePath"="\??\C:\WINDOWS\TEMP\29F.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-06-09 1:50:26
ComboFix-quarantined-files.txt 2008-06-08 23:50:23

Pre-Run: 2,803,290,112 bajtów wolnych
Post-Run: 2,921,390,080 bajtów wolnych

106 --- E O F --- 2008-05-28 04:17:55
dodd
(W Kowaluk)
9 June 2008 01:08
#2
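What the MountPoints2 block in the ComboFix log above is recording, as an added example that is not part of the forum thread: Explorer caches each volume's autorun.inf handlers under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\<drive>, so the \Shell\AutoRun\command and \Shell\Open(0)\command values for C and D still point at Recycled\ctfmon.exe even after the file itself has been deleted, and the file name borrows from the genuine Text Services Framework loader that lives in %SystemRoot%\system32. The script below parses that block out of a ComboFix log and flags commands that go through the ShellExec_RunDLL launcher, resolve into a Recycled folder, or carry a Windows binary name outside the Windows directories. The SYSTEM_NAMES list is my own choice, not something ComboFix or HijackThis define; the sample input repeats the C and D entries from the log above plus one benign drive E entry that I constructed.

```python
"""Triage of cached AutoRun commands (MountPoints2) in a ComboFix log.

Added example, not part of the forum post. ComboFix's "Reg Loading Points"
section prints HKCU\...\Explorer\MountPoints2\<drive> entries; this script
flags the ones that behave like an autorun.inf worm.
"""
import ntpath
import re

# Assumption (my own list, not defined by ComboFix or HijackThis): names of Windows
# binaries that autorun worms like to borrow. The genuine ctfmon.exe is the Text
# Services Framework loader and lives in %SystemRoot%\system32, never in \Recycled.
SYSTEM_NAMES = {"ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")

KEY_RE = re.compile(r"\[HKEY_CURRENT_USER\\.*?\\mountpoints2\\([^\]\\]+)\]", re.I)
CMD_RE = re.compile(r"^\\Shell\\(AutoRun|Open\(\d+\)|Explore)\\command\s+-\s+(.+)$", re.I)
# "RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL <target>" is only a launcher; <target> is the payload.
RUNDLL_RE = re.compile(r"ShellExec_RunDLL\s+(.+)$", re.I)
ABS_RE = re.compile(r"^(?:[A-Za-z]:|\\)")


def payload_path(command, drive):
    """Return the file a MountPoints2 command really launches, as an absolute path.

    A relative target such as "Recycled\\ctfmon.exe" is resolved against the root
    of the drive whose autorun.inf was cached, which is where Explorer runs it from.
    """
    m = RUNDLL_RE.search(command)
    target = (m.group(1) if m else command).strip()
    if not ABS_RE.match(target):
        target = f"{drive}:\\{target}"
    return target


def is_masquerade(path):
    """True when `path` has a well-known Windows binary name but sits outside the Windows dirs."""
    p = path.lower()
    if ntpath.basename(p) not in SYSTEM_NAMES:
        return False
    return ntpath.dirname(p) not in SYSTEM_DIRS


def triage_mountpoints(log_text):
    """Walk the MountPoints2 block of a ComboFix log; one finding per suspicious command."""
    findings = []
    drive = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            drive = key.group(1).upper()
            continue
        cmd = CMD_RE.match(line)
        if not (cmd and drive):
            continue
        verb, command = cmd.group(1), cmd.group(2)
        target = payload_path(command, drive)
        reasons = []
        if RUNDLL_RE.search(command):
            reasons.append("launched through ShellExec_RunDLL")
        if "\\recycled\\" in target.lower():
            reasons.append("payload lives in a Recycled folder")
        if is_masquerade(target):
            reasons.append("file name impersonates a Windows system binary")
        if reasons:
            findings.append({"drive": drive, "verb": verb, "target": target, "reasons": reasons})
    return findings


# Constructed sample: the C and D entries are copied from the ComboFix log in the post
# above; the E entry is an invented benign one to show that ordinary drives pass.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - C:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - D:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe
"""

if __name__ == "__main__":
    for f in triage_mountpoints(SAMPLE_LOG):
        print(f"{f['drive']}: {f['verb']:<8} -> {f['target']}  ({'; '.join(f['reasons'])})")
```

Run against the sample it reports four findings (AutoRun and Open(0) for both C and D), all resolving to <drive>:\Recycled\ctfmon.exe, and nothing for E. The relative-path resolution matters in practice: the AutoRun value names only Recycled\ctfmon.exe, so the copy that runs when a drive is double-clicked is the one at that drive's root, which is also how the same worm rides along on a pendrive to another machine.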
Gutek
(Gutek)
9 June 2008 10:03
#3
Change to the rules for pasting logs on the forum - viewtopic.php?f=16&t=213350
The fight is going to be a long one:
Download the SDFix program
Hello everyone. Unfortunately I have to say that for the time being I have no access to the first computer, the one the first logs came from. The same ctfmon.exe virus has spread via a pendrive to my home computer. I am posting its logs here. I will post the logs from the first computer late tonight, or tomorrow evening at the latest. Please bear with me, and thanks in advance.
SDFix - Report
http://wklej.org/id/2abf640a64
SDFix catchme
http://wklej.org/id/1f3038fb4a
The log from Dr.Web CureIt will follow in a while. A full scan is running at the moment.
Gutek
(Gutek)
10 June 2008 09:34
#5