Problem z XP Antywirusem- totalna destrukcja

juventinho · 3 Czerwiec 2008 21:32

Koledze na kompa przyplątał sie XP Antywirus i zrobił niezłe zamieszanie. Teraz po włączeniu się od razu się zawiesza, a wcześniej strasznie się zamulił niby standardowy problem, więc daję loga i proszę o pomoc (kolega skana zrobił NODem ale ten nie wykrył niby żadnego wirusa)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:17:32, on 2008-06-03

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Boot mode: Safe mode with network support


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\User\Pulpit\HiJackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

R3 - Default URLSearchHook is missing

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe


--

End of file - 4794 bytes

laszjwrz · 3 Czerwiec 2008 21:59

Wyłączyć skaner antywirusowy i pobrać: http://downloads.andymanchesta.com/Remo … /SDFix.exe

Uruchom pobrany plik - instalacja to wypakowanie plików programu do lokalizacji C:/SDFix
Uruchom komputer w trybie awaryjnym (F8 przed bootem systemu)
W trybie awaryjnym uruchom plik RunThis.bat z lokalizacji C:/SDFix
Po uruchomieniu klawisz Y zatwierdza skanowanie i usuwanie zainfekowanych plików
Restart…
Po restarcie SDFix automatycznie uruchomi się ponownie i poinformuje o zakończeniu działania.
Pokaż plik Report.txt znajdujący się w folderze programu (C:/SDFix)

Dodaj log z ComboFix.

juventinho · 4 Czerwiec 2008 21:06

log z ComboFix

ComboFix 08-06-03.4 - User 2008-06-04 19:53:24.1 - NTFSx86 NETWORK Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.257 [GMT 2:00] Running from: C:\Documents and Settings\User\Pulpit\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED . ((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 ))))))))))))))))))))))))))))))) . 2008-06-04 19:27 . 2008-06-04 19:27 2008-06-04 19:24 . 2008-06-04 19:39 2008-06-03 21:57 . 2008-06-03 21:57 2008-06-03 21:57 . 2008-06-03 21:57 2008-06-03 21:57 . 2008-06-03 21:57 2008-06-03 21:57 . 2008-06-03 21:57 2008-06-03 21:57 . 2008-06-03 21:57 124,167 --a------ C:\WINDOWS\system32\SYMEVNT.386 2008-06-03 21:57 . 2008-06-03 21:57 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL 2008-06-03 21:57 . 2008-06-03 21:57 73,624 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS 2008-06-03 17:49 . 2008-06-03 17:51 2008-06-03 17:49 . 2008-06-03 17:49 2008-06-03 00:07 . 2008-06-03 00:07 2008-06-02 17:53 . 2008-06-03 21:46 2008-05-25 23:16 . 2008-05-25 23:16 2008-05-14 16:56 . 2008-05-14 16:56 2008-05-11 23:57 . 2008-05-11 23:57 2008-05-11 23:57 . 2005-06-24 16:24 438,272 -ra------ C:\WINDOWS\system32\vp6vfw.dll 2008-05-11 23:57 . 2004-12-10 09:06 327,680 --a------ C:\WINDOWS\system32\vp6dec.ax 2008-05-10 16:25 . 2008-05-10 16:25 2008-05-05 14:22 . 2003-06-19 01:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll 2008-05-05 14:22 . 2008-05-05 14:22 421 --a------ C:\WINDOWS\ODBC.INI 2008-05-05 14:21 . 2008-05-05 14:21 2008-05-05 14:20 . 2008-05-05 14:21 2008-05-05 11:18 . 2008-05-05 11:18 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-03 19:57 --------- d-----w C:\Program Files\Common Files\InstallShield 2008-06-03 19:51 --------- d-----w C:\Program Files\Gadu-Gadu 2008-06-03 19:21 --------- d–h--w C:\Program Files\InstallShield Installation Information 2008-05-02 01:51 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Avira 2008-04-30 07:18 --------- d-----w C:\Program Files\Samsung 2008-04-30 06:55 --------- d-----w C:\Program Files\MobiRise 3GP Converter 2008-04-29 12:03 90,112 ----a-w C:\WINDOWS\DUMP49ca.tmp 2008-04-27 23:44 --------- d-----w C:\Documents and Settings\User\Dane aplikacji\Gadu-Gadu 2008-04-26 07:38 --------- d-----w C:\Program Files\D-Tools 2008-04-25 17:43 --------- d-----w C:\Program Files\Codemasters 2008-04-23 18:22 --------- d-----w C:\Program Files\ESET 2008-04-23 18:22 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ESET 2008-04-23 18:19 --------- d-----w C:\Program Files\Winamp 2008-04-23 18:15 --------- d-----w C:\Program Files\IrfanView 2008-04-23 18:15 --------- d-----w C:\Program Files\Google 2008-04-23 18:14 --------- d-----w C:\Program Files\SubEdit-Player 2008-04-23 18:13 --------- d-----w C:\Program Files\MarBit 2008-04-23 18:11 --------- d-----w C:\Documents and Settings\User\Dane aplikacji\Winamp 2008-04-23 17:02 --------- d-----w C:\Program Files\SUYIN 2008-04-23 17:02 --------- d-----w C:\Program Files\ACER Crystal Eye webcam 2008-04-23 17:02 --------- d-----w C:\Documents and Settings\User\Dane aplikacji\InstallShield 2008-04-23 16:56 315,392 ----a-w C:\WINDOWS\HideWin.exe 2008-04-23 16:56 --------- d-----w C:\Program Files\Realtek 2008-04-23 16:38 --------- d-----w C:\Program Files\Theorica Divx Codecs 2008-04-23 16:35 --------- d-----w C:\Program Files\Windows Media Connect 2 2008-04-23 16:15 277,784 ----a-w C:\WINDOWS\system32\drivers\iaStor.sys . ------- Sigcheck ------- 2007-05-10 17:11 2068096 a87ec7fc3c796046626fee113dfcaad9 C:\WINDOWS\system32\ntkrnlpa.exe 2007-05-10 17:11 2191104 c4738ec0df9ca4149ef16414dceec942 C:\WINDOWS\system32\ntoskrnl.exe 2007-05-10 21:55 1423872 a50dfe31981a01423d327fdd05bdf452 C:\WINDOWS\explorer.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 02:44 15360] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2008-03-20 12:04 2127296] “swg”=“C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe” [2008-04-23 20:15 171448] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “IgfxTray”=“C:\WINDOWS\system32\igfxtray.exe” [2007-06-27 16:38 141848] “HotKeysCmds”=“C:\WINDOWS\system32\hkcmd.exe” [2007-06-27 16:38 162328] “Persistence”=“C:\WINDOWS\system32\igfxpers.exe” [2007-06-27 16:38 137752] “RTHDCPL”=“RTHDCPL.EXE” [2007-05-10 18:08 16342528 C:\WINDOWS\RTHDCPL.exe] “DAEMON Tools-1033”=“C:\Program Files\D-Tools\daemon.exe” [2004-08-22 17:05 81920] “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2008-04-01 20:49 36352] “Google Desktop Search”=“C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” [2008-04-23 20:15 1838592] “egui”=“C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe” [2008-03-13 16:48 1443072] “UnlockerAssistant”=“C:\Program Files\Unlocker\UnlockerAssistant.exe” [2008-05-02 06:15 15872] “vptray”=“C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe” [2003-04-26 01:18 90112] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 02:44 15360] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] “nltide_2”=“regsvr32 /s /n /i:U shell32” [] “nltide_3”=“advpack.dll” [2007-05-10 16:39 124928 C:\WINDOWS\system32\advpack.dll] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] “DisableCAD”= 1 (0x1) “DisableStatusMessages”= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoSMHelp”= 1 (0x1) “NoSMMyPictures”= 1 (0x1) “NoSMConfigurePrograms”= 1 (0x1) “NoInstrumentation”= 1 (0x1) “NoStartMenuMFUprogramsList”= 1 (0x1) “NoResolveTrack”= 1 (0x1) “NoResolveSearch”= 1 (0x1) [HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer] “NoSMHelp”= 1 (0x1) “NoSMMyPictures”= 1 (0x1) “NoSMConfigurePrograms”= 1 (0x1) “NoInstrumentation”= 1 (0x1) “NoStartMenuMFUprogramsList”= 1 (0x1) “NoResolveTrack”= 1 (0x1) “NoResolveSearch”= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] “AppInit_DLLs”=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] “VIDC.I420”= C:\WINDOWS\system32\i263_32.drv “vidc.DIV3”= DivXc32.dll “vidc.DIV4”= DivXc32f.dll “msacm.divxa32”= DivXa32.acm “VIDC.HFYU”= huffyuv.dll “vidc.ffds”= C:\Program Files\Theorica Divx Codecs\ffdshow.ax “vidc.i263”= C:\WINDOWS\system32\i263_32.drv “msacm.imc”= C:\WINDOWS\system32\imc32.acm [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] “%windir%\Network Diagnostic\xpnetdiag.exe”= “%windir%\system32\sessmgr.exe”= “C:\Program Files\Gadu-Gadu\gg.exe”= “D:\DC++\DCPlusPlus.exe”= R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52] S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G] \Shell\AutoRun\command - G:\Autorun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{e862b6e8-139b-11dd-8bfc-001b3823d4c4}] \Shell\AutoRun\command - F:\yltt8jpm.bat \Shell\explore\Command - F:\yltt8jpm.bat \Shell\open\Command - F:\yltt8jpm.bat . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-04 19:53:56 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe - C:\WINDOWS\system32\NavLogon.dll . Completion time: 2008-06-04 19:54:26 ComboFix-quarantined-files.txt 2008-06-04 17:54:21 Pre-Run: 9,000,820,736 bajtów wolnych Post-Run: 8,991,698,944 bajtów wolnych 154 log z SDFix SDFix: Version 1.187 Run by User on 2008-06-04 at 19:28 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting Checking Files : No Trojan Files Found Folder C:\Program Files\XP Antivirus - Removed Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-04 19:38:20 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden services system hive … [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40] “khjeh”=hex:20,02,00,00,76,c6,f3,df,9f,9d,19,ef,d2,8c,13,18,bf,71,75,c9,51,… “hj34z0”=hex:67,00,26,3b,7d,d1,05,6c,9d,3c,62,bd,c2,45,f5,48,82,40,b3,a3,71,… “hj34z1”=hex:a6,00,26,3b,05,d1,05,6c,9c,3c,63,bd,c3,45,f5,48,82,40,b3,a3,b1,… “hj34z2”=hex:a6,00,26,3b,05,d1,05,6c,9c,3c,63,bd,c3,45,f5,48,82,40,b3,a3,b1,… “hj34z3”=hex:a6,00,26,3b,05,d1,05,6c,9c,3c,63,bd,c3,45,f5,48,82,40,b3,a3,b1,… “hj34z4”=hex:a6,00,26,3b,05,d1,05,6c,9c,3c,63,bd,c3,45,f5,48,82,40,b3,a3,b1,… scanning hidden registry entries … [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] “AppInit_DLLs”=“C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL” “DeviceNotSelectedTimeout”=“15” “GDIProcessHandleQuota”=dword:00002710 “Spooler”=“yes” “swapdisk”="" “TransmissionRetryTimeout”=“90” “USERProcessHandleQuota”=dword:00002710 “LoadAppInit_DLLs”=dword:00000001 scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] “%windir%\Network Diagnostic\xpnetdiag.exe”="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" “D:\Quake3\quake3.exe”=“D:\Quake3\quake3.exe:*:Enabled:quake3” “C:\Program Files\Gadu-Gadu\gg.exe”=“C:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program glowny” “C:\Program Files\DC++\DCPlusPlus.exe”=“C:\Program Files\DC++\DCPlusPlus.exe:*:Enabled:DC++” “D:\DC++\DCPlusPlus.exe”=“D:\DC++\DCPlusPlus.exe:*:Enabled:DC++” [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] “%windir%\Network Diagnostic\xpnetdiag.exe”="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" Remaining Files : Files with Hidden Attributes : Finished! W dniu 04.06.2008, o godzinie 23:06 został dopisany post przez juventinho proszę o jakiś odzew