Program antywirusowy nie radzi sobie z mnogością trojanó

13jola · 30 Lipiec 2008 20:41

Proszę o pomoc w ogarnięciu sytuacji. Od kilku dni program wykazuje po kilkanaście trojanów, robaków…

Wklejam logi:

Logfile of HijackThis v1.99.1 Scan saved at 22:29:26, on 2008-07-30 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\runsvc32.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Maciek\Ustawienia lokalne\Temp\Katalog tymczasowy 2 dla hijackthis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [WindowsUpdater] WindowsUpdater.exe O4 - HKLM…\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot O4 - HKLM…\Run: [runsvc32] runsvc32.exe O4 - HKLM…\RunServices: [WindowsUpdater] WindowsUpdater.exe O4 - HKLM…\RunServices: [runsvc32] runsvc32.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O17 - HKLM\System\CCS\Services\Tcpip…{51FE690A-1F4D-4ADA-BC94-4CA95B9AA04D}: NameServer = 194.204.159.1 217.98.63.164

“Silent Runners.vbs”, revision 58, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [“ALWIL Software”] “WindowsUpdater” = “WindowsUpdater.exe” [file not found] “TrojanScanner” = “C:\Program Files\Trojan Remover\Trjscan.exe /boot” [“Simply Super Software”] “runsvc32” = “runsvc32.exe” [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{52B87208-9CCF-42C9-B88E-069281105805}” = “Trojan Remover Shell Extension” -> {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ <> “BootExecute” = “autocheck autochk *”|“aswBoot.exe /M:1b155ba5” [“ALWIL Software”] HKLM\SOFTWARE\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}” -> {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}” -> {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoSMHelp” = (REG_DWORD) dword:0x00000001 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove Help menu from Start Menu} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ MSPlayCDAudioOnArrival\ “Provider” = “ALLPlayer” “InvokeProgID” = “AllPlayerFile” “InvokeVerb” = “play” HKLM\SOFTWARE\Classes\AllPlayerFile\shell\play\command(Default) = "“C:\Program Files\MarBit\ALLPlayer\ALLPlayer.exe” “%1"” [“MarBit”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 ---------- (launch time: 2008-07-30 22:30:22) <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 17 seconds. ---------- (total run time: 148 seconds)

Dziękuję.

Leon1 · 30 Lipiec 2008 20:48

Pobierz Combofix http://www.searchengines.pl/index.php?s … ntry395642 przeskanuj daj log

potem jeszcze raz log HijackThis 2.02 bo obcięty

Pobierz HijackThis http://forum.dobreprogramy.pl/viewtopic.php?f=16&t=36654 przeskanuj system daj log

13jola · 30 Lipiec 2008 21:27

ComboFix 08-07-29.1 - Maciek 2008-07-30 23:19:02.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.346 [GMT 2:00] Running from: C:\Documents and Settings\Maciek\Pulpit\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\RECYCLER\HSC.exe C:\RECYCLER\iroffer.exe . ((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 ))))))))))))))))))))))))))))))) . 2008-07-29 00:30 . 2008-07-29 00:31 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-07-28 22:42 --------- d—a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP 2007-12-01 22:38 260,471 -c–a-w C:\Program Files\Mpeg2DSSetup.exe 2007-11-23 17:48 2,861,613 -c–a-w C:\Program Files\EClea2_0.exe 2007-11-23 17:47 17,512,696 -c–a-w C:\Program Files\setuppol.exe 2007-11-23 16:48 96,374 -c–a-w C:\Documents and Settings\All Users\Dane aplikacji\firstlsp.reg.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 12:38 866816] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-09-06 13:06 79224] “TrojanScanner”=“C:\Program Files\Trojan Remover\Trjscan.exe” [2008-07-26 21:02 910416] “runsvc32”=“runsvc32.exe” [2005-04-07 20:53 733105 C:\WINDOWS\system32\runsvc32.exe] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] “runsvc32”=“runsvc32.exe” [2005-04-07 20:53 733105 C:\WINDOWS\system32\runsvc32.exe] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoSMHelp”= 1 (0x1) [HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer] “NoSMHelp”= 1 (0x1) [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] “}y”= }y:runsvc32 R3 AN983;Karta ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet;C:\WINDOWS\System32\DRIVERS\AN983.sys [2002-08-28 23:59] S3 NtApm;Sterownik interfejsu NT Apm/Legacy;C:\WINDOWS\System32\DRIVERS\NtApm.sys [2001-10-26 17:48] *Newly Created Service* - CATCHME *Newly Created Service* - PROCEXP90 . - - - - ORPHANS REMOVED - - - - HKLM-Run-WindowsUpdater - WindowsUpdater.exe HKLM-RunServices-WindowsUpdater - WindowsUpdater.exe . ------- Supplementary Scan ------- . R0 -: HKCU-Main,Start Page = hxxp://www.google.pl/ O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm O17 -: HKLM\CCS\Interface{51FE690A-1F4D-4ADA-BC94-4CA95B9AA04D}: NameServer = 194.204.159.1 217.98.63.164 ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-30 23:20:28 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-07-30 23:21:43 ComboFix-quarantined-files.txt 2008-07-30 21:21:41 Pre-Run: 5,831,614,464 bajtów wolnych Post-Run: 5,828,038,656 bajtów wolnych 69 Logfile of HijackThis v1.99.1 Scan saved at 23:22:20, on 2008-07-30 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\runsvc32.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Maciek\Ustawienia lokalne\temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot O4 - HKLM…\Run: [runsvc32] runsvc32.exe O4 - HKLM…\RunServices: [runsvc32] runsvc32.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O17 - HKLM\System\CCS\Services\Tcpip…{51FE690A-1F4D-4ADA-BC94-4CA95B9AA04D}: NameServer = 194.204.159.1 217.98.63.164

Leon1 · 30 Lipiec 2008 21:42

Otwórz notatnik i wklej

zapisz jako CFScript.txt (zapisz by ikonka CFScript.txt była obok ikonki ComboFix.exe) >> Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe

http://img.wklej.org/images/88953CFScri … iemoes.gif

Powinno rozpocząć się usuwanie

Potem log z usuwania Combofix

13jola · 30 Lipiec 2008 21:57

ComboFix 08-07-29.1 - Maciek 2008-07-30 23:52:37.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.335 [GMT 2:00] Running from: C:\Documents and Settings\Maciek\Pulpit\ComboFix.exe Command switches used :: C:\Documents and Settings\Maciek\Pulpit\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED FILE :: C:\WINDOWS\System32\runsvc32.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\System32\runsvc32.exe . ((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 ))))))))))))))))))))))))))))))) . 2008-07-29 00:30 . 2008-07-29 00:31 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-07-28 22:42 --------- d—a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP 2007-12-01 22:38 260,471 -c–a-w C:\Program Files\Mpeg2DSSetup.exe 2007-11-23 17:48 2,861,613 -c–a-w C:\Program Files\EClea2_0.exe 2007-11-23 17:47 17,512,696 -c–a-w C:\Program Files\setuppol.exe 2007-11-23 16:48 96,374 -c–a-w C:\Documents and Settings\All Users\Dane aplikacji\firstlsp.reg.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 12:38 866816] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-09-06 13:06 79224] “TrojanScanner”=“C:\Program Files\Trojan Remover\Trjscan.exe” [2008-07-26 21:02 910416] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoSMHelp”= 1 (0x1) [HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer] “NoSMHelp”= 1 (0x1) R3 AN983;Karta ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet;C:\WINDOWS\System32\DRIVERS\AN983.sys [2002-08-28 23:59] S3 NtApm;Sterownik interfejsu NT Apm/Legacy;C:\WINDOWS\System32\DRIVERS\NtApm.sys [2001-10-26 17:48] *Newly Created Service* - CATCHME *Newly Created Service* - PROCEXP90 . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-30 23:53:44 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-07-30 23:54:48 ComboFix-quarantined-files.txt 2008-07-30 21:54:45 ComboFix2.txt 2008-07-30 21:21:44 Pre-Run: 5,828,808,704 bajtów wolnych Post-Run: 5,823,221,760 bajtów wolnych 59 :-o

Leon1 · 30 Lipiec 2008 22:04

Log wygląda na czysty

zrób optymalizacje uruchamiania

http://cybertrash.netarteria.pl/cyber/i … 378.0.html

usuń ręcznie folder C: \Qoobox usuń instalkę Combofix z dysku.

Wyłącz I włącz przywracanie systemu na wszystkich dyskach.http://support.microsoft.com/kb/310405/pl

przeskanuj obszar Mój komputer http://www.kaspersky.pl/virusscanner.html pokaż raport stronę uruchomić przez IE