Proszę o sprawdzenie loga - Win32.Sality pomocy

kamilos876 · 6 Lipiec 2008 16:34

Prosze o sprawdzenie loga z HijackThis bo wszedl mi do kompa wirus z rodziny Win32.Sality (oby nie trzeba bylo robic formata )

kaseprski wykrywa mi te wirusy w plikach exe. i je czysci (leczy) , ale jak chce pozniej te wyleczone pliki exe wlaczyc to pisze blad pliku exe czyli tak zwane “Wystąpił problem z aplikacją i zostanie ona zamknięta. Przepraszamy za kłopoty”. Mialem kiedys taki inny wirus co zarazal pliki exe ale po wyleczeniu one dzialaly a tutaj nie dzialaja.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:22:01, on 2008-07-06

Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AutoConnect\AutoConnect.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\caav.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\caavGUIScan.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: (no name) - {5492B2E3-6DF0-4BB3-B41C-360FD238E0F6} - C:\WINDOWS\system32\efcDVnLb.dll (file missing)

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: (no name) - {EE5A1465-1E73-4784-8F63-45983FDF0DB8} - C:\WINDOWS\system32\ljJYsQih.dll (file missing)

O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\styler\TB\StylerTB.dll (file missing)

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"

O4 - HKLM\..\Run: [BMe398d2b7] Rundll32.exe "C:\WINDOWS\system32\xidagjqu.dll",s

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /S

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Download Video on This Page - C:\Program Files\Tomato\TubeDownload\TDIEDoc.html

O8 - Extra context menu item: Download Video This Links To - C:\Program Files\Tomato\TubeDownload\TDIELink.html

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll

O9 - Extra button: Download Video - {A103A693-F92C-4A81-8F7F-6C80799EFF3D} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Download Video on This Page - {A103A693-F92C-4A81-8F7F-6C80799EFF3D} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15035/CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A71FF610-DE42-413C-99B3-128C350E9BED}: NameServer = 85.255.116.91,85.255.112.215

O17 - HKLM\System\CCS\Services\Tcpip\..\{A886F463-A465-4085-8C65-C0CE823F5783}: NameServer = 194.204.159.1 217.98.63.164

O17 - HKLM\System\CCS\Services\Tcpip\..\{D44D9393-1419-4ABB-A1F1-4FE81B61B1F1}: NameServer = 85.255.116.91,85.255.112.215

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.91 85.255.112.215

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.91 85.255.112.215

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.91 85.255.112.215

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.91 85.255.112.215

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll

O20 - Winlogon Notify: ljJYsQih - ljJYsQih.dll (file missing)

O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe


--

End of file - 9159 bytes

Leon1 · 6 Lipiec 2008 16:42

wpisy

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll (file missing) O2 - BHO: (no name) - {5492B2E3-6DF0-4BB3-B41C-360FD238E0F6} - C:\WINDOWS\system32\efcDVnLb.dll (file missing) O2 - BHO: (no name) - {EE5A1465-1E73-4784-8F63-45983FDF0DB8} - C:\WINDOWS\system32\ljJYsQih.dll (file missing) O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\styler\TB\StylerTB.dll (file missing) O4 - HKLM…\Run: [bMe398d2b7] Rundll32.exe “C:\WINDOWS\system32\xidagjqu.dll”,s O17 - HKLM\System\CCS\Services\Tcpip…{A71FF610-DE42-413C-99B3-128C350E9BED}: NameServer = 85.255.116.91,85.255.112.215 O17 - HKLM\System\CCS\Services\Tcpip…{D44D9393-1419-4ABB-A1F1-4FE81B61B1F1}: NameServer = 85.255.116.91,85.255.112.215 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.91 85.255.112.215 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.91 85.255.112.215 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.91 85.255.112.215 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.91 85.255.112.215 O20 - Winlogon Notify: ljJYsQih - ljJYsQih.dll (file missing)

usuń HijackThisem >> Fix checked nie pomyl się

Pobierz Combofix http://www.searchengines.pl/index.php?s … ntry395642 ale nie włączaj.

Otwórz notatnik i wklej

zapisz jako CFScript.txt (zapisz by ikonka CFScript.txt była obok ikonki ComboFix.exe) >> Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe

http://img.wklej.org/images/88953CFScri … iemoes.gif

Powinno rozpocząć się usuwanie

Potem log z usuwania Combofix

kamilos876 · 6 Lipiec 2008 17:12

Zrobilem tak jak mowiles i po tym usuwaniu tym ComboFixem wyskoczylo mi takie okienko, dać tak czy nie???

i mam jeszcze pytanie gdzie bedzie ten log z combofixa???

McFreak · 6 Lipiec 2008 17:20

Wciśnij Tak. Ten log combofixa otworzy ci się automatycznie , jeżeli nie , znajdziesz go na dysku C:\

Leon1 · 6 Lipiec 2008 17:24

Start >> wyszukaj >> ComboFix.txt

Gutek · 7 Lipiec 2008 14:54

Zastosuj się do tego Tematu i zmień tytuł tematu na konkretny inaczej KOSZ

Pozdrawiam Gutek2222

Zmiana zasad wklejania logów na forum - viewtopic.php?f=16&t=253052