ticzer
(Rafpi1)
4 July 2007 07:25
#1
Hello.
I have a problem with a page that opens by itself in IE (which is odd, because I don't use IE at all, only Firefox). The page is gsearching.com.
I've already seen threads here about a similar problem, so following the advice found there I'm pasting a HijackThis log and would very much appreciate some help.
Logfile of HijackThis v1.99.1
Scan saved at 09:18:38, on 2007-07-04
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\windows\System32\CTsvcCDA.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\System32\nvsvc32.exe
C:\windows\vsnpstd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\windows\System32\NSecurity.exe
D:\Program Files\Winamp\winampa.exe
C:\sg.exe
C:\windows\System32\svchost.exe
C:\windows\System32\UAService7.exe
C:\windows\System32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\DS Clock\dsclock.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Kalendarz XP\Kalendarz.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\FlashGet\flashget.exe
C:\Documents and Settings\Piątek\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotinfolink.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Radio_UK toolbar - {0aff1fc6-fbe5-4eba-9853-65aad3f03c68} - C:\Program Files\Radio_UK\tbRadi.dll
R3 - URLSearchHook: RoadrunnerPL - {26124d48-1baf-4239-b605-4325c2bd2713} - C:\Program Files\RoadrunnerPL\tbRoa0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Radio_UK toolbar - {0aff1fc6-fbe5-4eba-9853-65aad3f03c68} - C:\Program Files\Radio_UK\tbRadi.dll
O2 - BHO: RoadrunnerPL - {26124d48-1baf-4239-b605-4325c2bd2713} - C:\Program Files\RoadrunnerPL\tbRoa0.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - D:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {4A9D81AB-427B-42DF-AED1-0EC21D4F0DFF} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\PROGRA~1\FLASHGET\getflash.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\windows\System32\msdxm.ocx
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Radio_UK toolbar - {0aff1fc6-fbe5-4eba-9853-65aad3f03c68} - C:\Program Files\Radio_UK\tbRadi.dll
O3 - Toolbar: RoadrunnerPL - {26124d48-1baf-4239-b605-4325c2bd2713} - C:\Program Files\RoadrunnerPL\tbRoa0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [snpstd] C:\windows\vsnpstd.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Network Security] C:\windows\System32\NSecurity.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCp1Do] C:\sg.exe
O4 - HKLM\..\Run: [Virscanner] c:\windows\smss.exe
O4 - HKLM\..\Run: [AntiVir] c:\Program Files\smss.exe
O4 - HKLM\..\Run: [Msnmsgr.exe] c:\lsass.exe
O4 - HKLM\..\RunServices: [NvCp1Do] C:\sg.exe
O4 - HKLM\..\RunServices: [Virscanner] c:\windows\smss.exe
O4 - HKLM\..\RunServices: [AntiVir] c:\Program Files\smss.exe
O4 - HKLM\..\RunServices: [Msnmsgr.exe] c:\lsass.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [DS Clock] "C:\Program Files\DS Clock\dsclock.exe"
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [rasman] C:\windows\System32\rasman32.exe
O4 - HKCU\..\Run: [Office Monitors] C:\windows\System32\GoogleUpdater.exe
O4 - HKCU\..\Run: [ActiveSync] C:\windows\System32\wcescom32.exe
O4 - HKCU\..\Run: [Network Security] C:\windows\System32\NSecurity.exe
O4 - HKCU\..\Run: [NvCp1Do] C:\sg.exe
O4 - HKCU\..\Run: [Virscanner] c:\windows\smss.exe
O4 - HKCU\..\Run: [AntiVir] c:\Program Files\smss.exe
O4 - HKCU\..\Run: [Msnmsgr.exe] c:\lsass.exe
O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe
O8 - Extra context menu item: Add to AMV Converter... - E:\LARK\The amv1.5 conversion\AMVConverter\grab.html
O8 - Extra context menu item: Download all links using BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: MediaManager tool grab multimedia file - E:\LARK\The amv1.5 conversion\MediaManager\grab.html
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - D:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - D:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O15 - Trusted IP range: 213.159.117.202
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\windows\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Protected Exchange (MainService) - Unknown owner - C:\windows\System32\nprotect32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\windows\System32\UAService7.exe
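The tell-tale entries in the log above are the O4 autorun lines: copies of smss.exe and lsass.exe outside System32, an sg.exe sitting in the root of C:, and the same entries repeated under the legacy RunServices key. As an added example (not part of this thread and not HijackThis code), here is a small Python triage script that applies those checks mechanically to O4 lines. The rule set is an assumption based on Windows XP defaults; the sample lines are copied from the HijackThis log in this post.

```python
"""Triage the O4 (autorun) lines of a HijackThis log.

Added example for this thread, not code from HijackThis or from the forum.
Assumptions (Windows XP defaults): the names in SYSTEM_ONLY legitimately run
only from %SystemRoot%\\System32; an .exe sitting directly in a drive root is
unusual for installed software; and the RunServices key is a Windows 9x
leftover that XP-era malware used for persistence.
"""
import ntpath
import re

SYSTEM_ONLY = {"smss.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
               "services.exe", "svchost.exe", "spoolsv.exe"}

# HJT writes: O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^O4 - (?P<loc>.+?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First program-like token of an unquoted command line, up to its extension.
EXT_RE = re.compile(r"(.*?\.(?:exe|dll|com|scr|bat|pif))(?=\s|,|$)", re.IGNORECASE)


def first_token(cmd):
    """Return the program path at the start of an autorun command line."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd[0] in "\"\u201c":            # straight or curly opening quote (pasted logs)
        end = re.search("[\"\u201d]", cmd[1:])
        return cmd[1:1 + end.start()] if end else cmd[1:]
    m = EXT_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def triage_o4(line):
    """Return the list of reasons an O4 line looks suspicious (empty if none)."""
    m = O4_RE.match(line.strip())
    if not m:
        return []
    loc, name, cmd = m.group("loc"), m.group("name"), m.group("cmd")
    exe = first_token(cmd)
    folder, base = ntpath.split(exe)
    base_l, folder_l = base.lower(), folder.lower().rstrip("\\")
    reasons = []
    # Rule 1: a core system process name running from anywhere but System32.
    if base_l in SYSTEM_ONLY and not folder_l.endswith("\\system32"):
        reasons.append("system binary name '%s' outside System32: %s" % (base, exe))
    # Rule 2: an executable dropped straight into a drive root (C:\sg.exe).
    if re.fullmatch(r"[a-z]:\\[^\\]+\.exe", exe.lower()):
        reasons.append("executable directly in a drive root: %s" % exe)
    # Rule 3: persistence via the Win9x-era RunServices key.
    if "runservices" in loc.lower():
        reasons.append("uses the legacy RunServices key")
    # Rule 4: value name pretends to be one program, runs another ([Msnmsgr.exe] lsass.exe).
    if name.lower().endswith(".exe") and name.lower() != base_l:
        reasons.append("value name '%s' does not match executable '%s'" % (name, base))
    return reasons


def triage_log(text):
    """Return [(line, reasons)] for every O4 line that triggered at least one rule."""
    out = []
    for line in text.splitlines():
        reasons = triage_o4(line)
        if reasons:
            out.append((line.strip(), reasons))
    return out


# Sample input: O4 lines copied from the HijackThis log posted above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCp1Do] C:\sg.exe
O4 - HKLM\..\Run: [Virscanner] c:\windows\smss.exe
O4 - HKLM\..\Run: [AntiVir] c:\Program Files\smss.exe
O4 - HKLM\..\Run: [Msnmsgr.exe] c:\lsass.exe
O4 - HKLM\..\RunServices: [NvCp1Do] C:\sg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [DS Clock] "C:\Program Files\DS Clock\dsclock.exe"
"""

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_O4):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run on SAMPLE_O4 it reports five lines (the two sg.exe entries, the two smss.exe copies and c:\lsass.exe) and lets the avast!, NvCplDaemon, CTFMON.EXE and DS Clock entries through. Treat the output as triage, not a verdict: a legitimate program installed in a drive root trips the root-directory rule too, so each hit still needs the file checked (hash, signature, VirusTotal) before anything is deleted.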
Gutek
(Gutek)
4 July 2007 09:47
#2
Automated tools first: a scan with AVG Anti-Spyware 7.5 after updating it.
Post a ComboFix log.
ticzer
(Rafpi1)
4 July 2007 11:56
#3
AVG Anti-Spyware log:
… and from ComboFix:
"PiĄtek" - 2007-07-04 13:32:23 - ComboFix 07-07-03.9 - Dodatek Service Pack. 1 FAT32

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\ALLUSE~1\DANEAP~1.\TEMP
C:\windows\lsass.exe
C:\windows\setup.exe
C:\windows\smss.exe

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_RDRIV

((((((((((((((((((((((((( Files Created from 2007-06-04 to 2007-07-04 )))))))))))))))))))))))))))))))

2007-07-04 13:31 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-04 12:00 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-04 10:13
2007-07-04 10:13
2007-07-04 10:04 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-07-04 09:46
2007-07-03 12:33
2007-07-03 12:30
2007-07-02 17:33 163,840 ---hs---- C:\sg.exe
2007-07-02 17:33 163,840 ---hs---- C:\Program Files\smss.exe
2007-07-02 17:33 163,840 ---hs---- C:\lsass.exe
2007-06-30 11:52 90,112 --a------ C:\favo.exe
2007-06-24 08:38
2007-06-20 17:42
2007-06-16 20:27
2007-06-15 19:48
2007-06-13 15:31
2007-06-08 22:49
2007-06-08 15:19

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-04 11:42:30 163,840 --sh--w C:\windows\smss.exe
2007-07-04 11:42:30 0 ----a-w C:\windows\lsass.exe
2007-06-11 13:31:32 12,208 --sha-w C:\windows\system32\KGyGaAvL.sys
2007-06-03 06:50:00 15,978 ----a-w C:\windows\mozver.dat
2007-05-08 14:28:54 11,776 ----a-w C:\start.exe
2007-05-07 16:47:52 606 ----a-w C:\windows\system32\SpoonUninstall-SYLT Lyrics Plugin 1.2.1.dat
2007-05-07 16:47:52 167,936 ----a-w C:\windows\system32\SpoonUninstall.exe
2007-05-07 16:47:24 611 ----a-w C:\windows\system32\SpoonUninstall-SYLT Lyrics Plugin 1.3.0.dat
2007-05-07 16:45:24 249,856 ------w C:\windows\Setup1.exe
2007-05-07 16:45:22 73,216 ----a-w C:\windows\ST6UNST.EXE
2007-05-07 08:47:58 2,560 ----a-w C:\windows\system32\BitCometRes.dll
2007-05-06 17:22:44 3,579 ----a-w C:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2007-05-03 05:19:06 98 ----a-w C:\windows\temp.bat
2007-04-30 15:46:10 745,600 ----a-w C:\windows\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\windows\system32\AVASTSS.scr
2007-04-23 00:15:20 200,704 ----a-w C:\windows\system32\ssldivx.dll
2007-04-23 00:15:20 1,044,480 ----a-w C:\windows\system32\libdivx.dll
2007-04-17 08:19:52 3,082 ----a-w C:\windows\system32\affv208325p1now.sys
2005-10-13 19:27:00 422,400 --sha-r C:\windows\x2.64.exe
2005-05-13 15:12:00 217,073 --sha-r C:\windows\meta4.exe
2005-10-24 09:13:58 66,560 --sha-r C:\windows\MOTA113.exe
2005-10-07 17:14:52 308,224 --sha-r C:\windows\system32\avisynth.dll
2005-04-28 20:25:56 56 --sh--r C:\windows\system32\433253CFCE.sys
2005-02-28 11:16:22 240,128 --sha-r C:\windows\system32\x.264.exe
2005-07-14 10:31:20 27,648 --sha-r C:\windows\system32\AVSredirect.dll
2005-06-26 13:32:28 616,448 --sha-r C:\windows\system32\cygwin1.dll
2005-06-21 20:37:42 45,568 --sha-r C:\windows\system32\cygz.dll
2006-04-27 08:24:24 2,945,024 --sha-r C:\windows\system32\Smab.dll
2004-01-24 22:00:00 70,656 --sha-r C:\windows\system32\i420vfw.dll
2004-01-24 22:00:00 70,656 --sha-r C:\windows\system32\yv12vfw.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-05-12 00:47 50376 --a------ C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0aff1fc6-fbe5-4eba-9853-65aad3f03c68}]
2007-06-12 12:27 1354776 --a------ C:\Program Files\Radio_UK\tbRadi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26124d48-1baf-4239-b605-4325c2bd2713}]
2007-06-26 17:54 1383448 --a------ C:\Program Files\RoadrunnerPL\tbRoa0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}]
2006-05-16 15:19 81920 --a------ D:\PROGRA~1\FLASHGET\jccatch.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}]
2007-03-29 16:31 394816 --a------ D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45AD732C-2CE2-4666-B366-B2214AD57A49}]
2006-07-09 22:06 278528 --a------ D:\Program Files\Desktop Sidebar\sbhelp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A9D81AB-427B-42DF-AED1-0EC21D4F0DFF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}]
2004-12-20 11:38 272384 --a------ D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A373B7E-496E-424f-A9BE-486A5E9AB018}]
C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2005-11-10 13:22 184423 --a------ C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}]
2004-08-13 17:42 155648 --a------ C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}]
2004-12-19 17:38 325632 --a------ D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
I shortened the AVG report because it was breaking the forum layout; waiting for a new one after the junk is removed. Joan
Joan
(Joan Sunshine)
4 July 2007 12:49
#4
Delete everything AVG found, scan again after that and post a new report.
Download and run the tool The Avenger. Tick the option Input script manually and click the magnifying glass on the right. In the window that opens, paste:
Click Done, then the green light, and agree to the restart by clicking OK.
Manually delete the file C:\Avenger\backup.zip from the disk and paste the report C:\avenger.txt on the forum.
Post a new, complete ComboFix log.
Joan
(Joan Sunshine)
4 July 2007 14:50
#6
Good, now please empty the quarantine and post a new Combo log.
ticzer
(Rafpi1)
4 July 2007 14:50
#7
ComboFix report (in two posts, because it doesn't fit in one):
"PiĄtek" - 2007-07-04 13:32:23 - ComboFix 07-07-03.9 - Dodatek Service Pack. 1 FAT32

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\ALLUSE~1\DANEAP~1.\TEMP
C:\windows\lsass.exe
C:\windows\setup.exe
C:\windows\smss.exe

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_RDRIV

((((((((((((((((((((((((( Files Created from 2007-06-04 to 2007-07-04 )))))))))))))))))))))))))))))))

2007-07-04 13:31 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-04 12:00 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-04 10:13
2007-07-04 10:13
2007-07-04 10:04 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-07-04 09:46
2007-07-03 12:33
2007-07-03 12:30
2007-07-02 17:33 163,840 ---hs---- C:\sg.exe
2007-07-02 17:33 163,840 ---hs---- C:\Program Files\smss.exe
2007-07-02 17:33 163,840 ---hs---- C:\lsass.exe
2007-06-30 11:52 90,112 --a------ C:\favo.exe
2007-06-24 08:38
2007-06-20 17:42
2007-06-16 20:27
2007-06-15 19:48
2007-06-13 15:31
2007-06-08 22:49
2007-06-08 15:19

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-04 11:42:30 163,840 --sh--w C:\windows\smss.exe
2007-07-04 11:42:30 0 ----a-w C:\windows\lsass.exe
2007-06-11 13:31:32 12,208 --sha-w C:\windows\system32\KGyGaAvL.sys
2007-06-03 06:50:00 15,978 ----a-w C:\windows\mozver.dat
2007-05-08 14:28:54 11,776 ----a-w C:\start.exe
2007-05-07 16:47:52 606 ----a-w C:\windows\system32\SpoonUninstall-SYLT Lyrics Plugin 1.2.1.dat
2007-05-07 16:47:52 167,936 ----a-w C:\windows\system32\SpoonUninstall.exe
2007-05-07 16:47:24 611 ----a-w C:\windows\system32\SpoonUninstall-SYLT Lyrics Plugin 1.3.0.dat
2007-05-07 16:45:24 249,856 ------w C:\windows\Setup1.exe
2007-05-07 16:45:22 73,216 ----a-w C:\windows\ST6UNST.EXE
2007-05-07 08:47:58 2,560 ----a-w C:\windows\system32\BitCometRes.dll
2007-05-06 17:22:44 3,579 ----a-w C:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2007-05-03 05:19:06 98 ----a-w C:\windows\temp.bat
2007-04-30 15:46:10 745,600 ----a-w C:\windows\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\windows\system32\AVASTSS.scr
2007-04-23 00:15:20 200,704 ----a-w C:\windows\system32\ssldivx.dll
2007-04-23 00:15:20 1,044,480 ----a-w C:\windows\system32\libdivx.dll
2007-04-17 08:19:52 3,082 ----a-w C:\windows\system32\affv208325p1now.sys
2005-10-13 19:27:00 422,400 --sha-r C:\windows\x2.64.exe
2005-05-13 15:12:00 217,073 --sha-r C:\windows\meta4.exe
2005-10-24 09:13:58 66,560 --sha-r C:\windows\MOTA113.exe
2005-10-07 17:14:52 308,224 --sha-r C:\windows\system32\avisynth.dll
2005-04-28 20:25:56 56 --sh--r C:\windows\system32\433253CFCE.sys
2005-02-28 11:16:22 240,128 --sha-r C:\windows\system32\x.264.exe
2005-07-14 10:31:20 27,648 --sha-r C:\windows\system32\AVSredirect.dll
2005-06-26 13:32:28 616,448 --sha-r C:\windows\system32\cygwin1.dll
2005-06-21 20:37:42 45,568 --sha-r C:\windows\system32\cygz.dll
2006-04-27 08:24:24 2,945,024 --sha-r C:\windows\system32\Smab.dll
2004-01-24 22:00:00 70,656 --sha-r C:\windows\system32\i420vfw.dll
2004-01-24 22:00:00 70,656 --sha-r C:\windows\system32\yv12vfw.dll
Merged post: 04.07.2007 (Wed) 16:51
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-05-12 00:47 50376 --a------ C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0aff1fc6-fbe5-4eba-9853-65aad3f03c68}]
2007-06-12 12:27 1354776 --a------ C:\Program Files\Radio_UK\tbRadi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26124d48-1baf-4239-b605-4325c2bd2713}]
2007-06-26 17:54 1383448 --a------ C:\Program Files\RoadrunnerPL\tbRoa0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}]
2006-05-16 15:19 81920 --a------ D:\PROGRA~1\FLASHGET\jccatch.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}]
2007-03-29 16:31 394816 --a------ D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45AD732C-2CE2-4666-B366-B2214AD57A49}]
2006-07-09 22:06 278528 --a------ D:\Program Files\Desktop Sidebar\sbhelp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A9D81AB-427B-42DF-AED1-0EC21D4F0DFF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}]
2004-12-20 11:38 272384 --a------ D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A373B7E-496E-424f-A9BE-486A5E9AB018}]
C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2005-11-10 13:22 184423 --a------ C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}]
2004-08-13 17:42 155648 --a------ C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}]
2004-12-19 17:38 325632 --a------ D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
2006-01-17 16:04 282624 --a------ C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F156768E-81EF-470C-9057-481BA8380DBA}]
2006-09-12 10:50 126976 --a------ D:\PROGRA~1\FLASHGET\getflash.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-07-13 01:50 C:\WINDOWS\system32\nwiz.exe]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"TkBellExe"="realsched.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 12:10]
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 17:42]
"PCSuiteTrayApplication"="D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" [2007-05-15 00:22]
"NvCp1Do"="C:\sg.exe" [2007-07-02 17:33]
"AntiVir"="c:\Program Files\smss.exe" [2007-07-02 17:33]
"Msnmsgr.exe"="c:\lsass.exe" [2007-07-02 17:33]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]
"NvCplDaemon"="C:\windows\System32\NvCpl.dll" [2004-07-13 01:50]
"Virscanner"="c:\windows\smss.exe" [2007-07-04 13:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\windows\System32\ctfmon.exe" [2002-09-20 16:05]
"DS Clock"="C:\Program Files\DS Clock\dsclock.exe" [2005-02-14 22:23]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2005-03-23 22:53]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" []
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"Twoje TVN24"="" []
"rasman"="C:\windows\System32\rasman32.exe" []
"Office Monitors"="C:\windows\System32\GoogleUpdater.exe" []
"ActiveSync"="C:\windows\System32\wcescom32.exe" []
"Network Security"="C:\windows\System32\NSecurity.exe" []
"NvCp1Do"="C:\sg.exe" [2007-07-02 17:33]
"Virscanner"="c:\windows\smss.exe" [2007-07-04 13:42]
"AntiVir"="c:\Program Files\smss.exe" [2007-07-02 17:33]
"Msnmsgr.exe"="c:\lsass.exe" [2007-07-02 17:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"NvCp1Do"=C:\sg.exe
"Virscanner"=c:\windows\smss.exe
"AntiVir"=c:\Program Files\smss.exe
"Msnmsgr.exe"=c:\lsass.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"rasman"=C:\windows\System32\rasman32.exe
"Nokia.PCSync"=D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 14:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
NvCp1Do C:\sg.exe
Virscanner c:\windows\smss.exe
AntiVir c:\Program Files\smss.exe
Msnmsgr.exe c:\lsass.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

*Newly Created Service* - AVGASCLN

**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-04 13:42:00
Windows 5.1.2600 Dodatek Service Pack. 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   Creative Detector = "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R???wpO?w???K;?w@[?w?k???w? ??m???p???p???_?w???w? ??m??? ?s???w? ??m???P???.?xP???.?x???@?w?yp???@?wP???.?x?@?w8?????????w?O?w?????@?w
   rasman = C:\windows\System32\rasman32.exe??x?????h???e?.?|??????w???w?????2?w?3?w?.?wK.?w?.?w?.?w@?????$????????w????????????0???p??w?????.?w???????? C??B??????? ?@??????????????????????/?w|??????w???w????j??w?-?w????????????!????????????_?w????????!??????????????? ?@
   ActiveSync = C:\windows\System32\wcescom32.exe?x?t?h?e?m?e?.?d?l??@?wd??wN
?wb`?w ???.?wK.?w?.?w?.?wB???$???CX?w???B???0???p??w???.?w???B??? ?@???/?w|???w???w???j??w?-?w???"???_?w???"??? ?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-04 13:45:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-04 13:45
--- E O F ---
Merged post: 04.07.2007 (Wed) 16:53
Avenger report:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cewegivi

*******************

Script file located at: \??\C:\yyrutiam.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\sg.exe deleted successfully.
File C:\Program Files\smss.exe deleted successfully.
File C:\lsass.exe deleted successfully.
File C:\favo.exe deleted successfully.

Error: C:\FOUND.057 is a folder, not a file!
Deletion of file C:\FOUND.057 failed!
Could not process line:
C:\FOUND.057
Status: 0xc00000ba

Error: C:\FOUND.009 is a folder, not a file!
Deletion of file C:\FOUND.009 failed!
Could not process line:
C:\FOUND.009
Status: 0xc00000ba

Error: C:\FOUND.008 is a folder, not a file!
Deletion of file C:\FOUND.008 failed!
Could not process line:
C:\FOUND.008
Status: 0xc00000ba

Error: C:\FOUND.007 is a folder, not a file!
Deletion of file C:\FOUND.007 failed!
Could not process line:
C:\FOUND.007
Status: 0xc00000ba

Error: C:\FOUND.006 is a folder, not a file!
Deletion of file C:\FOUND.006 failed!
Could not process line:
C:\FOUND.006
Status: 0xc00000ba

File C:\windows\smss.exe deleted successfully.
File C:\windows\lsass.exe deleted successfully.
File C:\start.exe deleted successfully.
Folder C:\!KillBox deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Joan
(Joan Sunshine)
4 July 2007 15:20
#8
Avenger once more. Paste:
Click Done, then the green light, and agree to the restart by clicking OK.
Manually delete the file C:\Avenger\backup.zip from the disk and paste the report C:\avenger.txt on the forum.
Open Notepad and paste this into it:
File -> Save as -> change the file type to All files -> save under the name FIX.REG
Run the FIX.REG file, confirm adding it to the registry and reboot the computer.
A new Combo log and logs from GMER:
Rootkit tab > tick everything except Show all > click Scan
Rootkit tab > tick only Services and Show all > click Scan, and in both cases wait patiently until it finishes.
Joan
(Joan Sunshine)
4 July 2007 16:23
#10
And where's the rest? GMER and Combo?
ticzer
(Rafpi1)
4 July 2007 16:49
#11
I was just about to get to that. But after the reset (after the FIX.REG operation) the computer stopped cooperating! When starting Windows it couldn't find the file lsass.exe. I had to go into "Last Known Good Configuration"... And now I don't know where I stand... Should I do the GMER and Combo logs? Or start from the beginning? And what about that file?
Joan
(Joan Sunshine)
4 July 2007 16:53
#12
Post a ComboFix log first. I suspect it restored that junk along the way.
Joan
(Joan Sunshine)
4 July 2007 17:48
#14
Open Notepad and paste this into it:
File -> Save as -> change the file type to All files -> save under the name FIX.REG
Run the FIX.REG file, confirm adding it to the registry and reboot the computer.
Post a Combo log as a check.
qrczak13
(qrczak13)
4 July 2007 20:51
#16
Scan it at http://www.virustotal.com/vt/ and paste the report after the scan. If you can't find the file, turn off hiding of hidden files and protected operating system files.
Paste into Notepad:
File > Save as > change the extension from .txt to All files > save under the name Fix.reg, e.g. on the
desktop > double-click Fix.reg > confirm > restart.
Registry cleaning: jv16 PowerTools 2006 1.5.2.350
qrczak13
(qrczak13)
4 July 2007 21:54
#18
Remove this as well and it will be fine.
Does the page still show up?
If so, run a SUPERAntiSpyware scan after updating it and delete whatever it finds.
ticzer
(Rafpi1)
4 July 2007 21:59
#19
No, it doesn't show up anymore. It's probably lurking... MANY THANKS FOR THE HELP.