Samoistny upload

siwy89 · 10 Sierpień 2007 16:28

Po odpaleniu neta pojawia się samoistny wysył gdzieś w sieć

log hijackthis"

Logfile of HijackThis v1.99.1 Scan saved at 18:25:35, on 2007-08-10 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Explorer.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\WINDOWS\System32\mmdmm.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\urdvxc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe C:\WINDOWS\System32\rasautou.exe C:\Program Files\foobar2000\foobar2000.exe C:\Program Files\Mozilla Firefox\firefox.exe E:\Hijackthis 1.99\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onet.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: [mouseElf] C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM…\Run: [mmsass] mmdmm.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\RunServices: [mmsass] mmdmm.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O17 - HKLM\System\CCS\Services\Tcpip…{BC36BA3A-374B-482F-8EFC-4AF29D3E9044}: NameServer = 194.204.152.34 217.98.63.164 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Z gory dzieki za pomoc

jessica · 10 Sierpień 2007 16:38

Te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

>>Start >>> Uruchom >>> wybierz (lub wpisz) cmd >> zastosować te komendy (po każdej wciśnij “ENTER”):

Potem daj nowy log z Hijacka oraz log z ComboFixa ->

http://forum.dobreprogramy.pl/viewtopic.php?t=36654

(na dole tej strony z linku) -

Log wklej na http://wklej.org/, a w poście daj tylko link.

.

siwy89 · 10 Sierpień 2007 17:11

Tego nie dalo sie wykonac, pisze: nie mozna znalezc pliku

log hijackthis:

Logfile of HijackThis v1.99.1 Scan saved at 19:10:03, on 2007-08-10 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe C:\WINDOWS\System32\rasautou.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe E:\Hijackthis 1.99\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onet.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: [mouseElf] C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O17 - HKLM\System\CCS\Services\Tcpip…{BC36BA3A-374B-482F-8EFC-4AF29D3E9044}: NameServer = 194.204.152.34 217.98.63.164 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

log z combo nie jest dlugi wiec go tez tu wklejam:

ComboFix 07-08-09.3 - “Mareta” 2007-08-10 19:03:26.1 - FAT32x86 ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32.exe ((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 ))))))))))))))))))))))))))))))) 2007-08-10 19:02 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-08-06 16:28 169,984 --ahs---- C:\WINDOWS\system32\urdvxc.exe 2007-08-04 15:18 69,208 --a------ C:\WINDOWS\system32\msv.exe 2007-08-01 19:43 2007-07-28 16:04 2007-07-28 16:04 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-06 22:40 507 --a------ C:\WINDOWS\system32\drivers\fwdrv.err 2001-10-26 15:29:52 66,431 --sh–r C:\WINDOWS\system32\mmdmm.exe ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Cmaudio”=“cmicnfg.cpl” [] “HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2005-05-11 23:12] “mouseElf”=“C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE” [2003-05-13 10:41] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-04-30 17:42] “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 10:50] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe” [2004-12-06 21:31] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2001-08-02 07:14] [HKEY_USERS.default\software\microsoft\windows\currentversion\runservices] “Microsoft Directx push”=directxpushup.exe [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “Microsoft Directx push”=directxpushup.exe C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26] DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-08-18 18:13:35] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{3bf28bb7-2ed9-11db-9a84-806d6172696f}] AutoRun\command- D:\Autorun.exe ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-08-10 19:05:24 Windows 5.1.2600 FAT NTAPI scanning hidden processes … C:\WINDOWS\system32\cmd.exe [1084] 0xFF2C7B38 scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-08-10 19:06:38 C:\ComboFix-quarantined-files.txt … 2007-08-10 19:06 — E O F —

prosze pomozcie cos

jessica · 10 Sierpień 2007 17:33

Jak widać - pliki są.

Zresztą to mnie nie dziwi, bo tych plików często nie da się usunąć i trzeba sformatować dysk.

Na razie spróbujemy usuwać…

Wklej do Notatnika :

File::

C:\WINDOWS\system32\urdvxc.exe 

C:\WINDOWS\system32\msv.exe

C:\WINDOWS\system32\mmdmm.exe


Registry::

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]

"Microsoft Directx push"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Microsoft Directx push"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bf28bb7-2ed9-11db-9a84-806d6172696f}]

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie,

jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe

(czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– tak jak na tym obrazku -->http://i12.tinypic.com/4l761r5.gif

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie.

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Potem nowy log z ComboFixa.

.

siwy89 · 10 Sierpień 2007 21:08

nowe logi:

Logfile of HijackThis v1.99.1 Scan saved at 23:08:16, on 2007-08-10 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\logonui.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Mozilla Firefox\firefox.exe E:\Hijackthis 1.99\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onet.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: [mouseElf] C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O17 - HKLM\System\CCS\Services\Tcpip…{BC36BA3A-374B-482F-8EFC-4AF29D3E9044}: NameServer = 194.204.152.34 217.98.63.164 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

combo:

ComboFix 07-08-09.3 - “Mareta” 2007-08-10 19:03:26.1 - FAT32x86 ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32.exe ((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 ))))))))))))))))))))))))))))))) 2007-08-10 19:02 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-08-06 16:28 169,984 --ahs---- C:\WINDOWS\system32\urdvxc.exe 2007-08-04 15:18 69,208 --a------ C:\WINDOWS\system32\msv.exe 2007-08-01 19:43 2007-07-28 16:04 2007-07-28 16:04 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-06 22:40 507 --a------ C:\WINDOWS\system32\drivers\fwdrv.err 2001-10-26 15:29:52 66,431 --sh–r C:\WINDOWS\system32\mmdmm.exe ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Cmaudio”=“cmicnfg.cpl” [] “HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2005-05-11 23:12] “mouseElf”=“C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE” [2003-05-13 10:41] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-04-30 17:42] “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 10:50] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe” [2004-12-06 21:31] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2001-08-02 07:14] [HKEY_USERS.default\software\microsoft\windows\currentversion\runservices] “Microsoft Directx push”=directxpushup.exe [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “Microsoft Directx push”=directxpushup.exe C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26] DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-08-18 18:13:35] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{3bf28bb7-2ed9-11db-9a84-806d6172696f}] AutoRun\command- D:\Autorun.exe ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-08-10 19:05:24 Windows 5.1.2600 FAT NTAPI scanning hidden processes … C:\WINDOWS\system32\cmd.exe [1084] 0xFF2C7B38 scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-08-10 19:06:38 C:\ComboFix-quarantined-files.txt … 2007-08-10 19:06 — E O F —

qrczak13 · 10 Sierpień 2007 23:13

Może tak polecą w kosmos:

Ściągnij The Avenger,

wypakuj > uruchom > Input script manually > klikasz w lupkę > w nowo otwartym oknie wklejasz:

Po wklejeniu > Done > klik na zielone światło > ok i będzie restart. Po restarcie wchodzisz gdzie masz The Avenger wklejasz raport avenger.txt oraz nowy log z combofix’a.

siwy89 · 11 Sierpień 2007 11:01

Jakies bledy sie pojawily, log avenger:

////////////////////////////////////////// Avenger Pre-Processor log ////////////////////////////////////////// Syntax error in line — does not appear to be a valid registry path. Line will be ignored. Error code: 1813 Line: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{3bf28bb7-2ed9-11db-9a84-806d6172696f} ////////////////////////////////////////// Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\fykhvbvs ******************* Script file located at: ??\C:\WINDOWS\System32\tgqpkobc.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File C:\WINDOWS\system32\urdvxc.exe not found! Deletion of file C:\WINDOWS\system32\urdvxc.exe failed! Could not process line: C:\WINDOWS\system32\urdvxc.exe Status: 0xc0000034 File C:\WINDOWS\system32\msv.exe not found! Deletion of file C:\WINDOWS\system32\msv.exe failed! Could not process line: C:\WINDOWS\system32\msv.exe Status: 0xc0000034 File C:\WINDOWS\system32\mmdmm.exe not found! Deletion of file C:\WINDOWS\system32\mmdmm.exe failed! Could not process line: C:\WINDOWS\system32\mmdmm.exe Status: 0xc0000034 Could not delete registry value HKEY_USERS.default\software\microsoft\windows\currentversion\runservices|Microsoft Directx push Deletion of registry value HKEY_USERS.default\software\microsoft\windows\currentversion\runservices|Microsoft Directx push failed! Status: 0xc0000034 Could not delete registry value HKEY_USERS.default\software\microsoft\windows\currentversion\run|Microsoft Directx push Deletion of registry value HKEY_USERS.default\software\microsoft\windows\currentversion\run|Microsoft Directx push failed! Status: 0xc0000034 Completed script processing. ******************* Finished! Terminate.

combo:

ComboFix 07-08-09.3 - “Mareta” 2007-08-11 12:57:34.3 - FAT32x86 Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.44 [GMT 2:00] ((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 ))))))))))))))))))))))))))))))) 2007-08-10 21:16 2007-08-10 21:14 2007-08-10 21:13 2007-08-10 21:12 2007-08-10 19:02 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-08-01 19:43 2007-07-28 16:04 2007-07-28 16:04 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-06 22:40 507 --a------ C:\WINDOWS\system32\drivers\fwdrv.err ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Cmaudio”=“cmicnfg.cpl” [] “HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2005-05-11 23:12] “mouseElf”=“C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE” [2003-05-13 10:41] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-04-30 17:42] “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 10:50] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe” [2004-12-06 21:31] “TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2007-08-10 21:14] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2001-08-02 07:14] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26] DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-08-18 18:13:35] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56] R0 viamraid;viamraid;C:\WINDOWS\System32\DRIVERS\viamraid.sys R1 fwdrv;Firewall Driver;C:\WINDOWS\System32\drivers\fwdrv.sys R1 khips;Kerio HIPS Driver;C:\WINDOWS\System32\drivers\khips.sys R2 SVKP;SVKP;??\C:\WINDOWS\System32\SVKP.sys R3 cmuda;C-Media WDM Audio Interface;C:\WINDOWS\System32\drivers\cmuda.sys R3 FETNDIS;Sterownik NT karty VIA PCI 10/100Mb Fast Ethernet;C:\WINDOWS\System32\DRIVERS\fetnd5.sys R3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\System32\DRIVERS\gmfiltr.sys ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-08-11 12:59:34 Windows 5.1.2600 FAT NTAPI scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-08-11 13:00:54 C:\ComboFix-quarantined-files.txt … 2007-08-10 23:02 — E O F —

hijack:

Logfile of HijackThis v1.99.1 Scan saved at 13:01:42, on 2007-08-11 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\explorer.exe E:\Hijackthis 1.99\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onet.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: [mouseElf] C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O17 - HKLM\System\CCS\Services\Tcpip…{BC36BA3A-374B-482F-8EFC-4AF29D3E9044}: NameServer = 194.204.152.34 217.98.63.164 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

jessica · 11 Sierpień 2007 12:22

Avenger podaje, że “failed” komendy, ale z logów wynika, ze jednak swoje zadanie wykonał w 100%.

Jest OK!

.