Siedziba wirusów. Proszę o sprawdzenie logów

Janusek · 29 Październik 2011 12:42

Windows Vista Home premium

Oto log z combo fix

ComboFix 11-10-29.03 - Laptop 2011-10-29 13:09:42.1.1 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1250.48.1045.18.1022.456 [GMT 2:00]

Uruchomiony z: c:\users\Laptop\Desktop\ComboFix.exe

AV: avast! antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}

SP: avast! antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Utworzono nowy punkt przywracania

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\facemoods.com

c:\program files\facemoods.com\facemoods\1.4.8.1\bh\facemoods.dll

c:\program files\facemoods.com\facemoods\1.4.8.1\facemoods.crx

c:\program files\facemoods.com\facemoods\1.4.8.1\facemoods.png

c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodsApp.dll

c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodsEng.dll

c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodssrv.exe

c:\program files\facemoods.com\facemoods\1.4.8.1\uninstall.exe

c:\users\Laptop\AppData\Local\Bron.tok-14-1

c:\users\Laptop\AppData\Local\Bron.tok-14-10

c:\users\Laptop\AppData\Local\Bron.tok-14-11

c:\users\Laptop\AppData\Local\Bron.tok-14-12

c:\users\Laptop\AppData\Local\Bron.tok-14-13

c:\users\Laptop\AppData\Local\Bron.tok-14-14

c:\users\Laptop\AppData\Local\Bron.tok-14-15

c:\users\Laptop\AppData\Local\Bron.tok-14-16

c:\users\Laptop\AppData\Local\Bron.tok-14-17

c:\users\Laptop\AppData\Local\Bron.tok-14-18

c:\users\Laptop\AppData\Local\Bron.tok-14-19

c:\users\Laptop\AppData\Local\Bron.tok-14-2

c:\users\Laptop\AppData\Local\Bron.tok-14-20

c:\users\Laptop\AppData\Local\Bron.tok-14-21

c:\users\Laptop\AppData\Local\Bron.tok-14-22

c:\users\Laptop\AppData\Local\Bron.tok-14-23

c:\users\Laptop\AppData\Local\Bron.tok-14-24

c:\users\Laptop\AppData\Local\Bron.tok-14-25

c:\users\Laptop\AppData\Local\Bron.tok-14-26

c:\users\Laptop\AppData\Local\Bron.tok-14-27

c:\users\Laptop\AppData\Local\Bron.tok-14-28

c:\users\Laptop\AppData\Local\Bron.tok-14-29

c:\users\Laptop\AppData\Local\Bron.tok-14-3

c:\users\Laptop\AppData\Local\Bron.tok-14-30

c:\users\Laptop\AppData\Local\Bron.tok-14-31

c:\users\Laptop\AppData\Local\Bron.tok-14-4

c:\users\Laptop\AppData\Local\Bron.tok-14-5

c:\users\Laptop\AppData\Local\Bron.tok-14-6

c:\users\Laptop\AppData\Local\Bron.tok-14-7

c:\users\Laptop\AppData\Local\Bron.tok-14-8

c:\users\Laptop\AppData\Local\Bron.tok-14-9

c:\users\Laptop\AppData\Local\csrss.exe

c:\users\Laptop\AppData\Local\inetinfo.exe

c:\users\Laptop\AppData\Local\Kosong.Bron.Tok.txt

c:\users\Laptop\AppData\Local\lsass.exe

c:\users\Laptop\AppData\Local\services.exe

c:\users\Laptop\AppData\Local\smss.exe

c:\users\Laptop\AppData\Local\winlogon.exe

c:\users\Laptop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif

c:\users\Laptop\AppData\Roaming\Microsoft\Windows\Templates\Brengkolang.com

c:\windows\BerasJatah.exe

c:\windows\pkunzip.pif

c:\windows\pkzip.pif

c:\windows\shellnew\sempalong.exe

c:\windows\system32\Laptop’s Setting.scr

.

Zainfekowana kopia c:\windows\system32\userinit.exe została znaleziona. Problem naprawiono

Plik odzyskano z - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

.

((((((((((((((((((((((((( Pliki utworzone od 2011-09-28 do 2011-10-29 )))))))))))))))))))))))))))))))

.

2011-10-29 11:21 . 2011-10-29 11:21 0 —ha-w- c:\users\Laptop\AppData\Local\BITE14A.tmp

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

“{ce18769b-c7fa-42d2-860d-17c4662c70ad}”= “c:\program files\Babylon-English\tbBaby.dll” [2010-06-13 2734688]

.

[HKEY_CLASSES_ROOT\clsid{ce18769b-c7fa-42d2-860d-17c4662c70ad}]

.

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{ce18769b-c7fa-42d2-860d-17c4662c70ad}]

2010-06-13 17:10 2734688 ----a-w- c:\program files\Babylon-English\tbBaby.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

“{ce18769b-c7fa-42d2-860d-17c4662c70ad}”= “c:\program files\Babylon-English\tbBaby.dll” [2010-06-13 2734688]

.

[HKEY_CLASSES_ROOT\clsid{ce18769b-c7fa-42d2-860d-17c4662c70ad}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

“{CE18769B-C7FA-42D2-860D-17C4662C70AD}”= “c:\program files\Babylon-English\tbBaby.dll” [2010-06-13 2734688]

.

[HKEY_CLASSES_ROOT\clsid{ce18769b-c7fa-42d2-860d-17c4662c70ad}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“swg”=“c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2010-08-07 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“StartCCC”=“c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” [2006-11-10 90112]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

“EnableUIADesktopToggle”= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

“aux1”=wdmaud.drv

.

[HKLM~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth Monitor.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Monitor.lnk

backup=c:\windows\pss\Bluetooth Monitor.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM~\startupfolder\C:^Users^Laptop^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Empty.pif]

path=c:\users\Laptop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif

backup=c:\windows\pss\Empty.pif.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

2009-02-05 20:08 81000 ----a-w- c:\progra~1\ALWILS~1\Avast4\ashDisp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]

2010-08-10 15:40 3824056 ----a-w- c:\program files\Babylon\Babylon-Pro\Babylon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu 10]

2010-07-21 23:24 12477024 ----a-w- c:\program files\Gadu-Gadu 10\gg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPLA!]

2010-06-21 08:23 16218112 ----a-w- c:\program files\ipla\ipla.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 14:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ORAHSSSessionManager]

2008-06-10 09:14 107248 ----a-w- c:\program files\Livebox\SessionManager\SessionManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2003-10-31 17:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]

2008-01-21 02:23 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]

2008-01-21 02:23 215552 ----a-w- c:\windows\WindowsMobile\wmdSync.exe

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2006-12-22 449536]

R3 EverestDriver;Lavalys EVEREST Kernel Driver;e:\ewerest\EVEREST Ultimate Edition 55\kerneld.wnt [x]

R3 PCAMp50;PCAMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\PCAMp50.sys [2006-11-28 28224]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

R4 gupdate;Usługa Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 135664]

R4 gupdatem;Usługa Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 135664]

S1 aswSP;avast! Self Protection; [x]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-02-05 51792]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

.

Zawartość folderu ‘Zaplanowane zadania’

.

2011-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 13:26]

.

2011-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 13:26]

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://search.babylon.com/home?AF=14542

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Funkcja Google Sidewiki - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html

IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm

IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm

TCP: Interfaces{8969DEA7-D206-4FDB-89C7-B489AA1D539E}: NameServer = 8.8.8.8

.

- - - USUNIĘTO PUSTE WPISY - - - -

.

MSConfigStartUp-facemoods - c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodssrv.exe

AddRemove-facemoods - c:\program files\facemoods.com\facemoods\1.4.8.1\uninstall.exe

.

**************************************************************************

skanowanie ukrytych procesów …

.

skanowanie ukrytych wpisów autostartu …

.

skanowanie ukrytych plików …

.

skanowanie pomyślnie ukończone

ukryte pliki:

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EverestDriver]

“ImagePath”="??\e:\ewerest\EVEREST Ultimate Edition 55\kerneld.wnt"

.

--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

“BlindDial”=dword:00000000

.

------------------------ Pozostałe uruchomione procesy ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\progra~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\conime.exe

.

**************************************************************************

.

Czas ukończenia: 2011-10-29 13:29:18 - komputer został uruchomiony ponownie

ComboFix-quarantined-files.txt 2011-10-29 11:28

.

Przed: 19 059 744 768 bajtów wolnych

Po: 19 467 517 952 bajtów wolnych

.

- End Of File - - 0D1C594EC02FC9DECCC146FBD40AF64E

Narazie skanuje Malwarebytes później wkleje logi.

spandaupol · 30 Październik 2011 10:28

I gdzie są te logi OTL?

Janusek · 30 Październik 2011 16:16

Logi z Malwarebytes

Malwarebytes’ Anti-Malware 1.51.2.1300

www.malwarebytes.org

Wersja bazy: 8040

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

2011-10-29 16:09:41

mbam-log-2011-10-29 (16-09-41).txt

Typ skanowania: Pełne skanowanie (C:|D:|)

Przeskanowano obiektów: 278561

Upłynęło: 1 godzin(y), 10 minut(y), 58 sekund(y)

Zainfekowanych procesów w pamięci: 0

Zainfekowanych modułów w pamięci: 0

Zainfekowanych kluczy rejestru: 0

Zainfekowanych wartości rejestru: 0

Zainfekowane informacje rejestru systemowego: 0

Zainfekowanych folderów: 0

Zainfekowanych plików: 15

Zainfekowanych procesów w pamięci:

(Nie znaleziono zagrożeń)

Zainfekowanych modułów w pamięci:

(Nie znaleziono zagrożeń)

Zainfekowanych kluczy rejestru:

(Nie znaleziono zagrożeń)

Zainfekowanych wartości rejestru:

(Nie znaleziono zagrożeń)

Zainfekowane informacje rejestru systemowego:

(Nie znaleziono zagrożeń)

Zainfekowanych folderów:

(Nie znaleziono zagrożeń)

Zainfekowanych plików:

c:\Qoobox\quarantine\C\Users\Laptop\AppData\Local\csrss.exe.vir (Worm.Brontok) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\Users\Laptop\AppData\Local\inetinfo.exe.vir (Worm.Brontok) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\Users\Laptop\AppData\Local\lsass.exe.vir (Worm.Brontok) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\Users\Laptop\AppData\Local\services.exe.vir (Worm.Brontok) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\Users\Laptop\AppData\Local\smss.exe.vir (Worm.Brontok) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\Users\Laptop\AppData\Local\winlogon.exe.vir (Worm.Brontok) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\Users\Laptop\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\empty.pif.vir (Worm.Brontok) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\Users\Laptop\AppData\Roaming\microsoft\Windows\templates\brengkolang.com.vir (Worm.Brontok) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\Windows\berasjatah.exe.vir (Worm.Brontok) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\Windows\ShellNew\sempalong.exe.vir (Worm.Brontok) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\Windows\System32\laptop’s setting.scr.vir (Worm.Brontok) -> Quarantined and deleted successfully.

c:\Users\Laptop\Desktop\nowy folder (2)\documents.exe (Worm.Brontok) -> Quarantined and deleted successfully.

c:\Users\Laptop\Desktop\nowy folder (2)\cyberlink\PowerDVD\PowerDVD.exe (Worm.Brontok) -> Quarantined and deleted successfully.

c:\Users\Laptop\documents\documents.exe (Worm.Brontok) -> Quarantined and deleted successfully.

c:\Windows\pss\empty.pif.startup (Worm.Brontok) -> Quarantined and deleted successfully.