bram
(Brewin)
11 August 2007 09:30
#1
Avast detected the virus Win32:Agent HKH and/or BBQ (I don't remember the name exactly); now the computer freezes right after Avast's message about the detection appears. Windows works without problems only in Safe Mode, so the logs were also made in Safe Mode. Please help me solve the problem.
HijackThis:
Logfile of HijackThis v1.99.1 Scan saved at 11:20:25, on 2007-08-11 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE H:\Program Files\Mozilla Firefox\firefox.exe H:\nie otwierać!\antivir\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe O4 - HKLM…\Run: [WinampAgent] H:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [avast!] 
H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [RemoteControl] “D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “I:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [Firewall auto setup] C:\DOCUME~1\BRW\USTAWI~1\Temp\winlogon.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Last.fm Helper.lnk = I:\Last.fm\LastFMHelper.exe O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - I:\Program Files\Avant Browser\AddAllToADBlackList.htm O8 - Extra context menu item: Dodaj do listy blokowanych reklam - I:\Program Files\Avant Browser\AddToADBlackList.htm O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O8 - Extra context menu item: Otwórz w nowym Avant Browser - I:\Program Files\Avant Browser\OpenInNewBrowser.htm O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony… - I:\Program Files\Avant Browser\OpenAllLinks.htm O8 - Extra context menu item: Podświetl - I:\Program Files\Avant Browser\Highlight.htm O8 - Extra context menu item: Szukaj - I:\Program Files\Avant Browser\Search.htm O9 - 
Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! 
Mail Scanner - Unknown owner - H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - H:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
SilentRunners:
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “Gadu-Gadu” = ““I:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z oo”] “Firewall auto setup” = “C:\DOCUME~1\BRW\USTAWI~1\Temp\winlogon.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “NVRaidService” = “C:\WINDOWS\System32\nvraidservice.exe” [“NVIDIA Corporation”] “WinampAgent” = “H:\Program Files\Winamp\winampa.exe” [null data] “avast!” = “H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [“ALWIL Software”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “RemoteControl” = ““D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”] “Easy-PrintToolBox” = “C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon” [“CANON INC.”] “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Inc.”] “startdrv” = “C:\WINDOWS\Temp\startdrv.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “D:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx” [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = 
“C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B4B924A2-EBDA-11DA-95DA-00E08161165F}” = “Dodatki Spika” -> {HKLM…CLSID} = “SpikShellExt Class” \InProcServer32(Default) = “H:\Program Files\Spik\shellext_wpmsg.dll” [“Wirtualna Polska”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “H:\Program Files\WinRAR\rarext.dll” [null data] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “D:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL” [MS] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “H:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{AC0B5D2E-B691-4E12-A4F9-CA88492579A2}” = “Zinio Shell Extension” -> {HKLM…CLSID} = “Zinio Magazine” \InProcServer32(Default) = “C:\Program Files\Common Files\Zinio\ZShext.dll” [“Zinio Systems, Inc.”] “{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}” = “Zinio Magazine Column Provider” -> {HKLM…CLSID} = “MyMagazinesColumn Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Zinio\ZShext.dll” [“Zinio Systems, Inc.”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {A9AACA72-1C51-4F84-804D-90EDBA0D58F4}(Default) = “Zinio Magazine Column Provider” -> {HKLM…CLSID} = “MyMagazinesColumn Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Zinio\ZShext.dll” [“Zinio Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = 
“H:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] Spik(Default) = “{B4B924A2-EBDA-11DA-95DA-00E08161165F}” -> {HKLM…CLSID} = “SpikShellExt Class” \InProcServer32(Default) = “H:\Program Files\Spik\shellext_wpmsg.dll” [“Wirtualna Polska”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “H:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “H:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “H:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] Spik(Default) = “{B4B924A2-EBDA-11DA-95DA-00E08161165F}” -> {HKLM…CLSID} = “SpikShellExt Class” \InProcServer32(Default) = “H:\Program Files\Spik\shellext_wpmsg.dll” [“Wirtualna Polska”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “H:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\BRW\Dane aplikacji\Microsoft\Internet Explorer\Tapeta programu Internet Explorer.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “BRW” & “All Users” startup folders: ----------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Gamma Loader.exe” -> shortcut to: “C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”] “Last.fm Helper” -> shortcut to: “I:\Last.fm\LastFMHelper.exe” [null data] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = 
“%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\yyaisgd.dll [null data], 01 - 18, 37 %SystemRoot%\system32\mswsock.dll [MS], 19 - 22, 25 - 36 %SystemRoot%\system32\rsvpsp.dll [MS], 23 - 24 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{327C2873-E90D-4C37-AA9D-10AC9BABA46C}” = “Easy-WebPrint” -> {HKLM…CLSID} = “Easy-WebPrint” \InProcServer32(Default) = “C:\Program Files\Canon\Easy-WebPrint\Toolband.dll” [null data] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{03C1C47F-0538-4645-8372-D3109B9FC636}(Default) = “Easy-WebPrint” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Canon\Easy-WebPrint\Toolband.dll” [null data] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] ATI Smart, ATI Smart, “C:\WINDOWS\system32\ati2sgag.exe” [empty string] avast! Antivirus, avast! Antivirus, ““H:\Program Files\Alwil Software\Avast4\ashServ.exe”” [“ALWIL Software”] avast! iAVS4 Control Service, aswUpdSv, ““H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [“ALWIL Software”] avast! Mail Scanner, avast! 
Mail Scanner, ““H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““H:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] ICF, ICF, “C:\WINDOWS\system32\svchost.exe:exe.exe” [** WMI GetObject error **] Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\System32\wbem\wmiapsrv.exe” [MS] LightScribeService Direct Disc Labeling Service, LightScribeService, ““C:\Program Files\Common Files\LightScribe\LSSrvc.exe”” [empty string] Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”] Usługa dostarczania sieci, xmlprov, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\xmlprov.dll” [MS]} Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\MsPMSNSv.dll” [MS]} Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Canon BJ Language Monitor PIXMA iP3000\Driver = “CNMLM61.DLL” [“CANON INC.”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 34 seconds. ---------- (total run time: 64 seconds)
jessica
(jessica)
11 August 2007 10:24
#2
Download LSP-Fix and tick "I know what I'm doing",
then in the Keep box select the file yyaisgd.dll (do NOT touch the other files or the internet will stop working)
and use the arrow (>>) to move it to the Remove box, then click Finish and restart the computer.
Next, download (to remove the entries above) the program SDFix
Show the Report.txt located in the SDFix folder.
After those removals, there is still one more thing to remove:
Fix this entry in HijackThis:
>>HijackThis>>scan (Do a system scan only)>>tick it>> Fix checked.
Try to delete the file marked in red manually in Safe Mode.
Then post here:
the SDFix report
the HijackThis log
the ComboFix log:
http://forum.dobreprogramy.pl/viewtopic.php?t=36654
(at the bottom of that linked page) -
Paste the log at http://wklej.org/ and in your post give only the link.
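The triage done by eye in the posts above (the winlogon.exe launched from a Temp directory, the unknown LSP DLL that the Silent Runners output shows occupying catalog slots 01-18 and 37, the ICF service whose path is an alternate data stream) can be written down as a few rules over HijackThis entries. The script below is an added example, not part of this thread or of HijackThis; the sample lines are constructed to mirror the log in post #1, and the rule set and severity labels are the editor's own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the HijackThis v1.99.1 entries quoted in
# post #1 of this thread ("HKLM\..\Run" is the tool's own abbreviation).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [avast!] H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\BRW\USTAWI~1\Temp\winlogon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yyaisgd.dll
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: avast! Antivirus - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashServ.exe"""

# Core Windows binaries: a file with one of these names that lives outside
# %SystemRoot%\system32 is an impostor (the thread's Temp\winlogon.exe).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First drive-letter path ending in an executable extension, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\.*?\.(?:exe|scr|com|bat|dll))\b', re.I)


def executable_path(cmd):
    """Extract the program path from a Run value that may carry quotes/arguments."""
    m = PATH_RE.search(cmd)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text):
    """Return (severity, entry, reason) triples for entries that deserve a look."""
    findings = []
    lsp_hits = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            low = executable_path(m["cmd"]).lower()
            if "\\temp\\" in low:
                findings.append(("high", line, "Run entry launches from a Temp directory"))
            if low.rsplit("\\", 1)[-1] in SYSTEM_BINARIES and "\\system32\\" not in low:
                findings.append(("high", line, "core Windows binary name outside system32"))
        elif m := O10_RE.match(line):
            lsp_hits[m["path"].lower()] += 1   # one DLL can fill many catalog slots
        elif m := O23_RE.match(line):
            if re.search(r"\.exe:[^\\\s]+$", m["path"], re.I):
                findings.append(("high", line, "service ImagePath is an alternate data stream"))
    for path, n in lsp_hits.items():
        findings.append(("high", f"O10 x{n}: {path}",
                         "unknown Winsock LSP DLL; remove only with an LSP-aware tool "
                         "so the provider chain stays intact"))
    return findings


if __name__ == "__main__":
    for severity, entry, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {entry}")
```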
bram
(Brewin)
11 August 2007 11:47
#3
After using LSP-Fix and SDFix the computer starts in normal mode without any problem; the entry:
is no longer in HijackThis, and the file itself is gone too.
logs and reports:
SDFix
SDFix: Version 1.97 Run by BRW on 2007-08-11 at 13:18 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Name: ICF runtime SysLibrary ImagePath: C:\WINDOWS\system32\svchost.exe:exe.exe ??\C:\WINDOWS\System32\drivers\runtime.sys ??\C:\WINDOWS\system32\DefLib.sys ICF - Deleted runtime - Deleted SysLibrary - Deleted ndis.sys Infected! Patched File copied to Backups Folder Attempting to replace ndis.sys with original version… Original ndis.sys Restored Patched tcpip.sys Found! tcpip.sys File Locations: C:\WINDOWS$NtServicePackUninstall$\tcpip.sys C:\WINDOWS\ServicePackFiles\i386\tcpip.sys C:\WINDOWS\system32\drivers\tcpip.sys MD5 Checksum: [C] E7774698BB0D14B0710A9A31E209F9B6 [C] 9F4B36614A0FC234525BA224957DE55C [C] D41D8CD98F00B204E9800998ECF8427E Detected Patched Files Are Listed Below: C:\WINDOWS\system32\drivers\tcpip.sys Note: SDFix Does Not Repair This File! Please Scan All Files Above At VirusTotal! If No Clean Copies Are Found Download The Below Update To Restore Original Files: http://www.microsoft.com/technet/securi … 6-032.mspx Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Service asc3550u - Deleted after Reboot Service runtime2 - Deleted after Reboot Normal Mode: Checking Files: Trojan Files Found: C:\WINDOWS\system32\home.exe.exe - Deleted C:\DOCUME~1\BRW\USTAWI~1\Temp\winlogon.exe - Deleted C:\WINDOWS\system32\8_exception.nls - Deleted C:\WINDOWS\system32\DefLib.sys - Deleted C:\WINDOWS\system32\drivers\asc3550u.sys - Deleted C:\WINDOWS\system32\svcp.csv - Deleted C:\WINDOWS\system32\winsub.xml - Deleted C:\WINDOWS\Temp\startdrv.exe - Deleted C:\WINDOWS\system32\drivers\runtime2.sys - Deleted Removing Temp Files… ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe : ADS Found! svchost.exe: deleted 58880 bytes in 1 streams. Checking for remaining Streams C:\WINDOWS\system32\svchost.exe No streams found. 
C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll ,-22019" “H:\Program Files\Spik\Spik.exe”=“H:\Program Files\Spik\Spik.exe:*:Enabled:Spik” “G:\Program Files\EA SPORTS\FIFA 07\fifa07.exe”=“G:\Program Files\EA SPORTS\FIFA 07\fifa07.exe:*:Enabled:fifa07” “D:\Program Files\Hamachi\hamachi.exe”=“D:\Program Files\Hamachi\hamachi.exe:*:Enabled:Hamachi” “G:\Program Files\Ground Control II\gcii.exe”=“G:\Program Files\Ground Control II\gcii.exe:*:Disabled:Ground Control II” “H:\Program Files\totalcmd\TOTALCMD.EXE”=“H:\Program Files\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows” “D:\Program Files\Shareaza\Shareaza.exe”=“D:\Program Files\Shareaza\Shareaza.exe:*:Enabled:Shareaza” “C:\Program Files\eMule\emule.exe”=“C:\Program Files\eMule\emule.exe:*:Enabled:eMule” “I:\Last.fm\LastFM.exe”=“I:\Last.fm\LastFM.exe:*:Enabled:Last.fm” “G:\Program Files\EA GAMES\Need For Speed Underground\Speed.exe”=“G:\Program Files\EA GAMES\Need For Speed Underground\Speed.exe:*:Disabled:Speed” “D:\Program Files\Ahead\Nero ShowTime\ShowTime.exe”=“D:\Program Files\Ahead\Nero ShowTime\ShowTime.exe:*:Disabled:Nero ShowTime” “C:\WINDOWS\system32\svchost.exe”=“C:\WINDOWS\system32\svchost.exe:*:Enabled:svchost” “C:\WINDOWS\spooldr.exe”=“C:\WINDOWS\spooldr.exe:*:Enabled:enable” “C:\WINDOWS\Explorer.EXE”=“C:\WINDOWS\Explorer.EXE:*:Enabled:Explorer” [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll ,-22019" Remaining Files: --------------- Backups Folder: - 
C:\SDFix\backups\backups.zip Files with Hidden Attributes: C:\Documents and Settings\BRW\Ustawienia lokalne\Temp\dotnetfx304506.30\1033\wcu\rgbrast\x86\BITF.tmp Finished
HijackThis
Logfile of HijackThis v1.99.1 Scan saved at 13:44:06, on 2007-08-11 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe H:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\SOUNDMAN.EXE H:\Program Files\Winamp\winampa.exe H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\WINDOWS\system32\ctfmon.exe I:\Program Files\Gadu-Gadu\gg.exe I:\Last.fm\LastFMHelper.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wscntfy.exe H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe H:\Program Files\Alwil Software\Avast4\ashWebSv.exe H:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\NOTEPAD.EXE H:\nie otwierać!\antivir\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [WinampAgent] H:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [avast!] 
H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [RemoteControl] “D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “I:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Last.fm Helper.lnk = I:\Last.fm\LastFMHelper.exe O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - I:\Program Files\Avant Browser\AddAllToADBlackList.htm O8 - Extra context menu item: Dodaj do listy blokowanych reklam - I:\Program Files\Avant Browser\AddToADBlackList.htm O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O8 - Extra context menu item: Otwórz w nowym Avant Browser - I:\Program Files\Avant Browser\OpenInNewBrowser.htm O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony… - I:\Program Files\Avant Browser\OpenAllLinks.htm O8 - Extra context menu item: Podświetl - I:\Program Files\Avant Browser\Highlight.htm O8 - Extra context menu item: Szukaj - I:\Program Files\Avant Browser\Search.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - 
C:\Program Files\Messenger\msmsgs.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - H:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
ComboFix: http://wklej.org/id/34018333d1
jessica
(jessica)
11 August 2007 12:43
#4
That “winlogon” was already gone, because SDFix removed it - you can see that in its report.
I didn't even know it could remove it!
It's OK now!
Kuba11
(Kuba1)
11 August 2007 12:58
#5
C:\WINDOWS\unvise32.exe
This file should be deleted in Safe Mode.
bram
(Brewin)
13 August 2007 08:34
#6
Avast detected Win32:Agent HKH (or something like that) again; I treated it with SDFix and ComboFix, and everything seems to be in order now. Please check the logs:
SDFix
SDFix: Version 1.97 Run by BRW on 2007-08-13 at 10:11 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Name: ICF qqd.sys runtime SysLibrary ImagePath: C:\WINDOWS\system32\svchost.exe:exe.exe ??\C:\qqd.sys ??\C:\WINDOWS\System32\drivers\runtime.sys ??\C:\WINDOWS\system32\DefLib.sys ICF - Deleted qqd.sys - Deleted runtime - Deleted SysLibrary - Deleted ndis.sys Infected! Patched File copied to Backups Folder Attempting to replace ndis.sys with original version… Original ndis.sys Restored Patched tcpip.sys Found! tcpip.sys File Locations: C:\WINDOWS$NtServicePackUninstall$\tcpip.sys C:\WINDOWS\ServicePackFiles\i386\tcpip.sys C:\WINDOWS\system32\drivers\tcpip.sys MD5 Checksum: [C] E7774698BB0D14B0710A9A31E209F9B6 [C] 9F4B36614A0FC234525BA224957DE55C [C] AA23A91E726DCD02D95FA7356FF8814B Detected Patched Files Are Listed Below: C:\WINDOWS\system32\drivers\tcpip.sys Note: SDFix Does Not Repair This File! Please Scan All Files Above At VirusTotal! If No Clean Copies Are Found Download The Below Update To Restore Original Files: http://www.microsoft.com/technet/securi … 6-032.mspx Restoring Windows Registry Values Restoring Windows Default Hosts File Restoring Missing SharedAccess Service Rebooting… Service runtime2 - Deleted after Reboot Normal Mode: Checking Files: Trojan Files Found: C:\DOCUME~1\BRW\USTAWI~1\Temp\winlogon.exe - Deleted C:\WINDOWS\spooldr.exe - Deleted C:\WINDOWS\system32\9_exception.nls - Deleted C:\WINDOWS\system32\DefLib.sys - Deleted C:\WINDOWS\system32\rpcc.dll - Deleted C:\WINDOWS\Temp\startdrv.exe - Deleted C:\WINDOWS\system32\drivers\runtime2.sys - Deleted Removing Temp Files… ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe : ADS Found! svchost.exe: deleted 58880 bytes in 1 streams. Checking for remaining Streams C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. 
Final Check: Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] “H:\Program Files\Spik\Spik.exe”=“H:\Program Files\Spik\Spik.exe:*:Disabled:Spik” “D:\Program Files\Shareaza\Shareaza.exe”=“D:\Program Files\Shareaza\Shareaza.exe:*:Enabled:Shareaza” “I:\Last.fm\LastFM.exe”=“I:\Last.fm\LastFM.exe:*:Disabled:Last.fm” “C:\WINDOWS\system32\svchost.exe”=“C:\WINDOWS\system32\svchost.exe:*:Enabled:svchost” “C:\WINDOWS\Explorer.EXE”=“C:\WINDOWS\Explorer.EXE:*:Enabled:Explorer” “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll ,-22019" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll ,-22019" Remaining Files: --------------- Backups Folder: - C:\SDFix\backups\backups.zip Files with Hidden Attributes: C:\WINDOWS\system32\avisynth.dll C:\WINDOWS\system32\AVSredirect.dll C:\WINDOWS\system32\cygwin1.dll C:\WINDOWS\system32\cygz.dll C:\WINDOWS\system32\i420vfw.dll C:\WINDOWS\system32\Smab.dll C:\WINDOWS\system32\yv12vfw.dll C:\WINDOWS\meta4.exe C:\WINDOWS\MOTA113.exe C:\WINDOWS\x2.64.exe C:\WINDOWS\system32\x.264.exe C:\WINDOWS\system32\config\default.tmp.LOG C:\WINDOWS\system32\config\SAM.tmp.LOG C:\WINDOWS\system32\config\SECURITY.tmp.LOG C:\WINDOWS\system32\config\software.tmp.LOG C:\WINDOWS\system32\config\system.tmp.LOG Finished
ComboFix: http://wklej.org/id/d605b54e3d
and HijackThis run after the above:
Logfile of HijackThis v1.99.1 Scan saved at 10:23:35, on 2007-08-13 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe H:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\SOUNDMAN.EXE H:\Program Files\Winamp\winampa.exe H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\WINDOWS\system32\ctfmon.exe I:\Program Files\Gadu-Gadu\gg.exe I:\Last.fm\LastFMHelper.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wscntfy.exe H:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\notepad.exe H:\Program Files\Mozilla Firefox\firefox.exe H:\nie otwierać!\antivir\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [WinampAgent] H:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [avast!] 
H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [RemoteControl] “D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM…\Run: [QuickTime Task] “D:\Program Files\QuickTime\QTTask.exe” -atboottime O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “I:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Last.fm Helper.lnk = I:\Last.fm\LastFMHelper.exe O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! 
Web Scanner - Unknown owner - H:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
jessica
(jessica)
13 August 2007 09:25
#7
The HijackThis and ComboFix logs look clean.
But the SDFix report contains veeery worrying news:
You had an infected “ndis.sys” file - SDFix removed it and replaced it with the backup copy. But now you no longer have a backup, and if a reinfection occurs, SDFix will have nowhere to take it from.
Now copy the “ndis.sys” located in the folder C:\WINDOWS\system32\drivers to the folder C:\WINDOWS\system32\dllcache. You will have a backup again (provided it hasn't been reinfected in the meantime!).
However, I didn't quite understand what the issue is with the “tcpip.sys” file (I don't know English).
It may also be infected, because the report shows that SDFix was unable to repair it.
In that case it would need to be replaced via the Recovery Console.
But that must be decided by someone who knows English, to be sure that's what it's about.
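On the tcpip.sys question left open above: SDFix lists the copies of the driver it found and their MD5 hashes in the same order, so the live copy under system32\drivers can be checked against the two service-pack copies, and the third hash in the first report, D41D8CD98F00B204E9800998ECF8427E, is the MD5 of zero bytes, meaning the live file was empty or unreadable when it was hashed. The script below is an added example, not part of this thread or of SDFix; the report excerpt is constructed in the layout of the reports quoted in posts #3 and #6, with the hashes as quoted there, and the interpretation of the two reference directories is the editor's.

```python
import hashlib
import re

# Constructed excerpt in the layout of the SDFix 1.97 report quoted in this
# thread; the MD5 lines are listed in the same order as the file locations.
# Hashes are the ones quoted in post #3 (the first run).
SAMPLE_REPORT = r"""Patched tcpip.sys Found!

tcpip.sys File Locations:

C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
C:\WINDOWS\system32\drivers\tcpip.sys

MD5 Checksum:

[C] E7774698BB0D14B0710A9A31E209F9B6
[C] 9F4B36614A0FC234525BA224957DE55C
[C] D41D8CD98F00B204E9800998ECF8427E

Detected Patched Files Are Listed Below:

C:\WINDOWS\system32\drivers\tcpip.sys
"""

# MD5 of zero bytes; a tool reports it when the file it hashed was empty or
# could not be read at all.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()


def parse_checksums(report):
    """Pair each listed path with its MD5 (lower-case hex), in report order."""
    locs = re.search(r"File Locations:\s*(.*?)\s*MD5 Checksum:", report, re.S)
    sums = re.search(r"MD5 Checksum:\s*(.*?)\s*(?:Detected Patched|\Z)", report, re.S)
    if not (locs and sums):
        raise ValueError("no File Locations / MD5 Checksum section found")
    paths = [l.strip() for l in locs.group(1).splitlines() if l.strip()]
    hashes = [re.sub(r"^\[\w\]\s*", "", l.strip()).lower()
              for l in sums.group(1).splitlines() if l.strip()]
    if len(paths) != len(hashes):
        raise ValueError("location and checksum lists do not line up")
    return list(zip(paths, hashes))


def classify(pairs):
    """Judge the live driver (system32\\drivers) against the service-pack copies.

    $NtServicePackUninstall$ holds the pre-service-pack file and ServicePackFiles
    the service-pack file, so the two reference hashes legitimately differ; the
    live copy is expected to match one of them.
    """
    refs = {h for p, h in pairs if "servicepack" in p.lower()}
    verdicts = {}
    for p, h in pairs:
        if "\\system32\\drivers\\" not in p.lower():
            continue
        if h == EMPTY_MD5:
            verdicts[p] = "hashed as empty input: file was unreadable or zero-length"
        elif h in refs:
            verdicts[p] = "matches a service-pack reference copy"
        else:
            verdicts[p] = ("matches no reference copy: treat as patched and replace it "
                           "with a verified clean copy")
    return verdicts


def md5_of_file(path):
    """Re-hash a file after replacement to confirm it now matches a reference."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for path, verdict in classify(parse_checksums(SAMPLE_REPORT)).items():
        print(f"{path}: {verdict}")
```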