Wielka prośba o sprawdzenie loga z hijackthis

Witam. Jestem nowy na forum.

Złapalem robala ktory cały czas mi pokazuje dymki że mój komputer jest infected.

Skanowalem avastem, mks, arca i nie pomogło.

Na dymkach napisane są różne nazwy robaków. np :

Networm-i.Virus@fp,

Trojan-Spy.win32@mx

wywala mi też co chwile okienka z jakimś antywirem który ma mi pomóc.

Wrzucam loga z hijackthis: http://wklej.org/id/8868/. Proszę też o pomoc w dalszym postępowaniu.

Dzięki.

usuń HijackThisem >> Fix checked

Pobierz i uruchom narzędzie The Avenger Zaznaczasz tekst podany do usunięcia na forum

kopiuj >> klikasz na Paste Script from Clipboard >> Execute >> Potwierdzasz i zgadzasz się na restart klikając OK.

Kasujesz ręcznie z dysku plik: C:\Avenger\backup.zip i wklejasz na forum raport: C:\avenger.txt

Pobierz program SDFix

Wielkie dzięki “Leon$”. Wszystko poszło OK.

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file “C:\WINDOWS\system32\winsrc.dll” not found!

Deletion of file “C:\WINDOWS\system32\winsrc.dll” failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

–> the object does not exist

Error: file “C:\WINDOWS\system32\msxml71.dll” not found!

Deletion of file “C:\WINDOWS\system32\msxml71.dll” failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

–> the object does not exist

File “C:\DOCUME~1\WADYSA~1\USTAWI~1\Temp\video1162.cfg.exe” deleted successfully.

File “C:\WINDOWS\system32\ieexplorer32.exe” deleted successfully.

Folder “C:\Program Files\Antivirus 2009” deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

SDFix: Version 1.231

Run by Wadysaw Raszka on 2008-10-06 at 22:06

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\DOCUME~1\WADYSA~1\USTAWI~1\Temp\a.exe - Deleted

C:\DOCUME~1\WADYSA~1\USTAWI~1\Temp\c.exe - Deleted

C:\WINDOWS\system32\ieupdates.exe - Deleted

C:\WINDOWS\system32\winsrc.dll.tmp - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-06 22:09:17

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden services & system hive …

scanning hidden registry entries …

scanning hidden files …

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb0005E.log 131072 bytes

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 1

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

“%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

“%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Finished!

:slight_smile:

ComboFix 08-10-06.03 - Władysław Raszka 2008-10-06 22:13:53.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1618 [GMT 2:00]

Uruchomiony z: C:\Documents and Settings\Władysław Raszka\Pulpit\ComboFix.exe

* Utworzono nowy punkt przywracania

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA!!

.

((((((((((((((((((((((((( Pliki utworzone od 2008-09-06 do 2008-10-06 )))))))))))))))))))))))))))))))

.

2008-10-06 22:05 . 2008-10-06 22:05 578,560 --a–c— C:\WINDOWS\system32\dllcache\user32.dll

2008-10-06 22:04 . 2008-10-06 22:04

2008-10-06 21:58 . 2008-10-06 22:10

2008-10-06 17:14 . 2008-10-06 17:14

2008-10-06 17:09 . 2008-10-06 22:10

2008-10-06 17:09 . 2008-08-25 11:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-10-06 17:09 . 2008-08-25 11:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-10-06 17:09 . 2008-08-25 11:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-10-06 17:09 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-10-06 17:08 . 2008-10-06 17:12

2008-10-06 17:08 . 2008-10-06 17:08

2008-10-06 17:02 . 2008-10-06 17:06

2008-09-25 23:19 . 2008-09-25 23:19

2008-09-25 22:57 . 2008-09-26 10:05

2008-09-25 21:21 . 2008-09-25 21:21

2008-09-25 21:21 . 2003-03-18 22:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll

2008-09-25 21:21 . 2003-03-18 21:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll

2008-09-25 00:30 . 2008-09-25 00:30

2008-09-25 00:29 . 2008-09-25 00:29

2008-09-18 21:47 . 2008-09-18 21:47

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-18 19:48 --------- d-----w C:\Program Files\Common Files\Adobe

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“StartCCC”=“C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” [2006-11-10 90112]

“SoundMAXPnP”=“C:\Program Files\Analog Devices\Core\smax4pnp.exe” [2007-01-05 872448]

“QlbCtrl.exe”=“C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe” [2008-02-26 177456]

“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2008-01-18 1028096]

“hpWirelessAssistant”=“C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe” [2007-05-11 472632]

“QuickTime Task”=“C:\WINDOWS\system32\qttask.exe” [2008-06-04 98304]

“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 155648]

“RemoteControl”=“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [2003-10-31 32768]

“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2008-07-19 78008]

“ISTray”=“C:\Program Files\Spyware Doctor\pctsTray.exe” [2008-08-25 1168264]

“Tweak UI”=“TWEAKUI.CPL” [2003-03-25 C:\WINDOWS\system32\tweakui.cpl]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2004-08-04 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 561213]

Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk - C:\Program Files\SAGEM WiFi manager\WLANUTL.exe [2008-06-23 950272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

“msacm.sl_anet”= C:\PROGRA~1\ACEMEG~1\SystemS\sl_anet.acm

“vidc.yv12”= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL

“vidc.divx”= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll

“vidc.iyuv”= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll

“vidc.yvu9”= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll

“vidc.uyvy”= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll

“vidc.yuy2”= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll

“vidc.yvyu”= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll

“msacm.msaudio1”= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm

“msacm.iac2”= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iac25_32.ax

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@=“Driver”

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]

R3 Com4QLBEx;Com4QLBEx;C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-02-07 193840]

S3 SG762_XP;SAGEM 802.11g XG762 1211B Driver;C:\WINDOWS\system32\DRIVERS\WlanBZXP.sys [2007-01-10 450560]

S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\system32\ZDCndis5.SYS []

*Newly Created Service* - PROCEXP90

.

.

------- Skan uzupełniający -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.onet.pl/

O8 -: Eksport do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 -: Wyślij do urządzenia Bluetooth… - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab

C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab

C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} - hxxp://arcaonline.arcabit.com/ArcaOnline.cab

C:\WINDOWS\Downloaded Program Files\ArcaOnline.inf

C:\WINDOWS\system32\ArcaMicroScanUpdater.exe

C:\WINDOWS\system32\ArcaOnlineUninstall.exe

C:\WINDOWS\system32\ArcaOnline.dll

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-06 22:15:07

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów …

skanowanie ukrytych wpisów autostartu …

skanowanie ukrytych plików …

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

.

Czas ukończenia: 2008-10-06 22:15:54

ComboFix-quarantined-files.txt 2008-10-06 20:15:51

Przed: 70 032 728 064 bajtów wolnych

Po: 70,023,540,736 bajtów wolnych

120 — E O F — 2008-06-26 11:08:38

start >> uruchom >> cmd

sc stop ZDCndis5 >> Enter

sc delete ZDCndis5 >> Enter

Log wygląda na czysty

Pobierz CCleaner http://www.filehippo.com/download_ccleaner/

przeskanuj nim i wyczyść rejestr.

zrób optymalizacje uruchamiania

http://cybertrash.netarteria.pl/cyber/i … 378.0.html

usuń ręcznie folder C: \Qoobox usuń instalkę Combofix z dysku.

Wyłącz I włącz przywracanie systemu na wszystkich dyskach.http://support.microsoft.com/kb/310405/pl

przeskanuj obszar Mój komputer http://www.kaspersky.pl/virusscanner.html pokaż raport stronę uruchomić przez IE

:slight_smile: