bram
(Brewin)
2 Lipiec 2007 07:33
#1
Avast wykrył wirusa Win32:Sinowal-AI [trj] i Win32:Sinowal-AJ[trj] (nie wiem czy to ten sam czy dwa różne, w każdym razie tworzą pliki ibm*.* w katalogu C:\Program Files\Common Files\Microsoft Shared\Web Folders
Proszę o pomoc w usunięciu wirusa, oto logi:
HijackThis:
Logfile of HijackThis v1.99.1 Scan saved at 09:26:16, on 2007-07-02 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe D:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\System32\nvraidservice.exe D:\Program Files\Winamp\winampa.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe D:\Program Files\QuickTime\qttask.exe D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\WINDOWS\system32\ctfmon.exe D:\Program Files\Gadu-Gadu\gg.exe D:\Program Files\Corel\Graphics9\Register\Remind32.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\UAService7.exe C:\WINDOWS\system32\wscntfy.exe D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe D:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\wbem\unsecapp.exe D:\Program Files\Mozilla Firefox\firefox.exe D:\Program Files\Alwil Software\Avast4\ashSimpl.exe D:\Program Files\Alwil Software\Avast4\ashChest.exe D:\nie otwierać!\antivir\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nuta.pl/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nuta.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe O4 - HKLM…\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” O4 - HKLM…\Run: [QuickTime Task] “D:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [RemoteControl] “D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “D:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [NBJ] “D:\Program Files\Ahead\Nero BackItUp\NBJ.exe” O4 - Startup: Rejestrowanie produktów Corela.lnk = D:\Program Files\Corel\Graphics9\Register\Remind32.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - D:\Program Files\Spik\url_wpmsg.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
Silent runners:
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “Gadu-Gadu” = ““D:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z oo”] “NBJ” = ““D:\Program Files\Ahead\Nero BackItUp\NBJ.exe”” [“Ahead Software AG”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “NVRaidService” = “C:\WINDOWS\System32\nvraidservice.exe” [“NVIDIA Corporation”] “WinampAgent” = “D:\Program Files\Winamp\winampa.exe” [null data] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “QuickTime Task” = ““D:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “avast!” = “D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [“ALWIL Software”] “RemoteControl” = ““D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [“Sun Microsystems, Inc.”] {C08DF07A-3E49-4E25-9AB0-D3882835F153}(Default) = (no title provided) -> {HKLM…CLSID} = “QUICKfind BHO Object” \InProcServer32(Default) = “C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B4B924A2-EBDA-11DA-95DA-00E08161165F}” = “Dodatki Spika” -> {HKLM…CLSID} = “SpikShellExt Class” \InProcServer32(Default) = “D:\Program Files\Spik\shellext_wpmsg.dll” [“Wirtualna Polska”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “D:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{AC0B5D2E-B691-4E12-A4F9-CA88492579A2}” = “Zinio Shell Extension” -> {HKLM…CLSID} = “Zinio Magazine” \InProcServer32(Default) = “C:\Program Files\Common Files\Zinio\ZShext.dll” [“Zinio Systems, Inc.”] “{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}” = “Zinio Magazine Column Provider” -> {HKLM…CLSID} = “MyMagazinesColumn Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Zinio\ZShext.dll” [“Zinio Systems, Inc.”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {A9AACA72-1C51-4F84-804D-90EDBA0D58F4}(Default) = “Zinio Magazine Column Provider” -> {HKLM…CLSID} = “MyMagazinesColumn Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Zinio\ZShext.dll” [“Zinio Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] Spik(Default) = “{B4B924A2-EBDA-11DA-95DA-00E08161165F}” -> {HKLM…CLSID} = “SpikShellExt Class” \InProcServer32(Default) = “D:\Program Files\Spik\shellext_wpmsg.dll” [“Wirtualna Polska”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] Spik(Default) = “{B4B924A2-EBDA-11DA-95DA-00E08161165F}” -> {HKLM…CLSID} = “SpikShellExt Class” \InProcServer32(Default) = “D:\Program Files\Spik\shellext_wpmsg.dll” [“Wirtualna Polska”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\BRE\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “BRE” & “All Users” startup folders: ----------------------------------------------------- C:\Documents and Settings\BRE\Menu Start\Programy\Autostart “Rejestrowanie produktów Corela” -> shortcut to: “D:\Program Files\Corel\Graphics9\Register\Remind32.exe” [“IntelliQuest Communications, Inc.”] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Gamma Loader.exe” -> shortcut to: “C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”] “Microsoft Office” -> shortcut to: “D:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 18 %SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.6.0_01” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.6.0_01” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll” [“Sun Microsystems, Inc.”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] avast! Antivirus, avast! Antivirus, ““D:\Program Files\Alwil Software\Avast4\ashServ.exe”” [“ALWIL Software”] avast! iAVS4 Control Service, aswUpdSv, ““D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [“ALWIL Software”] avast! Mail Scanner, avast! Mail Scanner, ““D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““D:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] LightScribeService Direct Disc Labeling Service, LightScribeService, ““C:\Program Files\Common Files\LightScribe\LSSrvc.exe”” [empty string] NtmlSvc, NtmlSvc, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.dll” [null data]} SecuROM User Access Service (V7), UserAccess7, “C:\WINDOWS\system32\UAService7.exe” [null data] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Canon BJ Language Monitor PIXMA iP3000\Driver = “CNMLM61.DLL” [“CANON INC.”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 33 seconds. ---------- (total run time: 74 seconds)
adam9870
(adam9870)
2 Lipiec 2007 08:26
#2
W logach widzę jedynie szkodliwą usługę:
Powinien ją automatycznie skosić ComboFix . Tak więc użyj go i wklej utworzony log, a w razie gdyby jeszcze coś zostało, usuniemy to ręcznie.
bram
(Brewin)
2 Lipiec 2007 09:20
#3
log:
2001-03-08 19:30 24064 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\msxml3a.dll.vir
2007-04-19 22:25 54347 --a------ C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.dll.vir
2007-06-28 10:49 58130 --a------ C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00006.dll.vir
2007-06-28 10:49 73773 --a------ C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.dll.vir
2007-07-02 11:15 758 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_GB.reg.cf
Zmienna PATH folderu
Numer seryjny woluminu: 680B-679B
C:\QOOBOX
\---Quarantine
+---Registry_backups
| LEGACY_GB.reg.cf
|
\---C
+---WINDOWS
| \---system32
| msxml3a.dll.vir
|
\---Program Files
\---Common Files
\---Microsoft Shared
\---Web Folders
ibm00005.dll.vir
ibm00006.dll.vir
ibm00004.dll.vir
slake
(Slake1)
2 Lipiec 2007 09:40
#4
Usuń folder:
Log z ComboFix znajduje się w C:\ComboFix.txt .
adam9870
(adam9870)
2 Lipiec 2007 10:57
#6
Ściągnij program KillBox , zaznacz Delete on reboot , w polu full path of file wklej kolejno ścieżki:
C:\WINDOWS\mjsirel.exe
C:\WINDOWS\eqc.exe
C:\WINDOWS\tajvp.exe
Po wklejeniu każdej ścieżki z osobna kliknij na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgódź się na restart.
Przeskanuj wyżej wymieniony plik na stronie http://virusscan.jotti.org/ i przedstaw tu wynik skanowania.
Start -> uruchom -> regedit -> przejdź do klucza:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
kliknij podwójnie na znajdującą się w prawym okienku wartość netsvcs i w okienku, które się otworzy usuń wpis NtmlSvc pozostałej części nie ruszając.
Po wykonaniu wklej nowy log z ComboFix plus dwa logi z Gmer’a wykonane przy takich ustawieniach:
Zakładka Rootkit >>> zaznaczone wszystko oprócz Pokazuj wszystko >>> kliknij Szukaj >>> czekaj cierpliwie aż skończy >>> Kopiuj >>> wklej do posta
Zakładka Rootkit >>> zaznaczone tylko Usługi i Pokazuj wszystko >>> kliknij Szukaj >>> czekaj cierpliwie aż skończy >>> Kopiuj >>> wklej do posta
Jeśli wszystkie logi nie zmieszczą się bezpośrednio do posta, to umieść je w jakimś serwisie hostingowym jako pliki *.txt, a tu tylko zlinkuj.
bram
(Brewin)
2 Lipiec 2007 12:09
#7
wynik z http://virusscan.jotti.org/ :
http://www.whatareyoustaringat.republika.pl/skan.jpg
log z Combofix:
ComboFix 07-06-18.2 - D:\nie otwiera†!\antivir\ComboFix.exe “BRE” - 2007-07-02 14:00:42 - Dodatek Service Pack 2 ((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 ))))))))))))))))))))))))))))))) 2007-07-02 13:41 2007-07-02 11:14 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-28 10:49 32,584 --a------ C:\WINDOWS\ta.exe 2007-06-18 16:34 2007-06-12 12:21 607,744 --------- C:\WINDOWS\system32\Decslib.dll 2007-06-12 12:19 245,760 --------- C:\WINDOWS\system32\Sccomp91.dll 2007-06-12 12:19 225,280 --------- C:\WINDOWS\system32\Scint91.dll 2007-06-12 12:19 110,592 --------- C:\WINDOWS\system32\Sccres91.dll 2007-06-05 21:23 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr 2007-04-07 10:26:58 52,736 ----a-w C:\WINDOWS\ipuninst.exe 2005-05-13 15:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe 2005-10-13 19:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe 2005-10-24 09:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe 2005-06-26 13:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll 2005-06-21 20:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll 2005-10-07 17:14:52 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll 2004-01-24 22:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll 2004-01-24 22:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll 2005-02-28 11:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe 2005-07-14 10:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll 2006-04-27 08:24:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 12:02] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] {C08DF07A-3E49-4E25-9AB0-D3882835F153}=C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll [2003-06-30 13:57] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SoundMan”=“SOUNDMAN.EXE” [2004-12-22 11:09 C:\WINDOWS\SOUNDMAN.EXE] “WinampAgent”=“D:\Program Files\Winamp\winampa.exe” [2006-02-23 21:10] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” [2007-03-14 03:43] “QuickTime Task”=“D:\Program Files\QuickTime\qttask.exe” [2006-10-14 19:32] “avast!”=“D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-04-30 17:42] “RemoteControl”=“D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [2004-11-02 20:24] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 00:44] “Gadu-Gadu”=“D:\Program Files\Gadu-Gadu\gg.exe” [2006-02-17 14:03] “NBJ”=“D:\Program Files\Ahead\Nero BackItUp\NBJ.exe” [2005-05-19 19:38] ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-02 14:00:59 Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Files hidden from API: C:\WINDOWS\Indiaäski pled.bmp C:\WINDOWS\BĄbelki.bmp C:\WINDOWS\system32\Pokaľ kanay.scf Completion time: 2007-07-02 14:01:27 C:\ComboFix2.txt … 2007-07-02 11:51 — E O F —
logi z Gmer’a:
pierwszy:
drugi:
adam9870
(adam9870)
2 Lipiec 2007 12:30
#8
Uruchom system w trybie awaryjnym, a następnie korzystając z wiersza polecenia (start -> uruchom -> cmd) wydaj następujące polecenia:
Uruchom ponownie komputer i wykonaj i wklej tu nowy log z ComboFix plus log z Gmer’a wykonany przy ustawieniu Usługi + pokazuj wszystko. Dodatkowo użyj narzędzia Registry Search Tool i wyszukaj frazę NtmlSvc .
bram
(Brewin)
2 Lipiec 2007 13:13
#9
log z ComboFix:
ComboFix 07-06-18.2 - D:\nie otwiera†!\antivir\ComboFix.exe “BRE” - 2007-07-02 15:06:33 - Dodatek Service Pack 2 ((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 ))))))))))))))))))))))))))))))) 2007-07-02 13:41 2007-07-02 11:14 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-18 16:34 2007-06-12 12:21 607,744 --------- C:\WINDOWS\system32\Decslib.dll 2007-06-12 12:19 245,760 --------- C:\WINDOWS\system32\Sccomp91.dll 2007-06-12 12:19 225,280 --------- C:\WINDOWS\system32\Scint91.dll 2007-06-12 12:19 110,592 --------- C:\WINDOWS\system32\Sccres91.dll 2007-06-05 21:23 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr 2007-04-07 10:26:58 52,736 ----a-w C:\WINDOWS\ipuninst.exe 2005-05-13 15:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe 2005-10-13 19:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe 2005-10-24 09:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe 2005-06-26 13:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll 2005-06-21 20:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll 2005-10-07 17:14:52 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll 2004-01-24 22:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll 2004-01-24 22:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll 2005-02-28 11:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe 2005-07-14 10:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll 2006-04-27 08:24:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 12:02] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] {C08DF07A-3E49-4E25-9AB0-D3882835F153}=C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll [2003-06-30 13:57] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SoundMan”=“SOUNDMAN.EXE” [2004-12-22 11:09 C:\WINDOWS\SOUNDMAN.EXE] “WinampAgent”=“D:\Program Files\Winamp\winampa.exe” [2006-02-23 21:10] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” [2007-03-14 03:43] “QuickTime Task”=“D:\Program Files\QuickTime\qttask.exe” [2006-10-14 19:32] “avast!”=“D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-04-30 17:42] “RemoteControl”=“D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [2004-11-02 20:24] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 00:44] “Gadu-Gadu”=“D:\Program Files\Gadu-Gadu\gg.exe” [2006-02-17 14:03] “NBJ”=“D:\Program Files\Ahead\Nero BackItUp\NBJ.exe” [2005-05-19 19:38] ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-02 15:07:06 Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI scanning hidden processes … CMD.EXE [3092] scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Files hidden from API: C:\WINDOWS\Indiaäski pled.bmp C:\WINDOWS\BĄbelki.bmp C:\WINDOWS\system32\Pokaľ kanay.scf Completion time: 2007-07-02 15:07:42 C:\ComboFix3.txt … 2007-07-02 11:51 C:\ComboFix2.txt … 2007-07-02 14:01 — E O F —
log z Gmer’a:
Registry Search Tool nie znalazł frazy NtmlSvc