Win32:SQLSlammer - Problem


(Dante49) #1

I have a problem: the virus Win32:SQLSlammer got into my computer and it can't be removed, quarantine doesn't work on it, nothing works on it and it is eating away my system .... recently it deleted some libraries ... Please help, I don't know what to do .. :frowning:


(huber2t) #2

Post a log from ComboFix and HijackThis


(Dante49) #3

And what is that? I'm so inexperienced :frowning:


(huber2t) #4

Everything is explained under this link


(Dante49) #5

Logfile of HijackThis v1.99.1

Scan saved at 12:52:36, on 2008-08-21

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

D:\antywirus\aswUpdSv.exe

D:\antywirus\ashServ.exe

C:\WINDOWS\System32\atiptaxx.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

D:\ANTYWI~1\ashDisp.exe

C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

E:\Spyware Doctor\pctsTray.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Winamp Remote\bin\OrbTray.exe

C:\Program Files\SAGEM WiFi manager\WLANUTL.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\alg.exe

E:\Spyware Doctor\pctsAuxs.exe

E:\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\WINDOWS\System32\wuauclt.exe

D:\antywirus\ashWebSv.exe

D:\antywirus\ashMaiSv.exe

G:\pcformat.exe

D:\firefox\firefox.exe

E:\Gadu-Gadu\gg.exe

E:\Fifa 05\Winamp\winamp.exe

D:\Fable\Winamp\eMusic\eMusicClient.exe

D:\Fable\Winamp\winampa.exe

D:\Fable\Winamp\winamp.exe

C:\Documents and Settings\q\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O4 - HKLM..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM..\Run: [avast!] D:\ANTYWI~1\ashDisp.exe

O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKLM..\Run: [WinampAgent] D:\Fable\Winamp\winampa.exe

O4 - HKLM..\Run: [iSTray] "E:\Spyware Doctor\pctsTray.exe"

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU..\Run: [ares] "D:\Ares\Ares.exe" -h

O4 - HKCU..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background

O4 - Startup: Reboot.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk = ?

O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\antywirus\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - D:\antywirus\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - D:\antywirus\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - D:\antywirus\ashWebSv.exe" /service (file missing)

O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - E:\Program Files\MAGIX\Common\Database\bin\fbserver.exe (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Spyware Doctor\

Here you go ... that is what HijackThis logged for me


(Dante49) #6

That will have to do, because doing anything with this ComboFix is very complicated .... :frowning:


(sdar) #7

Please change the title to something more specific.

Use the change option

It may help to read THIS information.


(huber2t) #8

fix in HijackThis

Also show the ComboFix log
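An added example, not part of this thread and not HijackThis's own code: the kind of triage a helper does on a HijackThis log before answering "fix" or "looks clean". It parses the O-section entries and flags services whose file is missing, Winlogon Notify entries that name a directory instead of a DLL, and autostart targets without an absolute path; the sample lines are copied from the log posted above.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread (sample input).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [avast!] D:\ANTYWI~1\ashDisp.exe
O4 - HKLM..\Run: [AtiPTA] atiptaxx.exe
O4 - Startup: Reboot.exe
O4 - Global Startup: Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk = ?
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! Antivirus - ALWIL Software - D:\antywirus\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\antywirus\ashMaiSv.exe" /service (file missing)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/
"""

ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
ABSOLUTE_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%)')  # drive letter or %VAR% prefix


def parse_entries(text):
    """Yield (section, body) for each HijackThis entry; header and process lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def o4_target(body):
    """Extract the launched path from an O4 (autostart) entry body."""
    m = re.search(r"\]\s*(.*)$", body)                   # registry Run entry: [name] path args
    target = m.group(1) if m else body.split(":", 1)[-1]  # Startup folder entry: "Startup: file"
    target = target.strip()
    if " = " in target:                                   # shortcut entry: "x.lnk = resolved path"
        target = target.split(" = ", 1)[1].strip()
    return target


def triage(text):
    """Return (section, reason, body) for entries to verify before calling a log clean."""
    findings = []
    for section, body in parse_entries(text):
        if "(file missing)" in body:
            findings.append((section, "target file missing", body))
        elif section == "O4" and not ABSOLUTE_RE.match(o4_target(body)):
            findings.append((section, "autostart target has no absolute path; locate it on disk", body))
        elif section == "O20" and (body.rstrip().endswith("\\") or "(no file)" in body):
            findings.append((section, "Winlogon Notify entry names a directory, not a DLL", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}: {body}")
```

Entries it flags are candidates for checking on disk, not verdicts; the O20 WgaLogon line here is the same orphan ComboFix later reports as "Notify-WgaLogon - (no file)".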


(Dante49) #9

OK, I'll post it in a few minutes


(Dante49) #10

ComboFix 08-08-19.06 - q 2008-08-21 14:19:15.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.100 [GMT 2:00]

Running from: C:\Documents and Settings\q\Pulpit\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))

.

2008-08-21 11:16 . 2008-08-21 11:16

2008-08-21 11:16 . 2008-08-21 11:16

2008-08-21 11:14 . 2008-08-21 12:40

2008-08-20 17:00 . 2008-08-20 17:00

2008-08-20 17:00 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-08-20 17:00 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-08-20 17:00 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-08-20 17:00 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-08-16 12:55 . 2008-08-20 13:04

2008-07-29 10:21 . 2008-07-29 10:21

2008-07-29 10:21 . 2008-07-29 10:32

2008-07-24 19:51 . 2008-07-24 19:51

2008-07-23 11:36 . 2008-07-23 11:36

2008-07-23 11:31 . 2008-07-23 11:31

2008-07-23 11:00 . 2002-09-20 19:04 1,169,920 --a------ C:\WINDOWS\system32\ole32.dll

2008-07-23 11:00 . 2002-09-20 19:04 1,169,920 --a------ C:\WINDOWS\system32\dllcache\ole32.dll

2008-07-23 11:00 . 2002-09-20 19:04 530,432 --a------ C:\WINDOWS\system32\rpcrt4.dll

2008-07-23 11:00 . 2002-09-20 19:04 530,432 --a------ C:\WINDOWS\system32\dllcache\rpcrt4.dll

2008-07-23 11:00 . 2002-09-20 19:04 260,608 --a------ C:\WINDOWS\system32\rpcss.dll

2008-07-23 11:00 . 2002-09-20 19:04 260,608 --a------ C:\WINDOWS\system32\dllcache\rpcss.dll

2008-07-23 10:57 . 2003-05-11 16:26 24,576 --a------ C:\WINDOWS\system32\xpsp1hfm.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-21 11:40 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP

2008-08-21 11:20 --------- d-----w C:\Program Files\Neostrada TP

2008-08-19 22:17 --------- d-----w C:\Documents and Settings\q\Dane aplikacji\Skype

2008-08-19 22:04 --------- d-----w C:\Documents and Settings\q\Dane aplikacji\skypePM

2008-08-18 10:12 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-08-18 07:39 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-07-14 13:59 --------- d-----w C:\Documents and Settings\q\Dane aplikacji\Flock

2008-07-08 20:14 --------- d-----w C:\Documents and Settings\q\Dane aplikacji\Nowe Gadu-Gadu

2008-06-30 13:08 --------- d-----w C:\Program Files\Skype

2008-06-30 13:08 --------- d-----w C:\Program Files\Common Files\Skype

2008-06-23 11:21 21,840 ----a-w C:\WINDOWS\system32\SIntfNT.dll

2008-06-23 11:21 17,212 ----a-w C:\WINDOWS\system32\SIntf32.dll

2008-06-23 11:21 12,067 ----a-w C:\WINDOWS\system32\SIntf16.dll

2008-06-21 07:32 --------- d-----w C:\Program Files\Java

2008-06-21 07:26 --------- d-----w C:\Program Files\Common Files\Java

2008-06-21 07:00 --------- d-----w C:\Program Files\Sun

2008-05-11 16:55 31,664 ----a-w C:\Documents and Settings\q\Dane aplikacji\GDIPFONTCACHEV1.DAT

2008-03-27 18:02 32 ----a-r C:\Documents and Settings\All Users\hash.dat

2008-01-31 10:16 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2008-03-31 14:02 56 --sh--r C:\WINDOWS\system32\FE4DF07264.sys

2008-03-31 14:02 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2008-07-16 22:51 1266992]

[HKEY_CLASSES_ROOT\clsid{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]

[HKEY_CLASSES_ROOT\TypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-20 19:05 13312]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-13 16:08 68856]

"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 03:54 507904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2008-01-28 17:13 102400]

"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 19:07 24576]

"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 12:38 866816]

"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 19:07 20480]

"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 19:07 53248]

"avast!"="D:\ANTYWI~1\ashDisp.exe" [2008-07-19 16:38 78008]

"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-07-10 19:02 188416]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

"WinampAgent"="D:\Fable\Winamp\winampa.exe" [2008-08-04 01:02 36352]

"ISTray"="E:\Spyware Doctor\pctsTray.exe" [2008-07-16 09:16 1166216]

"AtiPTA"="atiptaxx.exe" [2002-07-25 11:04 290816 C:\WINDOWS\system32\atiptaxx.exe]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 19:05 13312]

C:\Documents and Settings\q\Menu Start\Programy\Autostart\

Reboot.exe [2008-01-28 17:30:45 382464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.I420"= i263_32.drv

"vidc.3ivx"= 3ivxVfWCodec.dll

"vidc.3iv2"= 3ivxVfWCodec.dll

"msacm.divxa32"= divxa32.acm

"VIDC.HFYU"= huffyuv.dll

"VIDC.i263"= i263_32.drv

"msacm.imc"= imc32.acm

"VIDC.VP31"= vp31vfw.dll

R1 aswSP;avast! Self Protection;C:\WINDOWS\System32\drivers\aswSP.sys [2008-07-19 16:35]

R3 SG762_XP;SAGEM 802.11g XG762 1211B Driver;C:\WINDOWS\System32\DRIVERS\WlanBZXP.sys [2007-01-10 11:14]

R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\System32\drivers\sis7012.sys [2002-04-23 09:02]

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;E:\Program Files\MAGIX\Common\Database\bin\fbserver.exe []

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2002-08-29 02:32]

S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\System32\ZDCndis5.SYS []

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP90

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-ares - D:\Ares\Ares.exe

Notify-WgaLogon - (no file)

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\q\Dane aplikacji\Mozilla\Firefox\Profiles\760uoogn.default\

FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://slirsredirect.search.aol.com/sli ... ie7query=

FF -: plugin - C:\Program Files\Java\j2re1.4.0_03\bin\NPJava11.dll

FF -: plugin - C:\Program Files\Java\j2re1.4.0_03\bin\NPJava12.dll

FF -: plugin - C:\Program Files\Java\j2re1.4.0_03\bin\NPJava13.dll

FF -: plugin - C:\Program Files\Java\j2re1.4.0_03\bin\NPJava32.dll

FF -: plugin - C:\Program Files\Java\j2re1.4.0_03\bin\NPJPI140_03.dll

FF -: plugin - C:\Program Files\Java\j2re1.4.0_03\bin\NPOJI610.dll

FF -: plugin - D:\firefox\plugins\np32dsw.dll

FF -: plugin - D:\firefox\plugins\npnul32.dll

FF -: plugin - D:\firefox\plugins\nppdf32.dll

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-21 14:22:09

Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-08-21 14:24:41

ComboFix-quarantined-files.txt 2008-08-21 12:24:34

Pre-Run: 2,721,284,096 bajtów wolnych

Post-Run: 3,626,778,624 bajtów wolnych

139 --- E O F --- 2008-06-13 17:26:02

Here you go, this is from ComboFix


(huber2t) #11

The log looks clean

Manually delete the folder C:\Qoobox and delete the ComboFix installer from the disk.

Clean the computer with CCleaner

Optimize the autostart

Turn System Restore off and back on for all drives. Instructions

Scan the "My Computer" area with http://www.kaspersky.pl/virusscanner.html (run it via IE) and post its report on the forum

or

Dr.WEB CureIt!


(Dante49) #12

OK, I'll do as you say :slight_smile: And I'll post the report as soon as I've done these steps :slight_smile:

Optimize the autostart - I don't understand how to do that, could you explain it to me?