system
(system)
16 June 2007 21:14
#1
Hi, for 2 days I have had a serious problem with a virus called win32.backdoor. I remove it, but after a reboot everything goes back to how it was, i.e. it simply records in temp what I do and what I search for in Google, and above all there is a keylogger recording my passwords, which is the worst part.
I am asking you for help, because not only do I have to change my passwords, but my network connection is slow and I need it for work.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:58:03, on 2007-06-16
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe
C:\worque\wincmd\WINCMD32.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Tlen.pl\tlen.exe
c:\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Nokia Tray Application] "C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe"
O4 - HKLM\..\Run: [LWBMOUSE] "C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" -onlytray
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Spy Sweeper Fix.lnk = C:\Program Files\Webroot\Spy Sweeper\SpySweeperFix.bat
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\Program Files\Agnitum\Outpost Firewall\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\P Files\Agnitum\Outpost Firewall\TRASH.EXE (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.pcworld.pl
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 1916922125
O21 - SSODL: WinCTL - {009541A0-3B00-1F1C-00F3-040224009C02} - C:\Program Files\Common Files\winctl.dll (file missing)
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5754 bytes
SmitFraudFix report
SmitFraudFix v2.195

Scan done at 23:03:07,76, 2007-06-16
Run from c:\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller - Sterownik miniport Harmonogramu pakietów
DNS Server Search Order: 10.0.0.2

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DD036D6B-35CA-450B-9E33-7F865B5BC052}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DD036D6B-35CA-450B-9E33-7F865B5BC052}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DD036D6B-35CA-450B-9E33-7F865B5BC052}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.2

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning not selected.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
From HaxFix
HAXFIX logfile - by Marckie
version 4.46
2007-06-16 22:29:35,29

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
no matching services found

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found

--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected

--- Catchme logfile - thank you Gmer ---

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-16 22:29:35
Windows 5.1.2600 Dodatek Service Pack 2 FAT

scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

--- Analysing Catchme logfile ---

no matching regkeys found

Finished!
Merged post: 17.06.2007 (Sun) 10:23
Bumping, please help, because I cannot work.
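As an added example (not code from this thread, and not from HijackThis, ComboFix or any other tool named in it), the following Python script applies the checks a forum helper performs by eye over the HijackThis and ComboFix output above: it flags an O21 SSODL entry whose DLL is missing, script files placed in autostart locations, services with no recognised publisher, and newly created files that carry hidden or system attributes or sit directly in the Windows directory. The embedded sample log lines are constructed from the log above (re-broken to one entry per line); the severity levels and the heuristics themselves are my own assumptions, not rules from HijackThis or ComboFix.

```python
"""Triage helper for HijackThis / ComboFix logs (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (assumed scheme)
    source: str    # "hjt" or "combofix"
    item: str      # the log line that triggered the finding
    reason: str


# Constructed sample: a handful of lines in HijackThis v2.0 format, modelled on
# the log posted above but re-broken to one entry per line.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Spy Sweeper Fix.lnk = C:\Program Files\Webroot\Spy Sweeper\SpySweeperFix.bat
O21 - SSODL: WinCTL - {009541A0-3B00-1F1C-00F3-040224009C02} - C:\Program Files\Common Files\winctl.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Constructed sample in ComboFix "Files Created" / "Find3M" format, also
# modelled on the log posted above.
COMBOFIX_SAMPLE = r"""
2007-06-17 11:43  49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-10 13:37  5,120 --ah----- C:\WINDOWS\system32\pifpaf.pif
2007-06-07 22:48  160,304 --a------ C:\WINDOWS\undrnstl.exe
2007-04-01 10:39:10  56 --sh--r C:\WINDOWS\system32\07095C1CA3.sys
"""

HJT_RE = re.compile(r"^(O\d+) - (.*)$")
CF_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d(?::\d\d)?)\s+([\d,]+)\s+(\S+)\s+(.+)$")
SCRIPT_RE = re.compile(r"\.(bat|cmd|pif|scr|vbs|js)\b")
WINROOT_EXE_RE = re.compile(r"^c:\\windows\\[^\\]+\.exe$")


def triage_hjt(text: str) -> list[Finding]:
    """Flag HijackThis entries that a helper would look at first."""
    findings: list[Finding] = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HJT_RE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2).lower()
        if section == "O21" and "(file missing)" in body:
            # ShellServiceObjectDelayLoad: Explorer loads the DLL at every logon.
            # A dangling entry is either residue of a removed infection or a
            # loader whose payload is currently hidden; either way the key goes.
            findings.append(Finding("high", "hjt", line, "SSODL hook pointing at a missing DLL"))
        elif section in ("O20", "O21"):
            findings.append(Finding("medium", "hjt", line, "shell/Winlogon hook; verify the publisher"))
        elif section == "O4" and SCRIPT_RE.search(body):
            findings.append(Finding("medium", "hjt", line, "script-type file in an autostart location"))
        elif section == "O23" and "unknown owner" in body:
            findings.append(Finding("low", "hjt", line, "service with no recognised publisher"))
    return findings


def triage_combofix(text: str) -> list[Finding]:
    """Flag newly created files with attributes or locations typical of droppers."""
    findings: list[Finding] = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = CF_RE.match(line)
        if not m:
            continue
        attrs, path = m.group(3), m.group(4).lower()
        hidden, system = "h" in attrs, "s" in attrs
        if hidden and system:
            findings.append(Finding("high", "combofix", line, "hidden+system file"))
        elif hidden:
            sev = "high" if "\\windows\\" in path else "medium"
            findings.append(Finding(sev, "combofix", line, "hidden file"))
        elif WINROOT_EXE_RE.match(path):
            # Installers rarely drop executables straight into %SystemRoot%;
            # cleanup tools (ComboFix's own nircmd.exe) do, so this stays "low".
            findings.append(Finding("low", "combofix", line, "executable created directly in %SystemRoot%"))
    return findings


def report(findings: list[Finding]) -> str:
    """Render findings most severe first, one per line."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = sorted(findings, key=lambda f: order[f.severity])
    return "\n".join(f"[{f.severity:6}] {f.source:8} {f.reason}: {f.item}" for f in rows)


if __name__ == "__main__":
    print(report(triage_hjt(HJT_SAMPLE) + triage_combofix(COMBOFIX_SAMPLE)))
```

Run against a full log, the "low" rows are mostly noise to be dismissed by eye (the avast services show as "Unknown owner" on this version, and nircmd.exe is dropped by ComboFix itself); the value is in the "high" rows, which is where a helper's reply typically starts.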
adam9870
(adam9870)
17 June 2007 09:13
#2
In the logs I only see:
To remove it, use the SmitFraudFix tool again, but this time with option number 2, in Safe Mode.
Once that is done, paste a log from ComboFix. To produce a log with it, run it => press the Y key => wait patiently, and the log should appear as a .txt file named combofix on the C partition.
system
(system)
17 June 2007 09:48
#3
The computer has started running fine anyway; I cleaned it after updating AVG Anti-Spyware, and from what I can see it looks like it is going to work.
ComboFix 07-06-13.3 - c:\ComboFix.exe "studio51" - 2007-06-17 11:43:42 - Dodatek Service Pack 2

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\ldinfo.ldr

((((((((((((((((((((((((( Files Created from 2007-05-17 to 2007-06-17 )))))))))))))))))))))))))))))))

2007-06-17 11:43       49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-17 11:42    1,085,249 --a------ C:\ComboFix.exe
2007-06-17 11:41    2,562,680 --a------ C:\q810847(1).exe
2007-06-17 11:40       51,232 --a------ C:\4.wwdc - blokowanie portow na wiry.exe
2007-06-17 00:54   21,407,888 --a------ C:\avg free edition - darmowy.exe
2007-06-16 23:37       76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-16 23:29
2007-06-16 23:15      512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-06-16 23:15      298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-06-16 23:15       15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-06-16 23:14   14,846,128 --a------ C:\nod32.exe
2007-06-16 23:08    1,308,216 --a------ C:\HiJackThis_v2.exe
2007-06-16 22:54
2007-06-16 22:38      401,108 --a------ C:\3.Rustbfix.exe
2007-06-16 22:33        2,466 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-16 22:32       51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-16 22:32      288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-16 22:29       90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2007-06-16 22:29       86,528 --a------ C:\WINDOWS\system32\catchme.exe
2007-06-16 22:29       53,248 --a------ C:\WINDOWS\system32\process.exe
2007-06-16 22:29        4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-06-16 22:28      526,883 --a------ C:\1.haxfix.exe
2007-06-16 20:34
2007-06-16 20:34
2007-06-16 20:34
2007-06-16 20:34
2007-06-16 19:41       90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-06-16 19:41      433,152 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-16 19:41       16,176 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-16 19:41
2007-06-16 18:50
2007-06-16 18:41
2007-06-15 20:25
2007-06-11 17:29
2007-06-10 13:37        5,120 --ah----- C:\WINDOWS\system32\pifpaf.pif
2007-06-07 22:48      160,304 --a------ C:\WINDOWS\undrnstl.exe
2007-06-07 22:48
2007-05-19 11:44

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-14 12:16:48        3,356 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
2007-05-14 12:13:32   10,883,960 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-04-20 10:26:06     -------- d-----w C:\Program Files\Elemental Audio Systems
2007-04-20 10:26:06     -------- d-----w C:\Program Files\Common Files\Digidesign
2007-04-17 10:33:22          583 ----a-w C:\sox_skrypt.cmd
2007-04-07 22:43:30           19 ----a-w C:\WINDOWS\system32\enhmprod547.dll
2007-04-01 10:39:10           56 --sh--r C:\WINDOWS\system32\07095C1CA3.sys
2007-04-01 10:39:10       10,022 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-03-23 10:15:28      720,896 ----a-w C:\WINDOWS\iun6002.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.CE\Acrobat\ActiveX\AcroIEHelper.ocx [2001-04-16 17:39]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2005-10-10 14:49 C:\WINDOWS\system32\nwiz.exe]
"Nokia Tray Application"="C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe" [2003-01-03 15:45]
"LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE" [2001-11-20 11:51]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49]
"Outpost Firewall"="C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" [2003-05-20 12:53]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-16 23:14]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-17 00:55]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^studio51^Menu Start^Programy^Autostart^Mouse32A.exe]
path=C:\Documents and Settings\studio51\Menu Start\Programy\Autostart\Mouse32A.exe
backup=C:\WINDOWS\pss\Mouse32A.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\worque\avast\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsc -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\worque\winamp\Winampa.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
NtmlSvc
Gutek
(Gutek)
18 June 2007 14:11
#4
Scan the files at http://www.virustotal.com/en/indexf.html, although they are to be deleted anyway.