Hello.
One:
I have just reinstalled Windows XP. The situation is as follows: pages containing the words “kaspersky”, “Panda”, “antivirus” etc. do not load, I cannot run an online scan, and any antivirus I try to install either crashes during installation or does not start after being installed. The virus also blocks safe mode (a bluescreen appears).
Two:
After analysing the logs I was advised to remove
C:\DOCUME~1\HEROS\USTAWI~1\Temp\winvrxku.exe
C:\DOCUME~1\HEROS\USTAWI~1\Temp\winpdcbbe.exe
C:\DOCUME~1\HEROS\USTAWI~1\Temp\winexesg.exe
BUT I WAS NOT ABLE TO DELETE THESE FILES, I tried through cmd, sc stop and sc delete, I tried closing the ports with the wwdc program, I tried downloading killbox but it crashes on startup…
and with HijackThis I REMOVED
O4 - HKUS.DEFAULT…\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User ‘Default user’)
O17 - HKLM\System\CCS\Services\Tcpip…{12114277-DAD0-4ACF-9D16-E4004FD6F52B}: NameServer = 83.238.255.76 213.241.79.37
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
Three:
logs from Silent Runners, HijackThis and ComboFix:
“Silent Runners.vbs”, revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by “{++}”
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“swg” = “C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe” [“Google Inc.”]
“AQQ” = “C:\PROGRA~1\WapSter\WAPSTE~1\AQQ.exe” [empty string]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
“High Definition Audio Property Page Shortcut” = “CHDAudPropShortcut.exe” [“Windows ® Server 2003 DDK provider”]
“SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”]
“AVP” = ““C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe”” [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
“WIAWizardMenu” = “RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu” [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}(Default) = “IEVkbdBHO”
-> {HKLM…CLSID} = “IEVkbdBHO Class”
\InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll” [“Kaspersky Lab”]
{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided)
-> {HKLM…CLSID} = “Google Toolbar Helper”
\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”
-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”
\InProcServer32(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”
-> {HKLM…CLSID} = “HyperTerminal Icon Ext”
\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]
“{3028902F-6374-48b2-8DC6-9725E775B926}” = “IE Microsoft AutoComplete”
-> {HKLM…CLSID} = “IE Microsoft AutoComplete”
\InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS]
“{EFA24E62-B078-11d0-89E4-00C04FC9E26E}” = “History Band”
-> {HKLM…CLSID} = “History Band”
\InProcServer32(Default) = “C:\WINDOWS\system32\shdocvw.dll” [MS]
from HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:01:54, on 2009-04-12
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WapSter\WapSter AQQ\AQQ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\HEROS\USTAWI~1\Temp\winvrxku.exe
C:\DOCUME~1\HEROS\USTAWI~1\Temp\winpdcbbe.exe
C:\DOCUME~1\HEROS\USTAWI~1\Temp\winexesg.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kaspersky-help.com/?hl=pl&li … ild%202600&pid=kis&version=8.0.0.454
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM…\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon
O4 - HKLM…\Run: [AVP] “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe”
O4 - HKLM…\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU…\Run: [AQQ] C:\PROGRA~1\WapSter\WAPSTE~1\AQQ.exe
O4 - HKUS\S-1-5-18…\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User ‘SYSTEM’)
O4 - HKUS.DEFAULT…\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User ‘Default user’)
O8 - Extra context menu item: Dodaj do listy blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://slimak.onet.pl/_m/wirusy/ArcaOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip…{12114277-DAD0-4ACF-9D16-E4004FD6F52B}: NameServer = 83.238.255.76 213.241.79.37
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
–
End of file - 3911 bytes
from ComboFix:
ComboFix 09-04-04.01 - HEROS 2009-04-12 13:36:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.2038.1771 [GMT 2:00]
Uruchomiony z: c:\documents and settings\HEROS\Pulpit\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
F:\autorun.inf
F:\sqxc.pif
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASC3360PR
-------\Service_asc3360pr
((((((((((((((((((((((((( Pliki utworzone od 2009-03-12 do 2009-04-12 )))))))))))))))))))))))))))))))
.
Nie utworzono żadnych nowych plików w tym okresie
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 11:39 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-12 11:39 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-12 11:39 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-12 11:39 32 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-12 11:17 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\f-secure
2009-04-12 11:12 --------- d-----w c:\program files\WapSter
2009-04-12 10:45 --------- d-----w c:\program files\Panda Security
2009-04-12 10:25 --------- d-----w c:\program files\Google
2009-04-12 10:23 --------- d-----w c:\program files\Universal
2009-04-12 10:23 --------- d-----w c:\program files\Flash Player Pro
2009-04-12 10:09 96,976 ----a-w c:\windows\system32\drivers\klin.dat
2009-04-12 10:09 87,855 ----a-w c:\windows\system32\drivers\klick.dat
2009-04-12 10:08 --------- d-----w c:\program files\Kaspersky Lab
2009-04-12 09:56 --------- d–h--w c:\program files\InstallShield Installation Information
2009-04-12 09:56 --------- d-----w c:\program files\Thomson
2009-04-12 09:56 --------- d-----w c:\program files\Common Files\InstallShield
2009-04-12 09:53 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab
2009-04-12 09:51 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2009-04-12 09:48 --------- d-----w c:\program files\CONEXANT
2009-04-12 09:45 --------- d-----w c:\program files\Hewlett-Packard
2009-04-12 09:40 --------- d-----w c:\program files\microsoft frontpage
2009-04-12 09:39 --------- d-----w c:\program files\Usługi online
.
------- Sigcheck -------
2008-12-16 20:53 2093568 24ce9980cfc68895ac71bfbd58b61a3a c:\windows\system32\ntkrnlpa.exe
2008-12-16 13:28 2214912 6a2abef283a82ac927de57ccdacc9864 c:\windows\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“swg”=“c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe” [2009-04-12 171448]
“AQQ”=“c:\progra~1\WapSter\WAPSTE~1\AQQ.exe” [2009-02-25 4879360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SpeedTouch USB Diagnostics”=“c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-08-06 877568]
“AVP”=“c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe” [2008-07-29 206088]
“High Definition Audio Property Page Shortcut”=“CHDAudPropShortcut.exe” [2006-07-27 c:\windows\system32\CHDAudPropShortcut.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
“WIAWizardMenu”=“c:\windows\system32\sti_ci.dll” [2008-04-14 137216]
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
“_nltide_3”=“advpack.dll” [2008-04-14 c:\windows\system32\advpack.dll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“DisableStatusMessages”= 1 (0x1)
“EnableLUA”= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“NoSMHelp”= 1 (0x1)
“ForceClassicControlPanel”= 1 (0x1)
“NoSMMyPictures”= 1 (0x1)
“NoSMConfigurePrograms”= 1 (0x1)
“NoResolveTrack”= 1 (0x1)
[HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer]
“NoSMHelp”= 1 (0x1)
“ForceClassicControlPanel”= 1 (0x1)
“NoSMMyPictures”= 1 (0x1)
“NoSMConfigurePrograms”= 1 (0x1)
“StartMenuLogoff”= 1 (0x1)
“NoResolveTrack”= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
“DisableMonitoring”=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)
“DisableUnicastResponsesToMulticastBroadcast”= 0 (0x0)
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\Network Diagnostic\xpnetdiag.exe”=
“%windir%\system32\sessmgr.exe”=
“d:\Instalki\SP32482.exe”=
“c:\WINDOWS\system32\CHDAudPropShortcut.exe”=
“c:\WINDOWS\system32\userinit.exe”=
“c:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe”=
“c:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe”=
“c:\ComboFix\NirCmdC.cfexe”=
“c:\WINDOWS\system32\IPCONFIG.exe”=
“c:\WINDOWS\system32\CF4899.exe”=
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-04-12 28544]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
— Inne Usługi/Sterowniki w Pamięci —
*NewlyCreated* - ASC3360PR
*NewlyCreated* - HELPSVC
*NewlyCreated* - WUAUSERV
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.kaspersky-help.com/?hl=pl&li … ild%202600)&pid=kis&version=8.0.0.454
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Dodaj do listy blokowanych banerów - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
TCP: {12114277-DAD0-4ACF-9D16-E4004FD6F52B} = 83.238.255.76 213.241.79.37
DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} - hxxp://slimak.onet.pl/_m/wirusy/ArcaOnline.cab
FF - ProfilePath - c:\documents and settings\HEROS\Dane aplikacji\Mozilla\Firefox\Profiles\1crjcvfu.default\
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-12 13:40:34
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów …
skanowanie ukrytych wpisów autostartu …
skanowanie ukrytych plików …
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
Czas ukończenia: 2009-04-12 13:41:27 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-04-12 11:41:24
Przed: 36 438 818 816 bajtów wolnych
Po: 36,424,159,232 bajtów wolnych
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT=“Microsoft Windows Recovery Console” /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=“Microsoft Windows XP Professional” /noexecute=optin /fastdetect
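As an added, defender-side illustration (not code from the poster or from any of the tools above): a small Python triage pass over HijackThis-style log lines that flags the three things the logs in this post show, namely executables running from a Temp directory, O17 NameServer overrides and O23 services whose file is missing. The sample log is constructed from entries that appear in the post; the function name `triage` and the finding categories are my own.

```python
import re

# Constructed sample modelled on the HijackThis log in the post above
# (paths, IPs and service names are the ones that appear in that log).
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\system32\\lsass.exe
C:\\Program Files\\Mozilla Firefox\\firefox.exe
C:\\DOCUME~1\\HEROS\\USTAWI~1\\Temp\\winvrxku.exe
C:\\DOCUME~1\\HEROS\\USTAWI~1\\Temp\\winpdcbbe.exe
C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe
O4 - HKLM\\..\\Run: [AVP] "C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 2009\\avp.exe"
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{12114277-DAD0-4ACF-9D16-E4004FD6F52B}: NameServer = 83.238.255.76 213.241.79.37
O23 - Service: CiSvc - Unknown owner - C:\\WINDOWS\\system32\\cisvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe
"""

# A process image living under a \Temp\ or \Tmp\ directory is unusual for anything legitimate.
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# O17 lines carry per-interface DNS servers; unexpected ones point to DNS hijacking.
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
# O23 lines are services; "(file missing)" means the binary the service points at is gone.
O23_RE = re.compile(r"^O23 - Service: (.+?) - .*\(file missing\)$")

def triage(log_text):
    """Return a list of (category, detail) findings from HijackThis-style text."""
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        # The process list ends where the first "Rn - " / "On - " entry begins.
        if in_procs and re.match(r"^[A-Z]\d+ - ", line):
            in_procs = False
        if in_procs:
            if TEMP_RE.search(line):
                findings.append(("process-in-temp", line))
            continue
        m = O17_RE.match(line)
        if m:
            for ip in m.group(1).split():
                findings.append(("nameserver", ip))
            continue
        m = O23_RE.match(line)
        if m:
            findings.append(("service-file-missing", m.group(1)))
    return findings
```

Each NameServer address is emitted as its own finding so it can be checked against the ISP's known resolvers; a Temp-resident process is only a lead, not proof, until the file itself is examined.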