Wirus netsecurity.exe


(Maciekgawrys) #1

witam serdecznie !!

jestem nowy na forum , mam nastepujacy problem , zlapalem wirusa i nie mam pojecia co z nim zrobic;/;// to jest log z Avasta:

11/14/2007	3:55:41 PM	1195052141	SYSTEM	1212	Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\netsecurity.exe" file.  

11/14/2007	3:56:37 PM	1195052197	SYSTEM	1212	Sign of "Win32:Small-BTX [Trj]" has been found in "C:\WINDOWS\svchost.exe" file.  

11/14/2007	6:14:40 PM	1195060480	SYSTEM	1212	Sign of "Win32:Small-BTX [Trj]" has been found in "C:\WINDOWS\svchost.exe" file.  

11/14/2007	6:18:59 PM	1195060739	SYSTEM	1212	Sign of "Win32:Perlovga" has been found in "C:\copy.exe\[MEW]" file.  

11/14/2007	6:19:29 PM	1195060769	Maciek	3684	Sign of "Win32:Trojan-gePower calibration errorn {Other}" has been found in "C:\config32.exe\[Embedded#1ee90]" file.  

11/14/2007	6:19:40 PM	1195060780	Maciek	3684	Sign of "Win32:Agent-HFH [Trj]" has been found in "C:\config32.exe" file.  

11/14/2007	6:36:29 PM	1195061789	SYSTEM	1212	AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\K-Lite Codec Pack\ffdshow\ffdshow.ax (C:\Program Files\K-Lite Codec Pack\ffdshow\ffdshow.ax) returning error, 0000001E.  

11/14/2007	7:04:01 PM	1195063441	SYSTEM	1212	Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\netsecurity.exe" file.  

11/14/2007	7:04:24 PM	1195063464	SYSTEM	1212	Sign of "Win32:Small-BTX [Trj]" has been found in "C:\WINDOWS\svchost.exe" file.  

11/14/2007	7:57:15 PM	1195066635	SYSTEM	1212	Sign of "Win32:Agent-HFH [Trj]" has been found in "C:\config32.exe" file.  

11/14/2007	7:58:05 PM	1195066685	SYSTEM	1212	AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\K-Lite Codec Pack\ffdshow\ffdshow.ax (C:\Program Files\K-Lite Codec Pack\ffdshow\ffdshow.ax) returning error, 0000001E.  

11/14/2007	9:39:14 PM	1195072754	SYSTEM	1200	Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\netsecurity.exe" file.  

11/14/2007	9:39:18 PM	1195072758	SYSTEM	1200	Sign of "Win32:Small-BTX [Trj]" has been found in "C:\WINDOWS\svchost.exe" file.  

11/14/2007	10:05:22 PM	1195074322	SYSTEM	1200	Sign of "Win32:Agent-HFH [Trj]" has been found in "C:\config32.exe" file.

Dodatkowym problemem jest to ze cos podzialo sie z Nero 6..;/ nie moge wogole wypalic plyt DVD tylko same cd bo dvd nie wykrywa;/;/ Jesli juz wykryje wyswietla po 30 sek komunikat: Power calibration error A to log z Hijackthis:

Logfile of HijackThis v1.99.1

Scan saved at 10:46:58 PM, on 11/14/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ACS.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\WINDOWS\system32\HPZipm12.exe

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\toshiba\ivp\ism\pinger.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\TPSMain.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

C:\DOCUME~1\Maciek\LOCALS~1\Temp\20071114142735_mcinfo.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\RAMASST.exe

C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\WINDOWS\system32\cidaemon.exe

C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

C:\PROGRA~1\NEOSTR~1\ComComp.exe

C:\PROGRA~1\NEOSTR~1\Watch.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\FlashGet\flashget.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\Maciek\LOCALS~1\Temp\Rar$EX00.297\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll

O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PINGER] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray

O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Maciek\LOCALS~1\Temp\20071114142735_mcinfo.exe /insfin

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm

O8 - Extra context menu item: Œci¹gnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Œci¹gnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Download link using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: Download with Rapget - C:\Documents and Settings\Maciek\Desktop\rapget124\rapget.htm

O8 - Extra context menu item: Export to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm

O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2C091308-A977-44EA-AB27-ED12DCD1175A}: NameServer = 194.204.159.1 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: .NETSecurity - Unknown owner - C:\WINDOWS\system32\netsecurity.exe

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

Pozdrawiam serdecznie! !!


(Gutek) #2

usuń wisy HJT

Daj log z ComboFix


(Maciekgawrys) #3

tamto usunalem , ale ten combofix cos zaczal robic i pasek start zniknal;/;// i w HJT nie mam tej linijki F3

Złączono Posta : 15.11.2007 (Czw) 14:05

pojawilo mi sie na pulpicie archiwum zip o nazwie "catchme" tam w srodku jest plik svchost . co z nim zrobic??

Złączono Posta : 15.11.2007 (Czw) 14:25

log z Combofix:

ComboFix 07-11-08.1 - Maciek 2007-11-15 14:05:57.2 - NTFSx86

(Gutek) #4

Powinno być Ok

Czyszczenie rejestru:

RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177

możesz rejestr przelecieć albo

jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509

Opis RegCleaner - http://www.agavk.p9.pl/strony/progra_regcleaner.php

Zobacz - Obsługa jv16 PowerTools


(Maciekgawrys) #5

nero dalej nie nagrywa dvd;/ a skanowalem dysk avastem i wykrywa ze jest 1 zainfekowany plik: config32.exe na dysku C


(Gutek) #6

usuń plik jak jest

Pobierz program SDFix

-