Wirusa win32:Advare-gen i zawieszanie komputera

Dla specjalistów Bezpieczeństwo
#1

Przeskanowałam komputer programem avast!Antyvirus i wykrylo mi ze mam wirusa win32:Advare-gen. Od paru dni komputer zawiesza mi sie mniej wiecej co 30 minut i musze go resetowac. A to logi z HijackThis:

Logfile of HijackThis v1.99.1

Scan saved at 15:00:24, on 2007-05-01

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

D:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\explorer.exe

D:\Program Files\PalickSoft\HDD Temperature\HDDTSvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

C:\WINDOWS\system32\WF2K.EXE

C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

C:\windows\system32\rlvknlg.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\WINDOWS\system32\rundll32.exe

D:\DC++\Downloads\iTunes\iTunesHelper.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\NCLAUNCH.EXe

D:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wscntfy.exe

D:\Program Files\Gadu-Gadu\gg.exe

C:\WINDOWS\system32\WgaTray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe

D:\Program Files\PalickSoft\HDD Temperature\HDDTemperature.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\Piotrek\USTAWI~1\Temp\Rar$EX00.407\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll (file missing)

F2 - REG:system.ini: Shell=explorer.exe 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {10753836-0535-CC34-6221-C087ED116391} - (no file)

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll (file missing)

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb103\Dealio.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O2 - BHO: (no name) - {BA2325ED-F9EB-4830-8FCE-0BC35B16969B} - (no file)

O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - C:\PROGRA~1\BEARSH~1\BEARSH~1\MediaBar.dll (file missing)

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll (file missing)

O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb103\Dealio.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\system32\WF2K.EXE

O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings

O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [RelevantKnowledge] c:\windows\system32\rlvknlg.exe -boot

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [Date Enc Cash Flag] C:\Documents and Settings\All Users\Dane aplikacji\Typebookdateenc\grimaim.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\DC++\Downloads\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe

O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe

O4 - HKCU\..\Run: [Error Safe] "C:\Program Files\Error Safe Free\ers.exe" /min

O4 - HKCU\..\Run: [RuleJump] C:\DOCUME~1\Piotrek\DANEAP~1\SHIMFI~1\Play axis.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - Startup: HDD temperature.lnk = D:\Program Files\PalickSoft\HDD Temperature\HDDTemperature.exe

O4 - Startup: Xfire.lnk = D:\Program Files\Xfire\Xfire.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe

O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb103\res\DealioSearch.html

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb103\Dealio.dll

O20 - AppInit_DLLs: wbsys.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: WB - D:\Program Files\AlienGUIse\fastload.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: HDD Temperature (HDDTService) - PalickSoft - D:\Program Files\PalickSoft\HDD Temperature\HDDTSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[quote]


Prosze o sprawdzenie loga i porade.[/quote]
#2

Nie trzymaj hijacka w TEMPie lub innym katalogu tymczasowym. Umieść go np. na pulpicie.

Pliki i foldery usuń ręcznie w trybie awaryjnym natomiast wpisy HijackThis.

Użyj narzędzia SmitFraudFix z opcji numer 2 w trybie awaryjnym.

Czy sam instalowałeś Dealio? Jeśli nie to go również usuń.

Proponuję usunąć Megaupload Toolbar ponieważ jest to Toolbar wątpliwej reputacji. Bowiem zbiera dane o użytkowniki i gdzieś je wysyła, nie wiadomo gdzie.

Użyj narzędzia NoLop.

Po wykonaniu pokaż nowy log z HijackThis, SilentRunners oraz zawartość pliku c:\rapport.txt i C:\NoLop.log