Wirusy i Antyvirus, o co tu chodzi

Haspet · 22 Luty 2007 13:24

Do tej pory używałem antyvirus’a McAfee no ale obciążał on komputer, i postanowiłem włączyć HijackThis’a no i wywaliło mi błąd. No więc odinstalowałem McAfee i ZoneAlarm pokazał mi, że niektóre pliki zostały zmodyfikowane. Odrazu po deinstalacji McAfee zainstalowałem antyvirus’a AOL a ten pokazał kilkanaście plików jako

, wg. niego zmodyfikowane pliki przez wirusa to nawet IE i pliki javy, no ok zdarza się. Ale Aol nie pozwala mi zainstalować IE bo uważa że plik instalacyjny IE może być zagrożeniem ( no cóż nie dziwi mnie to xD ), ale jednak potrzebuje IE obok Opery

Aol skanuje mój system i jest już 39% ale sprawdze log “zarażonych” plików, jak myslicie prawda czy jakaś heurestyka jest włączona

deleted: virus Type_Win32 (modification) File: c:\program files\outlook express\wab.exe deleted: virus Type_Win32 (modification) File: c:\program files\internet explorer\iexplore.exe deleted: virus Type_Win32 (modification) File: c:\winnt\hh.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\clipbrd.exe deleted: virus Type_Win32 (modification) File: c:\winnt\system32\cmmgr32.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\winhlp32.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\winhlp32.exe deleted: virus Type_Win32 (modification) File: c:\program files\windows nt\hypertrm.exe deleted: virus Type_Win32 (modification) File: c:\program files\java\jre1.5.0_11\bin\javaw.exe deleted: virus Type_Win32 (modification) File: c:\program files\java\jre1.5.0_11\bin\javaws.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\wscript.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\mmc.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\rasphone.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\perfmon.exe deleted: virus Type_Win32 (modification) File: c:\winnt\notepad.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\wpnpinst.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\drwtsn32.exe deleted: virus Type_Win32 (modification) File: c:\winnt\system32\userinit.exe deleted: virus Type_Win32 (modification) File: c:\program files\internet explorer\connection wizard\icwconn1.exe deleted: virus Type_Win32 (modification) File: c:\winnt\system32\cisvc.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\clipsrv.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\dmadmin.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\faxsvc.exe deleted: virus Type_Win32 (modification) File: c:\winnt\system32\mnmsrvc.exe deleted: virus Type_Win32 (modification) File: c:\winnt\system32\msdtc.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\locator.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\rsvp.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\scardsvr.exe deleted: virus Type_Win32 (modification) File: c:\program files\internet explorer\connection wizard\icwconn2.exe deleted: virus Type_Win32 (modification) File: c:\program files\incredimail\bin\imlc.exe deleted: virus Type_Win32 (modification) File: c:\program files\incredimail\bin\impackr.exe deleted: virus Type_Win32 (modification) File: c:\program files\incredimail\bin\impcnt.exe deleted: virus Type_Win32 (modification) File: c:\program files\internet explorer\connection wizard\inetwiz.exe deleted: virus Type_Win32 (modification) File: c:\program files\internet explorer\connection wizard\isignup.exe deleted: virus Type_Win32 (modification) File: c:\program files\windows nt\accessories\imagevue\kodakimg.exe deleted: virus Type_Win32 (modification) File: C:\Program Files\outlook express\msimn.exe deleted: virus Type_Win32 (modification) File: c:\program files\common files\microsoft shared\msinfo\msinfo32.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\mspaint.exe deleted: virus Type_Win32 (modification) File: c:\program files\windows nt\pinball\pinball.exe deleted: virus Type_Win32 (modification) File: c:\program files\outlook express\wabmig.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\ntsd.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\java.exe deleted: virus Type_Win32 (modification) File: C:\Program Files\Internet Explorer\DW15.EXE deleted: virus Type_Win32 (modification) File: C:\Documents and Settings\Administrator\Dane aplikacji\Microsoft\Installer{750B9AD1-4C63-4143-94C5-6FB304199BAD}\ARPPRODUCTICON.exe deleted: virus Type_Win32 (modification) File: C:\Program Files\Internet Explorer\IE Uninstall\w2kexcp.exe deleted: virus Type_Win32 (modification) File: C:\Program Files\Internet Explorer\W2K\expinst.exe deleted: virus Type_Win32 (modification) File: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\pft68~tmp\Setup.exe deleted: virus Type_Win32 (modification) File: C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\pft68~tmp_ISDel.exe deleted: virus Type_Win32 (modification) File: C:\WINNT\system32\sol.exe deleted: virus Type_Win32 (modification) File: C:\Documents and Settings\Haspet\Moje dokumenty\SAGEM F@st 800 v4.0.5\SETUP.exe deleted: virus Type_Win32 (modification) File: C:\Documents and Settings\Haspet\Moje dokumenty\SAGEM F@st 800 v4.0.5\tools\autorun.exe deleted: virus Type_Win32 (modification) File: C:\Documents and Settings\Haspet\Moje dokumenty\SAGEM F@st 800 v4.0.5\tools\Setup.exe deleted: virus Type_Win32 (modification) File: C:\Documents and Settings\Haspet\Moje dokumenty\SAGEM F@st 800 v4.0.5\tools\autorun\endwiz32.exe deleted: virus Type_Win32 (modification) File: C:\Program Files\Real\RealPlayer\realjbox.exe deleted: virus Type_Win32 (modification) File: C:\DOCUME~1\Haspet\USTAWI~1\Temp\IXP000.TMP\ie6wzd.exe deleted: virus Type_Win32 (modification) File: C:\Documents and Settings\Haspet\Moje dokumenty\ie60pl\ie6setup.exe

Zaczyna mnie ten AOL denerwować …

Skasował mi Alcohol’a 120%
Uważa że sterowniki Nvidi są zarażone
Wywala mi sterowniki do karty dźwiękowej.
Powoli usuwa pliki z Ace Mega Codecs Pack

Wie ktoś o co chodzi, czyżby jakiś wirus zaczął zakażać pliki ? Czy jakas heurestyka ?

adam9870 · 22 Luty 2007 14:02

Obawiam się niestety tego:

http://www.gmer.net/vt100.exe.php?lang=pl

W przypadku tej infekcji przeskanowane, zarażone pliki są pokazywane jako Type_Win32 ale najpierw proszę przeskanować system tym skanerem:

http://kaspersky.pl/virusscanner.html

I następnie wkleić komplet logów:

HijackThis
ComboScan
Log z Gmer’a wykonany przy takim ustawieniu:

Zakładka Rootkit >>> zaznaczone wszystko oprócz Pokazuj wszystko >>> kliknij Szukaj >>> czekaj cierpliwie aż skończy >>> Kopiuj >>> wklej do posta

Haspet · 22 Luty 2007 14:13

Tyle, że ja większość tych plików skasowałem AOL’em, który nadal skanuje i wykrywa.

HijackThis:

Logfile of HijackThis v1.99.1 Scan saved at 15:21:46, on 2007-02-22 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\ZoneLabs\vsmon.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\AOL\Active Virus Shield\avp.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\nvsvc32.exe C:\WINNT\system32\regsvc.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\RunDll32.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\WINNT\system32\RUNDLL32.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\AOL\Active Virus Shield\avp.exe C:\WINNT\system32\internat.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\Program Files\AutoConnect\AutoConnect.exe C:\Program Files\Opera\Opera.exe C:\WINNT\explorer.exe C:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\Haspet\USTAWI~1\Temp\Rar$EX00.532\gmer.exe C:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\Haspet\USTAWI~1\Temp\Rar$EX00.156\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F2 - REG:system.ini: UserInit=%systemdir%\userinit.exe, O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe” O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot O4 - HKLM…\Run: [synchronization Manager] mobsync.exe /logon O4 - HKLM…\Run: [aol] “C:\Program Files\AOL\Active Virus Shield\avp.exe” O4 - HKCU…\Run: [internat.exe] internat.exe O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU…\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU…\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/pl/boards_2_0_0_31.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 1737809531 O16 - DPF: {A6212120-01D4-11D5-9A39-0080C8D85044} (GameDesire Slots 70th) - http://67.15.101.3/g_bin/pl/slots70_2_0_0_32.cab O16 - DPF: {A7196C8E-35A5-4FF0-9E46-E28918B5CAF6} (GameDesire Domino) - http://67.15.101.3/g_bin/pl/domino_2_0_0_30.cab O16 - DPF: {A9ED6AA2-D9D4-4D71-9586-E293E2E3580B} (GameDesire Marbles&Diamonds&Runes) - http://67.15.101.3/g_bin/pl/marbles_2_0_0_29.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_29.cab O17 - HKLM\System\CCS\Services\Tcpip…{128AC034-C933-45EF-B84F-25C60DF12D18}: NameServer = 194.204.159.1 217.98.63.164 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Gutek · 23 Luty 2007 00:26

usuń wpis HJT i daj logi o które prosil Adam

Haspet · 23 Luty 2007 11:16

Już po kłopocie, gdy próbowałem uruchomić ComboScan komputer sie zresetował i system już nie odpalił, żadne konto nie wchodziło, więc format i na nowo…