Lucek1
(Lucek)
27 November 2007 13:47
#1
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:41:41, on 2007-11-27
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ashampoo\Ashampoo AntiVirus\AshAVSrv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Documents and Settings\Ala\Pulpit\putty_ssh.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchgateway.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchgateway.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchgateway.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchgateway.net/search/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe,
O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\Ashampoo WinOptimizer Platinum 3\PopUp.dll
O3 - Toolbar: PHP Designer Toolbar - {1DA183EF-8E1B-4a18-B927-CAB06B60FA46} - C:\Program Files\PHP Designer Toolbar\v2.0.0.1\PHP_Designer_Toolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CtxfiReg] CTXFIREG.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Ashampoo\Ashampoo WinOptimizer Platinum 3\PopUpKiller.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: GuardGui.lnk = C:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe
O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Read By Natural Voice Reader - C:\Program Files\Natural Voice Reader Standard\read.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\Natural Voice Reader Standard\read.html
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo antivirus\ifslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo antivirus\ifslsp.dll
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} - http://arcaonline.arcabit.com/ArcaOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: fsmgmt - C:\WINDOWS\SYSTEM32\fsmgmt.dll
O22 - SharedTaskScheduler: Module - {429F4BB8-7BF7-4152-8011-3C6F9EB7E892} - (no file)
O23 - Service: avGuard Service (avGuard) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiVirus\AshAVSrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: MySql - Unknown owner - c:\usr/MYSQL/bin/mysqld.exe

--
End of file - 5692 bytes
Ufo.exe messed something up with my pendrives. Instead of the default "Open" action a new "Auto" action appeared, and I don't know what to do about it or how to delete it. Besides that, a second infection also appeared: Temporary Loader[1].exe
Ashampoo Antivirus can't deal with either of them. And I'm having bigger and bigger problems, like the computer hanging or slowing down badly. Please help...
I don't know what type of viruses these are, because I didn't write it down from the pop-up window, but if it shows up again I'll add it.
MiikeS
(Miikes)
27 November 2007 14:04
#2
Before the guys give you more specific information about the logs, scan your computer with EWIDO.
Lucek1
(Lucek)
27 November 2007 20:13
#3
I scanned and removed the threats that showed "High" or something like that
Lucek1
(Lucek)
28 November 2007 22:23
#5
ComboFix 07-11-19.4 - Ala 2007-11-28 22:17:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.325 [GMT 1:00]
Running from: C:\Documents and Settings\Ala\Pulpit\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\TEMP.\update
C:\WINDOWS\TEMP.\update\antivir0.vdf
C:\WINDOWS\TEMP.\update\antivir2.vdf
C:\WINDOWS\TEMP.\update\antivir3.vdf
C:\WINDOWS\TEMP.\update\avewin32.dll
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\nm


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-27 14:40
2007-11-07 00:27
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2007-11-23 00:58 --------- d-----w C:\Documents and Settings\Ala\Dane aplikacji\XnView
2007-11-14 22:29 18,944 ----a-w C:\WINDOWS\system32\fsmgmt.dll
2007-11-07 22:52 --------- d-----w C:\Program Files\Gadu-Gadu
2007-11-07 21:55 --------- d-----w C:\Program Files\Winamp
2007-10-21 19:06 --------- d-----w C:\Program Files\GIMP-2.0
2007-10-20 10:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-20 10:53 --------- d-----w C:\Documents and Settings\Ala\Dane aplikacji\InstallShield
2007-10-15 20:57 --------- d-----w C:\Documents and Settings\Ala\Dane aplikacji\Creative
2007-10-15 20:43 --------- d-----w C:\Program Files\Creative
2007-10-03 15:53 --------- d-----w C:\Documents and Settings\Ala\Dane aplikacji\AdobeUM
2007-09-22 14:11 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-09-22 14:11 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-09-21 15:07 191 ----a-w C:\UnInstall.dat
2007-09-12 18:32 16,896 ----a-w C:\WINDOWS\system32\grwinsthlp.exe
2007-07-25 16:51 217 ----a-w C:\Documents and Settings\Ala\fet_settings.dat
2007-06-10 17:56 18,432 -csha-w C:\Program Files\Thumbs.db
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:44]
"Ashampoo PopUpBlocker"="C:\PROGRA~1\Ashampoo\Ashampoo WinOptimizer Platinum 3\PopUpKiller.exe" [2004-02-03 13:13]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 15:35]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-27 15:55]
"CtxfiReg"="CTXFIREG.EXE" [2006-08-11 13:53 C:\WINDOWS\system32\CTXFIREG.EXE]
"CTHelper"="CTHELPER.EXE" [2006-08-11 13:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 C:\WINDOWS\system32\CTXFIHLP.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:44]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
GuardGui.lnk - C:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe [2007-03-22 21:48:33]
Kalendarz XP.lnk - C:\Program Files\Kalendarz XP\Kalendarz.exe [2007-11-07 00:27:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ala^Menu Start^Programy^Autostart^Trust Scanner Utilities.lnk]
backup=C:\WINDOWS\pss\Trust Scanner Utilities.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Real-time Monitor.lnk]
backup=C:\WINDOWS\pss\Real-time Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Remote Controller.lnk]
backup=C:\WINDOWS\pss\Remote Controller.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^TVSCHL.lnk]
backup=C:\WINDOWS\pss\TVSCHL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 11:50 155648 -----c--- C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerS]
2001-08-03 16:56 159800 --a--c--- C:\WINDOWS\PowerS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R2 avGuard;avGuard Service;C:\Program Files\Ashampoo\Ashampoo AntiVirus\AshAVSrv.exe
R2 CX23880;Conexant 2388x Video Capture;C:\WINDOWS\system32\drivers\cx88vid.sys
R2 CX88XBAR;Conexant 2388x Crossbar;C:\WINDOWS\system32\drivers\CX88XBAR.sys
R2 CXTUNE;Conexant 2388x Tuner;C:\WINDOWS\system32\drivers\CX88TUNE.sys
R3 AshAvScan;AshAvScan;C:\WINDOWS\system32\DRIVERS\AshAvScan.sys
R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys
S3 AshAVMon;AshAVMon;\??\C:\Program Files\Ashampoo\Ashampoo AntiVirus\ASHAVMON.SYS
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
S3 DSDrv4;DSDrv4;\??\C:\PROGRA~1\DScaler\DSDrv4.sys
S3 siusbmod;siusbmod;C:\WINDOWS\system32\DRIVERS\siusbmod.sys
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1ef9c40-9ad7-11dc-a413-0040f4420041}]
\Shell\Auto\command - J:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1fba030-8478-11dc-a3f5-0040f4420041}]
\Shell\Auto\command - UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 23:09:47
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-28 23:14:28 - machine was rebooted
.
--- E O F ---
The damn thing took a long time to run
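The two mountpoints2 keys in the ComboFix log above are the mechanism behind the "Auto" action that replaced "Open" on the pendrives: Windows caches a volume's autorun.inf verbs under that key, and here both cached verbs launch UFO.exe, once directly from J:\ and once through rundll32's ShellExec_RunDLL. The Python below is an added example for this thread, not ComboFix or HijackThis code; it parses that section of a log (the sample text is the block above with its line breaks restored) and lists, per volume, which shell verbs were registered and which program they really launch, so a helper can see what an autorun infection planted without reading the whole log. The function and variable names are this example's own.

```python
"""Parse the MountPoints2 section of a ComboFix log and report, per volume,
the cached autorun shell verbs and the program each one launches.

Added example for this thread, not ComboFix or HijackThis code.  The sample
text below is copied from the ComboFix log in the thread with its original
line breaks restored."""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1ef9c40-9ad7-11dc-a413-0040f4420041}]
\Shell\Auto\command - J:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1fba030-8478-11dc-a3f5-0040f4420041}]
\Shell\Auto\command - UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe
"""

# Each MountPoints2 subkey is named after the volume GUID.
KEY_RE = re.compile(r"^\[HKEY_[^\]]*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
# ComboFix prints every cached verb as "\Shell\<verb>\command - <command line>".
VERB_RE = re.compile(r"^\\Shell\\([^\\]+)\\command\s+-\s+(.+?)\s*$", re.I)


def parse_mountpoints(log_text: str) -> Dict[str, Dict[str, str]]:
    """Return {volume GUID: {verb: command line}} for every mountpoints2 key.

    Lines outside a mountpoints2 key are ignored, so a whole ComboFix log
    can be fed in unchanged."""
    volumes: Dict[str, Dict[str, str]] = {}
    current = None
    for line in log_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            volumes.setdefault(current, {})
            continue
        verb = VERB_RE.match(line)
        if verb and current is not None:
            volumes[current][verb.group(1)] = verb.group(2)
    return volumes


def payload_of(command: str) -> str:
    """Lower-cased file name of the program a verb really launches.

    The AutoRun verb in this log hides behind rundll32's ShellExec_RunDLL
    launcher; when the first token is rundll32 the real payload is the last
    argument, otherwise it is the first token itself."""
    tokens = command.split()
    first = tokens[0].rsplit("\\", 1)[-1].lower()
    target = tokens[-1] if first == "rundll32.exe" and len(tokens) > 1 else tokens[0]
    return target.rsplit("\\", 1)[-1].lower()


def find_autorun_handlers(volumes: Dict[str, Dict[str, str]]) -> List[dict]:
    """One finding per volume that has any cached Shell\\*\\command verb.

    These entries are Windows' cache of an autorun.inf the medium carried.
    On a USB stick they are rarely legitimate, and a custom 'Auto' verb
    replacing 'Open' is exactly the symptom described in the thread."""
    findings = []
    for guid, verbs in volumes.items():
        if verbs:
            findings.append({
                "volume": guid,
                "verbs": sorted(verbs),
                "payloads": sorted({payload_of(c) for c in verbs.values()}),
            })
    return findings


def referenced_binaries(findings: List[dict]) -> set:
    """Distinct payload file names across all flagged volumes."""
    return {p for f in findings for p in f["payloads"]}


if __name__ == "__main__":
    found = find_autorun_handlers(parse_mountpoints(SAMPLE_LOG))
    for f in found:
        print(f"{f['volume']}: verbs={f['verbs']} launches={f['payloads']}")
    print("files to look for:", sorted(referenced_binaries(found)))
```

Fed the full ComboFix log instead of the excerpt, the parser skips everything outside the mountpoints2 keys; the payload names it returns are the files to look for in the root of the stick and in the user's profile, and the GUIDs identify which cached volume entries a cleanup script has to remove.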
Gutek
(Gutek)
28 November 2007 23:08
#6
Paste into Notepad:
>>File>>Save as... >>> CFScript (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
-- just like in this picture -->
(if the question " 1 or 2 " appears, type 1 and press ENTER) The removal should start. (and a log will be created)
After the restart, manually delete the folder C:\Qoobox.
After that, a new log from Combo