Wolna praca komputera+trojan+ultimate defender

Dla specjalistów Bezpieczeństwo
#1

Od kilku dni komputer nie pracuje normalnie. Skanowałam ad-aware, avastem, trojan remover, spyware doctor. wszystkie pokazują problemy ale nie usuwają ich. podaje log z hijacka i dziekuje za pomoc

Logfile of Browser Hijack Recover(BHR) v2.3

http://www.browser-hijack.com/

Log created on 2008-02-02 08:05:48

Microsoft Windows XP Professional Dodatek Service Pack 2 (Build 2600)

Internet Explorer v7.0.5730.13 Update Versions: 0

[Process Manager] - [Process]

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\a-squared Free\a2service.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\braviax.exe

C:\Program Files\Art Multimedia\Art TV\RemoteCtl.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\ppp\Dane aplikacji\Simply Super Software\Trojan Remover\nni20.exe

C:\Documents and Settings\ppp\Dane aplikacji\Simply Super Software\Trojan Remover\nni20.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Browser Hijack Recover\bhr.exe

[iE Options] - [Normal]

R0 - HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

R0 - HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/windows/ie_intl/en/start/

R0 - HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,Window Title =

R1 - HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

[iE Options] - [iE Menu]

[iE Options] - [internet Options]

[iE Options] - [iE Search Hooks]

R3 - URLSearchHook: Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll

[iE Add-Ons] - [Toolbars]

[iE Add-Ons] - [Explorer Bars]

O9 - Extra “View” Explorer Bars: IE Search Band - {30D02401-6A81-11D0-8274-00C04FD5AE38} - C:\WINDOWS\system32\ieframe.dll

O9 - Extra “View” Explorer Bars: Pasek eksploratora wyszukiwania plików - {C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - C:\WINDOWS\system32\SHELL32.dll

O9 - Extra “View” Explorer Bars: Favorites Band - {EFA24E61-B078-11D0-89E4-00C04FC9E26E} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra “View” Explorer Bars: History Band - {EFA24E62-B078-11D0-89E4-00C04FC9E26E} - C:\WINDOWS\system32\shdocvw.dll

[iE Add-Ons] - [Context Menu]

[iE Add-Ons] - [bHOs]

[iE Add-Ons] - [Tools Menu]

[iE Add-Ons] - [Tools Button]

[system Options]

[startUp]

04 - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Gadu-Gadu = C:\Program Files\Gadu-Gadu\gg.exe" /tray

04 - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Skype = C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

04 - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe

04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HPDJ Taskbar Utility = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe

04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run WinampAgent = C:\Program Files\Winamp\winampa.exe

04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run SunJavaUpdateSched = C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run TrojanScanner = C:\Program Files\Trojan Remover\Trjscan.exe

O4 - C:\Documents and Settings\ppp\Menu Start\Programy\Autostart\Personal Player.lnk = C:\Program Files\Web Hottest Videos Personal Player\deliclous deluxe Web hottest videos personal player.exe

O4 - C:\Documents and Settings\ppp\Menu Start\Programy\Autostart.protected =

O4 - C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Art TV Remote Control.lnk = C:\PROGRA~1\ARTMUL~1\ARTTV~1\REMOTE~1.EXE

#2

Zastosuj się do tego Tematu i zmień tytuł tematu na konkretny inaczej KOSZ

Pozdrawiam Gutek2222

Zmiana zasad wklejania logów na forum - viewtopic.php?f=16&t=213350

Daj log z ComboFix

#3

podaję log z ComboFix

ComboFix 08-02.05.3 - ppp 2008-02-06 21:33:03.2 - FAT32 x86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.113 [GMT 1:00]

Running from: C:\Documents and Settings\ppp\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

C:\WINDOWS\system32\ksvcl.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\LEGACY_LANMANDRV

((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))

.

2008-02-05 17:14 . 2008-02-06 20:551,080–a------C:\WINDOWS\system32\tmp.reg

2008-02-03 19:56 . 2001-08-17 22:474,224–a------C:\WINDOWS\system32\drivers\beep.sys

2008-02-03 19:56 . 2001-08-17 22:474,224–a------C:\WINDOWS\system32\dllcache\beep.sys

2008-02-03 18:55 . 2007-07-30 19:19271,224–a------C:\WINDOWS\system32\mucltui.dll

2008-02-03 18:55 . 2007-07-30 19:1830,072–a------C:\WINDOWS\system32\mucltui.dll.mui

2008-02-03 18:01 . 2007-12-04 14:04837,496–a------C:\WINDOWS\system32\aswBoot.exe

2008-02-03 18:01 . 2004-01-09 10:13380,928–a------C:\WINDOWS\system32\actskin4.ocx

2008-02-03 18:01 . 2007-12-04 13:5495,608–a------C:\WINDOWS\system32\AvastSS.scr

2008-02-03 18:01 . 2007-12-04 15:5594,544–a------C:\WINDOWS\system32\drivers\aswmon2.sys

2008-02-03 18:01 . 2007-12-04 15:5693,264–a------C:\WINDOWS\system32\drivers\aswmon.sys

2008-02-03 18:01 . 2007-12-04 15:5142,912–a------C:\WINDOWS\system32\drivers\aswTdi.sys

2008-02-03 18:01 . 2007-12-04 15:4926,624–a------C:\WINDOWS\system32\drivers\aavmker4.sys

2008-02-03 18:01 . 2007-12-04 15:5323,152–a------C:\WINDOWS\system32\drivers\aswRdr.sys

2008-02-03 11:03 . 2008-02-03 11:03

2008-02-02 07:44 . 2008-02-02 07:44

2008-02-02 06:41 . 2008-02-02 06:41

2008-02-02 06:41 . 2008-02-02 06:41

2008-02-02 06:41 . 2008-02-02 06:41

2008-02-02 06:41 . 2006-05-25 15:52162,304–a------C:\WINDOWS\system32\ztvunrar36.dll

2008-02-02 06:41 . 2003-02-02 20:06153,088–a------C:\WINDOWS\system32\UNRAR3.dll

2008-02-02 06:41 . 2005-08-26 01:5077,312–a------C:\WINDOWS\system32\ztvunace26.dll

2008-02-02 06:41 . 2002-03-06 01:0075,264–a------C:\WINDOWS\system32\unacev2.dll

2008-02-02 06:41 . 2006-06-19 13:0169,632–a------C:\WINDOWS\system32\ztvcabinet.dll

2008-02-01 19:38 . 2008-02-01 19:38

2008-02-01 14:55 . 2008-02-01 14:55

2008-02-01 13:31 . 2008-02-01 13:31

2008-02-01 12:44 . 2008-02-01 12:44

2008-02-01 12:44 . 2008-02-01 12:440–a------C:\WINDOWS\system32\8104297.jun

2008-02-01 10:37 . 2008-02-01 10:37

2008-02-01 10:23 . 2007-06-08 09:448,576–a------C:\WINDOWS\system32\drivers\RkPavProc.sys

2008-01-31 07:35 . 2008-01-31 07:35

2008-01-31 07:35 . 2008-01-31 07:35

2008-01-31 07:01 . 2008-01-31 07:0116,384–a------C:\WINDOWS\system32\nod32se.exe

2008-01-30 15:25 . 2008-02-03 19:0511,264–a------C:\WINDOWS\system32\cru629.dat

2008-01-30 15:25 . 2008-02-03 19:0511,264–a------C:\WINDOWS\cru629.dat

2008-01-30 15:25 . 2008-02-03 19:0511,264–a------C:\WINDOWS\braviax.exe

2008-01-30 15:24 . 2008-01-31 22:2046,592–a------C:\WINDOWS\system32\install11236.exe

2008-01-30 15:24 . 2008-02-03 19:0511,264–a------C:\WINDOWS\system32\braviax.exe

2008-01-28 09:18 . 2008-01-28 09:19

2008-01-28 09:15 . 2007-07-30 19:1943,352–a------C:\WINDOWS\system32\wups2.dll

2008-01-28 09:15 . 2007-07-30 19:1938,232–a------C:\WINDOWS\system32\wucltui.dll.mui

2008-01-28 09:15 . 2007-07-30 19:2030,040–a------C:\WINDOWS\system32\wuaucpl.cpl.mui

2008-01-28 09:15 . 2007-07-30 19:2030,040–a------C:\WINDOWS\system32\wuapi.dll.mui

2008-01-28 09:15 . 2007-07-30 19:1821,336–a------C:\WINDOWS\system32\wuaueng.dll.mui

2008-01-28 09:08 . 2008-01-28 09:08

2008-01-28 09:06 . 2008-01-28 09:06

2008-01-28 09:06 . 2006-09-06 17:4322,752–a------C:\WINDOWS\system32\spupdsvc.exe

2008-01-27 17:09 . 2008-01-27 17:09

2008-01-27 17:09 . 2008-01-27 17:09

2008-01-27 17:03 . 2008-01-27 17:03

2008-01-27 17:03 . 2008-01-27 17:03

2008-01-27 17:03 . 2008-01-27 17:03

2008-01-27 16:56 . 2008-01-27 16:56

2008-01-27 16:51 . 2008-01-27 16:51

2008-01-27 09:55 . 2008-01-27 09:56

2008-01-27 08:05 . 2008-01-27 08:05

2008-01-26 17:49 . 2008-01-26 17:49

2008-01-20 21:40 . 2008-01-20 21:4022,296–a------C:\WINDOWS\system32\up110022.exe

2008-01-18 13:24 . 2008-01-18 13:2462–a------C:\mscrypt.bat

2008-01-18 12:41 . 2008-01-18 12:41

2008-01-18 12:41 . 2008-01-18 12:4132–a------C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2008-01-17 20:30 . 2008-01-17 20:30

2008-01-17 20:30 . 2008-01-17 20:30

2008-01-16 19:33 . 2008-02-01 18:5339,424–a------C:\WINDOWS\system32\KernelDrv.exe.vir

2008-01-16 19:33 . 2008-02-02 06:3525,312–a------C:\WINDOWS\system32\kcopt.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-18 05:37155,648----a-wC:\WINDOWS\system32\nerocheck.exe

2007-12-14 10:3212,632----a-wC:\WINDOWS\system32\lsdelete.exe

2007-07-11 16:05389----a-wC:\Program Files\INSTALL.LOG

2007-03-19 19:136,422,611----a-wC:\Program Files\frostwire-4.13.1.6.windows.exe

2006-10-01 14:025,794----a-wC:\Program Files\install.ini

2004-10-01 14:0040,960----a-wC:\Program Files\Uninstall_CDS.exe

2004-09-01 13:5389,080----a-wC:\Program Files\matura.bmp

2004-06-25 14:30159,744----a-wC:\Program Files\Uninstall.exe

2003-02-20 17:102,454----a-wC:\Program Files\Licencja.txt

2003-02-19 21:29808----a-wC:\Program Files\Matematyka.ini

2002-06-20 12:2251----a-wC:\Program Files\am.url

2002-03-28 03:47580----a-wC:\Program Files\Polski.ini

.

Files Infected - Win32.Agent.zb

C:\WINDOWS\system32\NeroCheck.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe

C:\Program Files\Gadu-Gadu\gg.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2008-01-18 06:37 2119104]

“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-12-07 15:11 21803304]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 22:44 15360]

“SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search Destroy\TeaTimer.exe” [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2008-01-18 06:37 155648]

“HPDJ Taskbar Utility”=“C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe” [2008-01-18 06:37 200704]

“WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2007-05-15 00:22 35328]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11 132496]

“TrojanScanner”=“C:\Program Files\Trojan Remover\Trjscan.exe” [2008-02-02 06:45 743504]

“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 14:00 79224]

“braviax”=“braviax.exe” [2008-02-03 19:05 11264 C:\WINDOWS\system32\braviax.exe]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-03 22:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Art TV Remote Control.lnk - C:\Program Files\Art Multimedia\Art TV\RemoteCtl.exe [2007-03-07 19:13:26 139264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

“NoBandCustomize”= 0 (0x0)

“NoToolbarCustomize”= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

“NoBandCustomize”= 0 (0x0)

“NoToolbarCustomize”= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

avldr.dll 2006-07-14 13:46 45056 C:\WINDOWS\system32\AVLDR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

“APVXDWIN”=“C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE” /s

R2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.sys [2001-11-06 07:20]

R2 BTTUNER;BtTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\BTTUNER.sys [2001-03-07 11:30]

R2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.sys [1999-07-21 10:28]

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-06 21:34:20

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-02-06 21:34:48

ComboFix-quarantined-files.txt 2008-02-06 20:34:46

Wklej.org nie ponosi odpowiedzialności za zamieszczone dane.

© 2006-2007 wklej.org Design by: styleshout | Valid XHTML | CSS Home | powered by

#4

Zmiana zasad wklejania logów na forum - viewtopic.php?f=16&t=213350

Wklej do Notatnika:

File::

C:\WINDOWS\system32\nod32se.exe

C:\WINDOWS\system32\cru629.dat 

C:\WINDOWS\cru629.dat 

C:\WINDOWS\braviax.exe

C:\WINDOWS\system32\install11236.exe 

C:\WINDOWS\system32\braviax.exe

C:\WINDOWS\system32\KernelDrv.exe.vir 

C:\WINDOWS\system32\kcopt.dll

C:\WINDOWS\system32\NeroCheck.exe 

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe 

C:\Program Files\Gadu-Gadu\gg.exe


Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 

"Gadu-Gadu"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"braviax"=-

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>88953CFScript-createdbyMiekiemoes.gif

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo