gajdowy (gajdowy), 13 June 2009 11:10, #1
Hello, could someone look over my HijackThis log? It found Win32:Hupigon-LCG [Trj] in C:\Program Files\Alwil Software\Avast4\DATA\moved\copy.exe
and Win32:RaMag [Cryp], which was making some kind of connection. There may also be a heur.win32 somewhere. Thanks in advance for the help. The viruses came from a pen drive, of course.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:05:11, on 2009-06-13
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\ASUS\PowerForPhone\PowerForPhone.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ASUSTPE.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ASUS\Net4Switch\Net4Switch.exe
C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\WINDOWS\sm56hlpr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACMON] C:\Program Files\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [PowerForPhone] C:\Program Files\ASUS\PowerForPhone\PowerForPhone.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ASUSTPE] C:\WINDOWS\system32\ASUSTPE.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Net4Switch] C:\Program Files\ASUS\Net4Switch\Net4Switch.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: CCC.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: CCC.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: CCC.lnk = ? (User 'Default user')
O4 - Startup: CCC.lnk = ?
O4 - Startup: OpenOffice.ux.pl 2.3.1.lnk = C:\Program Files\OpenOffice.ux.pl 2.3.1\program\quickstart.exe
O4 - Global Startup: MultiFrame.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{33CC2F57-0575-40DF-B293-B3CF71DE7CAC}: NameServer = 194.204.159.1,194.204.152.34
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
--
End of file - 8022 bytes
Leon1 (Leon$), 13 June 2009 11:21, #2
There is an infection.
Download ComboFix http://www.searchengines.pl/index.php?s … ntry395642 and run it with a double-click.
Post the log.
While downloading and scanning with ComboFix, please disable all firewalls and antivirus programs.
gajdowy (gajdowy), 13 June 2009 11:37, #3
Here is the ComboFix log:
ComboFix 09-06-12.03 - EDEN 2009-06-13 13:27.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.48.1045.18.1919.1441 [GMT 2:00]
Uruchomiony z: c:\documents and settings\EDEN\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1169 [VPS 090603-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
c:\windows\system32\acovcnt.exe
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\olhrwef.exe
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_AVPsys
((((((((((((((((((((((((( Pliki utworzone od 2009-05-13 do 2009-06-13 )))))))))))))))))))))))))))))))
.
2009-06-13 11:05 . 2009-06-13 11:05 -------- d-----w- c:\program files\Trend Micro
2009-06-11 16:55 . 2009-06-11 16:55 10134 ----a-r- c:\documents and settings\EDEN\Dane aplikacji\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-11 16:55 . 2009-06-11 16:55 -------- d-----w- c:\program files\Microsoft WSE
2009-06-11 16:55 . 2008-09-05 00:22 447752 ----a-r- c:\windows\system32\vp6vfw.dll
2009-06-11 16:54 . 2006-09-28 14:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-06-11 16:54 . 2009-06-11 16:54 -------- d-----w- c:\windows\Logs
2009-06-11 16:42 . 2009-06-11 16:42 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\DAEMON Tools Lite
2009-06-11 16:42 . 2009-06-11 16:42 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-06-11 16:42 . 2009-06-11 16:42 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-06-11 16:37 . 2009-06-11 16:37 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-11 16:37 . 2009-06-11 16:37 -------- d-----w- c:\documents and settings\EDEN\Dane aplikacji\DAEMON Tools Lite
2009-06-11 16:10 . 2008-08-08 05:04 545 ----a-w- c:\windows\UC.PIF
2009-06-11 16:10 . 2008-08-08 05:04 545 ----a-w- c:\windows\RAR.PIF
2009-06-11 16:10 . 2008-08-08 05:04 545 ----a-w- c:\windows\PKZIP.PIF
2009-06-11 16:10 . 2008-08-08 05:04 545 ----a-w- c:\windows\PKUNZIP.PIF
2009-06-11 16:10 . 2008-08-08 05:04 545 ----a-w- c:\windows\NOCLOSE.PIF
2009-06-11 16:10 . 2008-08-08 05:04 545 ----a-w- c:\windows\LHA.PIF
2009-06-11 16:10 . 2008-08-08 05:04 545 ----a-w- c:\windows\ARJ.PIF
2009-06-11 15:57 . 2009-06-11 15:57 -------- d-sh--w- C:\FOUND.004
2009-06-11 12:13 . 2009-06-11 11:39 104655 --sh--r- C:\6phx.com
2009-06-11 12:13 . 2001-08-17 19:52 18688 ----a-w- c:\windows\system32\dllcache\cdaudio.sys
2009-05-15 10:08 . 1998-11-13 11:10 307200 ----a-w- c:\windows\IsUn0415.exe
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 08:56 . 2008-02-21 20:00 1 ----a-w- c:\documents and settings\EDEN\Dane aplikacji\OpenOffice.ux.pl2\user\uno_packages\cache\stamp.sys
2009-05-07 15:44 . 2006-08-27 09:39 346112 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:32 . 2006-08-27 09:39 670720 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:32 . 2006-08-27 09:39 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-19 20:11 . 2006-08-27 09:39 1846912 ----a-w- c:\windows\system32\win32k.sys
2009-04-19 18:33 . 2006-08-27 09:39 81584 ----a-w- c:\windows\system32\perfc015.dat
2009-04-19 18:33 . 2006-08-27 09:39 464434 ----a-w- c:\windows\system32\perfh015.dat
2009-04-15 15:18 . 2006-08-27 09:39 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2006-03-02 15360]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ASUSTPE"="c:\windows\system32\ASUSTPE.exe" [2006-10-14 69632]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2007-07-09 2119104]
"Net4Switch"="c:\program files\ASUS\Net4Switch\Net4Switch.exe" [2006-04-13 1101824]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-10-14 110592]
"SMSERIAL"="c:\windows\sm56hlpr.exe" [2006-03-21 544768]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-06-08 53248]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 180224]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2005-10-17 987136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2006-05-30 811008]
"RemoteControl"="c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe" [2005-01-12 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"PowerForPhone"="c:\program files\ASUS\PowerForPhone\PowerForPhone.exe" [2006-06-29 774144]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 79224]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-24 132496]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-19 286720]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-10-30 16269312]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]
c:\windows\system32\config\systemprofile\Menu Start\Programy\Autostart\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
c:\documents and settings\Monisia\Menu Start\Programy\Autostart\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
c:\documents and settings\Jacu\Menu Start\Programy\Autostart\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
c:\documents and settings\Witek\Menu Start\Programy\Autostart\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
c:\documents and settings\EDEN\Menu Start\Programy\Autostart\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
OpenOffice.ux.pl 2.3.1.lnk - c:\program files\OpenOffice.ux.pl 2.3.1\program\quickstart.exe [2007-12-7 17408]
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
MultiFrame.lnk - c:\program files\ASUS\Asus MultiFrame\MultiFrame.exe [2007-10-19 491520]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-15 113664]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-18 75856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-18 20560]
R3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\ATK0100\ASNDIS5.sys [2004-05-27 16269]
R3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\drivers\SynMini.sys [2006-08-08 1116544]
R3 SynScan;USB2.0 1.3M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [2006-08-08 7808]
S3 ipswuio;ipswuio;c:\windows\system32\drivers\ipswuio.sys [2007-10-19 34944]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb
.
Zawartość folderu 'Zaplanowane zadania'
2009-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 12:57]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.asus.com
TCP: {33CC2F57-0575-40DF-B293-B3CF71DE7CAC} = 194.204.159.1,194.204.152.34
FF - ProfilePath - c:\documents and settings\EDEN\Dane aplikacji\Mozilla\Firefox\Profiles\zoed9oc8.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 13:30
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2160)
c:\program files\ASUS\Asus MultiFrame\HookTitle.dll
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\program files\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
c:\program files\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
c:\program files\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
c:\program files\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
c:\program files\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\windows\system32\CF30876.exe
c:\windows\ATK0100\ATKOSD.exe
c:\windows\SYSTEM32\ACENGSVR.EXE
c:\program files\ALWIL SOFTWARE\AVAST4\ASHDISP.EXE
c:\program files\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\MOM.EXE
c:\program files\OpenOffice.ux.pl 2.3.1\program\soffice.exe
c:\program files\OpenOffice.ux.pl 2.3.1\program\soffice.BIN
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Czas ukończenia: 2009-06-13 13:35 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-06-13 11:35
Przed: 47 349 104 640 bajtów wolnych
Po: 47 976 218 624 bajtów wolnych
WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
194 --- E O F --- 2009-06-12 10:24
Leon1 (Leon$), 13 June 2009 11:56, #4
Open Notepad and paste
Save it as CFScript.txt (save it so that the CFScript.txt icon sits next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon.
The removal should start.
Then post the ComboFix removal log.
Download CCleaner http://www.filehippo.com/download_ccleaner/
Scan with it and clean the registry.
Do a startup optimisation:
http://cybertrash.netarteria.pl/cyber/i … 378.0.html
Manually delete the folder C:\Qoobox and delete the ComboFix installer from the disk.
Turn System Restore off and on again on all drives: http://support.microsoft.com/kb/310405/pl
Scan the My Computer area with http://www.kaspersky.pl/virusscanner.html; if it finds viruses, post the report,
or
Dr.WEB CureIt! http://dobreprogramy.pl/index.php?dz=2& … It!+4.44.5
gajdowy (gajdowy), 13 June 2009 12:05, #5
The ComboFix removal log:
ComboFix 09-06-12.03 - EDEN 2009-06-13 14:02.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.48.1045.18.1919.1438 [GMT 2:00]
Uruchomiony z: c:\documents and settings\EDEN\Pulpit\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\EDEN\Pulpit\CFScript.txt
AV: avast! antivirus 4.8.1169 [VPS 090603-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FILE ::
"C:\6phx.com"
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\FOUND.004
C:\6phx.com
c:\found.004\FILE0000.CHK
.
((((((((((((((((((((((((( Pliki utworzone od 2009-05-13 do 2009-06-13 )))))))))))))))))))))))))))))))
.
2009-06-13 11:05 . 2009-06-13 11:05 -------- d-----w- c:\program files\Trend Micro
2009-06-11 16:55 . 2009-06-11 16:55 10134 ----a-r- c:\documents and settings\EDEN\Dane aplikacji\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-11 16:55 . 2009-06-11 16:55 -------- d-----w- c:\program files\Microsoft WSE
2009-06-11 16:55 . 2008-09-05 00:22 447752 ----a-r- c:\windows\system32\vp6vfw.dll
2009-06-11 16:54 . 2006-09-28 14:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-06-11 16:54 . 2009-06-11 16:54 -------- d-----w- c:\windows\Logs
2009-06-11 16:42 . 2009-06-11 16:42 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\DAEMON Tools Lite
2009-06-11 16:42 . 2009-06-11 16:42 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-06-11 16:42 . 2009-06-11 16:42 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-06-11 16:37 . 2009-06-11 16:37 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-11 16:37 . 2009-06-11 16:37 -------- d-----w- c:\documents and settings\EDEN\Dane aplikacji\DAEMON Tools Lite
2009-06-11 16:10 . 2008-08-08 05:04 545 ----a-w- c:\windows\UC.PIF
2009-06-11 16:10 . 2008-08-08 05:04 545 ----a-w- c:\windows\RAR.PIF
2009-06-11 16:10 . 2008-08-08 05:04 545 ----a-w- c:\windows\PKZIP.PIF
2009-06-11 16:10 . 2008-08-08 05:04 545 ----a-w- c:\windows\PKUNZIP.PIF
2009-06-11 16:10 . 2008-08-08 05:04 545 ----a-w- c:\windows\NOCLOSE.PIF
2009-06-11 16:10 . 2008-08-08 05:04 545 ----a-w- c:\windows\LHA.PIF
2009-06-11 16:10 . 2008-08-08 05:04 545 ----a-w- c:\windows\ARJ.PIF
2009-06-11 12:13 . 2001-08-17 19:52 18688 ----a-w- c:\windows\system32\dllcache\cdaudio.sys
2009-05-15 10:08 . 1998-11-13 11:10 307200 ----a-w- c:\windows\IsUn0415.exe
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 08:56 . 2008-02-21 20:00 1 ----a-w- c:\documents and settings\EDEN\Dane aplikacji\OpenOffice.ux.pl2\user\uno_packages\cache\stamp.sys
2009-05-07 15:44 . 2006-08-27 09:39 346112 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:32 . 2006-08-27 09:39 670720 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:32 . 2006-08-27 09:39 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-19 20:11 . 2006-08-27 09:39 1846912 ----a-w- c:\windows\system32\win32k.sys
2009-04-19 18:33 . 2006-08-27 09:39 81584 ----a-w- c:\windows\system32\perfc015.dat
2009-04-19 18:33 . 2006-08-27 09:39 464434 ----a-w- c:\windows\system32\perfh015.dat
2009-04-15 15:18 . 2006-08-27 09:39 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2006-03-02 15360]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ASUSTPE"="c:\windows\system32\ASUSTPE.exe" [2006-10-14 69632]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2007-07-09 2119104]
"Net4Switch"="c:\program files\ASUS\Net4Switch\Net4Switch.exe" [2006-04-13 1101824]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-10-14 110592]
"SMSERIAL"="c:\windows\sm56hlpr.exe" [2006-03-21 544768]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-06-08 53248]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 180224]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2005-10-17 987136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2006-05-30 811008]
"RemoteControl"="c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe" [2005-01-12 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"PowerForPhone"="c:\program files\ASUS\PowerForPhone\PowerForPhone.exe" [2006-06-29 774144]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 79224]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-24 132496]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-19 286720]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-10-30 16269312]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]
c:\windows\system32\config\systemprofile\Menu Start\Programy\Autostart\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
c:\documents and settings\Monisia\Menu Start\Programy\Autostart\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
c:\documents and settings\Jacu\Menu Start\Programy\Autostart\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
c:\documents and settings\Witek\Menu Start\Programy\Autostart\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
c:\documents and settings\EDEN\Menu Start\Programy\Autostart\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
OpenOffice.ux.pl 2.3.1.lnk - c:\program files\OpenOffice.ux.pl 2.3.1\program\quickstart.exe [2007-12-7 17408]
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
MultiFrame.lnk - c:\program files\ASUS\Asus MultiFrame\MultiFrame.exe [2007-10-19 491520]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-15 113664]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-18 75856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-18 20560]
R3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\ATK0100\ASNDIS5.sys [2004-05-27 16269]
R3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\drivers\SynMini.sys [2006-08-08 1116544]
R3 SynScan;USB2.0 1.3M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [2006-08-08 7808]
S3 ipswuio;ipswuio;c:\windows\system32\drivers\ipswuio.sys [2007-10-19 34944]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb
.
Zawartość folderu 'Zaplanowane zadania'
2009-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 12:57]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.asus.com
TCP: {33CC2F57-0575-40DF-B293-B3CF71DE7CAC} = 194.204.159.1,194.204.152.34
FF - ProfilePath - c:\documents and settings\EDEN\Dane aplikacji\Mozilla\Firefox\Profiles\zoed9oc8.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 14:04
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll
.
Czas ukończenia: 2009-06-13 14:04
ComboFix-quarantined-files.txt 2009-06-13 12:04
ComboFix2.txt 2009-06-13 11:35
Przed: 47 968 911 360 bajtów wolnych
Po: 47 955 279 872 bajtów wolnych
155 --- E O F --- 2009-06-12 10:24
Leon1 (Leon$), 13 June 2009 12:11, #6
The log looks clean.
Download CCleaner http://www.filehippo.com/download_ccleaner/
Scan with it and clean the registry.
Do a startup optimisation:
http://cybertrash.netarteria.pl/cyber/i … 378.0.html
Manually delete the folder C:\Qoobox and delete the ComboFix installer from the disk.
Turn System Restore off and on again on all drives: http://support.microsoft.com/kb/310405/pl
Scan the My Computer area with http://www.kaspersky.pl/virusscanner.html; if it finds viruses, post the report,
or
Dr.WEB CureIt! http://dobreprogramy.pl/index.php?dz=2& … It!+4.44.5
gajdowy (gajdowy), 13 June 2009 12:55, #7
It found "win32.perlovga.a" in the avast/data/moved/copy.exe directory.
Leon1 (Leon$), 13 June 2009 13:05, #8
gajdowy (gajdowy), 13 June 2009 15:22, #9
I ran Flash Inspector, and here are the OTL logs: http://www.wklejto.pl/36011 and http://www.wklejto.pl/36012
I removed it, and now avast won't update or uninstall :P Can anyone advise??
The file was in c:/…/avast/data/moved/copy.exe