SunRiseS
(Sunrises)
18 March 2008 18:55
#1
Hello.
I caught the virus ms322dll.dll.vbs, probably via a pendrive.
Below I attach the logs from HijackThis.
Please help
the virus has nested on drive C and on the pendrive (or rather the memory card in a mobile phone, but that's probably the same thing)
I would ask for a detailed explanation of how to get rid of the problem, because I'm totally green at this
Logfile of HijackThis v1.99.1
Scan saved at 19:45:54, on 2008-03-18
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
E:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
E:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
E:\Program Files\Hamachi\hamachi.exe
E:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\RAFAŁ\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\2.bin\MGSBAR.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\2.bin\MGSBAR.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "e:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = ?
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
Leon1
(Leon$)
18 March 2008 19:11
#2
Disable System Restore on all drives. http://support.microsoft.com/kb/310405/pl
Disinfect the pendrive or memory card http://www.softpedia.com/get/Security/Security-Related/PRT-Perlovga-Removal-Tool.shtml or format it
the entries
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\2.bin\MGSBAR.DLL
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\2.bin\MGSBAR.DLL
remove with HijackThis >> Fix checked
download ComboFix http://www.searchengines.pl/index.php?showtopic=86306&st=0&p=395642entry395642 scan and post the log
SunRiseS
(Sunrises)
18 March 2008 19:28
#3
I disabled System Restore, downloaded PRT, opened it and that's it... it said the computer is clean... the pendrive too? :>
I'm afraid the virus has also spread to the second storage medium... should I repeat all the steps a second time?
I can't save files to the card, I get the message "nie można odnaleźć na dysku żądanego sektora" ("the requested sector could not be found on the disk"); is that the virus's fault too?
http://forum.pclab.pl/lofiversion/index.php?t339043.html the same problem
I couldn't find the log entries:
they disappeared somewhere when I rescanned with HijackThis
new log:
Logfile of HijackThis v1.99.1
Scan saved at 20:31:39, on 2008-03-18
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
E:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
E:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\RAFAŁ\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "e:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = ?
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
log from ComboFix
ComboFix 08-03-17.1 - RAFAŁ 2008-03-18 20:26:15.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.233 [GMT 1:00]
Running from: C:\Documents and Settings\RAFAŁ\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.

((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.

2008-03-18 16:12 . 2008-03-18 16:12
2008-03-12 15:48 . 2004-08-04 00:44 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-03-12 15:48 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-12 15:48 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-12 15:48 . 2001-10-26 17:29 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-03-12 13:54 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-03-12 13:54 . 2006-09-28 16:05 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2008-03-12 13:54 . 2006-07-28 09:30 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2008-03-12 13:54 . 2006-07-28 09:30 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2008-03-01 13:13 . 2008-03-01 13:13 66 --a------ C:\WINDOWS\Power Video Converter.INI
2008-02-29 15:13 . 2008-02-29 15:14 21,840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2008-02-29 15:13 . 2008-02-29 15:14 17,212 --a------ C:\WINDOWS\system32\SIntf32.dll
2008-02-29 15:13 . 2008-02-29 15:14 12,067 --a------ C:\WINDOWS\system32\SIntf16.dll
2008-02-26 12:59 . 2008-02-26 12:59
2008-02-26 12:58 . 2008-02-26 12:58
2008-02-23 14:33 . 2008-02-23 14:33
2008-02-23 14:33 . 2008-02-23 14:33
2008-02-21 02:57 . 2008-02-21 02:57 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-02-19 15:36 . 2008-02-19 15:36
2008-02-19 15:36 . 2008-02-19 15:36 119,568 --------- C:\WINDOWS\system32\vb6fr.dll
2008-02-19 15:36 . 2008-02-19 15:36 108,336 --------- C:\WINDOWS\system32\mswinsck.ocx
2008-02-19 15:36 . 2008-02-19 15:36 15,872 --------- C:\WINDOWS\system32\winskfr.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 18:16 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-17 18:15 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-03-04 18:09 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-02-24 12:08 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-02-10 18:58 20,520 ----a-w C:\WINDOWS\system32\drivers\ggsemc.sys
2008-02-10 18:58 13,352 ----a-w C:\WINDOWS\system32\drivers\ggflt.sys
2008-01-22 21:38 2,845,696 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-01-22 21:38 2,845,696 ----a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
2008-01-22 20:44 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-01-22 20:43 272,384 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-01-22 20:39 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-01-22 20:36 9,949,184 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-01-22 20:35 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-01-22 20:35 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-01-22 20:35 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-01-22 20:35 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-01-22 20:35 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-01-22 20:34 512,000 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-01-22 20:33 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-01-22 20:25 3,121,920 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-01-22 20:15 1,664,256 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-01-22 20:04 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-01-22 20:01 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-01-22 19:59 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-01-22 19:58 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-01-22 19:58 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-01-22 19:57 163,840 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-01-22 19:53 503,808 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-01-22 13:42 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2008-01-04 18:16 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-21 09:48 73,392 ----a-w C:\WINDOWS\unins001.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:44 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-05-19 18:11 18577448]
"Gadu-Gadu"="E:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 11:54 2131392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 11:09 77824 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 21:05 344064]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"VirtualCloneDrive"="e:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 15:21 94208]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"Sony Ericsson PC Suite"="E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 01:06 487424]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-26 12:58 180269]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:44 15360]

C:\Documents and Settings\RAFAŁ\Menu Start\Programy\Autostart\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-02-21 02:57:28 2945872]

C:\DOCUME~1\ALLUSE~1\MENUST~1\Programy\AUTOST~1\
Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-22 09:30:23 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"E:\Program Files\Firefly Studios\Stronghold Legends\StrongholdLegends.exe"=
"C:\Program Files\uTorrent\uTorrent.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys [2005-05-03 11:31]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-02-10 19:58]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 20:26:54
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-18 20:27:11
ComboFix-quarantined-files.txt 2008-03-18 19:27:10
ComboFix2.txt 2008-03-18 19:15:00
SunRiseS
(Sunrises)
18 March 2008 19:53
#4
logs from the second computer:
Logfile of HijackThis v1.99.1
Scan saved at 20:52:08, on 2008-03-18
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
I:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\PL\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=033008 serial=DR12CUZ-0710975-WHL lang=PL
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\MS32DLL.dll.vbs
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Rejestrowanie produktów Corela.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
computer no. 1 seems clean. the problem is gone but I'm not sure... the problem is still there on computer no. 2.
Which files should I delete??
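The indicators the helper picked out of these logs (the "Hacked by Godzilla" IE window title, the My Global Search BHO/toolbar pair, and on the second machine the O4 Run entry launching C:\WINDOWS\MS32DLL.dll.vbs next to a pile of wscript.exe processes) can be checked mechanically rather than by eye. The script below is an added example written for this page; it is not a tool from the thread, from HijackThis or from ComboFix. It parses a HijackThis v1.99.1 log, flags those indicators, and lists browser add-ons and services marked "(file missing)" for manual review. The log excerpt it runs on is constructed in the style of the post #4 log, and the severity labels and the two-process threshold for script hosts are this example's own assumptions.

```python
"""Triage a HijackThis v1.99.1 log for the indicators raised in this thread.

Added example, not part of the forum thread or of HijackThis itself. The
rules, severities and thresholds below are this example's own assumptions.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "severity line reason")

# Constructed excerpt in the style of the second computer's log (post #4);
# it is not the full log from the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
I:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\2.bin\MGSBAR.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\MS32DLL.dll.vbs
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
ENTRY_RE = re.compile(r"^(R[0-3]|O\d+)\s+-\s+(.*)$")


def parse_hjt(text):
    """Split a HijackThis log into the process list and (type, body) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def run_target(body):
    """Return the program path of an O4 entry body, quotes and arguments stripped."""
    # body looks like: HKLM\..\Run: [Name] "C:\path\prog.exe" /args
    after = body.split("]", 1)[1].strip() if "]" in body else body
    if after.startswith('"'):
        return after[1:].split('"', 1)[0]
    return after.split(" ", 1)[0]


def triage(text, host_threshold=2):
    """Return Findings for the indicators discussed in the thread."""
    processes, entries = parse_hjt(text)
    findings = []
    # 1. Script hosts: a single wscript.exe can be a logon script; many of
    #    them at once (the post #4 log shows about twenty) is the sign here.
    hosts = Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)
    n_hosts = sum(hosts[h] for h in SCRIPT_HOSTS)
    if n_hosts >= host_threshold:
        findings.append(Finding("high", f"{n_hosts} x wscript/cscript",
                                "many script host processes running"))
    for kind, body in entries:
        line = f"{kind} - {body}"
        # 2. IE window title tampering (the "Hacked by Godzilla" R1 entry).
        if kind in ("R0", "R1") and ",Window Title" in body:
            findings.append(Finding("high", line, "IE window title hijacked"))
        # 3. A Run key whose target is a script file, as with MS32DLL.dll.vbs.
        elif kind == "O4":
            if run_target(body).lower().endswith(SCRIPT_EXT):
                findings.append(Finding("high", line, "Run key launches a script file"))
        # 4. BHOs and toolbars are listed for review; the helper removed the
        #    MyGlobalSearch pair, the Adobe/Java ones are legitimate.
        elif kind in ("O2", "O3"):
            findings.append(Finding("review", line, "browser add-on; verify it is wanted"))
        # 5. "(file missing)" on a service: confirm against the process list.
        elif kind == "O23" and "(file missing)" in body:
            findings.append(Finding("low", line, "service path reported missing"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}: {f.line}")
```

To run it on a real log, read the saved file and pass its text to `triage()` (HijackThis on a Polish XP writes the file in the system code page, so open it with `encoding="cp1250"`). On the logs in this thread the most telling finding is the script-host count: one wscript.exe can be a logon script, but nineteen of them next to a Run entry for a .vbs in C:\WINDOWS describe the same infection. The two "(file missing)" avast services are rated low because ashMaiSv.exe and ashWebSv.exe both appear in the running-process list, so the path is present and the flag comes from the quoted `/service` command line rather than from a removed file.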
Leon1
(Leon$)
19 March 2008 16:59
#5
The first computer looks clean
manually delete the folder C:\Qoobox
delete the ComboFix installer from the disk.
turn System Restore back on
second computer
Disable System Restore on all drives. http://support.microsoft.com/kb/310405/pl
the entries
remove with HijackThis >> Fix checked
open Notepad and paste
save as CFScript.txt (save it so that the CFScript.txt icon sits next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon
http://img.wklej.org/images/88953CFScri … iemoes.gif
Removal should begin
Then post the ComboFix removal log