For some time now I have been struggling with constant infections of my computers by a trojan called OnLine Games. This time it has attacked my desktop PC. Where do these viruses come from?
Here is the log from ComboFix:
ComboFix 08-04-29.5 - Ola 2008-05-01 14:42:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.42 [GMT 2:00]
Running from: C:\Documents and Settings\Ola\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\msssc.dll
C:\WINDOWS\xmg.exe
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.
2008-04-26 12:36 . 2008-04-13 20:04 102,316 -r-hs---- C:\8de.bat
2008-04-19 11:01 . 2008-04-19 11:01 <DIR> d-------- C:\WINDOWS\Sun
2008-04-17 22:09 . 2008-04-17 22:09 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-11 18:09 . 2008-04-19 13:38 69 --a------ C:\WINDOWS\NeroDigital.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 15:09 --------- d-----w C:\Documents and Settings\Ola\Dane aplikacji\Skype
2008-04-27 14:58 --------- d-----w C:\Documents and Settings\Ola\Dane aplikacji\skypePM
2008-04-11 15:57 --------- d-----w C:\Documents and Settings\Ola\Dane aplikacji\BearShare
2008-03-30 09:04 --------- d-----w C:\Documents and Settings\Ola\Dane aplikacji\Winamp
2008-03-28 14:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-28 14:37 --------- d-----w C:\Program Files\Ulead Systems
2008-03-28 14:36 --------- d-----w C:\Program Files\ABBYY FineReader 4.0 Sprint
2008-03-28 14:32 --------- d-----w C:\Program Files\BearPaw 1200CU Plus
2008-03-28 14:31 --------- d-----w C:\Program Files\Temp
2008-03-28 14:28 --------- d-----w C:\Program Files\Common Files\Nero
2008-03-28 14:28 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-03-28 14:26 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-28 14:26 --------- d-----w C:\Program Files\Ahead
2008-03-28 14:24 --------- d-----w C:\Program Files\HP
2008-03-28 14:24 --------- d-----w C:\Program Files\Common Files\HP
2008-03-28 14:22 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-28 14:22 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\HP
2008-03-28 14:17 --------- d-----w C:\Documents and Settings\Ola\Dane aplikacji\HP
2008-03-28 14:15 --------- d-----w C:\Documents and Settings\Ola\Dane aplikacji\ACD Systems
2008-03-28 14:07 --------- d-----w C:\Program Files\BearShare Applications
2008-03-28 13:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-28 13:29 --------- d-----w C:\Program Files\Java
2008-03-28 13:25 --------- d-----w C:\Program Files\Common Files\Java
2008-03-28 13:21 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2008-03-28 13:19 --------- d-----w C:\Program Files\Skype
2008-03-28 13:19 --------- d-----w C:\Program Files\Common Files\Skype
2008-03-28 13:19 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-03-28 13:09 --------- d-----w C:\Program Files\Acrobat 7.0
2008-03-28 13:00 892,928 ----a-w C:\WINDOWS\system32\iconv.dll
2008-03-28 12:59 405,504 ----a-w C:\WINDOWS\system32\libmplayer.dll
2008-03-28 12:59 3,138,560 ----a-w C:\WINDOWS\system32\libavcodec.dll
2008-03-28 12:59 126,976 ----a-w C:\WINDOWS\system32\libmpeg2_ff.dll
2008-03-28 12:58 921,600 ----a-w C:\WINDOWS\system32\vorbisenc.dll
2008-03-28 12:58 56,832 ----a-w C:\WINDOWS\system32\ff_unrar.dll
2008-03-28 12:58 54,784 ----a-w C:\WINDOWS\system32\ff_liba52.dll
2008-03-28 12:58 397,312 ----a-w C:\WINDOWS\system32\ff_libfaad2.dll
2008-03-28 12:58 26,624 ----a-w C:\WINDOWS\system32\ff_wmv9.dll
2008-03-28 12:58 237,568 ----a-w C:\WINDOWS\system32\OggDS.dll
2008-03-28 12:58 188,416 ----a-w C:\WINDOWS\system32\ff_theora.dll
2008-03-28 12:58 172,032 ----a-w C:\WINDOWS\system32\ff_libdts.dll
2008-03-28 12:58 143,360 ----a-w C:\WINDOWS\system32\ff_libmad.dll
2008-03-28 12:58 135,168 ----a-w C:\WINDOWS\system32\ff_samplerate.dll
2008-03-28 12:58 118,784 ----a-w C:\WINDOWS\system32\ff_realaac.dll
2008-03-28 12:58 102,912 ----a-w C:\WINDOWS\system32\ff_tremor.dll
2008-03-28 12:57 9,216 ----a-w C:\WINDOWS\system32\cpuinf32.dll
2008-03-28 12:57 45,056 ----a-w C:\WINDOWS\system32\ogg.dll
2008-03-28 12:57 391,168 ----a-w C:\WINDOWS\system32\i263_32.drv
2008-03-28 12:57 245,760 ----a-w C:\WINDOWS\system32\mplvpx.dll
2008-03-28 12:57 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll
2008-03-28 12:57 1,415,680 ----a-w C:\WINDOWS\system32\WMV9VCM.dll
2008-03-28 12:56 755,027 ----a-w C:\WINDOWS\system32\xvidcore.dll
2008-03-28 12:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-28 12:56 141,312 ----a-w C:\WINDOWS\system32\mp4.dll
2008-03-28 12:56 108,032 ----a-w C:\WINDOWS\system32\avi.dll
2008-03-28 12:55 79,360 ----a-w C:\WINDOWS\system32\mkzlib.dll
2008-03-28 12:55 23,552 ----a-w C:\WINDOWS\system32\mkunicode.dll
2008-03-28 12:55 163,840 ----a-w C:\WINDOWS\system32\ts.dll
2008-03-28 12:55 159,744 ----a-w C:\WINDOWS\system32\mmfinfo.dll
2008-03-28 12:55 148,480 ----a-w C:\WINDOWS\system32\mkx.dll
2008-03-28 12:55 120,832 ----a-w C:\WINDOWS\system32\ogm.dll
2008-03-28 12:55 --------- d-----w C:\Program Files\Real Alternative
2008-03-28 12:54 --------- d-----w C:\Program Files\QT Lite
2008-03-28 12:54 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2008-03-28 12:51 --------- d-----w C:\Program Files\ALLPlayer
2008-03-28 12:48 --------- d-----w C:\Program Files\Winamp
2008-03-28 12:32 --------- d-----w C:\Documents and Settings\Ola\Dane aplikacji\Gadu-Gadu
2008-03-28 12:29 --------- d-----w C:\Program Files\Gadu-Gadu
2008-03-28 12:22 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-03-28 12:22 --------- d-----w C:\Program Files\ACD Systems
2008-03-28 12:22 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ACD Systems
2008-03-28 12:07 --------- d-----w C:\Program Files\Microsoft Works
2008-03-28 12:05 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-27 11:21 --------- d-----w C:\Program Files\Analog Devices
2008-03-27 11:20 --------- d-----w C:\Program Files\Intel
2008-03-27 11:05 --------- d-----w C:\Program Files\ATI Technologies
2008-03-27 10:59 --------- d-----w C:\Program Files\Thomson
2008-03-27 10:56 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-03-27 10:53 --------- d-----w C:\Program Files\PowerDVD
2008-03-27 10:53 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\CyberLink
2008-03-27 10:52 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-27 10:45 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-27 10:43 --------- d-----w C:\Program Files\Usługi online
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-08-06 10:45 877568]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 22:05 344064]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 09:57 143360]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 14:06 40048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 17:40 155648]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-03-27 07:55 36352]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
Ulead Photo Express Calendar Checker For My Custom Edition.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe [2008-03-28 16:40:11 57344]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce8d1332-079b-11dd-96ca-000e50aeeee1}]
\Shell\AutoRun\command - x6.bat
\Shell\explore\Command - x6.bat
\Shell\open\Command - x6.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7150fb0-fcb5-11dc-96be-000e50aeeee1}]
\Shell\AutoRun\command - H:\8de.bat
\Shell\explore\Command - H:\8de.bat
\Shell\open\Command - H:\8de.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ecc137a2-0d1d-11dd-96d4-000e50aeeee1}]
\Shell\AutoRun\command - H:\x6.bat
\Shell\explore\Command - H:\x6.bat
\Shell\open\Command - H:\x6.bat
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 14:45:28
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-01 14:47:44
ComboFix-quarantined-files.txt 2008-05-01 12:47:30
Pre-Run: 13,979,996,160 bajtów wolnych
Post-Run: 13,994,242,048 bajtów wolnych
172