SafeGroup

Witajcie moi milidziś to nie ja potrzebuje pomocy tylko kolega i to w jego sprawie sie do was zwracam. Sprawa wygląda nie zaciekawię a więc jest kupa wirusów na kompie(1 pobrał kupę plików na dysk patrz screen) oraz inne trojany itd.
cały czas skanuje komputer AVIRO w poszukiwaniu i usuwaniu tego badziewia.
p.s wiecie czemu sie komputer wyłącza samoczynnie ? (temperatura jest dobra)

LOG z hijackthis

Cytat: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:49:47, on 2007-08-18
Platform: Windows XP(WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
Crogram FilesAntiVir PersonalEdition Classicavguard.exe
C:WINDOWSExplorer.EXE
C:WINDOWSMixer.exe
C:WINDOWSSystem32RUNDLL32.EXE
Crogram FilesAntiVir PersonalEdition Classicavgnt.exe
D:ggGadu-Gadugg.exe
Crogram FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
Crogram FilesMicrosoft OfficeOffice1045OLFSNT40.EXE
Crogram FilesAntiVir PersonalEdition Classicsched.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSSystem32nvsvc32.exe
C:WINDOWSSystem32wdfmgr.exe
Crogram FilesMozilla Firefoxfirefox.exe
C:WINDOWSSystem32notepad.exe
Crogram FilesTrend MicroHijackThisHijackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page =
[Aby zobaczyć linki, zarejestruj się tutaj]
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Local Page =
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Ĺącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSystem32msdxm.ocx
O4 - HKLM..Run: [nwiz]nwiz.exe /install
O4 - HKLM..Run: [C-Media Mixer]Mixer.exe /startup
O4 - HKLM..Run: [NvCplDaemon]RUNDLL32.EXE C:WINDOWSSystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [NvMediaCenter]RUNDLL32.EXE C:WINDOWSSystem32NvMcTray.dll,NvTaskbarInit
O4 - HKLM..Run: [BearShare]"Crogram FilesBearShareBearShare.exe" /pause
O4 - HKLM..Run: [avgnt]"Crogram FilesAntiVir PersonalEdition Classicavgnt.exe" /min
O4 - HKCU..Run: [Gadu-Gadu]"D:ggGadu-Gadugg.exe" /tray
O4 - HKCU..Run: [swg]Crogram FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
O4 - HKCU..Run: [ares]"Crogram FilesAresAres.exe" -h
O4 - HKUSS-1-5-19..Run: [CTFMON.EXE]C:WINDOWSSystem32CTFMON.EXE (User ''?'')
O4 - HKUSS-1-5-20..Run: [CTFMON.EXE]C:WINDOWSSystem32CTFMON.EXE (User ''?'')
O4 - HKUSS-1-5-21-2025429265-1637723038-839522115-1004..Run: [Gadu-Gadu]"D:ggGadu-Gadugg.exe" /tray (User ''?'')
O4 - HKUSS-1-5-18..Run: [CTFMON.EXE]C:WINDOWSSystem32CTFMON.EXE (User ''?'')
O4 - HKUS.DEFAULT..Run: [CTFMON.EXE]C:WINDOWSSystem32CTFMON.EXE (User ''Default user'')
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = Crogram FilesMicrosoft OfficeOffice1045OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = Crogram FilesMicrosoft OfficeOfficeOSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSwebrelated.htm
O9 - Extra ''Tools'' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSwebrelated.htm
O17 - HKLMSystemCCSServicesTcpip..{7215599B-6BF2-4214-B063-21AD5059D653}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLMSystemCCSServicesTcpip..{CF6D8022-3258-455A-B43C-1066A86F8A24}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLMSystemCS1ServicesTcpip..{7215599B-6BF2-4214-B063-21AD5059D653}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLMSystemCS2ServicesTcpip..{7215599B-6BF2-4214-B063-21AD5059D653}: NameServer = 85.255.115.46,85.255.112.154
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - Crogram FilesAntiVir PersonalEdition Classicsched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - Crogram FilesAntiVir PersonalEdition Classicavguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - Crogram FilesAreschatServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - Crogram FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINDOWSSystem32nvsvc32.exe

--
End of file - 4268 bytes

[Aby zobaczyć linki, zarejestruj się tutaj]

nie zamieszczam z sillenta bo jakiś error mi wysakuję ze coś jest nie uaktywnione

Cytat: O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSwebrelated.htm
O9 - Extra ''Tools'' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSwebrelated.htm
O17 - HKLMSystemCCSServicesTcpip..{7215599B-6BF2-4214-B063-21AD5059D653}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLMSystemCCSServicesTcpip..{CF6D8022-3258-455A-B43C-1066A86F8A24}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLMSystemCS1ServicesTcpip..{7215599B-6BF2-4214-B063-21AD5059D653}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLMSystemCS2ServicesTcpip..{7215599B-6BF2-4214-B063-21AD5059D653}: NameServer = 85.255.115.46,85.255.112.154

Skasuj te wpisy w hijacku i zastosuj

[Aby zobaczyć linki, zarejestruj się tutaj]

Użyj szczepionki przeciwko Netsky

[Aby zobaczyć linki, zarejestruj się tutaj]

Po zabiegach dajesz logi z hijacka fixwareout i

[Aby zobaczyć linki, zarejestruj się tutaj]

[code:1] ComboFix 07-08-14.4 - "Real" 2007-08-18 15:47:49.1 - FAT32 x86

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C Grin

OCUME~1RealPulpit.internet explorer.lnk
C Tongue

rogram FilesCommon Filesmicrosoft sharedweb foldersibm00001.dll
C Tongue

rogram FilesCommon Filesmicrosoft sharedweb foldersibm00002.dll
C Tongue

rogram Filesmyglobalsearch
C Tongue

rogram Filesmyglobalsearchbar1.binM9FFXTBR.JAR
C Tongue

rogram Filesmyglobalsearchbar1.binM9FFXTBR.MANIFEST
C Tongue

rogram Filesmyglobalsearchbar1.binM9NTSTBR.JAR
C Tongue

rogram Filesmyglobalsearchbar1.binM9NTSTBR.MANIFEST
C Tongue

rogram Filesmyglobalsearchbar1.binM9PLUGIN.DLL
C Tongue

rogram Filesmyglobalsearchbar1.binNPMYGLSH.DLL
C Tongue

rogram FilesmyglobalsearchbarCache0024A7C.bin
C Tongue

rogram FilesmyglobalsearchbarCache0024F2F.bin
C Tongue

rogram FilesmyglobalsearchbarCache0025087.bin
C Tongue

rogram FilesmyglobalsearchbarCache004EEF0
C Tongue

rogram FilesmyglobalsearchbarCachefiles.ini
C Tongue

rogram FilesmyglobalsearchbarHistorysearch
C Tongue

rogram FilesmyglobalsearchbarSettingsprevcfg.htm

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------LEGACY_NTMLSVC
-------NtmlSvc

((((((((((((((((((((((((( Files Created from 2007-07-18 to 2007-08-18)))))))))))))))))))))))))))))))

2007-08-18 15:47 51,200 --a------ C:WINDOWSnircmd.exe
2007-08-18 15:40 6,552 --a------ C:dnsbak.reg
2007-08-18 14:56 1,156 --a------ C:WINDOWSmozver.dat
2007-08-18 14:04 <DIR> d-------- C Grin

OCUME~1ALLUSE~1DANEAP~1AntiVir PersonalEdition Classic
2007-08-18 13:39 <DIR> d-------- C Tongue

rogram FilesLavalys
2007-08-18 13:20 0 --a------ C:WINDOWSnsreg.dat
2007-08-18 13:20 <DIR> d-------- C Grin

OCUME~1RealDANEAP~1Talkback
2007-08-18 12:57 <DIR> d-------- C Tongue

rogram FilesTrend Micro
2007-08-17 15:24 <DIR> d--hs---- C:FOUND.008
2007-07-22 08:00 <DIR> d-------- C Grin

OCUME~1RealDANEAP~1.BitTornado

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-22 08:00 --------- d-------- C Grin

OCUME~1RealDANEAP~1.BitTornado
2007-07-11 22:22 --------- d-------- C Tongue

rogram FilesAres
2007-07-11 21:10 --------- d-------- C Grin

OCUME~1RealDANEAP~1Google
2007-07-11 21:09 --------- d-------- C Grin

OCUME~1RealDANEAP~1Gadu-Gadu
2007-07-10 17:39 --------- d-------- C Tongue

rogram FileseMule
2007-07-10 17:21 --------- d-------- C Tongue

rogram FilesWinamp
2007-07-10 17:14 2560 --a------ C:WINDOWS_MSRSTRT.EXE
2007-07-08 15:50 208384 --a------ C:WINDOWSADS.exe
2007-07-07 13:43 --------- d-------- C Tongue

rogram FilesGoogle
2007-07-02 21:41 36624 --------- C:WINDOWSsystem32driverspxhelp20.sys
2007-06-19 17:34 140520 --a------ C:WINDOWSsystem32CModule.dll
2007-05-31 17:58 173 --a------ C Grin

elUS.bat
2007-05-31 17:24 704512 --a------ C:WINDOWSsystem32mfcl31d.dll
2001-11-23 06:08 712704 -ra------ C:WINDOWSinfOTHERAUDIO3D.DLL
1999-05-17 14:58 99840 --a------ C Tongue

rogram FilesCommon FilesIRAABOUT.DLL
1998-12-09 03:53 70144 --a------ C Tongue

rogram FilesCommon FilesIRAMDMTR.DLL
1998-12-09 03:53 48640 --a------ C Tongue

rogram FilesCommon FilesIRALPTTR.DLL
1998-12-09 03:53 31744 --a------ C Tongue

rogram FilesCommon FilesIRAWEBTR.DLL
1998-12-09 03:53 186368 --a------ C Tongue

rogram FilesCommon FilesIRAREG.DLL
1998-12-09 03:53 17920 --a------ C Tongue

rogram FilesCommon FilesIRASRIAL.DLL
2007-04-05 15:52:36 5 --sha-w C:WINDOWSsystem32bcebeffd_s.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"nwiz"="nwiz.exe" [2005-04-01 16:16 C:WINDOWSsystem32nwiz.exe]
"C-Media Mixer"="Mixer.exe" [2003-03-20 08:21 C:WINDOWSmixer.exe]
"NvCplDaemon"="C:WINDOWSSystem32NvCpl.dll" [2005-04-01 16:16]
"NvMediaCenter"="C:WINDOWSSystem32NvMcTray.dll" [2005-04-01 16:16]
"BearShare"="C Tongue

rogram FilesBearShareBearShare.exe" []
"avgnt"="C Tongue

rogram FilesAntiVir PersonalEdition Classicavgnt.exe" [2007-04-02 10:35]

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"Gadu-Gadu"="D:ggGadu-Gadugg.exe" [2007-05-10 16:36]
"swg"="C Tongue

rogram FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe" [2007-07-21 13:36]
"ares"="C Tongue

rogram FilesAresAres.exe" []

C Grin

ocuments and SettingsAll UsersMenu StartProgramyAutostart
Symantec Fax Starter Edition Port.lnk - C Tongue

rogram FilesMicrosoft OfficeOffice1045OLFSNT40.EXE [1999-05-17 14:59:04]
Microsoft Office.lnk - C Tongue

rogram FilesMicrosoft OfficeOfficeOSA9.EXE [1999-02-17 21:05:56]

R0 avgntmgr;avgntmgr;C:WINDOWSSystem32DRIVERSavgntmgr.sys
R1 avgntdd;avgntdd;C:WINDOWSSystem32DRIVERSavgntdd.sys
R1 avipbb;avipbb;C:WINDOWSSystem32DRIVERSavipbb.sys
R1 ssmdrv;ssmdrv;C:WINDOWSSystem32DRIVERSssmdrv.sys
S3 ctlsb16;Sterownik Creative SB16/AWE32/AWE64 (WDM);C:WINDOWSSystem32driversctlsb16.sys
S3 cwbwdm_device;Sterownik kodera-dekodera audio Crystal WDM;C:WINDOWSSystem32driverscwbwdm.sys
S3 ess;Sterownik audio ESS (WDM);C:WINDOWSSystem32driversess.sys

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,

[Aby zobaczyć linki, zarejestruj się tutaj]

Rootkit scan 2007-08-18 15:50:19
Windows 5.1.2600FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-18 15:51:36 - machine was rebooted
C:ComboFix-quarantined-files.txt ... 2007-08-18 15:51

--- E O F ---
[/code:1]

Cytat: Username "Real" - 2007-08-18 15:40:53 [Fixwareout edited 2007/07/05]

»»»»»Prerun check
HKLMSOFTWARE~Winlogon "System"="kddup.exe"

HKEY_LOCAL_MACHINEsystemcurrentcontrolsetservicestcpipparametersinterfaces{8AFD5894-664C-44BC-A5EB-307293A93BB5}
"DhcpNameServer"="85.255.115.46,85.255.112.154" <Value cleared.
HKEY_LOCAL_MACHINEsystemcurrentcontrolsetservicestcpipparametersinterfaces{CF6D8022-3258-455A-B43C-1066A86F8A24}
"DhcpNameServer"="85.255.115.46,85.255.112.154" <Value cleared.

Pomyślnie opróżniono pamięć podręczną programu rozpoznawania nazw DNS.

System was rebooted successfully.

»»»»» Postrun check
HKLMSOFTWARE~Winlogon "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
»»»»» Other
C:WINDOWSTEMPkddup.ren 66505 2001-10-26

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"nwiz"="nwiz.exe /install"
"C-Media Mixer"="Mixer.exe /startup"
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit"
"BearShare"=""C:\Program Files\BearShare\BearShare.exe" /pause"
"avgnt"=""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min"

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"Gadu-Gadu"=""D:\gg\Gadu-Gadu\gg.exe" /tray"
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"ares"=""C:\Program Files\Ares\Ares.exe" -h"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

[code:1] Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:54:55, on 2007-08-18
Platform: Windows XP(WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C Tongue

rogram FilesAntiVir PersonalEdition Classicavguard.exe
C:WINDOWSExplorer.EXE
C Tongue

rogram FilesAntiVir PersonalEdition Classicsched.exe
C:WINDOWSSystem32nvsvc32.exe
C:WINDOWSMixer.exe
C:WINDOWSSystem32RUNDLL32.EXE
C Tongue

rogram FilesAntiVir PersonalEdition Classicavgnt.exe
D:ggGadu-Gadugg.exe
C Tongue

rogram FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
C Tongue

rogram FilesMicrosoft OfficeOffice1045OLFSNT40.EXE
C Tongue

rogram FilesMozilla Firefoxfirefox.exe
C Tongue

rogram FilesTrend MicroHijackThisHijackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page =

[Aby zobaczyć linki, zarejestruj się tutaj]

R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = aboutblank
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Local Page =
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Ĺącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSystem32msdxm.ocx
O4 - HKLM..Run: [nwiz]nwiz.exe /install
O4 - HKLM..Run: [C-Media Mixer]Mixer.exe /startup
O4 - HKLM..Run: [NvCplDaemon]RUNDLL32.EXE C:WINDOWSSystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [NvMediaCenter]RUNDLL32.EXE C:WINDOWSSystem32NvMcTray.dll,NvTaskbarInit
O4 - HKLM..Run: [BearShare]"C Tongue

rogram FilesBearShareBearShare.exe" /pause
O4 - HKLM..Run: [avgnt]"C Tongue

rogram FilesAntiVir PersonalEdition Classicavgnt.exe" /min
O4 - HKCU..Run: [Gadu-Gadu]"D:ggGadu-Gadugg.exe" /tray
O4 - HKCU..Run: [swg]C Tongue

rogram FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
O4 - HKCU..Run: [ares]"C Tongue

rogram FilesAresAres.exe" -h
O4 - HKUSS-1-5-19..Run: [CTFMON.EXE]C:WINDOWSSystem32CTFMON.EXE (User ''USĹUGA LOKALNA'')
O4 - HKUSS-1-5-20..Run: [CTFMON.EXE]C:WINDOWSSystem32CTFMON.EXE (User ''USĹUGA SIECIOWA'')
O4 - HKUSS-1-5-18..Run: [CTFMON.EXE]C:WINDOWSSystem32CTFMON.EXE (User ''SYSTEM'')
O4 - HKUS.DEFAULT..Run: [CTFMON.EXE]C:WINDOWSSystem32CTFMON.EXE (User ''Default user'')
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C Tongue

rogram FilesMicrosoft OfficeOffice1045OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C Tongue

rogram FilesMicrosoft OfficeOfficeOSA9.EXE
O17 - HKLMSystemCS2ServicesTcpip..{7215599B-6BF2-4214-B063-21AD5059D653}: NameServer = 85.255.115.46,85.255.112.154
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C Tongue

rogram FilesAntiVir PersonalEdition Classicsched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C Tongue

rogram FilesAntiVir PersonalEdition Classicavguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C Tongue

rogram FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINDOWSSystem32nvsvc32.exe

--
End of file - 3359 bytes
[/code:1]

jakos widac poprawe od skanu aviry:mrgreen:
aleczemu sie komp wyłącza ? np. podczas skanu aviry ( dochodzi do około 30% i zgon)

Pogrubiony plik usuń ręcznie z dysku w trybie awaryjnym i wyłączonym przywracaniem systemu

Cytat: C:WINDOWS ADS.exe

Przeskanuj ten plik na

[Aby zobaczyć linki, zarejestruj się tutaj]

Cytat: C:WINDOWSsystem32 bcebeffd_s.dll

Skasuj w hijacku

Cytat: R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Local Page =
O17 - HKLMSystemCS2ServicesTcpip..{7215599B-6BF2-4214-B063-21AD5059D653}: NameServer = 85.255.115.46,85.255.112.154

Potem nowe logi z hijacka i combofix

Co się takdokładnie dzieje z silentem?

dymek9229

Serafin

dymek9229

Serafin