15.05.2009, 01:10
Witam!
Mam problem gdyż Avira wykryła mi trojana TR/Crypt.XPACK.Gen i niebardzo wiem jak mogę się go pozbyć... Wklejam logi z hijacka i combofixa. Bardzo proszę o pomoc i z góry dziękuje.
log z HijackThis
i z ComboFix
Pozdrawiam serdecznie
Mam problem gdyż Avira wykryła mi trojana TR/Crypt.XPACK.Gen i niebardzo wiem jak mogę się go pozbyć... Wklejam logi z hijacka i combofixa. Bardzo proszę o pomoc i z góry dziękuje.
log z HijackThis
Cytat:Logfile of HijackThis v1.99.1
Scan saved at 01:31:32, on 2009-05-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
D:\WINDOWS\system32\msiexec.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
D:\Documents and Settings\Ostafin\Pulpit\HijackThis_v1.99.1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =[Aby zobaczyć linki, zarejestruj się tutaj]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - D:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL (file missing)
F3 - REG:win.ini: load=C:\TBridge\Flatbed.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - D:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - D:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - D:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - D:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched]"D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Synchronization Manager]%SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update]D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BearShare]"D:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Cmaudio]RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck]D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VTTimer]VTTimer.exe
O4 - HKLM\..\Run: [avgnt]"D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task]"D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Gadu-Gadu]"D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [DAEMON Tools Lite]"D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel -[Aby zobaczyć linki, zarejestruj się tutaj]
:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ''Tools'' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra ''Tools'' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -[Aby zobaczyć linki, zarejestruj się tutaj]
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Zarządzanie aplikacjami AppMgmtclr_optimization_v2.0.50727_32 (AppMgmtclr_optimization_v2.0.50727_32) - Unknown owner - D:\WINDOWS\system32\wpv251236951426.cpx.exe (file missing)
i z ComboFix
Cytat: ComboFix 09-05-14.03 - Ostafin 2009-05-151:55.3 - NTFSx86
Microsoft Windows XP Professional5.1.2600.2.1250.48.1045.18.735.474 [GMT 2:00]
Uruchomiony z: d:\documents and settings\Ostafin\Pulpit\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\windows\system32\wpv251236951426.cpx
d:\windows\Temp\283810366.exe
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_APPMGMTCLR_OPTIMIZATION_V2.0.50727_32
-------\Service_AppMgmtclr_optimization_v2.0.50727_32
((((((((((((((((((((((((( Pliki utworzone od 2009-04-15 do 2009-05-15)))))))))))))))))))))))))))))))
.
2009-05-14 23:19 . 2009-05-15 00:00 11552 --sha-w d:\windows\system32\drivers\fidbox2.dat
2009-05-14 23:19 . 2009-05-15 00:02 836896 --sha-w d:\windows\system32\drivers\fidbox.dat
2009-05-14 22:59 . 2009-05-14 23:30 -------- d-----w d:\program files\Common Files\ParetoLogic
2009-05-14 22:59 . 2009-05-14 22:59 -------- d-----w d:\documents and settings\All Users\Dane aplikacji\ParetoLogic Anti-Virus PLUS
2009-05-14 22:59 . 2009-05-14 22:59 -------- d-----w d:\documents and settings\Ostafin\Ustawienia lokalne\Dane aplikacji\Downloaded Installations
2009-05-06 17:01 . 2009-05-06 17:01 -------- d-----w d:\documents and settings\Ostafin\Dane aplikacji\Media Player Classic
2009-04-16 11:02 . 2004-08-03 22:38 14848 -c--a-w d:\windows\system32\dllcache\kbdhid.sys
2009-04-16 11:02 . 2004-08-03 22:38 14848 ----a-w d:\windows\system32\drivers\kbdhid.sys
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 00:00 . 2009-05-14 23:19 1628 --sha-w d:\windows\system32\drivers\fidbox2.idx
2009-05-15 00:00 . 2009-05-14 23:19 12236 --sha-w d:\windows\system32\drivers\fidbox.idx
2009-05-14 22:46 . 2009-03-13 17:44 169 --s-a-w d:\windows\system32\2776990058.dat
2009-04-17 17:14 . 2001-10-26 16:15 74230 ----a-w d:\windows\system32\perfc015.dat
2009-04-17 17:14 . 2001-10-26 16:15 448004 ----a-w d:\windows\system32\perfh015.dat
2009-03-22 13:53 . 2009-03-22 13:52 -------- d-----w d:\program files\K-Lite Codec Pack
2009-03-22 13:52 . 2008-11-05 11:55 -------- d-----w d:\program files\DivX
2009-03-22 13:47 . 2009-03-22 13:46 -------- d-----w d:\program files\QuickTime
2009-03-22 13:46 . 2009-03-22 13:46 -------- d-----w d:\program files\Apple Software Update
2009-03-19 18:17 . 2009-02-28 00:34 -------- d-----w d:\program files\Internet Download Manager
2009-03-19 18:17 . 2007-11-09 21:39 -------- d-----w d:\program files\Google
2009-03-06 14:47 . 2004-08-03 23:44 285184 ----a-w d:\windows\system32\pdh.dll
2009-02-28 01:53 . 2009-02-28 01:46 108144 ----a-w d:\windows\system32\CmdLineExt.dll
2009-02-28 01:06 . 2009-02-28 01:06 717296 ----a-w d:\windows\system32\drivers\sptd.sys
2009-02-20 08:32 . 2004-08-03 23:44 662016 ----a-w d:\windows\system32\wininet.dll
2009-02-20 08:32 . 2004-08-03 23:44 81920 ----a-w d:\windows\system32\ieencode.dll
.
------- Sigcheck -------
[7]2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 d:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7]2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 d:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7]2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 d:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7]2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D d:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7]2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E d:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7]2004-08-03 22:14 359040 9F4B36614A0FC234525BA224957DE55C d:\windows\$NtUninstallKB917953$\tcpip.sys
[7]2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 d:\windows\$NtUninstallKB941644$\tcpip.sys
[7]2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 d:\windows\$NtUninstallKB951748$\tcpip.sys
[-]2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 d:\windows\SoftwareDistribution\Download\85612d9569f9a4d033130e1ccf6503f1\tcpip.sys
[-]2008-06-20 10:45 360320 1CC09561E21A48A7F649A40F18235860 d:\windows\system32\dllcache\tcpip.sys
[-]2008-06-20 10:45 360320 1CC09561E21A48A7F649A40F18235860 d:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="d:\program files\Gadu-Gadu\gg.exe" [2007-07-09 2119104]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="d:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-06-14 132760]
"Synchronization Manager"="d:\windows\system32\mobsync.exe" [2004-08-03 143872]
"HP Software Update"="d:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"NeroFilterCheck"="d:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avgnt"="d:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"VTTimer"="VTTimer.exe" - d:\windows\system32\VTTimer.exe [2003-08-20 45056]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
d:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Digital Imaging Monitor.lnk - d:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Gadu-Gadu\\gg.exe"=
"d:\\Program Files\\Murator\\Drzewa i krzewy\\DiK2006.exe"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Zawartość folderu ''Zaplanowane zadania''
2009-04-18 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - USUNIĘTO PUSTE WPISY - - - -
HKLM-Run-BearShare - d:\program files\BearShare\BearShare.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
.
------- Skan uzupełniający -------
.
uStart Page =[Aby zobaczyć linki, zarejestruj się tutaj]
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&ksport do programu Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - d:\documents and settings\Ostafin\Dane aplikacji\Mozilla\Firefox\Profiles\bgvgmlyz.default\
FF - prefs.js: browser.startup.homepage -[Aby zobaczyć linki, zarejestruj się tutaj]
FF - plugin: d:\documents and settings\Ostafin\Dane aplikacji\Mozilla\Firefox\Profiles\bgvgmlyz.default\extensions\[email protected]\plugins\NPSignPlugin.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,[Aby zobaczyć linki, zarejestruj się tutaj]
Rootkit scan 2009-05-15 02:03
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
[HKEY_USERS\S-1-5-21-507921405-1500820517-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8b,8b,a1,37,26,f0,e1,93,f3,73,a6,fd,0e,05,55,d2,ad,00,55,ec,56,43,c2,
77,60,14,4e,d9,4c,34,07,f4,ca,e8,a8,60,a4,e0,12,69,0e,43,83,8a,4d,c8,8f,e7,\
"??"=hex:e1,f5,7f,44,be,21,f4,3c,11,b7,c1,5f,43,8e,36,51
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > ''explorer.exe''(4092)
d:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
d:\program files\Common Files\Microsoft Shared\Web Components\11\1045\OWCI11.DLL
d:\windows\system32\shdoclc.dll
d:\windows\system32\browselc.dll
d:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
d:\program files\Microsoft Office\OFFICE11\msohev.dll
d:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
d:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
d:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
d:\windows\system32\wdfmgr.exe
d:\program files\HP\Digital Imaging\bin\hpqste08.exe
d:\windows\system32\wscntfy.exe
d:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Czas ukończenia: 2009-05-152:06 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt2009-05-15 00:06
Przed: 60 488 957 952 bajtów wolnych
Po: 61 387 321 344 bajtów wolnych
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
150 --- E O F --- 2009-05-13 10:05
Pozdrawiam serdecznie