x-kom hosting

virut - please check my log

piokil
posted

I have already checked the computer with Dr.Web, but my NOD keeps going crazy and displays a message about virut.nbp. ComboFix won't run, so below is the log from HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:13:53, on 2009-07-05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\Program Files\IDrive\IDriveWebM.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Opera 10 Preview\opera.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Trend Micro\HijackThis\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: IEPluginBHO - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\Documents and Settings\Piotrek\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1236010947843
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C613D00-D12F-4A74-9174-79BA5018CABC}: NameServer = 192.168.1.1
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\Common Files\BinarySense\hlAPP.dll" (file missing)
O23 - Service: Usługa konfiguracji Atheros (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Usługa bramy warstwy aplikacji (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - Unknown owner - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Usługa indeksowania (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe
O23 - Service: Aplikacja systemowa modelu COM+ (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Update Service (gupdate1c986054654bfcc) (gupdate1c986054654bfcc) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Program Files\Common Files\BinarySense\hldasvc.exe
O23 - Service: IDrivePlugin - Unknown owner - C:\Program Files\IDrive\IDriveWebM.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PLFlash DeviceIoControl Service - Unknown owner - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Menedżer sesji pomocy pulpitu zdalnego (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Lokalizator usługi zdalnego wywołania procedury (RPC) (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe
O23 - Service: QoS RSVP (RSVP) - Unknown owner - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Karta inteligentna (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Dzienniki wydajności i alerty (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe
O23 - Service: Zasilacz awaryjny (UPS) (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe
O23 - Service: Kopiowanie woluminów w tle (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe

--
End of file - 9264 bytes

Guest
comment

Could you give some more information? How did you scan with "the Doctor" (Dr.Web): which area, what did it detect and how much did it find?

Where does NOD32 still detect viruses? A screenshot?

The HJT log is clean.

Try posting the logs from DDS.


MarekM25
comment (edited)

If it is Virut, you have two options:

1. Format all partitions and removable devices without copying over any executable files (exe, dll, etc.)

2. Disinfect with a LiveCD version of an antivirus, e.g. Dr.Web.

kamil was a bit faster ;) I also don't see an obvious infection here, but if ComboFix won't run and the antiviruses detect Virut, there must be something here.

One more thing, just for reconnaissance: what message does ComboFix display?
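MarekM25's first option boils down to rebuilding the machine and carrying over data only, never executables, because Virut is a file infector. The helper below is an added example written for this thread (not MarekM25's code, not a tool the thread used): it walks a directory and splits the files into "safe to copy" and "leave behind", deciding by extension and, more importantly, by the PE "MZ" header, so an infected executable hiding under a document name is caught too. The extension list and the sample tree are assumptions made for the demonstration.

```python
# Added example for this thread: decide which files from an infected disk may be
# carried over to a rebuilt system. Anything that is (or secretly is) a Windows
# executable stays behind; everything else is listed as copyable.
import os
import tempfile

# The thread names exe and dll; the rest of this set is an assumed list of
# extensions Windows runs or loads as code, which a rebuild should not inherit.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".com", ".pif", ".ocx", ".cpl", ".drv"}
PE_MAGIC = b"MZ"  # DOS stub that every PE executable starts with


def looks_like_pe(path):
    """True if the file starts with the 'MZ' stub, whatever its name says."""
    with open(path, "rb") as fh:
        return fh.read(2) == PE_MAGIC


def classify(path):
    """Return 'copy' if the file may be carried over, else the reason to leave it."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable extension"
    if looks_like_pe(path):
        return "PE header under a non-executable name"
    return "copy"


def plan_copy(root):
    """Walk root; return (sorted list of copyable files, {excluded file: reason})."""
    safe, excluded = [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            verdict = classify(full)
            if verdict == "copy":
                safe.append(rel)
            else:
                excluded[rel] = verdict
    return sorted(safe), excluded


# Constructed sample tree: names and contents are made up for the demonstration.
# "report.txt" is a renamed executable, the case an extension check alone misses.
SAMPLE_FILES = {
    "Dokumenty/notes.txt": b"plain text, nothing to run here\n",
    "Dokumenty/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "Dokumenty/report.txt": PE_MAGIC + b"\x90\x00" * 30,
    "Programy/setup.exe": PE_MAGIC + b"\x90\x00" * 30,
    "Programy/helper.dll": PE_MAGIC + b"\x90\x00" * 30,
    "Programy/saver.SCR": PE_MAGIC + b"\x90\x00" * 30,
}


def build_sample_tree(root):
    """Write the constructed sample files under root."""
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temporary directory and return plan_copy() for it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return plan_copy(root)


if __name__ == "__main__":
    safe, excluded = demo()
    print("copy:", safe)
    for rel, why in sorted(excluded.items()):
        print(f"skip {rel}: {why}")
```

Run against a real drive, `plan_copy(r"D:\")` gives the list to copy and the list of executables (declared or disguised) that stay on the disk to be formatted; on the sample tree only the two genuine data files survive.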

piokil
comment (edited)

here is the DDS log

DDS (Ver_09-06-26.01) - NTFSx86
Run by Piotrek at 22:53:38,59 on 2009-07-05
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional  5.1.2600.2.1250.48.1045.18.2038.1356 [GMT 2:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated)   {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled*   {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\Program Files\Common Files\BinarySense\hldasvc.exe
C:\Program Files\IDrive\IDriveWebM.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Opera 10 Preview\opera.exe
C:\download\dds.pif

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.onet.pl/
uDefault_Page_URL = hxxp://www.onet.pl/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: IEPluginBHO Class: {f5cc7f02-6f4e-4462-b5b1-394a57fd3e0d} - c:\documents and settings\piotrek\dane aplikacji\nowe gadu-gadu\_userdata\ggbho.1.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&ksport do programu Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236010947843
DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} - hxxps://www.bph.pl/pi/components/SignActivX.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {1C613D00-D12F-4A74-9174-79BA5018CABC} = 192.168.1.1
Handler: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - c:\program files\common files\binarysense\hlAPP.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\piotrek\daneap~1\mozilla\firefox\profiles\pxl3yhet.default\
FF - prefs.js: browser.startup.homepage - hxxp://onet.pl/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
FF - plugin: c:\documents and settings\all users\dane aplikacji\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\piotrek\dane aplikacji\nowe gadu-gadu\_userdata\npgg.1.dll
FF - plugin: c:\documents and settings\piotrek\ustawienia lokalne\dane aplikacji\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npdsplay.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM1.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM2.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM3.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM5.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-3 64160]
R1 is-K7RMRdrv;is-K7RMRdrv;c:\windows\system32\drivers\45656315.sys [2009-7-2 148496]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-11-8 141312]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2008-10-24 468224]
R2 HDDlife HDD Access service;HDDlife HDD Access service;c:\program files\common files\binarysense\hldasvc.exe [2008-2-15 832760]
R2 IDrivePlugin;IDrivePlugin;c:\program files\idrive\IDriveWebM.exe [2009-1-27 73728]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-5-5 604416]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2008-10-22 57408]
S2 gupdate1c986054654bfcc;Google Update Service (gupdate1c986054654bfcc);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\anti trojan elite\atepmon.sys --> c:\program files\anti trojan elite\ATEPMon.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-11-8 38160]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2009-2-21 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2009-2-21 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\drivers\stppp.sys [2009-2-21 32000]

=============== Created Last 30 ================

2009-07-05 22:13	252,416	a-------	c:\windows\system32\Notepad.exe
2009-07-05 22:07	<DIR>	-cd-----	c:\windows\system32\dllcache\cache
2009-07-05 22:03	<DIR>	--ds----	C:\ComboFix
2009-07-05 22:03	395,264	a-------	c:\windows\system32\CF15372.exe
2009-07-05 21:53	<DIR>	a-dshr--	C:\cmdcons
2009-07-05 21:47	155,136	a-------	c:\windows\PEV.exe
2009-07-05 21:47	161,792	a-------	c:\windows\SWREG.exe
2009-07-05 21:47	98,816	a-------	c:\windows\sed.exe
2009-07-02 20:17	49,745,952	a--sh---	c:\windows\system32\drivers\fidbox.dat
2009-07-02 20:17	545,828	a--sh---	c:\windows\system32\drivers\fidbox.idx
2009-07-02 20:16	148,496	a-------	c:\windows\system32\drivers\45656315.sys
2009-06-29 21:34	<DIR>	--d-----	c:\program files\common files\DivX Shared

==================== Find3M  ====================

2009-07-02 23:56	33,792	a-------	c:\windows\system32\WPABALN.EXE
2009-07-02 23:53	64,512	a-------	c:\windows\system32\cmstp.exe
2009-07-02 20:09	217,600	a-------	c:\windows\system32\wbem\wmiprvse.exe
2009-07-02 20:09	366,592	a-------	c:\windows\system32\wbem\wmic.exe
2009-07-02 20:09	126,464	a-------	c:\windows\system32\wbem\wmiapsrv.exe
2009-07-02 20:09	196,096	a-------	c:\windows\system32\wbem\wmiadap.exe
2009-07-02 20:09	117,760	a-------	c:\windows\system32\wbem\wbemtest.exe
2009-07-02 20:09	16,384	a-------	c:\windows\system32\wbem\unsecapp.exe
2009-07-02 20:09	36,352	a-------	c:\windows\system32\wbem\scrcons.exe
2009-07-02 20:09	16,896	a-------	c:\windows\system32\wbem\mofcomp.exe
2009-07-02 20:02	30,208	a-------	c:\windows\system32\xcopy.exe
2009-07-02 20:02	31,744	a-------	c:\windows\system32\wupdmgr.exe
2009-07-02 20:02	168,448	a-------	c:\windows\system32\wuauclt1.exe
2009-07-02 20:01	114,688	a-------	c:\windows\system32\wscript.exe
2009-07-02 20:01	32,256	a-------	c:\windows\system32\wpnpinst.exe
2009-07-02 20:01	13,824	a-------	c:\windows\system32\wscntfy.exe
2009-07-02 20:01	5,120	a-------	c:\windows\system32\write.exe
2009-07-02 20:01	189,440	a-------	c:\windows\system32\WISPTIS.EXE
2009-07-02 20:01	119,296	a-------	c:\windows\system32\winmine.exe
2009-07-02 20:01	11,264	a-------	c:\windows\system32\winmsd.exe
2009-07-02 20:01	7,680	a-------	c:\windows\system32\winhlp32.exe
2009-07-02 20:01	435,200	a-------	c:\windows\system32\wiaacmgr.exe
2009-07-02 20:01	65,536	a-------	c:\windows\system32\wextract.exe
2009-07-02 20:01	58,880	a-------	c:\windows\system32\wdfmgr.exe
2009-07-02 19:59	127,488	a-------	c:\windows\system32\schtasks.exe
2009-07-02 19:58	5,632	a-------	c:\windows\system32\msdtc.exe
2009-07-02 19:57	193,536	a-------	c:\windows\system32\eudcedit.exe
2009-07-02 19:56	150,528	a-------	c:\windows\pchealth\uploadlb\binaries\UploadM.exe
2009-07-02 19:55	34,816	a-------	c:\windows\pchealth\helpctr\binaries\notiflag.exe
2009-07-02 19:55	159,232	a-------	c:\windows\pchealth\helpctr\binaries\msconfig.exe
2009-07-02 19:55	18,432	a-------	c:\windows\pchealth\helpctr\binaries\HscUpd.exe
2009-07-02 19:55	743,424	a-------	c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2009-07-02 19:55	99,328	a-------	c:\windows\pchealth\helpctr\binaries\HelpHost.exe
2009-07-02 19:55	768,000	a-------	c:\windows\pchealth\helpctr\binaries\HelpCtr.exe
2009-06-17 11:27	38,160	a-------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27	19,096	a-------	c:\windows\system32\drivers\mbam.sys
2009-05-05 17:20	604,416	a-------	c:\windows\system32\TUProgSt.exe
2009-05-05 17:20	361,216	a-------	c:\windows\system32\TuneUpDefragService.exe
2009-04-28 21:51	15,688	a-------	c:\windows\system32\lsdelete.exe
2009-04-28 17:29	448,586	a-------	c:\windows\system32\perfh015.dat
2009-04-28 17:29	74,648	a-------	c:\windows\system32\perfc015.dat
2009-04-27 14:21	28,928	a-------	c:\windows\system32\uxtuneup.dll
2009-04-05 10:01	140	a---h---	c:\docume~1\piotrek\daneap~1\lakerda1967.sys

============= FINISH: 22:53:55,78 ===============

log attach

a piece of the NOD log

2009-07-05 22:26:28	Real-time file system protection	file	C:\WINDOWS\system32\wdfmgr.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\Documents and Settings\Piotrek\Ustawienia lokalne\temp\jkos-Piotrek\binaries\ScanningProcess.exe.
2009-07-05 22:26:27	Real-time file system protection	file	C:\WINDOWS\system32\IoctlSvc.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\Documents and Settings\Piotrek\Ustawienia lokalne\temp\jkos-Piotrek\binaries\ScanningProcess.exe.
2009-07-05 22:26:25	Real-time file system protection	file	C:\Program Files\IDrive\IDriveWebM.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\Documents and Settings\Piotrek\Ustawienia lokalne\temp\jkos-Piotrek\binaries\ScanningProcess.exe.
2009-07-05 22:26:23	Real-time file system protection	file	C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\Documents and Settings\Piotrek\Ustawienia lokalne\temp\jkos-Piotrek\binaries\ScanningProcess.exe.
2009-07-05 22:26:23	Real-time file system protection	file	C:\WINDOWS\system32\agrsmsvc.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\Documents and Settings\Piotrek\Ustawienia lokalne\temp\jkos-Piotrek\binaries\ScanningProcess.exe.
2009-07-05 22:13:53	Real-time file system protection	file	C:\WINDOWS\system32\wdfmgr.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to run the file by the application: C:\Program Files\Trend Micro\HijackThis\HIJACKTHIS.EXE.
2009-07-05 22:13:52	Real-time file system protection	file	C:\WINDOWS\system32\IoctlSvc.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to run the file by the application: C:\Program Files\Trend Micro\HijackThis\HIJACKTHIS.EXE.
2009-07-05 22:13:52	Real-time file system protection	file	C:\Program Files\IDrive\IDriveWebM.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to run the file by the application: C:\Program Files\Trend Micro\HijackThis\HIJACKTHIS.EXE.
2009-07-05 22:13:52	Real-time file system protection	file	C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to run the file by the application: C:\Program Files\Trend Micro\HijackThis\HIJACKTHIS.EXE.
2009-07-05 22:13:52	Real-time file system protection	file	C:\WINDOWS\system32\agrsmsvc.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to run the file by the application: C:\Program Files\Trend Micro\HijackThis\HIJACKTHIS.EXE.
2009-07-05 22:12:56	Real-time file system protection	file	C:\WINDOWS\system32\wdfmgr.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
2009-07-05 22:12:38	Real-time file system protection	file	C:\WINDOWS\system32\IoctlSvc.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
2009-07-05 22:12:34	Real-time file system protection	file	C:\WINDOWS\system32\agrsmsvc.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
2009-07-05 22:11:26	Real-time file system protection	file	C:\WINDOWS\system32\wdfmgr.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to run the file by the application: C:\Program Files\Trend Micro\HijackThis\HIJACKTHIS.EXE.
2009-07-05 22:11:24	Real-time file system protection	file	C:\WINDOWS\system32\IoctlSvc.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to run the file by the application: C:\Program Files\Trend Micro\HijackThis\HIJACKTHIS.EXE.
2009-07-05 22:11:23	Real-time file system protection	file	C:\Program Files\IDrive\IDriveWebM.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to run the file by the application: C:\Program Files\Trend Micro\HijackThis\HIJACKTHIS.EXE.
2009-07-05 22:11:22	Real-time file system protection	file	C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to run the file by the application: C:\Program Files\Trend Micro\HijackThis\HIJACKTHIS.EXE.
2009-07-05 22:11:22	Real-time file system protection	file	C:\WINDOWS\system32\agrsmsvc.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to run the file by the application: C:\Program Files\Trend Micro\HijackThis\HIJACKTHIS.EXE.
2009-07-05 22:10:07	Real-time file system protection	file	C:\WINDOWS\system32\wdfmgr.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\Program Files\Java\jre6\bin\jqs.exe.
2009-07-05 22:10:07	Real-time file system protection	file	C:\WINDOWS\system32\IoctlSvc.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\Program Files\Java\jre6\bin\jqs.exe.
2009-07-05 22:10:07	Real-time file system protection	file	C:\Program Files\IDrive\IDriveWebM.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\Program Files\Java\jre6\bin\jqs.exe.
2009-07-05 22:10:07	Real-time file system protection	file	C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\Program Files\Java\jre6\bin\jqs.exe.
2009-07-05 22:10:07	Real-time file system protection	file	C:\WINDOWS\system32\agrsmsvc.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\Program Files\Java\jre6\bin\jqs.exe.
2009-07-05 22:10:05	Real-time file system protection	file	C:\WINDOWS\system32\wdfmgr.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\Program Files\Java\jre6\bin\jqs.exe.
2009-07-05 22:10:05	Real-time file system protection	file	C:\WINDOWS\system32\IoctlSvc.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\Program Files\Java\jre6\bin\jqs.exe.
2009-07-05 22:10:05	Real-time file system protection	file	C:\Program Files\IDrive\IDriveWebM.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\Program Files\Java\jre6\bin\jqs.exe.
2009-07-05 22:10:05	Real-time file system protection	file	C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\Program Files\Java\jre6\bin\jqs.exe.
2009-07-05 22:10:05	Real-time file system protection	file	C:\WINDOWS\system32\agrsmsvc.exe	Win32/Virut.NBP virus	error while cleaning	ZARZĄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\Program Files\Java\jre6\bin\jqs.exe.
2009-07-05 22:10:03	Real-time file
system protection	file	C:\WINDOWS\system32\wdfmgr.exe	Win32/Virut.NBP virus	error while cleaning	ZARZÄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\Program Files\Java\jre6\bin\jqs.exe.2009-07-05 22:10:03	Real-time file system protection	file	C:\WINDOWS\system32\IoctlSvc.exe	Win32/Virut.NBP virus	error while cleaning	ZARZÄDZANIE NT\SYSTEM	Event occurred during an attempt to access the file by the application: C:\Program Files\Java\jre6\bin\jqs.exe.

As for Dr.Web, I did a full scan twice. The first time it detected about 2000 infected exe files, and the second time only a few, but NOD keeps showing an alarm for virut.nbp.
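The pasted ESET log is hard to read because every event ran together, but the useful signal is simple: the same handful of executables report "error while cleaning" over and over, each time some process (HijackThis, the Java Quick Starter) tries to run or open them. An on-access scanner typically cannot clean a file that is currently loaded as a running process, which is exactly the situation an offline (LiveCD) scan avoids. The script below is an added example, not code from the thread or from ESET: it parses log lines in the tab-separated layout shown above into records, then groups the cleaning failures by file and by the application that triggered the detection. The sample lines are constructed for the example in that same layout (one line even uses a different action so the filter has something to skip); the field order and the `by the application:` suffix are taken from the log as pasted, everything else is an assumption of the example.

```python
"""Summarise an ESET (NOD32) real-time protection log like the one pasted above.

Assumed line layout (tab-separated, taken from the pasted log):
  time | module | object type | object path | threat | action | user | info
The 'info' field ends with 'by the application: <path>.' and names the
process that touched the infected file.  Grouping by path and by that
application shows which binaries keep failing to clean and who keeps hitting
them.  Added example code; not ESET's or the thread's own.
"""
import re
from collections import defaultdict

# Constructed sample lines in the pasted log's layout (not copied from it).
SAMPLE_LOG = "\n".join([
    "2009-07-05 22:11:24\tReal-time file system protection\tfile\t"
    "C:\\WINDOWS\\system32\\IoctlSvc.exe\tWin32/Virut.NBP virus\t"
    "error while cleaning\tZARZĄDZANIE NT\\SYSTEM\tEvent occurred during an "
    "attempt to run the file by the application: "
    "C:\\Program Files\\Trend Micro\\HijackThis\\HIJACKTHIS.EXE.",
    "2009-07-05 22:11:23\tReal-time file system protection\tfile\t"
    "C:\\Program Files\\IDrive\\IDriveWebM.exe\tWin32/Virut.NBP virus\t"
    "error while cleaning\tZARZĄDZANIE NT\\SYSTEM\tEvent occurred during an "
    "attempt to run the file by the application: "
    "C:\\Program Files\\Trend Micro\\HijackThis\\HIJACKTHIS.EXE.",
    "2009-07-05 22:10:07\tReal-time file system protection\tfile\t"
    "C:\\WINDOWS\\system32\\IoctlSvc.exe\tWin32/Virut.NBP virus\t"
    "error while cleaning\tZARZĄDZANIE NT\\SYSTEM\tEvent occurred during an "
    "attempt to access the file by the application: "
    "C:\\Program Files\\Java\\jre6\\bin\\jqs.exe.",
    # Constructed variant with a different action, so the failure filter skips it.
    "2009-07-05 22:10:05\tReal-time file system protection\tfile\t"
    "C:\\WINDOWS\\system32\\wdfmgr.exe\tWin32/Virut.NBP virus\t"
    "cleaned by deleting\tZARZĄDZANIE NT\\SYSTEM\tEvent occurred during an "
    "attempt to access the file by the application: "
    "C:\\Program Files\\Java\\jre6\\bin\\jqs.exe.",
])

FIELDS = ("time", "module", "type", "path", "threat", "action", "user", "info")
# The application path runs to the end of the info text, minus its final period.
APP_RE = re.compile(r"by the application: (?P<app>.+?)\.?$")


def parse_eset_log(text):
    """Parse tab-separated ESET events into dicts; lines with the wrong field
    count (e.g. a run-together paste) are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        fields = line.rstrip("\r").split("\t")
        if len(fields) != len(FIELDS):
            continue
        event = dict(zip(FIELDS, fields))
        match = APP_RE.search(event["info"])
        event["app"] = match.group("app") if match else None
        events.append(event)
    return events


def summarize_failures(events):
    """Per infected path: how many cleaning attempts failed and which
    applications triggered those detections."""
    failed = defaultdict(lambda: {"failures": 0, "apps": set()})
    for event in events:
        if event["action"] != "error while cleaning":
            continue
        record = failed[event["path"]]
        record["failures"] += 1
        if event["app"]:
            record["apps"].add(event["app"])
    return dict(failed)


def threat_counts(events):
    """How many events each threat name produced (any action)."""
    counts = defaultdict(int)
    for event in events:
        counts[event["threat"]] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_eset_log(SAMPLE_LOG)
    print("threats:", threat_counts(parsed))
    for path, rec in sorted(summarize_failures(parsed).items()):
        print(f"{path}: {rec['failures']} failed clean(s), triggered by "
              + ", ".join(sorted(rec["apps"])))
```

Run it against the real log by saving the events one per line (as in the cleaned-up paste above) and passing the file's text to `parse_eset_log`; the per-path summary is what a helper on the forum reads off by eye: files that never clean while the system is running are the ones an offline scan has to handle.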

MarekM25
comment
comment (edited)

You need to scan the computer with the LiveCD :| not with CureIt

You burn the disc, boot from it and disinfect, but don't delete the files

ftp://ftp.drweb.com/pub/drweb/livecd/minD...iveCD-5.0.0.iso
