
How do I get rid of the remains of anvo.exe? It seems to be ailing my machine... malware leftovers

blackfenix
created

Well, hello...

I have a small problem with my computer... I don't really know what is going on. The computer slows down, the processes look normal, but when I open folders in c:/windows a message pops up saying an infection was detected, and it connects me to this site:

http://sc.videofreeforonline.com/id/4912933/4/1/

I have NOD32 + ESET Smart Security, kept up to date...

On top of all that there is strange behaviour from Windows (possibly a leftover from anvo.exe).

Can you help?

Here is the HijackThis log:

----------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:48:32, on 2008-11-05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Firebird\Firebird_2_0\bin\fbguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Firebird\Firebird_2_0\bin\fbserver.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\mojexplorer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\DOCUME~1\BLACKF~1\USTAWI~1\Temp\winlogon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Winamp\winamp.exe
C:\totalcmd\TOTALCMD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://spartani.com/home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=mojexplorer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: JurToolbar - {DEE7B1F7-A014-477C-B0C5-23A51AA81DB5} - C:\WINDOWS\system32\jofcsd.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [NodLogin] C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [Onet.pl AutoUpdate] C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe /tsr
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Marc 2 Uninstaller] C:\Documents and Settings\blackfenix\Pulpit\Nowy folder\m2_nt5_ui.exe /files
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Flircik] C:\Program Files\Onet\Flircik\Flircik.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\BLACKF~1\USTAWI~1\Temp\winlogon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} - http://www.eska.pl/streamplayers/OggX.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B545217-9C5D-420F-9DF3-8EF768ABB9B1}: NameServer = 85.255.114.103,85.255.112.151
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_0\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_0\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

--
End of file - 12281 bytes

---------------------------------------

Thanks in advance for the help...

Guest
comment

Give us a normal log.

Mateusz J.
comment

F2 - REG:system.ini: Shell=mojexplorer.exe
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - (no file)
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\BLACKF~1\USTAWI~1\Temp\winlogon.exe

To be fixed; I don't know whether I found everything, because you pasted that log rather badly.

Use the FixwareOut program, because it is clear you have malicious DNS.

Then create a log with ComboFix + a new one from HijackThis.
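The three entries singled out in the reply above share a few tell-tale patterns: a shell other than explorer.exe, a BHO with no backing file, an autostart launched from a Temp directory, and (the O17 line) resolvers the owner never configured. The following Python triage script is an added example, not code from this thread or from HijackThis; the sample entries are copied in shape from the log posted above, and the expected-resolver list is a hypothetical value.

```python
import re

# Constructed sample: entries copied in shape from the HijackThis log posted above,
# plus one benign O4 entry (ESET's own GUI) to show that not every Run key is flagged.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=mojexplorer.exe
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - (no file)
O4 - HKLM\\..\\Run: [egui] "C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe" /hide /waitservice
O4 - HKCU\\..\\Run: [Firewall auto setup] C:\\DOCUME~1\\BLACKF~1\\USTAWI~1\\Temp\\winlogon.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{8B545217-9C5D-420F-9DF3-8EF768ABB9B1}: NameServer = 85.255.114.103,85.255.112.151
"""

# Core Windows binaries: a copy of one of these outside \WINDOWS\ is suspect.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "smss.exe"}
# Assumption: the resolvers the owner actually configured (hypothetical value for this example).
EXPECTED_DNS = {"192.168.1.1"}

def triage_line(line: str):
    """Return a short reason if a HijackThis entry looks malicious, else None."""
    line = line.strip()
    # F2: Windows must start explorer.exe as the shell; any other name is a shell hijack.
    m = re.match(r"F2 - REG:system\.ini: Shell=(.+)", line)
    if m and m.group(1).strip().lower() != "explorer.exe":
        return "shell replaced: " + m.group(1).strip()
    # O2/O3: a BHO or toolbar whose DLL is gone is a leftover registration of removed software.
    if re.match(r"O[23] - ", line) and "(no file)" in line:
        return "orphaned BHO/toolbar registration"
    # O4: autostart entries run from Temp, or carrying a system binary name outside \WINDOWS\.
    m = re.match(r"O4 - .*?: \[(.*?)\] (.+)", line)
    if m:
        target = m.group(2).lower()
        exe = re.search(r"([\w~]+\.exe)", target)
        if "\\temp\\" in target:
            return "autostart from Temp: " + m.group(1)
        if exe and exe.group(1) in SYSTEM_BINARIES and "\\windows\\" not in target:
            return "system binary name outside Windows dir: " + exe.group(1)
    # O17: resolvers the owner never set mean every name lookup is answered by someone else.
    m = re.match(r"O17 - .*NameServer\s*=\s*(.+)", line)
    if m:
        unknown = sorted({s.strip() for s in m.group(1).split(",")} - EXPECTED_DNS)
        if unknown:
            return "unexpected DNS servers: " + ", ".join(unknown)
    return None

def triage(log_text: str):
    """Return (reason, entry) pairs for every entry that triage_line flags."""
    hits = [(triage_line(l), l.strip()) for l in log_text.splitlines()]
    return [(r, e) for r, e in hits if r]
```

Running `triage(SAMPLE_LOG)` flags the four malicious entries and leaves the ESET Run key alone; the O17 rule is the one that justifies the "malicious DNS" verdict in the reply.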
