barto0o
Poziom 6
Dołączył: 11 Wrz 2008
Posty: 19
Miasto: Ostrołęka
|
21 Maj 2009 19:25 virut sprawdzenie logów |
|
|
|
walczyłem z wirusem sality i się poddałem, zrobiłem format obu partycji, zabrałem na pendrive pojedyńcze pliki o rozszerzeniach rar, zip, txt, doc, i mdb teraz dowiedziałem się że moge mieć sality bo jest wpis:
| Cytat: |
detected NTDLL code modification:
ZwClose, ZwOpenFile |
czy to jest jednoznaczne z virutem?? nic niepokojącego się nie dzieje.
chciałem uruchomić szczepionke od symateca ale wyskakuje monit:
| Cytat: |
| symantec W32.virut removal tool 1.1.2 mast be executed from SAFE boot mode only |
log z combo
| Kod: |
ComboFix 09-05-20.A0 - Bart 2009-05-21 14:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.1023.732 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Bart\Pulpit\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.
((((((((((((((((((((((((( Pliki utworzone od 2009-04-21 do 2009-05-21 )))))))))))))))))))))))))))))))
.
2009-05-21 11:50 . 2009-05-21 11:51 -------- d-----w c:\program files\Winamp
2009-05-21 11:50 . 2009-04-02 13:21 84480 ----a-w c:\windows\system32\ff_vfw.dll
2009-05-21 11:50 . 2008-06-08 21:58 60273 ----a-w c:\windows\system32\pthreadGC2.dll
2009-05-21 11:50 . 2009-05-21 11:50 -------- d-----w c:\program files\ffdshow
2009-05-21 11:49 . 2008-12-12 22:26 178688 ----a-w c:\windows\system32\xvidvfw.dll
2009-05-21 11:49 . 2008-12-12 22:23 617984 ----a-w c:\windows\system32\xvidcore.dll
2009-05-21 11:49 . 2008-09-19 20:57 3596288 ----a-w c:\windows\system32\qt-dx331.dll
2009-05-21 11:49 . 2008-09-25 07:03 81920 ----a-w c:\windows\system32\dpl100.dll
2009-05-21 11:49 . 2008-09-25 07:03 524288 ----a-w c:\windows\system32\DivXsm.exe
2009-05-21 11:49 . 2008-10-28 21:35 684032 ----a-w c:\windows\system32\divx.dll
2009-05-21 11:49 . 2009-05-21 11:49 -------- d-----w c:\program files\Codec
2009-05-21 11:25 . 2009-05-21 11:25 1172 ----a-w c:\windows\mozver.dat
2009-05-21 11:24 . 2009-05-21 11:24 0 ----a-w c:\windows\nsreg.dat
2009-05-21 11:24 . 2009-05-21 11:24 -------- d-----w c:\documents and settings\Bart\Ustawienia lokalne\Dane aplikacji\Mozilla
2009-05-21 11:21 . 2009-05-21 11:21 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-21 11:21 . 2009-05-21 11:21 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-21 11:20 . 2009-05-21 11:20 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-21 11:20 . 2009-05-21 11:22 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-21 11:20 . 2009-05-21 11:20 -------- d-----w c:\program files\AVG
2009-05-21 11:20 . 2009-05-21 11:20 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\avg8
2009-05-21 09:42 . 2009-05-21 09:42 253688 ----a-w c:\windows\system32\cssdll32.dll
2009-05-21 09:42 . 2009-05-21 09:42 -------- d-----w c:\program files\AskBarDis
2009-05-21 09:41 . 2009-05-21 11:05 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Comodo
2009-05-21 09:41 . 2009-05-21 09:41 168208 ----a-w c:\windows\system32\guard32.dll
2009-05-21 09:41 . 2009-05-21 09:41 132640 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-05-21 09:41 . 2009-05-21 09:41 24096 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-05-21 09:41 . 2009-05-21 09:42 -------- d-----w c:\program files\COMODO
2009-05-21 09:37 . 2004-08-03 21:07 6400 -c--a-w c:\windows\system32\dllcache\splitter.sys
2009-05-21 09:37 . 2004-08-03 21:07 6400 ----a-w c:\windows\system32\drivers\splitter.sys
2009-05-21 09:37 . 2004-08-03 21:15 82944 -c--a-w c:\windows\system32\dllcache\wdmaud.sys
2009-05-21 09:37 . 2004-08-03 21:15 82944 ----a-w c:\windows\system32\drivers\wdmaud.sys
2009-05-21 09:37 . 2004-08-03 21:07 52864 -c--a-w c:\windows\system32\dllcache\dmusic.sys
2009-05-21 09:37 . 2004-08-03 21:07 52864 ----a-w c:\windows\system32\drivers\DMusic.sys
2009-05-21 09:19 . 2009-05-21 09:19 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\CyberLink
2009-05-21 09:19 . 2009-05-21 09:19 -------- d-----w c:\program files\CyberLink
2009-05-21 09:19 . 2009-05-21 09:19 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-21 09:05 . 2009-05-21 09:05 -------- d-s---w c:\documents and settings\Bart\UserData
2009-05-21 09:02 . 2004-10-13 09:56 462212 ----a-w c:\windows\system32\drivers\SkyNET.sys
2009-05-21 08:57 . 2009-05-21 08:57 21361 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-05-21 08:57 . 2008-01-15 19:50 459520 ----a-w c:\windows\system32\drivers\rt73.sys
2009-05-21 08:57 . 2005-11-30 09:33 2048 ----a-w c:\windows\system32\rt73.bin
2009-05-21 08:57 . 2009-05-21 08:57 -------- dc----w c:\windows\system32\DRVSTORE
2009-05-21 08:57 . 2009-05-21 08:57 -------- d-----w c:\program files\EDIMAX
2009-05-21 08:57 . 2009-05-21 08:57 -------- d-----w c:\documents and settings\Bart\Dane aplikacji\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 09:36 . 2009-05-21 09:36 -------- d-----w c:\program files\C-Media 3D Audio
2009-05-21 09:19 . 2009-05-20 21:53 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-21 09:06 . 2001-10-26 16:15 49492 ----a-w c:\windows\system32\perfc015.dat
2009-05-21 09:06 . 2001-10-26 16:15 355486 ----a-w c:\windows\system32\perfh015.dat
2009-05-21 08:56 . 2009-05-20 21:52 -------- d-----w c:\program files\RALINK
2009-05-20 21:47 . 2009-05-20 21:47 12328 ----a-w c:\documents and settings\Bart\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-05-20 21:39 . 2009-05-20 21:39 -------- d-----w c:\program files\microsoft frontpage
2009-05-20 21:38 . 2001-07-21 22:36 67 --sha-w c:\windows\Fonts\desktop.ini
2009-05-20 21:38 . 2009-05-20 21:37 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-20 21:37 . 2009-05-20 21:37 -------- d-----w c:\program files\Usługi online
2009-05-20 21:35 . 2009-05-20 21:35 21856 ----a-w c:\windows\system32\emptyregdb.dat
2008-12-18 00:26 . 2009-05-21 11:24 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-18 00:26 . 2009-05-21 11:24 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-18 00:26 . 2009-05-21 11:24 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-18 00:26 . 2009-05-21 11:24 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-18 00:26 . 2009-05-21 11:24 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
------- Sigcheck -------
[-] 2008-06-02 07:14 1548288 64FF4E77CF31132734C42C90B4839FBA c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 13:20 279944 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2009-05-21 278264]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-05-21 1794320]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-21 1947928]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Wireless Utility.lnk - c:\program files\EDIMAX\Common\RaUI.exe [2009-5-21 716800]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-21 11:21 11952 ----a-w c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\cssdll32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-05-21 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-05-21 108552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-05-21 132640]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-05-21 24096]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-05-21 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-21 298776]
R3 SKYNET;TechniSat DVB-PC TV Star PCI;c:\windows\system32\drivers\SkyNET.sys [2009-05-21 462212]
.
- - - - USUNIĘTO PUSTE WPISY - - - -
HKLM-Run-Cmaudio - cmicnfg.cpl
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.onet.pl/
FF - ProfilePath - c:\documents and settings\Bart\Dane aplikacji\Mozilla\Firefox\Profiles\w3qwgeh1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 14:05
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'lsass.exe'(1144)
c:\windows\system32\guard32.dll
- - - - - - - > 'explorer.exe'(3292)
c:\windows\system32\guard32.dll
.
Czas ukończenia: 2009-05-21 14:06
ComboFix-quarantined-files.txt 2009-05-21 12:06
Przed: 5 672 345 600 bajtów wolnych
Po: 5 761 220 608 bajtów wolnych
146 |
log z HJT
| Kod: |
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:06:36, on 2009-05-21
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\EDIMAX\Common\RaUI.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Wireless Utility.lnk = C:\Program Files\EDIMAX\Common\RaUI.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
--
End of file - 3306 bytes |
log z drweb
| Kod: |
A0001255.bat;C:\System Volume Information\_restore{2210F109-3F97-4A82-83A2-5CFE292355DC}\RP6;Prawdopodobnie BATCH.Virus;Usunięty.;
A0001335.bat;C:\System Volume Information\_restore{2210F109-3F97-4A82-83A2-5CFE292355DC}\RP6;Prawdopodobnie BATCH.Virus;Usunięty.;
A0001363.exe/data002\32788R22FWJFW\FIND3M.bat;C:\System Volume Information\_restore{2210F109-3F97-4A82-83A2-5CFE292355DC}\RP6\A0001363.exe/data002;Prawdopodobnie BATCH.Virus;;
data002;C:\System Volume Information\_restore{2210F109-3F97-4A82-83A2-5CFE292355DC}\RP6;Archiwum zawierające zainfekowane obiekty;;
A0001363.exe;C:\System Volume Information\_restore{2210F109-3F97-4A82-83A2-5CFE292355DC}\RP6;Kontener zawiera zainfekowane obiekty;Przeniesiony.;
dhvud.exe;F:\;Win32.Sector.19;Wyleczony.; |
| Moderowano przez Ari2k5: |
http://www.elektroda.pl/rtvforum/topic1044160.html
Kosz. |
|
|
