Dzisiaj, zaraz po uruchomieniu kompa uruchomiło się 15 iexplore.exe i 2 winlogon.exe przy czym jeden systemowy a drugi użytkownika - będę działał wg. waszych wskazówek
Dodano po 3 [minuty]:
To jest log ze skanowania, mi osobiście nic to nie mówi.
Logfile of HijackThis v1.99.1
Scan saved at 09:06:58, on 10-01-2006
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inet20001\winlogon.exe
E:\Narzędzia\Winamp\winampa.exe
C:\WINDOWS\batserv2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\inet20001\mm4.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\sysc.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\taskmgr.exe
E:\Różne\Download\hijackthis\hijackthis.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Give4Free Plugin Installer - {208E7E77-507A-4649-B0C9-D39E9049C7A2} - C:\Program Files\Give4Free Plugin\ibho1.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Narzędzia\Winamp\winampa.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKLM\..\Run: [BatSrv] C:\WINDOWS\batserv2.exe
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) -
http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) -
http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) -
https://www.bph.pl/pi/components/SignActivX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) -
http://67.15.101.3/g_bin/pl/billard8_2_0_0_24.cab
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
Dodano po 40 [minuty]:
Teraz już wiem, że drugi winlogon zadomowił się w folderze C:\WINDOWS\inet20001
są tam następujące pliki:
3.00.12.dll - rozszerzenie aplikacji
3.00.13.dll - rozszerzenie aplikacji
mm4.exe.bak - plik BAK
mm.pid - plik PID
services - aplikacja
winelf - dok tekstowy
winlogon - aplikacja
Avast za każdym razem usuwa mi te piki i znowu się pojawiają. Strona werboot.com nie otwiera się - pokazuje się komunikat, że internet explorer nie może pobrać albo otworzyć strony. Nawet Wirtualnej Polski nie chce otwierać tylko Oneta.
To mi wykrył virusscaner:
File: services.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 561bdaccd07cbc015e4f0ea0d8e3212e
Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
Scanner results
AntiVir Found Trojan/Dldr.CWS.ARQ.2
ArcaVir Found Trojan.Downloader.Cws.U
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Downloader.BQ
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.5656
F-Prot Antivirus Found W32/Downloader.MBV
Fortinet Found W32/Dloader.AQV!tr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.CWS.u
NOD32 Found a variant of Win32/TrojanDownloader.CWS
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.CWS.u
File: 3.00.12.dll
Status: INFECTED/MALWARE
MD5 478222b68bb19e83fe825bdc37750231
Packers detected: UPX
Scanner results
AntiVir Found Adware-Spyware/CWS.BHO.dll adware
ArcaVir Found Trojan.Startpage.Hp.J02
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Adware.Ihbo
F-Prot Antivirus Found nothing
Fortinet Found Adware/BHO
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Ihbo.gen
NOD32 Found Win32/Adware.IHBO application
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found AdWare.Win32.Ihbo.gen
File: 3.00.13.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 c3135961b640aa7bf38faa9fb2416050
Packers detected: UPX
Scanner results
AntiVir Found Adware-Spyware/CWS.BHO.dll adware
ArcaVir Found Trojan.Startpage.Hp.J02
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.QLowZones.A4
ClamAV Found nothing
Dr.Web Found Adware.Ihbo
F-Prot Antivirus Found nothing
Fortinet Found Adware/QLowZones
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Ihbo.gen
NOD32 Found Win32/Adware.IHBO application
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found AdWare.Win32.Ihbo.gen
CWShredder usuną - CWS Yexe