log.txt

A virus that closes web pages, blocks registry editing, etc.

Some persistent virus has attacked me. It disables my Task Manager ("Task Manager has been disabled by your administrator") and the registry editor ("Registry editing has been disabled by your network administrator"); as soon as I install HijackThis and run it, it deletes it straight away with no error, it just deletes it (I found a workaround: if you rename HijackThis to, for example, hihihi.exe, it starts and works), and it won't let me visit sites about antivirus software, viruses, virus encyclopedias and the like. I found this page: http://forum.gazeta.pl/forum/72,2.html?f=430&w=72073301&a=73225936 . Some user had an identical case; I read a bit, but those tips don't help me at all, because no program, neither in DOS nor normally, sees any additional partition. Fortunately ComboFix works without problems; the log is attached. I'll add that the virus shows up on two computers (we have 2 at home connected to a router).


ComboFix 09-03-06.02 - xp 2009-03-10 19:59:22.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.511.260 [GMT 1:00]
Uruchomiony z: c:\documents and settings\xp\Pulpit\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\windows\regedit.com
c:\windows\spolis.exe
c:\windows\system32\CC.dll
c:\windows\system32\cmd.com
c:\windows\system32\LeChucK.exe
c:\windows\system32\LeChucK.hta
c:\windows\system32\zip32.dll

.
((((((((((((((((((((((((( Files created from 2009-02-10 to 2009-03-10 )))))))))))))))))))))))))))))))
.

2009-03-10 19:55 . 2009-03-10 19:55 291 --a------ C:\fix.reg
2009-03-10 18:55 . 2009-03-10 18:55 63 --a------ C:\fix.bat
2009-03-04 16:17 . 2009-03-04 16:16 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-03 17:36 . 2009-03-03 18:51 <DIR> d-------- c:\program files\English Translator 3
2009-02-25 10:23 . 2009-02-25 10:28 <DIR> d-------- C:\Nowy folder
2009-02-24 14:11 . 2009-02-24 14:11 685,576 --a------ c:\windows\unins000.exe
2009-02-24 14:11 . 2009-02-24 14:11 9,034 --a------ c:\windows\unins000.dat
2009-02-24 10:10 . 2009-02-24 10:10 544,256 --a------ c:\documents and settings\xp\Sound.dll
2009-02-24 10:10 . 2009-02-24 10:10 207,360 --a------ c:\documents and settings\xp\Gui.dll
2009-02-24 10:10 . 2009-02-24 10:09 33,280 --a------ c:\documents and settings\xp\KKSInfo.exe
2009-02-24 10:10 . 2009-02-24 10:10 32,768 --a------ c:\documents and settings\xp\Interop.ShockwaveFlashObjects.dll
2009-02-24 10:10 . 2009-02-24 10:09 28,672 --a------ c:\documents and settings\xp\AxInterop.ShockwaveFlashObjects.dll
2009-02-24 10:10 . 2009-02-24 10:09 19,968 --a------ c:\documents and settings\xp\Business.dll
2009-02-24 10:10 . 2009-02-24 10:09 10,240 --a------ c:\documents and settings\xp\AutoUpdate.dll
2009-02-24 10:10 . 2009-02-24 10:09 5,120 --a------ c:\documents and settings\xp\Common.dll
2009-02-15 12:18 . 2009-02-15 20:52 <DIR> d-------- c:\program files\Nowe Gadu-Gadu
2009-02-14 19:49 . 2009-02-14 19:49 50 --a------ c:\windows\MegaManager.INI
2009-02-14 19:28 . 2009-02-16 18:43 <DIR> d-------- c:\program files\MegauploadToolbar
2009-02-14 19:28 . 2009-02-14 19:28 <DIR> d-------- c:\documents and settings\xp\Dane aplikacji\MegauploadToolbar
2009-02-14 19:28 . 2009-02-14 19:28 <DIR> d-------- c:\documents and settings\xp\Dane aplikacji\Megaupload
2009-02-14 19:28 . 2009-02-14 19:28 <DIR> d-------- c:\documents and settings\xp\Dane aplikacji\EmailNotifier
2009-02-14 19:28 . 2009-02-14 19:28 <DIR> d-------- c:\documents and settings\All Users\Dane aplikacji\Megaupload
2009-02-14 19:28 . 2009-02-14 19:28 <DIR> d-------- c:\documents and settings\All Users\Dane aplikacji\EmailNotifier
2009-02-10 17:26 . 2009-02-17 18:04 <DIR> d-------- c:\program files\Common Files\Panda Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-10 18:57 --------- d-----w c:\documents and settings\xp\Dane aplikacji\Skype
2009-03-10 18:02 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab
2009-03-10 17:20 --------- d-----w c:\program files\Panda Security
2009-03-10 16:46 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin
2009-03-10 16:29 --------- d-----w c:\documents and settings\xp\Dane aplikacji\skypePM
2009-03-05 20:58 --------- d-----w c:\documents and settings\xp\Dane aplikacji\Vso
2009-03-04 15:16 --------- d-----w c:\program files\Java
2009-02-16 15:46 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-16 14:49 --------- d-----w c:\program files\microsoft frontpage
2009-02-15 11:20 --------- d-----w c:\documents and settings\xp\Dane aplikacji\Nowe Gadu-Gadu
2009-02-09 14:31 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-05 20:40 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\sentinel
2009-02-05 20:36 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Symantec
2009-02-05 19:45 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Installations
2009-01-31 16:52 --------- d-----w c:\program files\Microsoft.NET
2009-01-30 19:45 --------- d-----w c:\program files\EA GAMES
2009-01-25 16:04 --------- d-----w c:\program files\Common Files\Adobe
2009-01-24 18:07 --------- d-----w c:\program files\Gadu-Gadu
2009-01-17 07:30 --------- d-----w c:\documents and settings\xp\Dane aplikacji\Cream Software
2008-10-01 19:52 87,608 ----a-w c:\documents and settings\xp\Dane aplikacji\ezpinst.exe
2008-10-01 19:52 47,360 ----a-w c:\documents and settings\xp\Dane aplikacji\pcouffin.sys
2007-09-10 14:57 102,840 --sha-r c:\windows\system32\wins.exe
.

((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-07-14 1961984]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-16 1164912]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 1941784]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 87584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"GamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-02-14 380928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-04 136600]
"nwiz"="nwiz.exe" [2007-04-19 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-02-18 278528]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"disabletaskmgr"= 0

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"aux1"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2004-05-06 11:13 221696 c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-06-21 18:14 35328 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Tlen.pl\\tlen.exe"=
"c:\\Documents and Settings\\All Users\\Dane aplikacji\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\Polish\\setup.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\java.exe"=
"c:\\Documents and Settings\\All Users\\Dane aplikacji\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\Polish\\setup.exe"=
"c:\\Program Files\\EA Sports\\FIFA 09\\FIFA09.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:Fire
"3658:UDP"= 3658:UDP:fifa
"9570:UDP"= 9570:UDP:fifa1
"443:TCP"= 443:TCP:fifa3
"3659:TCP"= 3659:TCP:fifa4
"30440:TCP"= 30440:TCP:fifa5
"30441:TCP"= 30441:TCP:fifa
"30443:TCP"= 30443:TCP:fifa
"30442:TCP"= 30442:TCP:fifa
"30444:TCP"= 30444:TCP:fifa
"30445:TCP"= 30445:TCP:fifa
"30446:TCP"= 30446:TCP:fifa
"30447:TCP"= 30447:TCP:fifa
"30448:TCP"= 30448:TCP:fifa
"30449:TCP"= 30449:TCP:fifa
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S3 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.SYS [2000-06-29 3584]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [2009-01-09 3567]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78879a2b-19e3-11dd-bb58-00e04d2813c1}]
\Shell\AutoRun\command - F:\-.exe
\Shell\explore\Command - F:\-.exe
\Shell\open\Command - F:\-.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []
.
.
------- Supplementary scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = socks=
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} -
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\xp\Dane aplikacji\Mozilla\Firefox\Profiles\zocfqslt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - elektroda.pl/rtvforum/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks -
FF - user.js: network.proxy.socks_port - 0
.
.
------- File associations -------
.
batfile=c:\windows\system32\wins.exe "%1" %*
cmdfile=c:\windows\system32\wins.exe "%1" %*
comfile=c:\windows\system32\wins.exe "%1" %*
exefile=c:\windows\system32\wins.exe "%1" %*
piffile=c:\windows\system32\wins.exe "%1" %*
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-10 20:02:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG08.00.00.01WORKSTATION"="…"
.
--------------------- DLLs loaded under running processes ---------------------

- - - - - - - > 'lsass.exe'(688)
c:\windows\system32\relog_ap.dll
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\qoobox\Quarantine\C\WINDOWS\system32\LeChucK.exe.vir
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\ATKKBService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\oodag.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-10 20:05:35 - machine was rebooted [xp]
ComboFix-quarantined-files.txt 2009-03-10 19:05:20
ComboFix2.txt 2009-03-10 13:01:42

Pre-Run: 187,457,536 bytes free
Post-Run: 263,102,464 bytes free

232 --- E O F --- 2009-02-10 16:43:30

