win32/nuwar worm . adirka.dll file
Please advise.. what should I do with it.. NOD reports it but I can't get rid of it..
- fredik
- Security team member
Post a HijackThis log here.
Logfile of HijackThis v1.99.1
Scan saved at 20:11:56, on 12.3.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Gigabyte\ET5\GUI.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\adirss.exe
C:\WINDOWS\system32\lnwin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\adirka.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\T-Tor\Plocha\new Programy\Wolf's Profi Miranda-Pack v1.3.0\miranda32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\T-Tor\Plocha\Nová složka\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.atlas.cz/?from=icqhp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.175.95.171:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
after a bit of reading.. I'll also post here what I got from the web
Complete scanning result of "adirka.exe", received in VirusTotal at 03.12.2007, 20:16:17 (CET).
Antivirus Version Update Result
AntiVir 7.3.1.41 03.12.2007 TR/Small.DBY.AK
Authentium 4.93.8 03.09.2007 no virus found
Avast 4.7.936.0 03.12.2007 no virus found
AVG 7.5.0.447 03.12.2007 no virus found
BitDefender 7.2 03.12.2007 Trojan.Peed.JZ
CAT-QuickHeal 9.00 03.12.2007 no virus found
ClamAV devel-20060426 03.12.2007 no virus found
DrWeb 4.33 03.12.2007 Trojan.Packed.51
eSafe 7.0.14.0 03.12.2007 Suspicious Trojan/Worm
eTrust-Vet 30.6.3472 03.12.2007 Win32/Sinteri.BE
Ewido 4.0 03.12.2007 no virus found
FileAdvisor 1 03.12.2007 no virus found
Fortinet 2.85.0.0 03.12.2007 suspicious
F-Prot 4.3.1.45 03.09.2007 no virus found
F-Secure 6.70.13030.0 03.12.2007 Email-Worm.Win32.Zhelatin.bf
Ikarus T3.1.1.3 03.12.2007 no virus found
Kaspersky 4.0.2.24 03.12.2007 Email-Worm.Win32.Zhelatin.bf
McAfee 4982 03.12.2007 no virus found
Microsoft 1.2306 03.12.2007 Worm:Win32/Nuwar.gen
NOD32v2 2109 03.12.2007 Win32/Nuwar.gen
Norman 5.80.02 03.12.2007 no virus found
Panda 9.0.0.4 03.12.2007 no virus found
Prevx1 V2 03.12.2007 Downloader.Drev.A
Sophos 4.15.0 03.12.2007 no virus found
Sunbelt 2.2.907.0 03.10.2007 VIPRE.Suspicious
Symantec 10 03.12.2007 Trojan.Packed.13
TheHacker 6.1.6.074 03.12.2007 no virus found
UNA 1.83 03.12.2007 no virus found
VBA32 3.11.2 03.12.2007 no virus found
VirusBuster 4.3.19:9 03.12.2007 Trojan.Tibs.Gen!Pac.68
- fredik
- Security team member
There's a bit more in there:
In Task Manager (press ctrl+alt+delete at the same time; a window opens, switch to the Processes tab in it) end these:
adirss.exe
lnwin.exe
adirka.exe
Run HijackThis again and tick the boxes in front of these lines:
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
once ticked, click the Fix Checked button
then find and delete the files marked in red:
C:\WINDOWS\system32\adirss.exe
C:\WINDOWS\system32\lnwin.exe
C:\WINDOWS\system32\adirka.exe
Download Mwav. Update it and run a scan using the Scan & Clean button (you must not have the Scan Only option ticked). It removes whatever it finds. After the scan it may ask for a restart, so allow it.
Then post a new HJT log here and say whether everything worked.
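As an added example (not code from this thread, from HijackThis or from Mwav): a small Python triage script that reads a HijackThis log and derives the three steps of the procedure above (processes to end, O4 autostart lines to fix, files to delete) from a list of suspect file names. The embedded log excerpt is constructed from lines posted in this thread, and the suspect names are the ones fredik lists; any other log would be parsed the same way.

```python
# Added example for this thread: turn a HijackThis log plus a list of suspect
# file names into the end-process / fix-O4 / delete-file plan used above.
import ntpath
import re
from typing import Dict, Iterable, List

# File names the thread attributes to the Nuwar/Zhelatin infection (input, not a full list).
SUSPECT_NAMES = {"adirss.exe", "lnwin.exe", "adirka.exe"}

# Constructed excerpt of the log posted in the thread (a few lines per section).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\adirss.exe
C:\WINDOWS\system32\lnwin.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\adirka.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - HKLM\..\Run: [value name] command line" as HijackThis prints it.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Any "Xn - ..." line starts a HijackThis section and therefore ends the process list.
SECTION_RE = re.compile(r"^[A-Z]\d* - ")
QUOTED_RE = re.compile(r'^"([^"]+)"')
UNQUOTED_RE = re.compile(r"^(.*?\.(?:exe|dll|com|bat|cmd|scr))(?=\s|,|$)", re.I)


def executable_of(cmd: str) -> str:
    """Program an O4 command line launches: the quoted path if present, else the
    text up to the first executable extension ('RUNDLL32.EXE x.dll,Entry' -> RUNDLL32.EXE)."""
    m = QUOTED_RE.match(cmd)
    if m:
        return m.group(1)
    m = UNQUOTED_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def running_processes(log: str) -> List[str]:
    """Paths listed under 'Running processes:' up to the first section line."""
    procs: List[str] = []
    in_list = False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            in_list = True
            continue
        if in_list:
            if not line.strip() or SECTION_RE.match(line):
                break
            procs.append(line.strip())
    return procs


def plan_cleanup(log: str, suspects: Iterable[str]) -> Dict[str, List[str]]:
    """Match process and O4 autostart entries against suspect file names and
    return the plan in the order the thread applies it."""
    wanted = {s.lower() for s in suspects}
    files: Dict[str, str] = {}  # lower-cased path -> path as written in the log
    procs = [p for p in running_processes(log) if ntpath.basename(p).lower() in wanted]
    for p in procs:
        files.setdefault(p.lower(), p)
    o4_lines: List[str] = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        if ntpath.basename(exe).lower() in wanted:
            o4_lines.append(line.strip())
            files.setdefault(exe.lower(), exe)
    return {
        "processes_to_end": [ntpath.basename(p) for p in procs],
        "o4_lines_to_fix": o4_lines,
        "files_to_delete": sorted(files.values(), key=str.lower),
    }


if __name__ == "__main__":
    for step, items in plan_cleanup(SAMPLE_LOG, SUSPECT_NAMES).items():
        print(step + ":", *items, sep="\n    ")
```

The script only reports; it does not kill processes or delete anything, so it can be run against a log copied from another machine.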
help.. that Mwav found a really lot, what should I do with it aaaaaa
by the way.. it's bad, I've already had a blue screen of death twice..
this is everything the scan found:
File C:\WINDOWS\system32\rsvp32_2.dll infected by "Email-Worm.Win32.Zhelatin.al" Virus! Action Taken: No Action Taken.
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "savenow Adware" found in File System! Action Taken: No Action Taken.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken.
Entry "HKCR\ICQPhone.SipxPhoneManager" refers to invalid object "{82308D15-1A2C-416A-A5BE-21DAF85DDB75}". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\NMUIEngine.NMUIResourceLoaderHarddisk" refers to invalid object "{03DC5606-EA66-4f02-AB52-2065524B03821}". Action Taken: No Action Taken.
Entry "HKCR\vmappsdk.MksCompatCtl.9" refers to invalid object "{7DABFF61-6A84-4E64-908D-C662E2C4102A}". Action Taken: No Action Taken.
Entry "HKCR\VSEditorFactory.VsEditorFactory.1" refers to invalid object "{CB3FCF01-03DF-11D1-81D2-00A0C91BBEE3}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\pxwma.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\pxcpyi64.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\All Users\Nabídka Start\Programy\Sunbelt Software\Personal Firewall\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\All Users\Nabídka Start\Programy\Sunbelt Software\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\All Users\Nabídka Start\Programy\USB Flash Disk Utility\". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".120". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".mds". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".part". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".Strdb00p". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{847FDA01-ABB2-431D-9CB5-5C888D76E5A6}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{FFFF6D5C-E2F1-4B40-BC89-8923312E89EB}}_is1". Action Taken: No Action Taken.
File C:\WINDOWS\pp.exe infected by "Email-Worm.Win32.Zhelatin.bf" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\via.exe infected by "Email-Worm.Win32.Zhelatin.bf" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\dd.exe infected by "Email-Worm.Win32.Zhelatin.bf" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\rsvp32_2.dll infected by "Email-Worm.Win32.Zhelatin.al" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\sm.exe infected by "Email-Worm.Win32.Zhelatin.bf" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\via.exe infected by "Email-Worm.Win32.Zhelatin.bf" Virus! Action Taken: No Action Taken.
- fredik
- Security team member
The item didn't show up in the log, but to be safe try this:
Download LSPFix and run it.
In the window, tick the box next to the option I know what I'm doing and the arrows between the panes will become active. Then in the left pane at the bottom, select (highlight) the entry named rsvp32_2.dll and move it to the right pane with the >> arrows. When you have that, click the Finish button at the bottom. But careful, you must not move anything else, because you could break your internet connection. It probably won't be there.
If you set up Mwav the way I described, it should remove those files itself. See the picture, the items marked in red.
Of course you can have the disk check enabled; take this only as an informational aid.
If Mwav doesn't remove those files, we'd have to remove them another way. You still haven't said anything about that adirka.dll file.
- fredik
- Security team member
I have to go for today; if nobody else takes you over, we'll finish this later. Some files you may not see even if you have display of hidden and system files enabled.
Does NOD tell you the file is infected, or what did you mean by warning? And is it adirka.dll or adria.dll?
If so, post the exact file names and their locations here and say whether Mwav deleted everything.