Prośba o sprawdzenie loga

[sZeNio 0]

Mój system (Win XP Pro SP2) jest już stary, ale narazie działa i nie narzekam. Niestety ostatnio skaner mks wykrywa mi trojany/robale w plikach systemowych m.in. w userinit.exe. Prosiłbym o sprawdzenie moich logów, ponieważ sam się na tym nie znam. Prosiłbym też o rady co i jak usunąć.

 

Jeszcze przy okazji: Po tym jak uszkodziła się moja poczciwa karta GF 6600 GT byłem zmuszony pożyczyć starego Radeona 7000. Po zainstalowaniu sterowników ATI okazało się, że nie mogę nic ustawić, bo nie mam uprawnień administartora... Omegi pomogły. Sterowniki ATI wymagały zainstalowania Net Framework mimo, iż to miałem przez cały czas. Po tych instalacjach mks w kilku plikach systemowych (w tym w instalce Framework) znaduje trojany i robale... Czyżby ATI dało d*py?

 

Teraz do rzeczy:

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 00:34:58, on 2008-08-27
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ULI5289\ALi5289.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Instalki\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ALi5289] C:\Program Files\ULI5289\ALi5289.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.mks.com.pl
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com.pl/resources/virusscanner/kavwebscan_unicode.cab
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe

 

ComboFix:

ComboFix 08-08-26.01 - k 2008-08-27  0:18:12.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.261 [GMT 2:00]
Running from: C:\Documents and Settings\k\Pulpit\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\k\Dane aplikacji\macromedia\Flash Player\#SharedObjects\ZJ2Y6NBZ\bin.clearspring.com
C:\Documents and Settings\k\Dane aplikacji\macromedia\Flash Player\#SharedObjects\ZJ2Y6NBZ\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\k\Dane aplikacji\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\k\Dane aplikacji\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\WINDOWS\system32\alog.txt
C:\WINDOWS\system32\cmds.txt
C:\WINDOWS\system32\cs.dat
C:\WINDOWS\system32\file.exe
C:\WINDOWS\system32\hi.sfc
C:\WINDOWS\system32\ps1.dat
C:\WINDOWS\system32\rc.dat
C:\WINDOWS\system32\tkcom32.dll

.
(((((((((((((((((((((((((   Files Created from 2008-07-26 to 2008-08-26  )))))))))))))))))))))))))))))))
.

2008-08-23 22:29 . 2008-08-23 22:29	<DIR>	d--------	C:\Program Files\MultiRes
2008-08-23 22:29 . 2004-09-15 21:10	516,096	---------	C:\WINDOWS\system32\ati2sgag.exe
2008-08-23 22:28 . 2008-08-23 22:28	<DIR>	d--------	C:\Program Files\Radeon Omega Drivers
2008-08-23 22:28 . 2008-08-23 22:28	451,072	--a------	C:\WINDOWS\Radeon Omega Drivers v3.8.252 Uninstall.exe
2008-08-23 22:00 . 2008-08-23 22:19	<DIR>	d--------	C:\Documents and Settings\k\Dane aplikacji\ATI
2008-08-23 21:45 . 2008-08-23 21:45	<DIR>	d--------	C:\ATI

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 20:34	1,273	----a-w	C:\WINDOWS\system32\drivers\fwdrv.err
2008-08-23 19:46	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-08-16 20:05	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-08-11 17:07	---------	d-----w	C:\Documents and Settings\k\Dane aplikacji\Skype
2008-07-25 21:56	---------	d-----w	C:\Program Files\Fraps
2008-07-19 21:40	---------	d-----w	C:\Program Files\Easy RealMedia Tools
2008-07-17 21:41	---------	d-----w	C:\Program Files\LightZone 3
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44 15360]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-02-17 15:03 2396160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALi5289"="C:\Program Files\ULI5289\ALi5289.exe" [2005-03-10 15:56 405504]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-09 00:00 128920]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 18:35 32768]
"Anti-Blaxx Manager"="C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe" [2005-05-18 17:08 208896]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 18:01 68096 C:\WINDOWS\SOUNDMAN.EXE]
"AtiPTA"="atiptaxx.exe" [2006-02-22 02:05 344064 C:\WINDOWS\system32\atiptaxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DIV3"= DivXc32.dll
"VIDC.DIV4"= DivXc32f.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"VIDC.MPG4"= msmpeg4.dll
"VIDC.MP42"= msmpeg4.dll
"VIDC.MP43"= msmpeg4.dll
"msacm.l3fhg"= mp3fhg.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sunbelt Software\\Personal Firewall 4\\kpf4gui.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"E:\\Gry\\EA GAMES\\Need for Speed Underground 2\\speed2.exe"=
"C:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"E:\\Gry\\EA GAMES\\Need for Speed Most Wanted\\speed.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"E:\\Gry\\Call of Duty\\CoDMP.exe"=
"C:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"RemoteAddresses"= *
"Enabled"= 1 (0x1)

R0 JAHCI;JAHCI;C:\WINDOWS\system32\DRIVERS\JAHCI.sys [2005-10-25 05:35]
R0 m5289;m5289;C:\WINDOWS\system32\DRIVERS\m5289.sys [2004-12-01 11:49]
R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys [2005-05-03 18:31]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2005-12-15 18:13]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2005-12-15 18:01]
R2 NwSapAgent;Agent SAP;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:44]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 21:36]
S1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\atitray.sys []
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2006-02-17 21:34]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2006-02-17 21:34]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2006-02-17 21:34]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2006-02-17 21:34]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2006-02-17 21:34]
S3 ntportio;ntportio;C:\DOCUME~1\k\USTAWI~1\Temp\Rar$EX03.266\ntportio.sys []
S3 SER120;OTI Serial port driver;C:\WINDOWS\system32\DRIVERS\SER120.sys [2005-03-22 04:03]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.pl/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&ksport do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} - hxxp://arcaonline.arcabit.com/ArcaOnline.cab
C:\WINDOWS\Downloaded Program Files\ArcaOnline.inf
C:\WINDOWS\system32\ArcaMicroScanUpdater.exe
C:\WINDOWS\system32\ArcaOnlineUninstall.exe

O16 -: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} - hxxp://mks.com.pl/skaner/SkanerOnline.cab
C:\WINDOWS\Downloaded Program Files\SkanerOnline.inf
C:\WINDOWS\system32\SkanerOnlineUninstall.exe

O16 -: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
C:\WINDOWS\Downloaded Program Files\SkanerOnline.inf
C:\WINDOWS\system32\SkanerOnlineUninstall.exe
C:\WINDOWS\system32\SkanerOnline.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 00:23:22
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-27  0:25:30
ComboFix-quarantined-files.txt  2008-08-26 22:25:23

Pre-Run: 849,514,496 bajtów wolnych
Post-Run: 895,590,400 bajtów wolnych

146

 

Pozdrawiam i z góry dziękuję za pomoc .

[Sabathus 0]

www.hijackthis.de

[DhanOS 65]

Czy ja dobrze widzę, że nie masz żadnego aktywnego skanera antywirusowego?

Czas się na jakiś w końcu zdecydować.

Log czysty.

Ati niczego nie dało Pliki zostały zarażone po instalacji.

Jak już będziesz miał antywirusa który Cię będzie chronił i zrobisz dokładne skanowanie systemu, uruchom polecenie sfc /scannow (sprawdzi pliki systemowe i ew. poprosi o płytę aby przywrócić właściwe).

 

 

Pozdrawiam.