رضاانزلي
06-02-2010, 11:53
Hello friends,
On one of the systems on our network a virus named w32.fujacks.ce!inf has got in. Symantec and Mac detect it, clean it once and delete it once, but it still messes up Windows and gives the message "Schost.exe, lsasc.exe cannot read memory...". ComboFix couldn't do anything either. Please show me a way. Thanks.
picher_s
06-02-2010, 12:04
Greetings
How are you, buddy?!!
Is your institution doing well?!
OK, after running ComboFix, paste the text of the log here.
Then install Avira as well.
amd>intel
06-02-2010, 12:22
You can also remove it with McAfee Stinger.
رضاانزلي
08-02-2010, 14:06
ComboFix log:
ComboFix 10-02-01.02 - Administrator 02/08/2010 8:19.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1256.981.1033.18.959.400 [GMT 3.5:30]
Running from: f:\anti viruse\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\c.exe
c:\windows\kb913800.exe
c:\windows\system32\asycfilt.dllkLMYS
c:\windows\system32\c_30218.nls
c:\windows\system32\cryptcom.dll
c:\windows\system32\dllcache\asycfilt.dllkLMYS
c:\windows\system32\dllcache\dsound.dllIExRj
c:\windows\system32\drivers\dHook.sys
c:\windows\system32\dsound.dllIExRj
c:\windows\system32\fyddos.dll
c:\windows\system32\iscsrunsrv.dll
c:\windows\system32\t320067.dll
c:\windows\system32\t320067.ini
c:\windows\system32\t322044.dll
c:\windows\system32\t322044.ini
c:\windows\system32\t329139.dll
c:\windows\system32\t329139.ini
c:\windows\TEMP\Win_XP\Win_XP\WindowsXP-KB958644-x86-ENU.exe
D:\cconter.exe
-- Previous Run --
Infected copy of c:\windows\system32\rpcss.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\rpcss.dll
Infected copy of c:\windows\system32\rpcss.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\rpcss.dll
Infected copy of c:\windows\system32\lpk.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{C25D4C75-A720-4842-9297-DC6EC4F855A0}\RP9\A0001238.dll
Infected copy of c:\windows\system32\rpcss.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\rpcss.dll
Infected copy of c:\windows\system32\lpk.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{C25D4C75-A720-4842-9297-DC6EC4F855A0}\RP9\A0001238.dll
Infected copy of c:\windows\system32\asycfilt.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{C25D4C75-A720-4842-9297-DC6EC4F855A0}\RP9\A0001241.dll
Infected copy of c:\windows\system32\rpcss.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\rpcss.dll
Infected copy of c:\windows\system32\lpk.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{C25D4C75-A720-4842-9297-DC6EC4F855A0}\RP9\A0001238.dll
Infected copy of c:\windows\system32\asycfilt.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{C25D4C75-A720-4842-9297-DC6EC4F855A0}\RP9\A0001241.dll
Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll
--------
Infected copy of c:\windows\system32\xmlprov.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\xmlprov.dll
Infected copy of c:\windows\system32\ntmssvc.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\ntmssvc.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_BACKGROUND_SWITCH
-------\Legacy_MEDIACENTER
-------\Legacy_SLENUMHOOK2
-------\Legacy_WINDOWSREMOTE
-------\Service_BackGround switch
-------\Service_MediaCenter
-------\Service_WindowsRemote
-------\Legacy_iScsSrv
-------\Service_iScsSrv
((((((((((((((((((((((((( Files Created from 2010-01-08 to 2010-02-08 )))))))))))))))))))))))))))))))
.
2010-02-08 04:11 . 2004-08-03 23:56 22016 ----a-w- c:\windows\system32\lpk.dll
2010-02-07 05:06 . 2010-02-07 05:06 21576704 -csha-w- c:\windows\system32\dllcache\qmgr.dll
2010-02-07 05:06 . 2010-02-07 05:06 21576704 --sha-w- c:\windows\system32\qmgr.dll
2010-02-07 05:03 . 2010-02-07 05:11 -------- d-----w- c:\windows\system32\TFLKKZ7L8O
2010-02-07 04:58 . 2010-02-07 04:59 -------- d-----w- c:\windows\system32\SA4T7LX8MJ
2010-02-07 04:40 . 2004-08-03 23:56 65024 ----a-w- c:\windows\system32\asycfilt.dll
2010-02-07 04:40 . 2010-02-07 04:40 33604 ----a-w- c:\windows\system\TrJcv.DRV
2010-02-07 04:40 . 2010-02-07 04:39 36164 ----a-w- c:\windows\system\HoBjm.DRV
2010-02-07 04:38 . 2010-02-07 04:38 27136 ----a-w- c:\windows\system32\Intelproc.dll
2010-02-07 04:37 . 2010-02-07 04:37 72792 ----a-w- c:\documents and settings\NetworkService\Application Data\Dbg32.Sys
2010-02-07 04:29 . 2010-02-07 04:30 -------- d-----w- c:\windows\system32\MHFNC6IVDB
2010-02-07 04:26 . 2010-02-07 04:28 -------- d-----w- c:\windows\system32\LZUDXCLW9R
2010-02-07 03:44 . 2010-02-07 03:47 -------- d-----w- c:\windows\system32\C139BMFUG7
2010-02-07 03:41 . 2010-02-07 03:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\ACD Systems
2010-02-07 03:38 . 2010-02-07 03:42 -------- d-----w- c:\windows\system32\BFA0RP22H2
2010-02-07 03:35 . 2010-02-07 03:38 -------- d-----w- c:\windows\system32\AVZ48MPJEE
2010-02-07 03:34 . 2010-02-07 03:34 10368 --sh--w- c:\windows\bfgdc.exe
2010-02-07 03:33 . 2010-02-07 03:35 -------- d-----w- c:\windows\system32\APKR2A67A3
2010-02-07 03:29 . 2010-02-07 03:29 239959 ------w- c:\windows\system32\panp.exe
2010-02-07 03:29 . 2010-02-07 03:30 -------- d-----w- c:\windows\system32\9QDKJ9LCSP
2010-02-07 03:28 . 2010-02-07 05:02 275992 ------w- c:\windows\system32\iscslogsrv.dll
2010-02-06 13:01 . 2010-02-06 13:05 -------- d-----w- C:\My Photos
2010-02-06 10:41 . 2010-02-06 10:41 378440 ----a-w- c:\windows\system32\uvafuz.exe
2010-02-06 10:39 . 2010-02-06 10:41 -------- d-----w- c:\windows\system32\8SIQAOSXI9
2010-02-06 10:37 . 2010-02-06 10:38 -------- d-----w- c:\windows\system32\7TGC4M2WZF
2010-02-06 10:28 . 2006-07-12 11:20 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2010-02-06 10:12 . 2010-02-06 10:15 -------- d-----w- c:\windows\system32\2V606FGZ33
2010-02-06 10:08 . 2010-02-07 03:41 54784 ----a-w- c:\windows\system32\tcpsves.exe
2010-02-06 10:07 . 2010-02-06 10:09 -------- d-----w- c:\windows\system32\1SI839RYWR
2010-02-06 10:06 . 2010-02-06 10:07 -------- d-----w- c:\windows\system32\iB
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-08 04:53 . 2010-02-06 06:14 -------- d-----w- c:\program files\Symantec AntiVirus
2010-02-07 13:29 . 2010-02-06 06:14 -------- d-----w- c:\program files\Symantec
2010-02-07 12:46 . 2010-02-06 08:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Babylon
2010-02-07 04:37 . 2010-02-07 04:38 72792 ----a-w- c:\documents and settings\NetworkService\Application Data\Bug.Tmp
2010-02-06 10:28 . 2010-02-06 08:37 -------- d-----w- c:\program files\InstallShield Installation Information
2010-02-06 10:12 . 2010-02-06 09:47 -------- d-----w- c:\program files\ScannerU
2010-02-06 09:58 . 2010-02-06 09:57 -------- d-----w- c:\program files\VIA
2010-02-06 09:57 . 2010-02-06 09:57 -------- d-----w- c:\program files\S3
2010-02-06 09:57 . 2010-02-06 08:37 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-06 09:49 . 2010-02-06 09:49 -------- d-----w- c:\program files\NewSoft
2010-02-06 09:31 . 2010-02-06 09:31 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{90B5E602-1867-449D-86FD-FC9DEA4434BF}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
2010-02-06 09:31 . 2010-02-06 09:29 -------- d-----w- c:\program files\Hewlett-Packard
2010-02-06 09:30 . 2010-02-06 09:29 -------- d-----w- c:\program files\Zero G Registry
2010-02-06 09:29 . 2010-02-06 09:29 -------- d-----w- c:\program files\HP
2010-02-06 09:27 . 2010-02-06 09:27 -------- d-----w- c:\program files\Common Files\SWF Studio
2010-02-06 09:19 . 2010-02-06 09:19 -------- d-----w- c:\program files\Common Files\L&H
2010-02-06 09:19 . 2010-02-06 09:19 -------- d-----w- c:\program files\Microsoft.NET
2010-02-06 09:19 . 2010-02-06 09:19 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-02-06 09:18 . 2010-02-06 09:18 -------- d-----w- c:\program files\Microsoft Works
2010-02-06 09:11 . 2010-02-06 09:06 -------- d-----w- c:\program files\The KMPlayer
2010-02-06 09:10 . 2010-02-06 09:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\ACD Systems
2010-02-06 09:09 . 2010-02-06 09:09 -------- d-----w- c:\program files\Common Files\ACD Systems
2010-02-06 09:09 . 2010-02-06 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2010-02-06 09:09 . 2010-02-06 09:09 -------- d-----w- c:\program files\ACD Systems
2010-02-06 08:52 . 2010-02-06 08:50 -------- d-----w- c:\program files\DAP
2010-02-06 08:52 . 2010-02-06 08:52 2368 ----a-w- c:\windows\system32\SVKP.sys
2010-02-06 08:50 . 2010-02-06 08:50 50688 ----a-w- c:\windows\system32\wbhelp2.dll
2010-02-06 08:48 . 2010-02-06 08:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2010-02-06 08:48 . 2010-02-06 08:48 -------- d-----w- c:\program files\Babylon
2010-02-06 08:48 . 2010-02-06 08:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-02-06 08:47 . 2010-02-06 08:47 -------- d-----w- c:\program files\Yahoo!
2010-02-06 08:47 . 2010-02-06 08:47 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-06 08:47 . 2010-02-06 08:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\InterTrust
2010-02-06 08:39 . 2010-02-06 08:39 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-02-06 08:39 . 2010-02-06 08:38 -------- d-----w- c:\program files\CyberLink
2010-02-06 08:38 . 2010-02-06 08:37 -------- d-----w- c:\program files\JetAudio
2010-02-06 08:32 . 2010-02-06 08:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-02-06 06:15 . 2010-02-06 06:14 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-06 06:15 . 2010-02-06 06:15 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-06 06:15 . 2010-02-06 06:15 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-06 06:15 . 2010-02-06 06:15 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-06 06:15 . 2010-02-06 06:15 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-06 06:14 . 2010-02-06 06:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-06 06:02 . 2010-02-06 06:02 -------- d-----w- c:\program files\microsoft frontpage
2010-02-06 06:01 . 2010-02-06 06:01 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-06 05:59 . 2010-02-06 05:59 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-06 05:58 . 2010-02-06 05:58 -------- d-----w- c:\program files\Windows Media Connect 2
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RgmptwC.dll
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RjmktrC.dll
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RlmuthC.dll
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RqmrtmC.dll
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RtmqtfC.dll
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RwmrtsC.dll
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RwmttmC.dll
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RzmmttC.dll
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RzmotrC.dll
.
------- Sigcheck -------
[7] 2007-02-18 . 9941382A1C2289F5FB4C87D0DAACC21C . 360704 . . [5.1.2600.2956] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2007-02-18 . 2E231F82BF3BACCC360B03BE39BB0620 . 360704 . . [5.1.2600.2956] . . c:\windows\system32\drivers\tcpip.sys
[-] 2010-02-07 05:06 . DE24F1D4FF06E44F6B8D630FD5E25356 . 21576704 . . [1.0.0.1] . . c:\windows\system32\qmgr.dll
[-] 2010-02-07 05:06 . DE24F1D4FF06E44F6B8D630FD5E25356 . 21576704 . . [1.0.0.1] . . c:\windows\system32\dllcache\qmgr.dll
[-] 2004-08-03 23:56 . 873C66E52C06F7110EAC11AA7D825F40 . 249344 . . [------] . . c:\windows\system32\xmlprov.dll
[7] 2004-08-03 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\xmlprov.dll
[-] 2004-08-03 23:56 . 873C66E52C06F7110EAC11AA7D825F40 . 249344 . . [------] . . c:\windows\system32\appmgmts.dll
[7] 2004-08-03 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\appmgmts.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-08-09 4617720]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Device Detector"="DevDetect.exe -autorun" [X]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-07 125368]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 303104]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2006-05-01 890880]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 442368]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]
"VTTimer"="VTTimer.exe" [2004-01-15 49152]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 67584]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
KYESCAN.lnk - c:\progra~1\ScannerU\KYESCAN.exe [2010-2-6 172032]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
R2 BulkUsb;Genius ColorPage USB Scanner;c:\windows\system32\drivers\usbscan.sys [2010/02/06 01:17 ب.ظ 15104]
R2 fars;feas;c:\windows\system32\APKR2A67A3\J001.exe [2010/02/07 07:04 ق.ظ 73728]
R2 fuj;ilk;c:\windows\system32\1SI839RYWR\D001.exe [2010/02/06 01:37 ب.ظ 65536]
R2 gu;cf;c:\windows\system32\TFLKKZ7L8O\J001.exe [2010/02/07 08:35 ق.ظ 65536]
R2 nhfg;mgh;c:\windows\bfgdc.exe [2010/02/07 07:04 ق.ظ 10368]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2010/02/06 12:22 ب.ظ 2368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010/02/06 09:57 ق.ظ 102448]
S2 saytst;saytst;c:\windows\system32\uvafuz.exe [2010/02/06 02:11 ب.ظ 378440]
S2 TCPZ;TCP Half Open Limited Patcher ( TCP-Z);\??\c:\windows\system32\drivers\tcpz-x86d.sys --> c:\windows\system32\drivers\tcpz-x86d.sys [?]
S2 VMservices;VMservices;c:\windows\system32\panp.exe [2010/02/07 06:59 ق.ظ 239959]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007/10/07 08:48 ب.ظ 116664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iScsSrv REG_MULTI_SZ iScsSrv iSCS
nhibbwvy REG_MULTI_SZ nhibbwvy
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{LMS03AB-B707-11d2-9CBD-0000F87A369E}]
2010-02-06 10:41 274432 ----a-w- c:\program files\Microsoft Office\svchost.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://[ To view the link, please log in with your username or register ]
uInternet Settings,ProxyOverride = <local>
IE: &Download with &DAP - c:\progra~1\DAP\dapextie.htm
IE: Download &all with DAP - c:\progra~1\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {5EF5C567-4593-4747-86A9-50801BDA98D5} = 20.0.0.30,217.219.187.0
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: [ To view the link, please log in with your username or register ] - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
.
- - - - ORPHANS REMOVED - - - -
ShellExecuteHooks-{36341DC2-9E82-4F3A-BD91-92A15251AA0F} - c:\documents and settings\Administrator\Application Data\Dbg32.Sys
************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [ To view the link, please log in with your username or register ]
Rootkit scan 2010-02-08 08:23
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{5EF5C567-4593-4747-86A9-50801BDA98D5}]
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(4640)
c:\windows\system32\msi.dll
c:\program files\Babylon\Babylon-Pro\CAPTLIB.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\ACD Systems\EN\DevDetect.exe
c:\windows\system32\VTTimer.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\drwtsn32.exe
.
************************************************************************
.
Completion time: 2010-02-08 08:31:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-08 05:01
Pre-Run: 15,466,172,416 bytes free
Post-Run: 15,296,925,696 bytes free
- - End Of File - - BDFFA68F7E28FD23B9576EA7497BA5AB
saeed774
08-02-2010, 19:05
With the friends' permission,
Remove the two files from Startup that give the "not found" message. ComboFix has already removed most of the viruses for you!!
With that same Avira or Symantec, after updating, run a full scan and then run ComboFix again; your problem will be solved.
picher_s
08-02-2010, 20:23
Greetings
And with Saeed's permission, me too.
Reza khan, where is this fine system from?
I had never seen ComboFix report this many problems.
Infected copy of c:\windows\system32\asycfilt.dll was found and disinfected
Definitely replace your system files again with SFC /Scannow.
رضاانزلي
17-02-2010, 07:27
Hello, thanks. If you can help, you will have helped me a lot; tomorrow is the end of the month and I have to connect to the systems of all the branches.
By the way, the virus that Symantec detects and cleans is fujackc.ce!inf, and its site says it is related to HTML files.
AVZ log of my own PC:
Attention !!! Database was last updated 2009/08/17 it is necessary to update the bases using automatic updates (File/Database update)
>>>> Danger - the avz.exe file is changed, check of its CRC by Trusted Objects Database failed
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 2010/02/16 11:32:53 ق.ظ
Database loaded: signatures - 237476, NN profile(s) - 2, microprograms of healing - 56, signature database released 17.08.2009 20:49
Heuristic microprograms loaded: 374
SPV microprograms loaded: 9
Digital signatures of system files loaded: 134337
Heuristic analyzer mode: Medium heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=085700)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055C700
KiST = 80504450 (284)
Function NtAlertResumeThread (0C) intercepted (805D4B3A->8A89D590), hook not defined
Function NtAlertThread (0D) intercepted (805D4AEA->8A811350), hook not defined
Function NtAllocateVirtualMemory (11) intercepted (805A8A9E->8ADC50F8), hook not defined
Function NtAssignProcessToJobObject (13) intercepted (805D65FE->A87F41CC), hook C:\WINDOWS\System32\drivers\pxrts.sys
Function NtConnectPort (1F) intercepted (805A45B4->8AD620C8), hook not defined
Function NtCreateKey (29) intercepted (80623786->BA7A2A8E), hook not defined
Function NtCreateMutant (2B) intercepted (80616D52->8AB5DEF8), hook not defined
Function NtCreateThread (35) intercepted (805D0FD4->A87F4206), hook C:\WINDOWS\System32\drivers\pxrts.sys
Function NtDeleteKey (3F) intercepted (80623C16->BA7A2A93), hook not defined
Function NtDeleteValueKey (41) intercepted (80623DE6->BA7A2A9D), hook not defined
Function NtFreeVirtualMemory (53) intercepted (805B2F7E->8AB741B0), hook not defined
Function NtImpersonateAnonymousToken (59) intercepted (805F8A32->8AB65F90), hook not defined
Function NtImpersonateThread (5B) intercepted (805D77BE->8AAC26A8), hook not defined
Function NtLoadKey (62) intercepted (80625982->BA7A2AA2), hook not defined
Function NtMapViewOfSection (6C) intercepted (805B2006->8AB7E8D0), hook not defined
Function NtOpenEvent (72) intercepted (8060E702->8AB66AE8), hook not defined
Function NtOpenProcess (7A) intercepted (805CB3FC->A87F451A), hook C:\WINDOWS\System32\drivers\pxrts.sys
Function NtOpenProcessToken (7B) intercepted (805ED722->8AB6C570), hook not defined
Function NtOpenThread (80) intercepted (805CB688->A87F43F6), hook C:\WINDOWS\System32\drivers\pxrts.sys
Function NtOpenThreadToken (81) intercepted (805ED740->8AB749F0), hook not defined
Function NtProtectVirtualMemory (89) intercepted (805B83DA->A87F4292), hook C:\WINDOWS\System32\drivers\pxrts.sys
Function NtQueryValueKey (B1) intercepted (806219BE->8A844F20), hook not defined
Function NtReplaceKey (C1) intercepted (80625832->BA7A2AAC), hook not defined
Function NtRestoreKey (CC) intercepted (8062513E->BA7A2AA7), hook not defined
Function NtResumeThread (CE) intercepted (805D4976->8AB6CE70), hook not defined
Function NtSetContextThread (D5) intercepted (805D16F6->A87F418E), hook C:\WINDOWS\System32\drivers\pxrts.sys
Function NtSetInformationProcess (E4) intercepted (805CDE46->8AB74648), hook not defined
Function NtSetInformationThread (E5) intercepted (805CC0CA->8AB74CE0), hook not defined
Function NtSetValueKey (F7) intercepted (80621D0C->BA7A2A98), hook not defined
Function NtSuspendProcess (FD) intercepted (805D4A3E->8AB6C978), hook not defined
Function NtSuspendThread (FE) intercepted (805D48B0->8AB62E20), hook not defined
Function NtTerminateProcess (101) intercepted (805D299E->A87F464E), hook C:\WINDOWS\System32\drivers\pxrts.sys
Function NtTerminateThread (102) intercepted (805D2B98->A87F4316), hook C:\WINDOWS\System32\drivers\pxrts.sys
Function NtUnmapViewOfSection (10B) intercepted (805B2E14->8AB74330), hook not defined
Function NtWriteVirtualMemory (115) intercepted (805B4394->A87F434E), hook C:\WINDOWS\System32\drivers\pxrts.sys
Functions checked: 284, intercepted: 35, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Searching for masking processes and drivers - complete
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 41
Number of modules loaded: 461
Scanning memory - complete
3. Scanning disks
Direct reading C:\WINDOWS\system32\dllcache\ddraw.dll
Direct reading C:\WINDOWS\system32\dllcache\olepro32.dll
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Danger - process debugger "360hotfix.exe" = "ntsd -d"
Danger - process debugger "360rp.exe" = "ntsd -d"
Danger - process debugger "360rpt.exe" = "ntsd -d"
Danger - process debugger "360safe.exe" = "ntsd -d"
Danger - process debugger "360safebox.exe" = "ntsd -d"
Danger - process debugger "360sd.exe" = "ntsd -d"
Danger - process debugger "360se.exe" = "ntsd -d"
Danger - process debugger "360SoftMgrSvc.exe" = "ntsd -d"
Danger - process debugger "360speedld.exe" = "ntsd -d"
Danger - process debugger "360tray.exe" = "ntsd -d"
Danger - process debugger "ast.exe" = "ntsd -d"
Danger - process debugger "avcenter.exe" = "ntsd -d"
Danger - process debugger "avgnt.exe" = "ntsd -d"
Danger - process debugger "avguard.exe" = "ntsd -d"
Danger - process debugger "avmailc.exe" = "ntsd -d"
Danger - process debugger "avp.exe" = "ntsd -d"
Danger - process debugger "avwebgrd.exe" = "ntsd -d"
Danger - process debugger "bdagent.exe" = "ntsd -d"
Danger - process debugger "CCenter.exe" = "ntsd -d"
Danger - process debugger "ccSvcHst.exe" = "ntsd -d"
Danger - process debugger "egui.exe" = "ntsd -d"
Danger - process debugger "ekrn.exe" = "ntsd -d"
Danger - process debugger "kavstart.exe" = "ntsd -d"
Danger - process debugger "kissvc.exe" = "ntsd -d"
Danger - process debugger "kmailmon.exe" = "ntsd -d"
Danger - process debugger "kpfw32.exe" = "ntsd -d"
Danger - process debugger "kpfwsvc.exe" = "ntsd -d"
Danger - process debugger "krnl360svc.exe" = "ntsd -d"
Danger - process debugger "kswebshield.exe" = "ntsd -d"
Danger - process debugger "KVMonXP.kxp" = "ntsd -d"
Danger - process debugger "KVSrvXP.exe" = "ntsd -d"
Danger - process debugger "kwatch.exe" = "ntsd -d"
Danger - process debugger "livesrv.exe" = "ntsd -d"
Danger - process debugger "Mcagent.exe" = "ntsd -d"
Danger - process debugger "mcmscsvc.exe" = "ntsd -d"
Danger - process debugger "McNASvc.exe" = "ntsd -d"
Danger - process debugger "Mcods.exe" = "ntsd -d"
Danger - process debugger "McProxy.exe" = "ntsd -d"
Danger - process debugger "McSACore.exe" = "ntsd -d"
Danger - process debugger "Mcshield.exe" = "ntsd -d"
Danger - process debugger "mcsysmon.exe" = "ntsd -d"
Danger - process debugger "mcvsshld.exe" = "ntsd -d"
Danger - process debugger "MpfSrv.exe" = "ntsd -d"
Danger - process debugger "MPMon.exe" = "ntsd -d"
Danger - process debugger "MPSVC.exe" = "ntsd -d"
Danger - process debugger "MPSVC1.exe" = "ntsd -d"
Danger - process debugger "MPSVC2.exe" = "ntsd -d"
Danger - process debugger "msksrver.exe" = "ntsd -d"
Danger - process debugger "qutmserv.exe" = "ntsd -d"
Danger - process debugger "RavMonD.exe" = "ntsd -d"
Danger - process debugger "RavTask.exe" = "ntsd -d"
Danger - process debugger "RsAgent.exe" = "ntsd -d"
Danger - process debugger "rsnetsvr.exe" = "ntsd -d"
Danger - process debugger "RsTray.exe" = "ntsd -d"
Danger - process debugger "safeboxTray.exe" = "ntsd -d"
Danger - process debugger "ScanFrm.exe" = "ntsd -d"
Danger - process debugger "sched.exe" = "ntsd -d"
Danger - process debugger "seccenter.exe" = "ntsd -d"
Danger - process debugger "SfCtlCom.exe" = "ntsd -d"
Danger - process debugger "TMBMSRV.exe" = "ntsd -d"
Danger - process debugger "TmProxy.exe" = "ntsd -d"
Danger - process debugger "UfSeAgnt.exe" = "ntsd -d"
Danger - process debugger "vsserv.exe" = "ntsd -d"
Danger - process debugger "zhudongfangyu.exe" = "ntsd -d"
Danger - process debugger "修复工具.exe" = "ntsd -d"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: terminal connections to the PC are allowed
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 260115, extracted from archives: 224008, malicious software found 0, suspicions - 0
Scanning finished at 2010/02/16 03:35:15 ب.ظ
Time of scanning: 04:02:27
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address [link] conference
picher_s
17-02-2010, 16:33
Greetings
Reza, you posted the wrong log!!!!
Please take a look at this:
[hidden content] I'm waiting.
By the way, man, your system has this many security problems too.
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: terminal connections to the PC are allowed
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Look, in that same thread I also wrote somewhere about fixing these problems.