ماهان سرور
آکوستیک ، فوم شانه تخم مرغی ، پنل صداگیر ، یونولیت
دستگاه جوجه کشی حرفه ای
فروش آنلاین لباس کودک
خرید فالوور ایرانی
خرید فالوور اینستاگرام
خرید ممبر تلگرام
[ + افزودن آگهی متنی جدید ]
w32.fujacks.ce!infچطورميشه پاكش كرد
با سلام خدمت دوستان
توي يكي از سيستمهاي شبكه ويروسي با نام w32.fujacks.ce!infافتاده كه sysmantec,macاونو lيشناسه يك بارclean ويك بارdelميكنن ولي بازم ويندوزو به هم ميريزه وپيغام Schost.exe,lsasc.exe cannot read memory...ميده combofixهم نتونست كاري بكنه لطفا راهي نشون بديد ممنون
درود
چطوری رفیق؟!!
موسستون خوب هستند؟!
خوب بعد از اجرای Combofix شما متنه Logَ رو اینجا Paste کنید.
بعد هم آویرا بنصبید.
Last edited by picher_s; 06-02-2010 at 12:17.
...........
با استرینگر مکافی هم میتونی پاکش کنی
lo combo
ComboFix 10-02-01.02 - Administrator 02/08/2010 8:19.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1256.981.1033.18.959.400 [GMT 3.5:30]
Running from: f:\anti viruse\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\c.exe
c:\windows\kb913800.exe
c:\windows\system32\asycfilt.dllkLMYS
c:\windows\system32\c_30218.nls
c:\windows\system32\cryptcom.dll
c:\windows\system32\dllcache\asycfilt.dllkLMYS
c:\windows\system32\dllcache\dsound.dllIExRj
c:\windows\system32\drivers\dHook.sys
c:\windows\system32\dsound.dllIExRj
c:\windows\system32\fyddos.dll
c:\windows\system32\iscsrunsrv.dll
c:\windows\system32\t320067.dll
c:\windows\system32\t320067.ini
c:\windows\system32\t322044.dll
c:\windows\system32\t322044.ini
c:\windows\system32\t329139.dll
c:\windows\system32\t329139.ini
c:\windows\Temp\1057.exe
c:\windows\Temp\1716000.exe
c:\windows\Temp\1835328.exe
c:\windows\Temp\2475250.exe
c:\windows\Temp\2498109.exe
c:\windows\Temp\2580500.exe
c:\windows\Temp\2607234.exe
c:\windows\Temp\2659375.exe
c:\windows\Temp\2688859.exe
c:\windows\Temp\2773671.exe
c:\windows\Temp\2800281.exe
c:\windows\Temp\2807468.exe
c:\windows\Temp\2852562.exe
c:\windows\Temp\2934875.exe
c:\windows\Temp\2964734.exe
c:\windows\Temp\3015390.exe
c:\windows\Temp\3097781.exe
c:\windows\Temp\3130500.exe
c:\windows\Temp\432359.exe
c:\windows\Temp\4495546.exe
c:\windows\Temp\4553593.exe
c:\windows\Temp\458656.exe
c:\windows\Temp\4680656.exe
c:\windows\Temp\4707062.exe
c:\windows\Temp\4849625.exe
c:\windows\Temp\4876343.exe
c:\windows\Temp\4960921.exe
c:\windows\Temp\4997343.exe
c:\windows\Temp\5005078.exe
c:\windows\Temp\5014734.exe
c:\windows\Temp\5029906.exe
c:\windows\Temp\5048281.exe
c:\windows\Temp\5064906.exe
c:\windows\Temp\5080796.exe
c:\windows\Temp\5102250.exe
c:\windows\Temp\5125234.exe
c:\windows\Temp\5221703.exe
c:\windows\Temp\5333234.exe
c:\windows\Temp\542656.exe
c:\windows\Temp\5491875.exe
c:\windows\Temp\570234.exe
c:\windows\Temp\5882984.exe
c:\windows\Temp\5926140.exe
c:\windows\Temp\608328.exe
c:\windows\Temp\663000.exe
c:\windows\Temp\748968.exe
c:\windows\Temp\788250.exe
c:\windows\Temp\796734.exe
c:\windows\Temp\815109.exe
c:\windows\Temp\910375.exe
c:\windows\Temp\939546.exe
c:\windows\TEMP\Win_XP\Win_XP\WindowsXP-KB958644-x86-ENU.exe
D:\cconter.exe
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\1033\MSOHELP.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\1033\SCHDPL32.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\1033\UNPACK.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\DSSM.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\EXCEL.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\FINDER.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\GRAPH.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\INFOPATH.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\MSACCESS.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\MSE7.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\MSOHTMED.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\MSPUB.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\MSQRY32.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\MSTORDB.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\MSTORE.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\OIS.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\OSA.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\OUTLOOK.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\POWERPNT.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\PPTVIEW.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\PROFLWIZ.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\SELFCERT.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\SETLANG.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\UNBIND.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\WAVTOASF.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Microsoft Office\OFFICE11\WINWORD.EXE
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Mozilla Firefox\crashreporter.exe
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Mozilla Firefox\firefox.exe
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Mozilla Firefox\uninstall\helper.exe
d:\recycler\S-1-5-21-1801674531-1770027372-839522115-500\Dd1\Mozilla Firefox\updater.exe
-- Previous Run --
Infected copy of c:\windows\system32\rpcss.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\rpcss.dll
Infected copy of c:\windows\system32\rpcss.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\rpcss.dll
Infected copy of c:\windows\system32\lpk.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{C25D4C75-A720-4842-9297-DC6EC4F855A0}\RP9\A0001238.dll
Infected copy of c:\windows\system32\rpcss.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\rpcss.dll
Infected copy of c:\windows\system32\lpk.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{C25D4C75-A720-4842-9297-DC6EC4F855A0}\RP9\A0001238.dll
Infected copy of c:\windows\system32\asycfilt.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{C25D4C75-A720-4842-9297-DC6EC4F855A0}\RP9\A0001241.dll
Infected copy of c:\windows\system32\rpcss.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\rpcss.dll
Infected copy of c:\windows\system32\lpk.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{C25D4C75-A720-4842-9297-DC6EC4F855A0}\RP9\A0001238.dll
Infected copy of c:\windows\system32\asycfilt.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{C25D4C75-A720-4842-9297-DC6EC4F855A0}\RP9\A0001241.dll
Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll
--------
Infected copy of c:\windows\system32\xmlprov.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\xmlprov.dll
Infected copy of c:\windows\system32\ntmssvc.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\ntmssvc.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_BACKGROUND_SWITCH
-------\Legacy_MEDIACENTER
-------\Legacy_SLENUMHOOK2
-------\Legacy_WINDOWSREMOTE
-------\Service_BackGround switch
-------\Service_MediaCenter
-------\Service_WindowsRemote
-------\Legacy_iScsSrv
-------\Service_iScsSrv
((((((((((((((((((((((((( Files Created from 2010-01-08 to 2010-02-08 )))))))))))))))))))))))))))))))
.
2010-02-08 04:11 . 2004-08-03 23:56 22016 ----a-w- c:\windows\system32\lpk.dll
2010-02-07 05:06 . 2010-02-07 05:06 21576704 -csha-w- c:\windows\system32\dllcache\qmgr.dll
2010-02-07 05:06 . 2010-02-07 05:06 21576704 --sha-w- c:\windows\system32\qmgr.dll
2010-02-07 05:03 . 2010-02-07 05:11 -------- d-----w- c:\windows\system32\TFLKKZ7L8O
2010-02-07 04:58 . 2010-02-07 04:59 -------- d-----w- c:\windows\system32\SA4T7LX8MJ
2010-02-07 04:40 . 2004-08-03 23:56 65024 ----a-w- c:\windows\system32\asycfilt.dll
2010-02-07 04:40 . 2010-02-07 04:40 33604 ----a-w- c:\windows\system\TrJcv.DRV
2010-02-07 04:40 . 2010-02-07 04:39 36164 ----a-w- c:\windows\system\HoBjm.DRV
2010-02-07 04:38 . 2010-02-07 04:38 27136 ----a-w- c:\windows\system32\Intelproc.dll
2010-02-07 04:37 . 2010-02-07 04:37 72792 ----a-w- c:\documents and settings\NetworkService\Application Data\Dbg32.Sys
2010-02-07 04:29 . 2010-02-07 04:30 -------- d-----w- c:\windows\system32\MHFNC6IVDB
2010-02-07 04:26 . 2010-02-07 04:28 -------- d-----w- c:\windows\system32\LZUDXCLW9R
2010-02-07 03:44 . 2010-02-07 03:47 -------- d-----w- c:\windows\system32\C139BMFUG7
2010-02-07 03:41 . 2010-02-07 03:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\ACD Systems
2010-02-07 03:38 . 2010-02-07 03:42 -------- d-----w- c:\windows\system32\BFA0RP22H2
2010-02-07 03:35 . 2010-02-07 03:38 -------- d-----w- c:\windows\system32\AVZ48MPJEE
2010-02-07 03:34 . 2010-02-07 03:34 10368 --sh--w- c:\windows\bfgdc.exe
2010-02-07 03:33 . 2010-02-07 03:35 -------- d-----w- c:\windows\system32\APKR2A67A3
2010-02-07 03:29 . 2010-02-07 03:29 239959 ------w- c:\windows\system32\panp.exe
2010-02-07 03:29 . 2010-02-07 03:30 -------- d-----w- c:\windows\system32\9QDKJ9LCSP
2010-02-07 03:28 . 2010-02-07 05:02 275992 ------w- c:\windows\system32\iscslogsrv.dll
2010-02-06 13:01 . 2010-02-06 13:05 -------- d-----w- C:\My Photos
2010-02-06 10:41 . 2010-02-06 10:41 378440 ----a-w- c:\windows\system32\uvafuz.exe
2010-02-06 10:39 . 2010-02-06 10:41 -------- d-----w- c:\windows\system32\8SIQAOSXI9
2010-02-06 10:37 . 2010-02-06 10:38 -------- d-----w- c:\windows\system32\7TGC4M2WZF
2010-02-06 10:28 . 2006-07-12 11:20 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2010-02-06 10:12 . 2010-02-06 10:15 -------- d-----w- c:\windows\system32\2V606FGZ33
2010-02-06 10:08 . 2010-02-07 03:41 54784 ----a-w- c:\windows\system32\tcpsves.exe
2010-02-06 10:07 . 2010-02-06 10:09 -------- d-----w- c:\windows\system32\1SI839RYWR
2010-02-06 10:06 . 2010-02-06 10:07 -------- d-----w- c:\windows\system32\iB
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2010-02-08 04:53 . 2010-02-06 06:14 -------- d-----w- c:\program files\Symantec AntiVirus
2010-02-07 13:29 . 2010-02-06 06:14 -------- d-----w- c:\program files\Symantec
2010-02-07 12:46 . 2010-02-06 08:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Babylon
2010-02-07 04:37 . 2010-02-07 04:38 72792 ----a-w- c:\documents and settings\NetworkService\Application Data\Bug.Tmp
2010-02-06 10:28 . 2010-02-06 08:37 -------- d-----w- c:\program files\InstallShield Installation Information
2010-02-06 10:12 . 2010-02-06 09:47 -------- d-----w- c:\program files\ScannerU
2010-02-06 09:58 . 2010-02-06 09:57 -------- d-----w- c:\program files\VIA
2010-02-06 09:57 . 2010-02-06 09:57 -------- d-----w- c:\program files\S3
2010-02-06 09:57 . 2010-02-06 08:37 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-06 09:49 . 2010-02-06 09:49 -------- d-----w- c:\program files\NewSoft
2010-02-06 09:31 . 2010-02-06 09:31 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{90B5E602-1867-449D-86FD-FC9DEA4434BF}\NewShortcut1_5B69D3033CA54B39B5ECE7D 051297E77.exe
2010-02-06 09:31 . 2010-02-06 09:29 -------- d-----w- c:\program files\Hewlett-Packard
2010-02-06 09:30 . 2010-02-06 09:29 -------- d-----w- c:\program files\Zero G Registry
2010-02-06 09:29 . 2010-02-06 09:29 -------- d-----w- c:\program files\HP
2010-02-06 09:27 . 2010-02-06 09:27 -------- d-----w- c:\program files\Common Files\SWF Studio
2010-02-06 09:19 . 2010-02-06 09:19 -------- d-----w- c:\program files\Common Files\L&H
2010-02-06 09:19 . 2010-02-06 09:19 -------- d-----w- c:\program files\Microsoft.NET
2010-02-06 09:19 . 2010-02-06 09:19 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-02-06 09:18 . 2010-02-06 09:18 -------- d-----w- c:\program files\Microsoft Works
2010-02-06 09:11 . 2010-02-06 09:06 -------- d-----w- c:\program files\The KMPlayer
2010-02-06 09:10 . 2010-02-06 09:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\ACD Systems
2010-02-06 09:09 . 2010-02-06 09:09 -------- d-----w- c:\program files\Common Files\ACD Systems
2010-02-06 09:09 . 2010-02-06 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2010-02-06 09:09 . 2010-02-06 09:09 -------- d-----w- c:\program files\ACD Systems
2010-02-06 08:52 . 2010-02-06 08:50 -------- d-----w- c:\program files\DAP
2010-02-06 08:52 . 2010-02-06 08:52 2368 ----a-w- c:\windows\system32\SVKP.sys
2010-02-06 08:50 . 2010-02-06 08:50 50688 ----a-w- c:\windows\system32\wbhelp2.dll
2010-02-06 08:48 . 2010-02-06 08:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2010-02-06 08:48 . 2010-02-06 08:48 -------- d-----w- c:\program files\Babylon
2010-02-06 08:48 . 2010-02-06 08:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-02-06 08:47 . 2010-02-06 08:47 -------- d-----w- c:\program files\Yahoo!
2010-02-06 08:47 . 2010-02-06 08:47 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-06 08:47 . 2010-02-06 08:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\InterTrust
2010-02-06 08:39 . 2010-02-06 08:39 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-02-06 08:39 . 2010-02-06 08:38 -------- d-----w- c:\program files\CyberLink
2010-02-06 08:38 . 2010-02-06 08:37 -------- d-----w- c:\program files\JetAudio
2010-02-06 08:32 . 2010-02-06 08:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-02-06 06:15 . 2010-02-06 06:14 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-06 06:15 . 2010-02-06 06:15 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-06 06:15 . 2010-02-06 06:15 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-06 06:15 . 2010-02-06 06:15 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-06 06:15 . 2010-02-06 06:15 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-06 06:14 . 2010-02-06 06:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-06 06:02 . 2010-02-06 06:02 -------- d-----w- c:\program files\microsoft frontpage
2010-02-06 06:01 . 2010-02-06 06:01 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-06 05:59 . 2010-02-06 05:59 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-06 05:58 . 2010-02-06 05:58 -------- d-----w- c:\program files\Windows Media Connect 2
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RgmptwC.dll
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RjmktrC.dll
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RlmuthC.dll
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RqmrtmC.dll
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RtmqtfC.dll
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RwmrtsC.dll
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RwmttmC.dll
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RzmmttC.dll
2004-08-17 16:30 . 2004-08-17 16:30 351772 --sh--w- c:\windows\system32\RzmotrC.dll
.
------- Sigcheck -------
[7] 2007-02-18 . 9941382A1C2289F5FB4C87D0DAACC21C . 360704 . . [5.1.2600.2956] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2007-02-18 . 2E231F82BF3BACCC360B03BE39BB0620 . 360704 . . [5.1.2600.2956] . . c:\windows\system32\drivers\tcpip.sys
[-] 2010-02-07 05:06 . DE24F1D4FF06E44F6B8D630FD5E25356 . 21576704 . . [1.0.0.1] . . c:\windows\system32\qmgr.dll
[-] 2010-02-07 05:06 . DE24F1D4FF06E44F6B8D630FD5E25356 . 21576704 . . [1.0.0.1] . . c:\windows\system32\dllcache\qmgr.dll
[-] 2004-08-03 23:56 . 873C66E52C06F7110EAC11AA7D825F40 . 249344 . . [------] . . c:\windows\system32\xmlprov.dll
[7] 2004-08-03 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\xmlprov.dll
[-] 2004-08-03 23:56 . 873C66E52C06F7110EAC11AA7D825F40 . 249344 . . [------] . . c:\windows\system32\appmgmts.dll
[7] 2004-08-03 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\appmgmts.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-08-09 4617720]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Device Detector"="DevDetect.exe -autorun" [X]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-07 125368]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 303104]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2006-05-01 890880]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 442368]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]
"VTTimer"="VTTimer.exe" [2004-01-15 49152]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 67584]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
KYESCAN.lnk - c:\progra~1\ScannerU\KYESCAN.exe [2010-2-6 172032]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
R2 BulkUsb;Genius ColorPage USB Scanner;c:\windows\system32\drivers\usbscan.sys [2010/02/06 01:17 ب.ظ 15104]
R2 fars;feas;c:\windows\system32\APKR2A67A3\J001.exe [2010/02/07 07:04 ق.ظ 73728]
R2 fuj;ilk;c:\windows\system32\1SI839RYWR\D001.exe [2010/02/06 01:37 ب.ظ 65536]
R2 gu;cf;c:\windows\system32\TFLKKZ7L8O\J001.exe [2010/02/07 08:35 ق.ظ 65536]
R2 nhfg;mgh;c:\windows\bfgdc.exe [2010/02/07 07:04 ق.ظ 10368]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2010/02/06 12:22 ب.ظ 2368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010/02/06 09:57 ق.ظ 102448]
S2 saytst;saytst;c:\windows\system32\uvafuz.exe [2010/02/06 02:11 ب.ظ 378440]
S2 TCPZ;TCP Half Open Limited Patcher ( TCP-Z);\??\c:\windows\system32\drivers\tcpz-x86d.sys --> c:\windows\system32\drivers\tcpz-x86d.sys [?]
S2 VMservices;VMservices;c:\windows\system32\panp.exe [2010/02/07 06:59 ق.ظ 239959]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007/10/07 08:48 ب.ظ 116664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iScsSrv REG_MULTI_SZ iScsSrv iSCS
nhibbwvy REG_MULTI_SZ nhibbwvy
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{LMS03AB-B707-11d2-9CBD-0000F87A369E}]
2010-02-06 10:41 274432 ----a-w- c:\program files\Microsoft Office\svchost.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.live.com
uInternet Settings,ProxyOverride = <local>
IE: &Download with &DAP - c:\progra~1\DAP\dapextie.htm
IE: Download &all with DAP - c:\progra~1\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {5EF5C567-4593-4747-86A9-50801BDA98D5} = 20.0.0.30,217.219.187.0
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
.
- - - - ORPHANS REMOVED - - - -
ShellExecuteHooks-{36341DC2-9E82-4F3A-BD91-92A15251AA0F} - c:\documents and settings\Administrator\Application Data\Dbg32.Sys
************************************************** ************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [ برای مشاهده لینک ، با نام کاربری خود وارد شوید یا ثبت نام کنید ]
Rootkit scan 2010-02-08 08:23
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{ 5EF5C567-4593-4747-86A9-50801BDA98D5}]
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(4640)
c:\windows\system32\msi.dll
c:\program files\Babylon\Babylon-Pro\CAPTLIB.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\ACD Systems\EN\DevDetect.exe
c:\windows\system32\VTTimer.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\drwtsn32.exe
.
************************************************** ************************
.
Completion time: 2010-02-08 0809 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-08 05:01
Pre-Run: 15,466,172,416 bytes free
Post-Run: 15,296,925,696 bytes free
- - End Of File - - BDFFA68F7E28FD23B9576EA7497BA5AB
با اجازه دوستان
از استارآپ دو فايلي كه پيغام پيدا نشدن ميده رو بردار . كمبوفيكس كه اكثر ويروس ها رو برات پاك كرده !!
با همون آويرا يا سيمانتك بعد آپديت فول اسكن بزن و دوباره كمبو رو اجرا كن مشكلت حل ميشه .
درود
ما هم با اجازه سعيد
رضا خان اين سيستم باحال ماله كجاست؟
تا به حال اينقدر مشكل نديده بودم Combofixگزارش بده.
حتما يه فايلهاي سيستميت رو با SFC /Scannow دوباره جايگزين كن.Infected copy of c:\windows\system32\asycfilt.dll was found and disinfected
fujackc.ce!inf avz log
سلام ممنون ازت اگه بشه كمكي بكني خيلي كمكم كردي فردا آخره ماهه ومن بايد به سيستم كليه شعب وصل بشم
راستي ويروسي كه سيمانتك ميشناسه وكلين مكنه fujackc.ce!infوسايتش ميكه مربوط به فايلهاي HTMLاست
log avz pc khodam
Attention !!! Database was last updated 2009/08/17 it is necessary to update the bases using automatic updates (File/Database update)
>>>> Danger - the avz.exe file is changed, check of its CRC by Trusted Objects Database failed
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 2010/02/16 1153 ق.ظ
Database loaded: signatures - 237476, NN profile(s) - 2, microprograms of healing - 56, signature database released 17.08.2009 20:49
Heuristic microprograms loaded: 374
SPV microprograms loaded: 9
Digital signatures of system files loaded: 134337
Heuristic analyzer mode: Medium heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=085700)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055C700
KiST = 80504450 (284)
Function NtAlertResumeThread (0C) intercepted (805D4B3A->8A89D590), hook not defined
Function NtAlertThread (0D) intercepted (805D4AEA->8A811350), hook not defined
Function NtAllocateVirtualMemory (11) intercepted (805A8A9E->8ADC50F8), hook not defined
Function NtAssignProcessToJobObject (13) intercepted (805D65FE->A87F41CC), hook C:\WINDOWS\System32\drivers\pxrts.sys
Function NtConnectPort (1F) intercepted (805A45B4->8AD620C8), hook not defined
Function NtCreateKey (29) intercepted (80623786->BA7A2A8E), hook not defined
Function NtCreateMutant (2B) intercepted (80616D52->8AB5DEF8), hook not defined
Function NtCreateThread (35) intercepted (805D0FD4->A87F4206), hook C:\WINDOWS\System32\drivers\pxrts.sys
Function NtDeleteKey (3F) intercepted (80623C16->BA7A2A93), hook not defined
Function NtDeleteValueKey (41) intercepted (80623DE6->BA7A2A9D), hook not defined
Function NtFreeVirtualMemory (53) intercepted (805B2F7E->8AB741B0), hook not defined
Function NtImpersonateAnonymousToken (59) intercepted (805F8A32->8AB65F90), hook not defined
Function NtImpersonateThread (5B) intercepted (805D77BE->8AAC26A8), hook not defined
Function NtLoadKey (62) intercepted (80625982->BA7A2AA2), hook not defined
Function NtMapViewOfSection (6C) intercepted (805B2006->8AB7E8D0), hook not defined
Function NtOpenEvent (72) intercepted (8060E702->8AB66AE8), hook not defined
Function NtOpenProcess (7A) intercepted (805CB3FC->A87F451A), hook C:\WINDOWS\System32\drivers\pxrts.sys
Function NtOpenProcessToken (7B) intercepted (805ED722->8AB6C570), hook not defined
Function NtOpenThread (80) intercepted (805CB688->A87F43F6), hook C:\WINDOWS\System32\drivers\pxrts.sys
Function NtOpenThreadToken (81) intercepted (805ED740->8AB749F0), hook not defined
Function NtProtectVirtualMemory (89) intercepted (805B83DA->A87F4292), hook C:\WINDOWS\System32\drivers\pxrts.sys
Function NtQueryValueKey (B1) intercepted (806219BE->8A844F20), hook not defined
Function NtReplaceKey (C1) intercepted (80625832->BA7A2AAC), hook not defined
Function NtRestoreKey (CC) intercepted (8062513E->BA7A2AA7), hook not defined
Function NtResumeThread (CE) intercepted (805D4976->8AB6CE70), hook not defined
Function NtSetContextThread (D5) intercepted (805D16F6->A87F418E), hook C:\WINDOWS\System32\drivers\pxrts.sys
Function NtSetInformationProcess (E4) intercepted (805CDE46->8AB74648), hook not defined
Function NtSetInformationThread (E5) intercepted (805CC0CA->8AB74CE0), hook not defined
Function NtSetValueKey (F7) intercepted (80621D0C->BA7A2A98), hook not defined
Function NtSuspendProcess (FD) intercepted (805D4A3E->8AB6C978), hook not defined
Function NtSuspendThread (FE) intercepted (805D48B0->8AB62E20), hook not defined
Function NtTerminateProcess (101) intercepted (805D299E->A87F464E), hook C:\WINDOWS\System32\drivers\pxrts.sys
Function NtTerminateThread (102) intercepted (805D2B98->A87F4316), hook C:\WINDOWS\System32\drivers\pxrts.sys
Function NtUnmapViewOfSection (10B) intercepted (805B2E14->8AB74330), hook not defined
Function NtWriteVirtualMemory (115) intercepted (805B4394->A87F434E), hook C:\WINDOWS\System32\drivers\pxrts.sys
Functions checked: 284, intercepted: 35, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Searching for masking processes and drivers - complete
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 41
Number of modules loaded: 461
Scanning memory - complete
3. Scanning disks
Direct reading C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache51808.tmp
Direct reading C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache51809.tmp
Direct reading C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache51810.tmp
Direct reading C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache51811.tmp
Direct reading C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache51812.tmp
Direct reading C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache51813.tmp
Direct reading C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache51814.tmp
Direct reading C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache51815.tmp
Direct reading C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache51816.tmp
Direct reading C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache51818.tmp
Direct reading C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache51819.tmp
Direct reading C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache51820.tmp
Direct reading C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache51821.tmp
Direct reading C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache51822.tmp
Direct reading C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache51823.tmp
Direct reading C:\Documents and Settings\Administrator\Local Settings\temp\jar_cache51824.tmp
Direct reading C:\WINDOWS\system32\dllcache\ddraw.dll
Direct reading C:\WINDOWS\system32\dllcache\olepro32.dll
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Danger - process debugger "360hotfix.exe" = "ntsd -d"
Danger - process debugger "360rp.exe" = "ntsd -d"
Danger - process debugger "360rpt.exe" = "ntsd -d"
Danger - process debugger "360safe.exe" = "ntsd -d"
Danger - process debugger "360safebox.exe" = "ntsd -d"
Danger - process debugger "360sd.exe" = "ntsd -d"
Danger - process debugger "360se.exe" = "ntsd -d"
Danger - process debugger "360SoftMgrSvc.exe" = "ntsd -d"
Danger - process debugger "360speedld.exe" = "ntsd -d"
Danger - process debugger "360tray.exe" = "ntsd -d"
Danger - process debugger "ast.exe" = "ntsd -d"
Danger - process debugger "avcenter.exe" = "ntsd -d"
Danger - process debugger "avgnt.exe" = "ntsd -d"
Danger - process debugger "avguard.exe" = "ntsd -d"
Danger - process debugger "avmailc.exe" = "ntsd -d"
Danger - process debugger "avp.exe" = "ntsd -d"
Danger - process debugger "avwebgrd.exe" = "ntsd -d"
Danger - process debugger "bdagent.exe" = "ntsd -d"
Danger - process debugger "CCenter.exe" = "ntsd -d"
Danger - process debugger "ccSvcHst.exe" = "ntsd -d"
Danger - process debugger "egui.exe" = "ntsd -d"
Danger - process debugger "ekrn.exe" = "ntsd -d"
Danger - process debugger "kavstart.exe" = "ntsd -d"
Danger - process debugger "kissvc.exe" = "ntsd -d"
Danger - process debugger "kmailmon.exe" = "ntsd -d"
Danger - process debugger "kpfw32.exe" = "ntsd -d"
Danger - process debugger "kpfwsvc.exe" = "ntsd -d"
Danger - process debugger "krnl360svc.exe" = "ntsd -d"
Danger - process debugger "kswebshield.exe" = "ntsd -d"
Danger - process debugger "KVMonXP.kxp" = "ntsd -d"
Danger - process debugger "KVSrvXP.exe" = "ntsd -d"
Danger - process debugger "kwatch.exe" = "ntsd -d"
Danger - process debugger "livesrv.exe" = "ntsd -d"
Danger - process debugger "Mcagent.exe" = "ntsd -d"
Danger - process debugger "mcmscsvc.exe" = "ntsd -d"
Danger - process debugger "McNASvc.exe" = "ntsd -d"
Danger - process debugger "Mcods.exe" = "ntsd -d"
Danger - process debugger "McProxy.exe" = "ntsd -d"
Danger - process debugger "McSACore.exe" = "ntsd -d"
Danger - process debugger "Mcshield.exe" = "ntsd -d"
Danger - process debugger "mcsysmon.exe" = "ntsd -d"
Danger - process debugger "mcvsshld.exe" = "ntsd -d"
Danger - process debugger "MpfSrv.exe" = "ntsd -d"
Danger - process debugger "MPMon.exe" = "ntsd -d"
Danger - process debugger "MPSVC.exe" = "ntsd -d"
Danger - process debugger "MPSVC1.exe" = "ntsd -d"
Danger - process debugger "MPSVC2.exe" = "ntsd -d"
Danger - process debugger "msksrver.exe" = "ntsd -d"
Danger - process debugger "qutmserv.exe" = "ntsd -d"
Danger - process debugger "RavMonD.exe" = "ntsd -d"
Danger - process debugger "RavTask.exe" = "ntsd -d"
Danger - process debugger "RsAgent.exe" = "ntsd -d"
Danger - process debugger "rsnetsvr.exe" = "ntsd -d"
Danger - process debugger "RsTray.exe" = "ntsd -d"
Danger - process debugger "safeboxTray.exe" = "ntsd -d"
Danger - process debugger "ScanFrm.exe" = "ntsd -d"
Danger - process debugger "sched.exe" = "ntsd -d"
Danger - process debugger "seccenter.exe" = "ntsd -d"
Danger - process debugger "SfCtlCom.exe" = "ntsd -d"
Danger - process debugger "TMBMSRV.exe" = "ntsd -d"
Danger - process debugger "TmProxy.exe" = "ntsd -d"
Danger - process debugger "UfSeAgnt.exe" = "ntsd -d"
Danger - process debugger "vsserv.exe" = "ntsd -d"
Danger - process debugger "zhudongfangyu.exe" = "ntsd -d"
Danger - process debugger "ذق¸´¹¤¾ك.exe" = "ntsd -d"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: terminal connections to the PC are allowed
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 260115, extracted from archives: 224008, malicious software found 0, suspicions - 0
Scanning finished at 2010/02/16 0315 ب.ظ
Time of scanning: 04:02:27
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address [ برای مشاهده لینک ، با نام کاربری خود وارد شوید یا ثبت نام کنید ] conference
درود
آقا رضا این Log رو اشتباه گذاشتی!!!!
لطفا یه نگاه به این بنداز
منتظرم.کد:برای مشاهده محتوا ، لطفا وارد شوید یا ثبت نام کنید
راستی پسر سیستمت اینقدر مشکل امنیتی هم داره.
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: terminal connections to the PC are allowed
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
ببین همون تاپیک یه جاش در مورد رفع این مشکلات هم نوشتم.
هم اکنون 1 کاربر در حال مشاهده این تاپیک میباشد. (0 کاربر عضو شده و 1 مهمان)
قوانين ايجاد تاپيک در انجمن
جواب بصورت نقل قول