What are these VIRUSES?!!!

Hello everyone
I don't know what this is: a virus, a trojan, a worm, or maybe just some security hole. I have Avast! 4.1 Home, and lately I have been getting messages about viruses (I think) often, even very often (on average 3-5 times an hour). Below is an excerpt from the Avast log:

2004–12–22 19:27:06 ZARZĄDZANIE NTSYSTEM 1364 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–22 19:34:02 SYSTEM 1448 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSSystem32sysmsvc.exe" file.
2004–12–22 19:36:37 SYSTEM 1448 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–22 19:43:49 SYSTEM 1448 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–22 19:45:03 SYSTEM 1448 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–22 20:06:38 SYSTEM 1448 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–22 20:33:22 SYSTEM 1448 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–22 20:43:13 SYSTEM 1448 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–22 20:49:07 SYSTEM 1448 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–22 20:57:44 SYSTEM 1448 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–22 20:59:54 SYSTEM 1448 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–22 21:16:02 SYSTEM 1448 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–22 21:19:08 SYSTEM 1448 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–22 21:21:34 SYSTEM 1448 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–22 21:27:41 SYSTEM 1448 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 09:51:05 SYSTEM 1452 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 09:59:47 SYSTEM 1452 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 10:07:08 SYSTEM 1452 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 10:22:28 SYSTEM 1452 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 10:30:05 SYSTEM 1452 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 12:12:41 SYSTEM 1440 Sign of "Win32:SpyBot–A1149 [Trj]" has been found in "C:WINDOWSsystem32wvsvc.exe" file.
2004–12–23 12:15:17 SYSTEM 1440 Sign of "Win32:SpyBot–A1149 [Trj]" has been found in "C:WINDOWSsystem32wvsvc.exe" file.
2004–12–23 12:15:32 SYSTEM 1440 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 12:30:48 SYSTEM 1440 Sign of "Win32:SpyBot–A1149 [Trj]" has been found in "C:WINDOWSsystem32wvsvc.exe" file.
2004–12–23 12:35:51 SYSTEM 1440 Sign of "Win32:SpyBot–A1149 [Trj]" has been found in "C:WINDOWSsystem32wvsvc.exe" file.
2004–12–23 14:34:11 SYSTEM 1440 Sign of "Win32:SpyBot–A1149 [Trj]" has been found in "C:WINDOWSsystem32wvsvc.exe" file.
2004–12–23 15:15:21 SYSTEM 1440 Sign of "Win32:SpyBot–A1149 [Trj]" has been found in "C:WINDOWSsystem32wvsvc.exe" file.
2004–12–23 16:10:50 SYSTEM 1440 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:System Volume Information\_restore{7D7F0D86–4E9F–4832–BA85–4B4E10B8F8DA}RP6A0000530.exe" file.
2004–12–23 17:47:05 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 17:59:13 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 18:27:13 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 18:31:41 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 18:35:06 SYSTEM 1456 Sign of "Win32:SpyBot–A1149 [Trj]" has been found in "C:WINDOWSsystem32wvsvc.exe" file.
2004–12–23 18:44:14 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 18:47:35 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 18:51:16 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 18:58:40 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 19:10:02 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 19:12:01 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 19:13:38 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 19:14:54 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 19:22:45 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 19:25:36 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 19:45:36 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 19:51:57 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 19:53:54 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 19:58:29 SYSTEM 1456 Sign of "Win32:SpyBot–A1149 [Trj]" has been found in "C:WINDOWSsystem32wvsvc.exe" file.
2004–12–23 20:04:41 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 20:10:37 SYSTEM 1456 Sign of "Win32:Rbot–IA [Trj]" has been found in "C:WINDOWSsystem32sysmsvc.exe" file.
2004–12–23 20:30:45 SYSTEM 1456 Sign of "Win32:SpyBot–A1149 [Trj]" has been found in "C:WINDOWSsystem32wvsvc.exe" file.
2004–12–23 20:47:14 SYSTEM 1456 Sign of "Win32:SpyBot–A1149 [Trj]" has been found in "C:WINDOWSsystem32wvsvc.exe" file.
2004–12–23 20:57:58 SYSTEM 1456 Sign of "Win32:SpyBot–A1149 [Trj]" has been found in "C:WINDOWSsystem32wvsvc.exe" file.
2004–12–23 22:04:49 SYSTEM 1456 Sign of "Win32:SpyBot–A1149 [Trj]" has been found in "C:WINDOWSsystem32wvsvc.exe" file.
2004–12–24 09:40:29 SYSTEM 1460 Sign of "Win32:SpyBot–A1149 [Trj]" has been found in "C:WINDOWSsystem32wvsvc.exe" file.
2004–12–24 12:21:39 SYSTEM 1460 Sign of "Win32:SpyBot–A1149 [Trj]" has been found in "C:WINDOWSsystem32wvsvc.exe" file.
2004–12–24 13:05:42 SYSTEM 1460 Sign of "Win32:SpyBot–A1149 [Trj]" has been found in "C:WINDOWSsystem32wvsvc.exe" file.
2004–12–24 13:26:43 SYSTEM 1460 Sign of "Win32:SpyBot–A1149 [Trj]" has been found in "C:WINDOWSsystem32wvsvc.exe" file.

Earlier I searched for viruses with these names on several sites devoted to the subject, but without result, hence my request for advice on what this could be and possibly how to remove it.
I have one more problem (actually it came up while I was writing this post). When I scanned my computer with HijackThis and looked at the log, I noticed a worrying process: lsass.exe, which I had just read about on the forum, and I am not sure whether it is in fact a virus. I don't know whether this is also caused by these viruses, but for about a week I have had a terribly slow transfer rate (previously I had about 400-550 kb/s, now it does not exceed 70-80 kb/s). Oh, and one more thing: in Task Manager I have 4-5 svchost.exe processes running. Below is the HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 13:43:39, on 2004–12–24
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32LEXBCES.EXE
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32LEXPPS.EXE
C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
C:Program FilesAlwil SoftwareAvast4ashServ.exe
C:WINDOWSSystem32 vsvc32.exe
C:Program FilesAlwil SoftwareAvast4ashMaiSv.exe
C:WINDOWSExplorer.EXE
C:WINDOWShtpatch.exe
C:WINDOWSSystem32RunDll32.exe
C:PROGRA~1ALWILS~1Avast4ashDisp.exe
C:Program FilesElaborate BytesCloneCDCloneCDTray.exe
C:Program FilesD–Toolsdaemon.exe
C:Program FilesBitSpiritBitSpirit.exe
C:WINDOWSSystem32ctfmon.exe
C:Program FilesGadu–Gadugg.exe
C:WINDOWSSystem32wuauclt.exe
C:PROGRA~1INCRED~1inIMApp.exe
C:WINDOWSSystem32wuauclt.exe
E:InstalatoryHijack thisHijackThis.exe

R0 – HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.onet.pl/
R0 – HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
R3 – Default URLSearchHook is missing
O2 – BHO: IDM Helper – {0055C089–8582–441B–A0BF–17B458C2A3A8} – C:Program FilesInternet Download ManagerIDMIECC.dll
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:Program FilesAdobeAcrobat 5.0ReaderActiveXAcroIEHelper.ocx
O2 – BHO: Local Spool Net support DLL – {41943050–65CC–454B–81E4–9C8A9D7CBAEA} – C:WINDOWSSystem32localsplnet.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:WINDOWSSystem32msdxm.ocx
O4 – HKLM..Run: [HTpatch] C:WINDOWShtpatch.exe
O4 – HKLM..Run: [SiSUSBRG] C:WINDOWSSiSUSBrg.exe
O4 – HKLM..Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 – HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSSystem32NvCpl.dll,NvStartup
O4 – HKLM..Run: [nwiz] nwiz.exe /install
O4 – HKLM..Run: [avast!] C:PROGRA~1ALWILS~1Avast4ashDisp.exe
O4 – HKLM..Run: [CloneCDElbyCDFL] "C:Program FilesElaborate BytesCloneCDElbyCheck.exe" /L ElbyCDFL
O4 – HKLM..Run: [CloneCDTray] "C:Program FilesElaborate BytesCloneCDCloneCDTray.exe"
O4 – HKLM..Run: [DAEMON Tools–1033] "C:Program FilesD–Toolsdaemon.exe" –lang 1045
O4 – HKLM..Run: [Resume copy] copyfstq.exe /startup
O4 – HKLM..Run: [NeroFilterCheck] C:WINDOWSsystem32NeroCheck.exe
O4 – HKLM..Run: [CBitSpirit] "C:Program FilesBitSpiritBitSpirit.exe" /start
O4 – HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe
O4 – HKCU..Run: [Gadu–Gadu] "C:Program FilesGadu–Gadugg.exe" /tray
O4 – HKCU..Run: [IncrediMail] C:PROGRA~1INCRED~1inIncMail.exe /c
O4 – Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOfficeOSA9.EXE
O8 – Extra context menu item: &Add animation to IncrediMail Style Box – C:PROGRA~1INCRED~1in esourcesWebMenuImg.htm
O8 – Extra context menu item: Download All Links with IDM – C:Program FilesInternet Download ManagerIEGetAll.htm
O8 – Extra context menu item: Download with IDM – C:Program FilesInternet Download ManagerIEExt.htm
O8 – Extra context menu item: Pobierz z &BitSpirit – C:Program FilesBitSpiritsurl.htm
O12 – Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll
O23 – Service: avast! iAVS4 Control Service – Unknown – C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
O23 – Service: avast! Antivirus – Unknown – C:Program FilesAlwil SoftwareAvast4ashServ.exe
O23 – Service: avast! Mail Scanner – ALWIL Software – C:Program FilesAlwil SoftwareAvast4ashMaiSv.exe
O23 – Service: LexBce Server – Lexmark International, Inc. – C:WINDOWSsystem32LEXBCES.EXE
O23 – Service: NVIDIA Display Driver Service – NVIDIA Corporation – C:WINDOWSSystem32 vsvc32.exe

Please help me, because I don't know much about this; beginnings are always hard. I also apologize for the long post, but I wanted to cover it all in one rather than spread it over several, especially since they all concern one topic. If anyone can help, I would appreciate advice and tips.
Best regards, and I wish all users of this forum a Merry Christmas.

marex1011

Replies: 1

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.QQ
http://www.sophos.com/virusinfo/analyses/w32rbotnz.html
lsass.exe is a system process
wins
Posted
24.12.2004 17:12:54
marex1011
Posted:
24.12.2004 17:01:01