Arekak, posted 22 March 2009 (edited)

Hi, I have a problem with a virus. Avast keeps detecting some crap in RAM and tells me to restart. I've already done that a few times and it found nothing. I should add that the day before yesterday I installed Avast, and when I ran a scan it found 1862 infected files, all of which are in quarantine. The vast majority were infected by Kavos [TRJ].

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:32, on 2009-03-22
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
D:\DiskeeperLite\DKService.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Vtune\TBPanel.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\MyPortal\Speed-X\SpeedX.exe
D:\Nowe Gadu-Gadu\gg.exe
D:\Nowe Gadu-Gadu\spellchecker_gg.exe
D:\Mozilla Firefox\firefox.exe
E:\Nie używane pliki pulpitu\COS.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: SHOUTcast Toolbar Search Class - {14f0d511-36a2-41ca-ae01-ba4f87282c97} - C:\Program Files\SHOUTcast Radio Toolbar\shoutcasttb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Pomocnik rejestracji usługi Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SHOUTcast Loader - {ccec60fc-2608-4e58-9659-3ffc159e8ea9} - C:\Program Files\SHOUTcast Radio Toolbar\shoutcasttb.dll
O3 - Toolbar: SHOUTcast Radio Toolbar - {0457331d-8ca6-4f97-9c26-6a9ef2b2dba8} - C:\Program Files\SHOUTcast Radio Toolbar\shoutcasttb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Gainward] C:\Program Files\Vtune\TBPanel.exe /A
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\STARDOCK\WINCUS~1\BOOTSKIN\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKCU\..\Run: [SpeedX] C:\PROGRA~1\MyPortal\Speed-X\SpeedX.exe
O4 - HKCU\..\Run: [NBJ] "C:\program files\ahead\nero backitup\nbj.exe"
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O8 - Extra context menu item: &SHOUTcast Search - C:\Documents and Settings\All Users\Dane aplikacji\SHOUTcast Radio Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\DiskeeperLite\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Performance Driver Service - Unknown owner - C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5631 bytes

ComboFix log:

ComboFix 09-03-19.02 - Arek 2009-03-22 13:20:41.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.511.279 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Arek\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090321-0] *On-access scanning disabled* (Updated)
 * Utworzono nowy punkt przywracania
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\gyn.cmd
C:\jm3cx96.bat
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\olhrwef.exe
C:\xsia.bat
D:\Autorun.inf
D:\gyn.cmd
D:\jm3cx96.bat
D:\xsia.bat
E:\Autorun.inf
E:\gyn.cmd
E:\jm3cx96.bat
E:\xsia.bat
.
((((((((((((((((((((((((( Pliki utworzone od 2009-02-22 do 2009-03-22 )))))))))))))))))))))))))))))))
.
2009-03-21 13:02 . 2009-03-21 13:02 <DIR> d-------- c:\program files\Executive Software
2009-03-20 13:33 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-03-20 13:31 . 2009-03-20 13:31 <DIR> d-------- c:\program files\Panda Security
2009-03-16 19:15 . 2009-03-16 19:15 <DIR> d-------- c:\windows\system32\Futuremark
2009-03-16 19:15 . 2009-03-16 19:15 <DIR> d-------- c:\program files\Common Files\Futuremark Shared
2009-03-16 19:15 . 2008-09-17 15:14 27,672 -ra------ c:\windows\system32\drivers\Entech.sys
2009-03-11 20:51 . 2009-03-11 20:51 <DIR> dr------- c:\program files\Skype
2009-03-11 20:51 . 2009-03-11 20:51 <DIR> d-------- c:\documents and settings\Arek\Dane aplikacji\Skype
2009-03-11 18:27 . 2009-03-11 18:27 <DIR> d-------- C:\LexmarkDiag
2009-03-11 18:17 . 2009-03-11 18:17 <DIR> d-------- C:\LXKZ600
2009-03-09 08:55 . 2009-03-09 08:55 <DIR> d--hs---- C:\FOUND.008
2009-03-05 20:51 . 2009-03-05 20:51 <DIR> d-------- c:\program files\Streamripper
2009-03-01 16:28 . 2009-03-01 16:28 <DIR> d--hs---- C:\FOUND.007
2009-03-01 11:24 . 2008-05-01 09:30 <DIR> d--h----- c:\documents and settings\Anna\Ustawienia lokalne
2009-03-01 11:24 . 2009-03-01 11:24 <DIR> dr------- c:\documents and settings\Anna\Ulubione
2009-03-01 11:24 . 2008-05-01 09:30 <DIR> d--h----- c:\documents and settings\Anna\Szablony
2009-03-01 11:24 . 2008-05-01 09:30 <DIR> d-------- c:\documents and settings\Anna\Pulpit
2009-03-01 11:24 . 2009-03-01 11:24 <DIR> dr------- c:\documents and settings\Anna\Moje dokumenty
2009-03-01 11:24 . 2008-05-01 09:30 <DIR> dr------- c:\documents and settings\Anna\Menu Start
2009-03-01 11:24 . 2008-05-01 09:30 <DIR> dr-h----- c:\documents and settings\Anna\Dane aplikacji
2009-03-01 11:24 . 2009-03-01 11:24 <DIR> d-------- c:\documents and settings\Anna
2009-03-01 11:13 . 2009-03-01 11:13 <DIR> d-------- c:\documents and settings\Gość\Dane aplikacji\Sony Ericsson
2009-03-01 11:12 . 2008-05-01 09:30 <DIR> d--h----- c:\documents and settings\Gość\Ustawienia lokalne
2009-03-01 11:12 . 2008-05-01 09:30 <DIR> d--h----- c:\documents and settings\Gość\Ustawienia lokalne
2009-03-01 11:12 . 2009-03-01 11:12 <DIR> dr------- c:\documents and settings\Gość\Ulubione
2009-03-01 11:12 . 2009-03-01 11:12 <DIR> dr------- c:\documents and settings\Gość\Ulubione
2009-03-01 11:12 . 2008-05-01 09:30 <DIR> d--h----- c:\documents and settings\Gość\Szablony
2009-03-01 11:12 . 2008-05-01 09:30 <DIR> d--h----- c:\documents and settings\Gość\Szablony
2009-03-01 11:12 . 2008-05-01 09:30 <DIR> d-------- c:\documents and settings\Gość\Pulpit
2009-03-01 11:12 . 2008-05-01 09:30 <DIR> d-------- c:\documents and settings\Gość\Pulpit
2009-03-01 11:12 . 2009-03-01 11:12 <DIR> dr------- c:\documents and settings\Gość\Moje dokumenty
2009-03-01 11:12 . 2009-03-01 11:12 <DIR> dr------- c:\documents and settings\Gość\Moje dokumenty
2009-03-01 11:12 . 2008-05-01 09:30 <DIR> dr------- c:\documents and settings\Gość\Menu Start
2009-03-01 11:12 . 2008-05-01 09:30 <DIR> dr------- c:\documents and settings\Gość\Menu Start
2009-03-01 11:12 . 2009-03-01 11:12 <DIR> d-------- c:\documents and settings\Gość\Dane aplikacji\Nowe Gadu-Gadu
2009-03-01 11:12 . 2008-05-01 09:30 <DIR> dr-h----- c:\documents and settings\Gość\Dane aplikacji
2009-03-01 11:12 . 2008-05-01 09:30 <DIR> dr-h----- c:\documents and settings\Gość\Dane aplikacji
2009-03-01 11:12 . 2009-03-01 11:12 <DIR> d-------- c:\documents and settings\Gość
2009-02-28 19:41 . 2008-05-01 09:38 <DIR> d-------- c:\program files\AviSynth 2.5
2009-02-26 18:58 . 2009-02-26 18:58 <DIR> d-------- c:\documents and settings\Arek\Dane aplikacji\Nowe Gadu-Gadu
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-14 21:20 --------- d-----w c:\program files\SHOUTcast Radio Toolbar
2009-02-14 21:20 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\SHOUTcast Radio Toolbar
2009-02-13 15:31 --------- d-----w c:\program files\ArtMoney
2009-02-01 14:43 --------- d-----w c:\documents and settings\Arek\Dane aplikacji\BitTorrent
2009-02-01 14:41 --------- d-----w c:\program files\DNA
2009-02-01 14:41 --------- d-----w c:\program files\BitTorrent
2009-02-01 14:41 --------- d-----w c:\documents and settings\Arek\Dane aplikacji\DNA
2009-02-01 13:50 --------- d-----w c:\program files\FileZilla FTP Client
2009-02-01 13:50 --------- d-----w c:\documents and settings\Arek\Dane aplikacji\FileZilla
2009-01-28 17:55 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\nView_Profiles
2009-01-27 20:09 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-01-27 20:09 --------- d--h--r c:\documents and settings\Arek\Dane aplikacji\SecuROM
2009-01-27 19:33 --------- d-----w c:\program files\MSBuild
2009-01-27 19:30 --------- d-----w c:\program files\Reference Assemblies
2009-01-24 18:20 --------- d-----w c:\program files\ATITool
2009-01-24 18:13 --------- d-----w c:\program files\NVIDIA Corporation
2009-01-24 18:13 --------- d-----w c:\program files\AGEIA Technologies
2009-01-24 18:03 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-24 12:05 --------- d-----w c:\documents and settings\Arek\Dane aplikacji\InstallShield
2009-01-07 10:28 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-07-08 13:30 32 ------w c:\documents and settings\All Users\Dane aplikacji\ezsid.dat
2008-06-16 09:08 0 ------w c:\documents and settings\Arek\mohaabof.exe
2004-10-01 14:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{14f0d511-36a2-41ca-ae01-ba4f87282c97}"= "c:\program files\SHOUTcast Radio Toolbar\shoutcasttb.dll" [2008-09-17 1275176]

[HKEY_CLASSES_ROOT\clsid\{14f0d511-36a2-41ca-ae01-ba4f87282c97}]
[HKEY_CLASSES_ROOT\SHOUTcastTb.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{8613efdf-b530-4b1d-b970-b09f99977813}]
[HKEY_CLASSES_ROOT\SHOUTcastTb.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedX"="c:\progra~1\MyPortal\Speed-X\SpeedX.exe" [2006-06-27 46718]
"NBJ"="c:\program files\ahead\nero backitup\nbj.exe" [2005-06-02 1957888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="c:\program files\Vtune\TBPanel.exe" [2007-06-26 2158592]
"BootSkin Startup Jobs"="c:\progra~1\STARDOCK\WINCUS~1\BOOTSKIN\BootSkin.exe" [2004-04-26 270336]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-06 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-06 86016]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-02-05 81000]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2009-02-06 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoWelcomeScreen"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2009-02-01 15:41 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootSkin Startup Jobs]
--a------ 2004-04-26 16:21 270336 c:\program files\Stardock\WinCustomize\BootSkin\BootSkin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-11-08 23:00 128920 d:\daemon tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
--a------ 2009-01-01 16:21 207680 c:\program files\Gigabyte\ET5\GUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2005-07-08 16:25 1397760 c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-22 21:20 155648 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-12-08 17:35 32768 c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 01:06 487424 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"InCDsrv"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"aswUpdSv"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"Diskeeper"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\EA GAMES\\MOHAA\\MOHAA.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"d:\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-20 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-21 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-21 20560]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2008-12-11 3575808]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
S3 cpuz;cpuz;\??\c:\documents and settings\Arek\Pulpit\cpuz.sys --> c:\documents and settings\Arek\Pulpit\cpuz.sys [?]
S3 MarkFun_NT;MarkFun_NT;c:\program files\Gigabyte\ET5\MARKFUN.W32 [2008-07-04 17912]
S3 MouseCap;MouseCapture Driver;c:\windows\system32\drivers\MouseCap.sys [2005-08-08 6640]
S3 PAC207;PC Camera;c:\windows\system32\drivers\PFC027.SYS [2007-05-29 508160]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);c:\windows\system32\drivers\se46bus.sys [2008-05-23 61536]
S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;c:\windows\system32\drivers\se46mdfl.sys [2008-05-23 9360]
S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;c:\windows\system32\drivers\se46mdm.sys [2008-05-23 97088]
S3 se46mgmt;Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\se46mgmt.sys [2008-05-28 88624]
S3 se46nd5;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se46nd5.sys [2008-06-02 18704]
S3 se46obex;Sony Ericsson Device 070 USB WMC OBEX Interface;c:\windows\system32\drivers\se46obex.sys [2008-05-24 86432]
S3 se46unic;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se46unic.sys [2008-05-28 90800]
S3 w200bus;Sony Ericsson W200 driver (WDM);c:\windows\system32\drivers\w200bus.sys [2008-08-24 61504]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;c:\windows\system32\drivers\w200mdfl.sys [2008-09-14 9328]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;c:\windows\system32\drivers\w200mdm.sys [2008-09-14 97056]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w200mgmt.sys [2008-10-12 88560]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;c:\windows\system32\drivers\w200obex.sys [2008-10-12 86368]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69e1275d-9ded-11dd-883a-4d6564696130}]
\Shell\AutoRun\command - G:\2fiji.com
\Shell\explore\Command - G:\2fiji.com
\Shell\open\Command - G:\2fiji.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8832ff32-28ca-11dd-8655-4d6564696130}]
\Shell\AutoRun\command - H:\dbrxubcw.com
\Shell\open\Command - H:\dbrxubcw.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8832ff33-28ca-11dd-8655-4d6564696130}]
\Shell\AutoRun\command - m9ma.exe
\Shell\explore\Command - m9ma.exe
\Shell\open\Command - m9ma.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8dd25bfa-71cb-11dd-87a4-4d6564696130}]
\Shell\AutoRun\command - G:\u9dyi.exe
\Shell\explore\Command - G:\u9dyi.exe
\Shell\open\Command - G:\u9dyi.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8dd25bfb-71cb-11dd-87a4-4d6564696130}]
\Shell\AutoRun\command - H:\u9dyi.exe
\Shell\explore\Command - H:\u9dyi.exe
\Shell\open\Command - H:\u9dyi.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{995fbde2-1b94-11dd-8621-4d6564696130}]
\Shell\AutoRun\command - H:\m9ma.exe
\Shell\explore\Command - H:\m9ma.exe
\Shell\open\Command - H:\m9ma.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc9f0a9e-7db8-11dd-87c7-4d6564696130}]
\Shell\AutoRun\command - I:\jm3cx96.bat
\Shell\open\Command - I:\jm3cx96.bat
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe
MSConfigStartUp-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
MSConfigStartUp-DmwClient - c:\program files\DMW Client 3\dmwclient.exe
MSConfigStartUp-ICQ - d:\icq6\ICQ.exe
MSConfigStartUp-StartCCC - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe

.
------- Skan uzupełniający -------
.
uStart Page = hxxp://start.icq.com/
IE: &SHOUTcast Search - c:\documents and settings\All Users\Dane aplikacji\SHOUTcast Radio Toolbar\ieToolbar\resources\en-US\local\search.html
FF - ProfilePath - c:\documents and settings\Arek\Dane aplikacji\Mozilla\Firefox\Profiles\8fm7yv9w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50-ff-shoutcast-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50-ff-shoutcast-ab-en-us&query=
FF - plugin: d:\mozilla firefox\plugins\np-mswmp.dll
FF - plugin: d:\mozilla firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 13:21:41
Windows 5.1.2600 Dodatek Service Pack 3 FAT NTAPI

skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MarkFun_NT]
"ImagePath"="\??\c:\program files\Gigabyte\ET5\markfun.w32"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-1801674531-926492609-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:6e,95,c3,cd,5c,f9,64,bd,9f,63,ec,78,c0,e9,c5,69,26,e1,69,8e,0e,
 2e,9a,12,51,91,1e,a4,da,d7,3c,d6,ca,da,fb,5e,5d,97,c2,6f,31,37,4a,c3,70,9b,\
"rkeysecu"=hex:a3,87,61,76,bf,f9,fa,17,d4,14,dc,1a,09,f3,01,a4
.
Czas ukończenia: 2009-03-22 13:22:30
ComboFix-quarantined-files.txt 2009-03-22 12:22:30

Przed: 5 879 316 480 bajtów wolnych
Po: 5,943,721,984 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

278

Edited 22 March 2009 by Arekak
Kolobos, posted 22 March 2009

Why didn't you post the ComboFix log? Also, logs go in a spoiler; fix your post.
Kolobos, posted 22 March 2009

Plug in the infected media and use Flash Disinfector.

Use CFScript.txt with ComboFix:

Folder::
C:\FOUND.008
C:\FOUND.007

File::
c:\documents and settings\Arek\mohaabof.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69e1275d-9ded-11dd-883a-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8832ff32-28ca-11dd-8655-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8832ff33-28ca-11dd-8655-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8dd25bfa-71cb-11dd-87a4-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8dd25bfb-71cb-11dd-87a4-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{995fbde2-1b94-11dd-8621-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc9f0a9e-7db8-11dd-87c7-4d6564696130}]

DDS::
FF - ProfilePath - c:\documents and settings\Arek\Dane aplikacji\Mozilla\Firefox\Profiles\8fm7yv9w.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: keyword.URL -

When that is done, lock access to the mountpoints2 key in the registry.
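The Registry:: section above was written by hand from the mountpoints2 blocks in the ComboFix log. As an added example that is not part of the thread and not ComboFix's or the helper's own tooling, this Python script parses that section of a log, flags every drive GUID whose shell verbs (AutoRun/open/explore) launch an executable, and generates the same [-key] deletion lines; the sample log is constructed here from entries in the post plus one harmless entry, and the function names are chosen for this example.

```python
"""Flag hijacked MountPoints2 entries in a ComboFix log and emit CFScript lines.

Added example for this thread, not ComboFix's or the helper's own code. The
worm in the log above persists by storing shell verbs under
HKCU\\...\\Explorer\\MountPoints2\\{guid}, so Explorer re-runs the dropper
when a removable drive is opened. This parses that section and builds the
'Registry::' deletion block that the CFScript in the reply lists by hand.
"""
import re

MOUNTPOINTS2 = r"software\microsoft\windows\currentversion\explorer\mountpoints2"

# Key header as ComboFix prints it: [HKEY_CURRENT_USER\...\mountpoints2\{guid}]
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER\\" + re.escape(MOUNTPOINTS2) + r"\\\{[0-9a-f-]{36}\})\]$",
    re.IGNORECASE,
)
# Verb line as ComboFix prints it: \Shell\AutoRun\command - G:\2fiji.com
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.IGNORECASE)

# File types a drive's shell verb should never launch (autorun-worm pattern)
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js")

# Constructed sample in ComboFix's format: two entries taken from the log in
# the post above plus one harmless entry made up here to exercise the filter.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69e1275d-9ded-11dd-883a-4d6564696130}]
\Shell\AutoRun\command - G:\2fiji.com
\Shell\explore\Command - G:\2fiji.com
\Shell\open\Command - G:\2fiji.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc9f0a9e-7db8-11dd-87c7-4d6564696130}]
\Shell\AutoRun\command - I:\jm3cx96.bat
\Shell\open\Command - I:\jm3cx96.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000001}]
\Shell\open\Command - F:\readme.txt
"""


def parse_mountpoints2(log_text):
    """Return {key_path: {verb: target}} for every MountPoints2 block found."""
    entries, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries[current] = {}
            continue
        verb = VERB_RE.match(line)
        if current and verb:
            entries[current][verb.group(1).lower()] = verb.group(2)
        elif not line or line.startswith("["):
            current = None  # blank line or an unrelated key ends the block
    return entries


def is_hijacked(verbs):
    """True if any shell verb of the drive launches an executable file."""
    return any(target.lower().endswith(EXEC_EXT) for target in verbs.values())


def hijacked_keys(entries):
    """Key paths whose verbs were rewritten by the worm, in log order."""
    return [key for key, verbs in entries.items() if is_hijacked(verbs)]


def cfscript_registry_block(entries):
    """CFScript 'Registry::' section deleting each hijacked key ('[-key]')."""
    keys = hijacked_keys(entries)
    if not keys:
        return ""
    return "Registry::\n" + "\n".join(f"[-{key}]" for key in keys) + "\n"


if __name__ == "__main__":
    found = parse_mountpoints2(SAMPLE_LOG)
    for key, verbs in found.items():
        status = "HIJACKED" if is_hijacked(verbs) else "ok"
        print(f"{status:8} {key.split(chr(92))[-1]} -> {sorted(set(verbs.values()))}")
    print(cfscript_registry_block(found), end="")
```

Feeding a real ComboFix log to parse_mountpoints2 produces one block per drive GUID; a second pass that writes a deny ACE on the mountpoints2 key (the helper's final step) would be done with regedit or a Windows ACL tool, not from this script.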
Arekak, posted 22 March 2009

Thanks, I did everything you wrote.