Trojan Tr/crypt.zpack.gen - Problem Ze Zwalczeniem Szkodnika

[kocjano]

Proszę o pomoc w pozbyciu się trojana o nazwie TR/Crypt.ZPACK.Gen

Próbowałem już kilku antywirusów i programów zwalczających spyware. Żaden niestety go nie usuwał skutecznie. Wirus pomimo usunięcia co jakiś czas odradza się. Nie czyni on widocznych szkód, ale wyskakujące co parę minut komunikaty od antywira o jego obecności są denerwujące.

Dzięki!

 

Podaję logi z ComboFixa i HiJacka:

 

 

ComboFix:

 

ComboFix 09-07-22.01 - profil 2009-07-22 22:36.1.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.511.322 [GMT 2:00]

Uruchomiony z: c:\documents and settings\profil\Pulpit\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

 

((((((((((((((((((((((((( Pliki utworzone od 2009-06-22 do 2009-07-22 )))))))))))))))))))))))))))))))

.

 

2009-07-22 20:29 . 2009-07-22 20:29 -------- d-----w- c:\program files\Trend Micro

2009-07-22 12:35 . 2009-07-22 12:35 -------- d-----w- c:\documents and settings\profil\Ustawienia lokalne\Dane aplikacji\stellarium

2009-07-22 12:25 . 2009-07-22 12:25 -------- d-----w- c:\documents and settings\profil\Dane aplikacji\Stellarium

2009-07-22 12:25 . 2009-07-22 12:25 -------- d-----w- c:\program files\Stellarium

2009-07-22 09:41 . 2001-10-26 15:29 5632 ----a-w- c:\windows\system32\ptpusb.dll

2009-07-22 09:41 . 2004-08-03 22:44 159232 ----a-w- c:\windows\system32\ptpusd.dll

2009-07-22 09:41 . 2004-08-03 20:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2009-07-22 09:41 . 2004-08-03 20:58 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys

2009-07-14 12:24 . 2009-07-14 12:24 -------- d-sh--w- C:\FOUND.001

2009-07-09 09:47 . 2009-07-09 09:47 -------- d-sh--w- C:\FOUND.000

2009-07-06 19:47 . 2009-07-06 19:47 -------- d-----w- c:\program files\Nowe Gadu-Gadu

2009-07-06 12:51 . 2009-06-22 15:05 3015544 ----a-w- c:\documents and settings\profil\Dane aplikacji\Simply Super Software\Trojan Remover\qfq8B.exe

2009-07-06 12:51 . 2006-06-19 11:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2009-07-06 12:51 . 2006-05-25 13:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2009-07-06 12:51 . 2005-08-25 23:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2009-07-06 12:51 . 2003-02-02 18:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2009-07-06 12:51 . 2002-03-05 23:00 75264 ----a-w- c:\windows\system32\unacev2.dll

2009-07-06 12:51 . 2009-07-06 12:51 -------- d-----w- c:\program files\Trojan Remover

2009-07-06 12:51 . 2009-07-06 12:51 -------- d-----w- c:\documents and settings\profil\Dane aplikacji\Simply Super Software

2009-07-06 12:51 . 2009-07-06 12:51 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Simply Super Software

2009-07-06 11:48 . 2009-07-06 11:48 -------- d-----r- c:\documents and settings\LocalService\Ulubione

2009-07-06 09:07 . 2004-08-03 21:08 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys

2009-07-06 08:49 . 2008-12-11 06:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-07-06 08:49 . 2009-07-06 08:49 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\TEMP

2009-07-06 08:49 . 2009-04-03 09:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-07-06 08:49 . 2008-12-18 10:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-07-06 08:49 . 2009-07-06 08:49 -------- d-----w- c:\program files\Common Files\PC Tools

2009-07-06 08:49 . 2008-12-10 09:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-07-06 08:49 . 2009-07-06 08:49 -------- d-----w- c:\program files\Spyware Doctor

2009-07-06 08:49 . 2009-07-06 08:49 -------- d-----w- c:\documents and settings\profil\Dane aplikacji\PC Tools

2009-07-06 08:49 . 2009-07-06 08:49 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\PC Tools

2009-07-06 08:45 . 2009-03-30 08:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-07-06 08:45 . 2009-03-24 14:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-07-06 08:45 . 2009-02-13 10:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-07-06 08:45 . 2009-02-13 10:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-07-06 08:45 . 2009-07-06 08:45 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Avira

2009-07-06 08:15 . 2009-07-06 08:15 -------- d-----w- c:\documents and settings\LocalService\Menu Start

2009-07-06 08:15 . 2009-07-06 08:15 16456 ----a-w- c:\documents and settings\profil\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2009-07-06 08:14 . 2009-07-06 08:14 -------- d-----w- c:\windows\system32\wbem\AutoRecover

2009-07-06 08:14 . 2009-07-06 08:14 -------- d-s---w- c:\windows\system32\Microsoft

2009-07-06 08:06 . 2004-08-03 22:44 221184 ----a-w- c:\windows\system32\wmpns.dll

2009-07-06 08:01 . 2004-08-03 22:43 516768 ------w- c:\windows\system32\ativvaxx.dll

2009-07-06 08:01 . 2004-08-03 22:43 32768 ------w- c:\windows\system32\ativtmxx.dll

2009-07-06 08:01 . 2004-08-03 22:42 6656 ------w- c:\windows\system32\kbdinmal.dll

2009-07-06 08:01 . 2004-08-03 21:07 46464 ------w- c:\windows\system32\drivers\gagp30kx.sys

2009-07-06 08:01 . 2004-08-03 20:59 11136 ------w- c:\windows\system32\drivers\sffdisk.sys

2009-07-06 08:01 . 2004-08-03 20:59 10240 ------w- c:\windows\system32\drivers\sffp_sd.sys

2009-07-06 08:01 . 2004-08-03 20:41 404990 ------w- c:\windows\system32\drivers\slntamr.sys

2009-07-06 08:01 . 2004-08-03 20:41 129535 ------w- c:\windows\system32\drivers\slnt7554.sys

2009-07-06 08:01 . 2004-08-03 20:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys

2009-07-06 08:01 . 2004-08-03 20:29 63488 ------w- c:\windows\system32\drivers\atinxsxx.sys

2009-07-06 08:01 . 2004-08-03 20:29 31744 ------w- c:\windows\system32\drivers\atinxbxx.sys

2009-07-06 08:01 . 2004-08-03 20:29 13824 ------w- c:\windows\system32\drivers\atinttxx.sys

2009-07-06 08:00 . 2009-07-06 08:00 -------- d-----w- c:\windows\ServicePackFiles

2009-07-06 07:52 . 2009-07-06 07:52 -------- d-----w- c:\documents and settings\profil\Dane aplikacji\Media Player Classic

2009-07-06 07:52 . 2004-08-03 20:43 15872 ----a-w- c:\windows\system32\spupdsvc.exe

2009-07-06 07:49 . 2009-07-06 07:49 -------- d-----w- c:\windows\EHome

2009-07-06 07:49 . 2009-07-06 07:49 -------- d-----w- c:\windows\ShellNew

2009-07-06 06:57 . 2009-07-06 06:57 -------- d-----w- c:\documents and settings\profil\Ustawienia lokalne\Dane aplikacji\ACDSee

2009-07-06 06:57 . 2009-07-06 06:57 -------- d-----w- c:\documents and settings\profil\Dane aplikacji\ACD Systems

2009-07-06 06:54 . 2009-07-06 06:54 -------- d-----w- c:\program files\Common Files\ACD Systems

2009-07-06 06:54 . 2009-07-06 06:54 -------- d-----w- c:\program files\ACD Systems

2009-07-06 06:54 . 2009-07-06 06:54 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\ACD Systems

2009-07-06 06:54 . 2009-07-06 06:54 -------- d-----w- c:\windows\Downloaded Installations

2009-07-06 06:51 . 2009-07-06 06:51 -------- d-----w- c:\program files\Avira

2009-07-06 06:50 . 2008-11-06 16:33 684032 ----a-w- c:\windows\system32\divx.dll

2009-07-06 06:45 . 2004-03-02 14:37 125184 ------w- c:\windows\system32\drivers\imagesrv.sys

2009-07-06 06:45 . 2004-03-02 14:37 5504 ------w- c:\windows\system32\drivers\imagedrv.sys

2009-07-06 06:45 . 2000-06-26 08:45 106496 ----a-w- c:\windows\system32\TwnLib20.dll

2009-07-06 06:45 . 2004-07-26 14:16 476320 ------w- c:\windows\system32\ImagXpr7.dll

2009-07-06 06:45 . 2004-07-26 14:16 471040 ------w- c:\windows\system32\ImagXRA7.dll

2009-07-06 06:45 . 2004-07-26 14:16 262144 ------w- c:\windows\system32\ImagXR7.dll

2009-07-06 06:45 . 2009-07-06 06:45 -------- d-----w- c:\program files\Common Files\Ahead

2009-07-06 06:45 . 2004-07-26 14:16 1568768 ------w- c:\windows\system32\ImagX7.dll

2009-07-06 06:45 . 2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

2009-07-06 06:45 . 2009-07-06 06:45 -------- d-----w- c:\program files\Ahead

2009-07-06 06:43 . 2008-09-16 19:23 168448 ----a-w- c:\windows\system32\unrar.dll

2009-07-06 06:43 . 2008-12-07 18:08 795648 ----a-w- c:\windows\system32\xvidcore.dll

2009-07-06 06:43 . 2008-12-07 18:08 130048 ----a-w- c:\windows\system32\xvidvfw.dll

2009-07-06 06:43 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll

2009-07-06 06:43 . 2008-12-11 00:33 86016 ----a-w- c:\windows\system32\dpl100.dll

2009-07-06 06:43 . 2008-11-06 16:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll

2009-07-06 06:43 . 2009-02-09 18:56 67584 ----a-w- c:\windows\system32\ff_vfw.dll

2009-07-06 06:43 . 2009-07-06 06:43 -------- d-----w- c:\program files\K-Lite Codec Pack

 

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-06 08:16 . 2001-10-26 14:15 49492 ----a-w- c:\windows\system32\perfc015.dat

2009-07-06 08:16 . 2001-10-26 14:15 355486 ----a-w- c:\windows\system32\perfh015.dat

2009-07-06 08:10 . 2009-03-16 19:01 86327 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat

2009-06-22 03:53 . 2009-06-22 03:53 37376 ----a-w- c:\documents and settings\profil\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll

2009-06-22 03:04 . 2009-06-22 03:04 11264 ----a-w- c:\documents and settings\profil\Dane aplikacji\Nowe Gadu-Gadu\_userdata\npgg.1.dll

2009-07-22 15:11 . 2009-03-16 19:39 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2004-08-03 22:44 . 2001-10-26 14:49 164746 --sh--r- c:\windows\system32\gowbgsx.dll

.

 

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-02-19 1262888]

 

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]

[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ares"="c:\program files\Ares\Ares.exe" [2008-12-16 887808]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WinFast Schedule"="c:\program files\WinFast\WFTVFM\WFWIZ.exe" [2003-09-29 155648]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-06-01 1059720]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"2536:TCP"= 2536:TCP:pmttdihi

 

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-07-06 130936]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-07-06 108289]

R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2009-03-17 81356]

R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2009-03-17 39182]

R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys [2009-03-17 9804]

R3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [2009-03-17 6085]

S2 bvgscsde;Microsoft Installer;c:\windows\system32\svchost.exe -k netsvcs [2001-10-26 14336]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-07-06 348752]

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

bvgscsde

lsfowagm

.

.

------- Skan uzupełniający -------

.

IE: &Winamp Search - c:\documents and settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

FF - ProfilePath - c:\documents and settings\profil\Dane aplikacji\Mozilla\Firefox\Profiles\4xvxg21s.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - [www.pajacyk.pl]

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=

FF - component: c:\documents and settings\profil\Dane aplikacji\Mozilla\Firefox\Profiles\4xvxg21s.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

FF - plugin: c:\documents and settings\profil\Dane aplikacji\Nowe Gadu-Gadu\_userdata\npgg.1.dll

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [http://www.gmer.net]

Rootkit scan 2009-07-22 22:38

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

 

skanowanie ukrytych procesów ...

 

skanowanie ukrytych wpisów autostartu ...

 

skanowanie ukrytych plików ...

 

skanowanie pomyślnie ukończone

ukryte pliki: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bvgscsde]

"ServiceDll"="c:\windows\system32\gowbgsx.dll"

--

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lsfowagm]

"ServiceDll"="c:\windows\system32\gowbgsx.dll"

.

Czas ukończenia: 2009-07-22 22:38

ComboFix-quarantined-files.txt 2009-07-22 20:38

 

Przed: 1 002 848 256 bajtów wolnych

Po: 1 053 749 248 bajtów wolnych

 

180

 

 

Hijack:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:30:17, on 2009-07-22

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Ares\Ares.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\System32\CTSvcCDA.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\ACD Systems\ACDSee\7.0\ACDSee7.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [go.microsoft.com/fwlink/?LinkId=69157]

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [go.microsoft.com/fwlink/?LinkId=54896]

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [go.microsoft.com/fwlink/?LinkId=54896]

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: IEPluginBHO - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\Documents and Settings\profil\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

 

--

End of file - 4310 bytes

Edytowane 25 Lipca 2009 przez kocjano

[Kolobos]

Masz Conficker'a. Zainstaluj latke ze strony MS oraz zamknij otwarte porty przy pomocy wwdc.exe

 

Uzyj CFScript.txt z combofix:

 

Folder::

C:\FOUND.001

C:\FOUND.000

 

File::

c:\windows\system32\gowbgsx.dll

 

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"2536:TCP"=-

 

NetSvcs::

bvgscsde

lsfowagm

 

Driver::

bvgscsde

lsfowagm

[kocjano]

co to za łatka?

proszę o więcej szczegółów, bo nie wiem o co chodzi ani skąd to wziąć.

[Kolobos]

Wpisz w google: Conficker Microsoft to sie dowiesz.

[kocjano]

Zrobiłem skaner programem, który powinien usunąć m. in. tego confickera, ale nic nie znalazł. Wykonałem ten CFScript w ComboFixie, a to cholerstwo o nazwie TR/Crypt.ZPACK.Gen dalej wyskakuje.

[Kolobos]

Moze w koncu napiszesz gdzie DOKLADNIE wykrywa ten zainfekowany plik oraz jaka ma nazwe?

Daj tez log z combofix, ktory sie utworzyl po uzyciu CFScript.txt.

 

 

 

Ps. Nie miales uzywac programow tylko zainstalowac aktualizacje.

Edytowane 25 Lipca 2009 przez Kolobos

[kocjano]

Oto log z Combofixa:

 

ComboFix 09-07-22.01 - profil 2009-07-25 21:21.2.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.511.212 [GMT 2:00]

Uruchomiony z: c:\documents and settings\profil\Pulpit\ComboFix.exe

Użyto następujących komend :: c:\documents and settings\profil\Pulpit\CFScript.txt.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

 

FILE ::

"c:\windows\system32\gowbgsx.dll"

.

 

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\FOUND.000

c:\found.000\FILE0000.CHK

 

.

((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_BVGSCSDE

-------\Legacy_LSFOWAGM

-------\Service_bvgscsde

-------\Service_lsfowagm

 

 

((((((((((((((((((((((((( Pliki utworzone od 2009-06-25 do 2009-07-25 )))))))))))))))))))))))))))))))

.

 

2009-07-24 21:29 . 2009-07-24 21:29 -------- d--h--w- c:\windows\PIF

2009-07-24 13:01 . 2009-07-24 13:01 -------- d-----w- c:\documents and settings\profil\Ustawienia lokalne\Dane aplikacji\Identities

2009-07-24 12:47 . 2009-07-24 12:47 -------- d-----w- c:\program files\PowerQuest

2009-07-24 12:14 . 2009-07-24 12:25 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2009-07-24 12:12 . 2009-07-24 12:12 -------- d-----w- c:\program files\ANI

2009-07-24 12:12 . 2004-07-27 09:20 36864 ----a-w- c:\windows\system32\ANIOApi.dll

2009-07-24 12:12 . 2004-07-27 09:20 28205 ----a-w- c:\windows\system32\ANIO.sys

2009-07-24 12:12 . 2004-07-27 09:20 11904 ----a-w- c:\windows\system32\anio4.sys

2009-07-22 20:29 . 2009-07-22 20:29 -------- d-----w- c:\program files\Trend Micro

2009-07-22 12:35 . 2009-07-22 12:35 -------- d-----w- c:\documents and settings\profil\Ustawienia lokalne\Dane aplikacji\stellarium

2009-07-22 12:25 . 2009-07-22 12:25 -------- d-----w- c:\documents and settings\profil\Dane aplikacji\Stellarium

2009-07-22 12:25 . 2009-07-22 12:25 -------- d-----w- c:\program files\Stellarium

2009-07-22 09:41 . 2001-10-26 15:29 5632 ----a-w- c:\windows\system32\ptpusb.dll

2009-07-22 09:41 . 2004-08-03 22:44 159232 ----a-w- c:\windows\system32\ptpusd.dll

2009-07-22 09:41 . 2004-08-03 20:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2009-07-22 09:41 . 2004-08-03 20:58 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys

2009-07-06 19:47 . 2009-07-06 19:47 -------- d-----w- c:\program files\Nowe Gadu-Gadu

2009-07-06 12:51 . 2009-06-22 15:05 3015544 ----a-w- c:\documents and settings\profil\Dane aplikacji\Simply Super Software\Trojan Remover\qfq8B.exe

2009-07-06 12:51 . 2006-06-19 11:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2009-07-06 12:51 . 2006-05-25 13:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2009-07-06 12:51 . 2005-08-25 23:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2009-07-06 12:51 . 2003-02-02 18:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2009-07-06 12:51 . 2002-03-05 23:00 75264 ----a-w- c:\windows\system32\unacev2.dll

2009-07-06 12:51 . 2009-07-06 12:51 -------- d-----w- c:\program files\Trojan Remover

2009-07-06 12:51 . 2009-07-06 12:51 -------- d-----w- c:\documents and settings\profil\Dane aplikacji\Simply Super Software

2009-07-06 12:51 . 2009-07-06 12:51 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Simply Super Software

2009-07-06 11:48 . 2009-07-06 11:48 -------- d-----r- c:\documents and settings\LocalService\Ulubione

2009-07-06 09:07 . 2004-08-03 21:08 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys

2009-07-06 08:49 . 2008-12-11 06:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-07-06 08:49 . 2009-07-06 08:49 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\TEMP

2009-07-06 08:49 . 2009-04-03 09:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-07-06 08:49 . 2008-12-18 10:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-07-06 08:49 . 2009-07-06 08:49 -------- d-----w- c:\program files\Common Files\PC Tools

2009-07-06 08:49 . 2008-12-10 09:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-07-06 08:49 . 2009-07-06 08:49 -------- d-----w- c:\program files\Spyware Doctor

2009-07-06 08:49 . 2009-07-06 08:49 -------- d-----w- c:\documents and settings\profil\Dane aplikacji\PC Tools

2009-07-06 08:49 . 2009-07-06 08:49 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\PC Tools

2009-07-06 08:45 . 2009-03-30 08:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-07-06 08:45 . 2009-03-24 14:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-07-06 08:45 . 2009-02-13 10:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-07-06 08:45 . 2009-02-13 10:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-07-06 08:45 . 2009-07-06 08:45 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Avira

2009-07-06 08:15 . 2009-07-06 08:15 -------- d-----w- c:\documents and settings\LocalService\Menu Start

2009-07-06 08:15 . 2009-07-06 08:15 16456 ----a-w- c:\documents and settings\profil\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2009-07-06 08:14 . 2009-07-06 08:14 -------- d-----w- c:\windows\system32\wbem\AutoRecover

2009-07-06 08:14 . 2009-07-06 08:14 -------- d-s---w- c:\windows\system32\Microsoft

2009-07-06 08:06 . 2004-08-03 22:44 221184 ----a-w- c:\windows\system32\wmpns.dll

2009-07-06 08:01 . 2006-05-03 16:29 1408000 ----a-w- c:\windows\system32\ativvaxx.dll

2009-07-06 08:01 . 2004-08-03 22:43 32768 ------w- c:\windows\system32\ativtmxx.dll

2009-07-06 08:01 . 2004-08-03 22:42 6656 ------w- c:\windows\system32\kbdinmal.dll

2009-07-06 08:01 . 2004-08-03 21:07 46464 ------w- c:\windows\system32\drivers\gagp30kx.sys

2009-07-06 08:01 . 2004-08-03 20:59 11136 ------w- c:\windows\system32\drivers\sffdisk.sys

2009-07-06 08:01 . 2004-08-03 20:59 10240 ------w- c:\windows\system32\drivers\sffp_sd.sys

2009-07-06 08:01 . 2004-08-03 20:41 404990 ------w- c:\windows\system32\drivers\slntamr.sys

2009-07-06 08:01 . 2004-08-03 20:41 129535 ------w- c:\windows\system32\drivers\slnt7554.sys

2009-07-06 08:01 . 2004-08-03 20:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys

2009-07-06 08:01 . 2004-08-03 20:29 63488 ------w- c:\windows\system32\drivers\atinxsxx.sys

2009-07-06 08:01 . 2004-08-03 20:29 31744 ------w- c:\windows\system32\drivers\atinxbxx.sys

2009-07-06 08:01 . 2004-08-03 20:29 13824 ------w- c:\windows\system32\drivers\atinttxx.sys

2009-07-06 08:00 . 2009-07-06 08:00 -------- d-----w- c:\windows\ServicePackFiles

2009-07-06 07:52 . 2009-07-06 07:52 -------- d-----w- c:\documents and settings\profil\Dane aplikacji\Media Player Classic

2009-07-06 07:52 . 2004-08-03 20:43 15872 ----a-w- c:\windows\system32\spupdsvc.exe

2009-07-06 07:49 . 2009-07-06 07:49 -------- d-----w- c:\windows\EHome

2009-07-06 07:49 . 2009-07-06 07:49 -------- d-----w- c:\windows\ShellNew

2009-07-06 06:57 . 2009-07-06 06:57 -------- d-----w- c:\documents and settings\profil\Ustawienia lokalne\Dane aplikacji\ACDSee

2009-07-06 06:57 . 2009-07-06 06:57 -------- d-----w- c:\documents and settings\profil\Dane aplikacji\ACD Systems

2009-07-06 06:54 . 2009-07-06 06:54 -------- d-----w- c:\program files\Common Files\ACD Systems

2009-07-06 06:54 . 2009-07-06 06:54 -------- d-----w- c:\program files\ACD Systems

2009-07-06 06:54 . 2009-07-06 06:54 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\ACD Systems

2009-07-06 06:54 . 2009-07-06 06:54 -------- d-----w- c:\windows\Downloaded Installations

2009-07-06 06:51 . 2009-07-06 06:51 -------- d-----w- c:\program files\Avira

2009-07-06 06:50 . 2008-11-06 16:33 684032 ----a-w- c:\windows\system32\divx.dll

2009-07-06 06:45 . 2004-03-02 14:37 125184 ------w- c:\windows\system32\drivers\imagesrv.sys

2009-07-06 06:45 . 2004-03-02 14:37 5504 ------w- c:\windows\system32\drivers\imagedrv.sys

2009-07-06 06:45 . 2000-06-26 08:45 106496 ----a-w- c:\windows\system32\TwnLib20.dll

2009-07-06 06:45 . 2004-07-26 14:16 476320 ------w- c:\windows\system32\ImagXpr7.dll

2009-07-06 06:45 . 2004-07-26 14:16 471040 ------w- c:\windows\system32\ImagXRA7.dll

2009-07-06 06:45 . 2004-07-26 14:16 262144 ------w- c:\windows\system32\ImagXR7.dll

2009-07-06 06:45 . 2009-07-06 06:45 -------- d-----w- c:\program files\Common Files\Ahead

2009-07-06 06:45 . 2004-07-26 14:16 1568768 ------w- c:\windows\system32\ImagX7.dll

2009-07-06 06:45 . 2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

2009-07-06 06:45 . 2009-07-06 06:45 -------- d-----w- c:\program files\Ahead

2009-07-06 06:43 . 2008-09-16 19:23 168448 ----a-w- c:\windows\system32\unrar.dll

2009-07-06 06:43 . 2008-12-07 18:08 795648 ----a-w- c:\windows\system32\xvidcore.dll

2009-07-06 06:43 . 2008-12-07 18:08 130048 ----a-w- c:\windows\system32\xvidvfw.dll

2009-07-06 06:43 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll

2009-07-06 06:43 . 2008-12-11 00:33 86016 ----a-w- c:\windows\system32\dpl100.dll

2009-07-06 06:43 . 2008-11-06 16:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll

2009-07-06 06:43 . 2009-02-09 18:56 67584 ----a-w- c:\windows\system32\ff_vfw.dll

2009-07-06 06:43 . 2009-07-06 06:43 -------- d-----w- c:\program files\K-Lite Codec Pack

 

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-06 08:16 . 2001-10-26 14:15 49492 ----a-w- c:\windows\system32\perfc015.dat

2009-07-06 08:16 . 2001-10-26 14:15 355486 ----a-w- c:\windows\system32\perfh015.dat

2009-07-06 08:10 . 2009-03-16 19:01 86327 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat

2009-06-22 03:53 . 2009-06-22 03:53 37376 ----a-w- c:\documents and settings\profil\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll

2009-06-22 03:04 . 2009-06-22 03:04 11264 ----a-w- c:\documents and settings\profil\Dane aplikacji\Nowe Gadu-Gadu\_userdata\npgg.1.dll

2009-07-22 15:11 . 2009-03-16 19:39 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

.

 

((((((((((((((((((((((((((((( SnapShot@2009-07-22_20.38.13 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-25 19:24 . 2009-07-25 19:24 16384 c:\windows\Temp\Perflib_Perfdata_2ac.dat

+ 2009-07-24 21:37 . 2006-05-03 16:45 77824 c:\windows\system32\ReinstallBackups\0001\DriverFiles\Oemdspif.dll

+ 2009-07-24 21:37 . 2001-11-09 14:01 24064 c:\windows\system32\ReinstallBackups\0001\DriverFiles\ativcoxx.dll

+ 2009-07-24 21:37 . 2006-05-03 16:15 17408 c:\windows\system32\ReinstallBackups\0001\DriverFiles\atitvo32.dll

+ 2009-07-24 21:37 . 2006-05-03 16:43 53248 c:\windows\system32\ReinstallBackups\0001\DriverFiles\ATIDDC.DLL

+ 2009-07-24 21:37 . 2006-05-03 16:45 26112 c:\windows\system32\ReinstallBackups\0001\DriverFiles\Ati2mdxx.exe

+ 2009-07-24 21:37 . 2006-05-03 16:44 61440 c:\windows\system32\ReinstallBackups\0001\DriverFiles\ati2evxx.dll

+ 2009-07-24 21:37 . 2003-06-03 01:31 73728 c:\windows\system32\ReinstallBackups\0000\DriverFiles\Oemdspif.dll

+ 2009-07-24 21:37 . 2001-11-09 14:01 24064 c:\windows\system32\ReinstallBackups\0000\DriverFiles\ativcoxx.dll

+ 2009-07-24 21:37 . 2003-06-03 00:38 17408 c:\windows\system32\ReinstallBackups\0000\DriverFiles\atitvo32.dll

+ 2009-07-24 21:37 . 2003-06-03 01:31 77824 c:\windows\system32\ReinstallBackups\0000\DriverFiles\atipdlxx.dll

+ 2009-07-24 21:37 . 2003-06-03 01:29 73728 c:\windows\system32\ReinstallBackups\0000\DriverFiles\ATIDDC.DLL

+ 2009-07-24 21:37 . 2001-09-04 19:24 28672 c:\windows\system32\ReinstallBackups\0000\DriverFiles\Ati2mdxx.exe

+ 2009-07-24 21:37 . 2003-06-03 01:31 90112 c:\windows\system32\ReinstallBackups\0000\DriverFiles\ati2evxx.dll

+ 2003-06-03 01:31 . 2006-05-03 16:45 77824 c:\windows\system32\Oemdspif.dll

+ 2006-05-03 16:10 . 2006-05-03 16:10 40960 c:\windows\system32\drivers\ati2erec.dll

- 2003-06-03 00:38 . 2003-06-03 00:38 17408 c:\windows\system32\atitvo32.dll

+ 2003-06-03 00:38 . 2006-05-03 16:15 17408 c:\windows\system32\atitvo32.dll

+ 2003-06-03 01:29 . 2006-05-03 16:43 53248 c:\windows\system32\ATIDDC.DLL

+ 2001-09-04 19:24 . 2006-05-03 16:45 26112 c:\windows\system32\Ati2mdxx.exe

+ 2003-06-03 01:31 . 2006-05-03 16:44 61440 c:\windows\system32\ati2evxx.dll

+ 2006-05-03 16:45 . 2006-05-03 16:45 41984 c:\windows\system32\ati2edxx.dll

+ 2009-07-24 12:47 . 2009-07-24 12:47 22486 c:\windows\Installer\{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}\ARPPRODUCTICON.exe

+ 2002-09-16 15:14 . 2002-09-16 15:14 4228 c:\windows\system32\drivers\PQNTDRV.sys

+ 2009-07-24 21:37 . 2006-05-03 16:45 114688 c:\windows\system32\ReinstallBackups\0001\DriverFiles\atipdlxx.dll

+ 2009-07-24 21:37 . 2006-05-03 16:54 307200 c:\windows\system32\ReinstallBackups\0001\DriverFiles\atiiiexx.dll

+ 2009-07-24 21:37 . 2003-06-03 00:50 845728 c:\windows\system32\ReinstallBackups\0001\DriverFiles\ati3d1ag.dll

+ 2009-07-24 21:37 . 2003-06-03 01:30 282624 c:\windows\system32\ReinstallBackups\0001\DriverFiles\ati2evxx.exe

+ 2009-07-24 21:37 . 2003-06-03 01:41 301568 c:\windows\system32\ReinstallBackups\0001\DriverFiles\ati2dvag.dll

+ 2009-07-24 21:37 . 2003-06-03 03:52 278528 c:\windows\system32\ReinstallBackups\0000\DriverFiles\atiiiexx.dll

+ 2009-07-24 21:37 . 2003-06-03 00:50 845728 c:\windows\system32\ReinstallBackups\0000\DriverFiles\ati3d1ag.dll

+ 2009-07-24 21:37 . 2003-06-03 01:40 576512 c:\windows\system32\ReinstallBackups\0000\DriverFiles\ati2mtag.sys

+ 2009-07-24 21:37 . 2003-06-03 01:30 282624 c:\windows\system32\ReinstallBackups\0000\DriverFiles\ati2evxx.exe

+ 2009-07-24 21:37 . 2003-06-03 01:41 301568 c:\windows\system32\ReinstallBackups\0000\DriverFiles\ati2dvag.dll

+ 2003-06-03 01:31 . 2006-05-03 16:45 114688 c:\windows\system32\atipdlxx.dll

+ 2006-05-03 16:15 . 2006-05-03 16:15 151552 c:\windows\system32\atikvmag.dll

+ 2009-03-17 18:50 . 2006-05-03 16:54 307200 c:\windows\system32\atiiiexx.dll

+ 2006-04-28 20:05 . 2006-04-28 20:05 127614 c:\windows\system32\atiicdxx.dat

+ 2006-05-03 16:12 . 2006-05-03 16:12 286720 c:\windows\system32\ATIDEMGR.dll

+ 2009-03-17 18:50 . 2006-05-03 09:57 520192 c:\windows\system32\ati2sgag.exe

+ 2003-06-03 01:30 . 2006-05-03 16:43 413696 c:\windows\system32\ati2evxx.exe

+ 2003-06-03 01:41 . 2006-05-03 16:51 258048 c:\windows\system32\ati2dvag.dll

+ 2009-07-06 08:04 . 2006-05-03 16:09 282624 c:\windows\system32\ati2cqag.dll

+ 2002-09-16 15:16 . 2002-09-16 15:16 1357032 c:\windows\system32\XMNT2002.exe

+ 2009-07-24 21:37 . 2006-05-03 16:18 5033984 c:\windows\system32\ReinstallBackups\0001\DriverFiles\atioglxx.dll

+ 2009-07-24 21:37 . 2006-05-03 16:35 2693280 c:\windows\system32\ReinstallBackups\0001\DriverFiles\ati3duag.dll

+ 2009-07-24 21:37 . 2003-06-03 01:04 1033856 c:\windows\system32\ReinstallBackups\0001\DriverFiles\ati3d2ag.dll

+ 2009-07-24 21:37 . 2006-05-03 16:50 1540608 c:\windows\system32\ReinstallBackups\0001\DriverFiles\ati2mtag.sys

+ 2009-07-24 21:37 . 2003-06-03 02:29 4706304 c:\windows\system32\ReinstallBackups\0000\DriverFiles\atioglxx.dll

+ 2009-07-24 21:37 . 2003-06-03 01:21 1082112 c:\windows\system32\ReinstallBackups\0000\DriverFiles\ati3duag.dll

+ 2009-07-24 21:37 . 2003-06-03 01:04 1033856 c:\windows\system32\ReinstallBackups\0000\DriverFiles\ati3d2ag.dll

+ 2003-06-03 01:40 . 2006-05-03 16:50 1540608 c:\windows\system32\drivers\ati2mtag.sys

+ 2003-06-03 02:29 . 2006-05-03 16:18 5033984 c:\windows\system32\atioglxx.dll

+ 2006-05-03 16:21 . 2006-05-03 16:21 6684672 c:\windows\system32\atioglx1.dll

+ 2003-06-03 01:21 . 2006-05-03 16:35 2693280 c:\windows\system32\ati3duag.dll

+ 2009-07-24 12:47 . 2009-07-24 12:47 2262016 c:\windows\Installer\261f46.msi

.

-- Migawka wyzerowana --

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-02-19 1262888]

 

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]

[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ares"="c:\program files\Ares\Ares.exe" [2008-12-16 887808]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WinFast Schedule"="c:\program files\WinFast\WFTVFM\WFWIZ.exe" [2003-09-29 155648]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

 

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-07-06 130936]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-07-06 108289]

R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2009-03-17 81356]

R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2009-03-17 39182]

R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys [2009-03-17 9804]

R3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [2009-03-17 6085]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-07-06 348752]

.

.

------- Skan uzupełniający -------

.

IE: &Winamp Search - c:\documents and settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

FF - ProfilePath - c:\documents and settings\profil\Dane aplikacji\Mozilla\Firefox\Profiles\4xvxg21s.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.pajacyk.pl

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=

FF - component: c:\documents and settings\profil\Dane aplikacji\Mozilla\Firefox\Profiles\4xvxg21s.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

FF - plugin: c:\documents and settings\profil\Dane aplikacji\Nowe Gadu-Gadu\_userdata\npgg.1.dll

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-25 21:24

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

 

skanowanie ukrytych procesów ...

 

skanowanie ukrytych wpisów autostartu ...

 

skanowanie ukrytych plików ...

 

skanowanie pomyślnie ukończone

ukryte pliki: 0

 

**************************************************************************

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

 

- - - - - - - > 'winlogon.exe'(520)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Pozostałe uruchomione procesy ------------------------

.

c:\windows\SYSTEM32\ATI2EVXX.EXE

c:\windows\SYSTEM32\ATI2EVXX.EXE

c:\program files\AVIRA\ANTIVIR DESKTOP\AVGUARD.EXE

c:\windows\SYSTEM32\CTSVCCDA.EXE

c:\program files\JAVA\JRE6\BIN\JQS.EXE

c:\windows\SYSTEM32\WDFMGR.EXE

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Czas ukończenia: 2009-07-25 21:25 - komputer został uruchomiony ponownie

ComboFix-quarantined-files.txt 2009-07-25 19:25

 

Przed: 180 281 344 bajtów wolnych

Po: 161 775 616 bajtów wolnych

 

264

 

 

 

 

 

Pliki, w których wykrywany był trojan w przeciągu kilku ostatnich dni:

 

C:\WINDOWS\system32\x

C:\WINDOWS\system32\gowbgsx.dll

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\XP2HMAKH\jacee[1].gif

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\RTS4MQMO\czblvatb[1].gif

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\TZSMDNNN\wnxehtmo[1].jpg

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\RTS4MQMO\jmfs[1].png

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\RTS4MQMO\jmfs[1].jpg

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\TZSMDNNN\keapci[1].bmp

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\RTS4MQMO\fkhcfd[1].jpg

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\RTS4MQMO\xiwwlkmg[1].gif

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\TZSMDNNN\eoioemuy[1].jpg

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\RTS4MQMO\ikeewou[1].png

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\RTS4MQMO\vnmvymh[1].png

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\TZSMDNNN\qrifmjgq[1].bmp

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\RTS4MQMO\ylrmf[1].bmp

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\RTS4MQMO\bpqzz[1].gif

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\RTS4MQMO\heqzz[1].bmp

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\RTS4MQMO\ylrmf[1].bmp

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\RTS4MQMO\ctyji[1].jpg

 

Pierwsze dwa pliki zgłaszane były wielokrotnie. Pozostałe jednorazowo. Za każdym razem podczas detekcji pliki były usuwane.

[Kolobos]

Zrob skan przy pomocy Dr.Web CureIt oraz Malwarebytes Anti-Malware.

 

C:\WINDOWS\system32\x <- tego tez nie widac w logu

C:\WINDOWS\system32\gowbgsx.dll <- tego pliku juz nie ma.

 

Napisz w jakim DOKLADNIE pliku infekcja jest wykrywana TERAZ, a nie wczesniej.

[kocjano]

Od dwóch dni nie było żadnej detekcji.

Zrobiłem skany Dr.Web CureIt oraz Malwarebytes Anti-Malware - nic nie znalazły.

Najwyraźniej robal przepadł.

Kolobos, dzięki za pomoc!