For some time now I have had a problem with a virus. A while ago I got rid of it, but as you can see not for long. There are more and more of these infected files. My antivirus, G Data, can't deal with them; it doesn't even find them. What is going on here? How do I get rid of these viruses? Please help.
ComboFix log
ComboFix 08-11-04.02 - admin 2008-11-05 13:00:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.217 [GMT 1:00]
Run from: C:\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\i.exe
C:\itsduel.exe
C:\nq0cq.cmd
C:\pnt.com
c:\windows\system32\_004042_.tmp.dll
c:\windows\system32\_004043_.tmp.dll
c:\windows\system32\_004044_.tmp.dll
c:\windows\system32\_004045_.tmp.dll
c:\windows\system32\_004052_.tmp.dll
c:\windows\system32\_004053_.tmp.dll
c:\windows\system32\_004054_.tmp.dll
c:\windows\system32\_004055_.tmp.dll
c:\windows\system32\_004057_.tmp.dll
c:\windows\system32\_004058_.tmp.dll
c:\windows\system32\_004061_.tmp.dll
c:\windows\system32\_004062_.tmp.dll
c:\windows\system32\_004064_.tmp.dll
c:\windows\system32\_004065_.tmp.dll
c:\windows\system32\_004066_.tmp.dll
c:\windows\system32\_004068_.tmp.dll
c:\windows\system32\_004071_.tmp.dll
c:\windows\system32\_004072_.tmp.dll
c:\windows\system32\_004076_.tmp.dll
c:\windows\system32\_004077_.tmp.dll
c:\windows\system32\_004079_.tmp.dll
c:\windows\system32\_004082_.tmp.dll
c:\windows\system32\_004084_.tmp.dll
c:\windows\system32\_004085_.tmp.dll
c:\windows\system32\_004086_.tmp.dll
c:\windows\system32\_004087_.tmp.dll
c:\windows\system32\_004088_.tmp.dll
c:\windows\system32\_004091_.tmp.dll
c:\windows\system32\_004092_.tmp.dll
c:\windows\system32\_004093_.tmp.dll
c:\windows\system32\_004094_.tmp.dll
c:\windows\system32\_004095_.tmp.dll
c:\windows\system32\_004100_.tmp.dll
c:\windows\system32\8_exception.nls
c:\windows\system32\amvo.exe
c:\windows\system32\amvo0.dll
c:\windows\system32\amvo1.dll
c:\windows\system32\Bitkv1.dll
c:\windows\system32\ckvo.exe
c:\windows\system32\ckvo0.dll
c:\windows\system32\ckvo1.dll
c:\windows\system32\ckvo2.dll
C:\xih9.cmd
D:\08dgu.com
D:\a9.com
D:\Autorun.inf
D:\b.exe
D:\d.com
D:\itsduel.exe
D:\nq0cq.cmd
D:\pnt.com
D:\xih9.cmd
E:\08dgu.com
E:\a9.com
E:\Autorun.inf
E:\b.exe
E:\d.com
E:\itsduel.exe
E:\nq0cq.cmd
E:\pnt.com
E:\xih9.cmd
F:\08dgu.com
F:\a9.com
F:\Autorun.inf
F:\b.exe
F:\d.com
F:\itsduel.exe
F:\nq0cq.cmd
F:\pnt.com
F:\xih9.cmd
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_runtime
((((((((((((((((((((((((( Files created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.
2008-11-05 12:55 . 2008-11-05 12:55 3,024,895 -ra------ C:\ComboFix.exe
2008-11-05 12:27 . 2008-11-05 12:28
2008-11-05 12:27 . 2008-11-05 12:54 751 --a------ c:\windows\wincmd.ini
2008-11-05 12:27 . 2008-08-08 07:04 545 --a------ c:\windows\UC.PIF
2008-11-05 12:27 . 2008-08-08 07:04 545 --a------ c:\windows\RAR.PIF
2008-11-05 12:27 . 2008-08-08 07:04 545 --a------ c:\windows\PKZIP.PIF
2008-11-05 12:27 . 2008-08-08 07:04 545 --a------ c:\windows\PKUNZIP.PIF
2008-11-05 12:27 . 2008-08-08 07:04 545 --a------ c:\windows\NOCLOSE.PIF
2008-11-05 12:27 . 2008-08-08 07:04 545 --a------ c:\windows\LHA.PIF
2008-11-05 12:27 . 2008-08-08 07:04 545 --a------ c:\windows\ARJ.PIF
.
(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 11:29 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\G DATA
2008-09-26 17:00 45,768 ----a-w c:\windows\system32\drivers\MiniIcpt.sys
2008-09-26 17:00 41,928 ----a-w c:\windows\system32\drivers\GDTdiIcpt.sys
2008-09-26 17:00 32,072 ----a-w c:\windows\system32\drivers\HookCentre.sys
2008-09-26 17:00 --------- d-----w c:\program files\G DATA AntiVirus
2008-09-26 17:00 --------- d-----w c:\program files\Common Files\G DATA
2008-09-26 16:59 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-26 16:59 --------- d-----w c:\documents and settings\admin\Dane aplikacji\InstallShield
2008-09-26 16:47 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\EPSON
2008-09-26 16:45 --------- d--h--w c:\program files\Avago-HP
2008-09-26 16:45 --------- d-----w c:\program files\HP
2008-09-24 04:41 --------- d-----w c:\program files\VersalSoft
2008-09-24 04:41 --------- d-----w c:\program files\Universal
2008-09-23 18:11 103,570 --sh--r C:\je26200.com
2008-09-23 17:54 104,123 --sh--r C:\xlk9.com
2008-09-16 08:20 101,266 --sh--r C:\tknapl.exe
2008-09-15 16:48 99,286 --sh--r C:\rdsfk.com
2008-09-14 11:30 --------- d-----w c:\documents and settings\admin\Dane aplikacji\Gadu-Gadu
2008-09-14 11:25 --------- d-----w c:\program files\Gadu-Gadu
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and default, legitimate entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-03-02 15360]
"EPSON Stylus DX4400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE" [2007-03-01 180736]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-07-12 290816]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Samsung Common SM"="c:\windows\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 372736]
"AVKTray"="c:\program files\G DATA AntiVirus\AVKTray\AVKTray.exe" [2007-10-11 603720]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 c:\windows\system32\CTHELPER.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\system32\ctmp3.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
R2 AVKProxy;G DATA AntiVirus Proxy;c:\program files\Common Files\G DATA\AVKProxy\AVKProxy.exe [2007-10-11 714312]
R2 AVKService;G DATA Scheduler;c:\program files\G DATA AntiVirus\AVK\AVKService.exe [2007-09-27 407112]
R2 AVKWCtl;Strażnik AntiVirus;c:\program files\G DATA AntiVirus\AVK\AVKWCtl.exe [2007-10-08 1091144]
R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\system32\drivers\GDTdiIcpt.sys [2008-09-26 41928]
R3 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2008-09-26 45768]
R3 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2008-09-26 32072]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156d73e4-496c-11dc-8caa-ae6996d1728a}]
\Shell\AutoRun\command - H:\yew.bat
\Shell\explore\Command - H:\yew.bat
\Shell\open\Command - H:\yew.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23d60b6a-c9c0-11dc-8d06-a405f147e88b}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4755a9f8-8714-11dd-8dac-00b0c40059f3}]
\Shell\AutoRun\command - H:\i.exe
\Shell\explore\Command - H:\i.exe
\Shell\open\Command - H:\i.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa9c22c-ad79-11dc-8cec-c5e13a3fce8b}]
\shell\Setup\command - setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b83dd1e6-8a38-11dd-8dc1-00b0c40059f3}]
\Shell\AutoRun\command - H:\b.com
\Shell\explore\Command - H:\b.com
\Shell\open\Command - H:\b.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc7f12a1-218e-11dd-8d49-fa018591c58b}]
\Shell\AutoRun\command - tpfbusg.cmd
\Shell\explore\Command - tpfbusg.cmd
\Shell\open\Command - tpfbusg.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c89a53a6-4e70-11dd-8d6d-d5490983748a}]
\Shell\AutoRun\command - tpfbusg.cmd
\Shell\explore\Command - tpfbusg.cmd
\Shell\open\Command - tpfbusg.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8b968be-b842-11dc-8cf4-e921fe70668a}]
\shell\Setup\command - setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1ea89a6-1a3d-11dc-8c7c-e489bee79c8a}]
\shell\Setup\command - H:\setup.exe
.
.
------- Supplementary scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.pl/
O8 -: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 13:04:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\windows\system32\CTSVCCDA.EXE
c:\documents and settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\MsPMSPSv.exe
.
**************************************************************************
.
Completion time: 2008-11-05 13:09:29 - the machine was rebooted
ComboFix-quarantined-files.txt 2008-11-05 12:09:15
Before: 30,020,440,064 bytes free
After: 30,618,718,208 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
225 — E O F — 2008-09-22 01:08:18
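A triage script for logs like the one above, added here as an example; it is not part of the original post and not a ComboFix feature. Three things in this log matter for the "why does it keep coming back" question, and the script pulls each of them out: the same file names (autorun.inf, itsduel.exe, nq0cq.cmd, pnt.com, xih9.cmd) were removed from the roots of C:, D:, E: and F:, which is how an autorun worm replicates across every volume it can write to; the cached MountPoints2 handlers for several volume GUIDs redirect the AutoRun, open and explore verbs to H:\i.exe, H:\yew.bat, H:\b.com and tpfbusg.cmd, yet nothing was removed from H:, so the removable drive that gets mounted as H: was not plugged in during the run and still carries its payload; and the Security Center AntiVirusOverride value is 1, which suppresses Security Center's antivirus warnings and is worth checking after the cleanup. The SAMPLE_LOG is a constructed excerpt of the log in the post, so the paths, GUIDs and the English section banners are taken from there; the parsing functions are my own and assume the ComboFix layout shown (banner lines wrapped in parentheses, one path per line, `\Shell\<verb>\command - <target>` under each MountPoints2 key).

```python
"""Triage helper for a ComboFix log: what an autorun worm dropped, on which
volumes, and which volume the cached MountPoints2 handlers still point at.
Added example, not part of the original post or of ComboFix itself."""
import re
from collections import defaultdict

# Constructed excerpt of the log from the post above (abridged, same paths/GUIDs).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\i.exe
C:\itsduel.exe
C:\nq0cq.cmd
c:\windows\system32\amvo.exe
c:\windows\system32\amvo0.dll
D:\Autorun.inf
D:\itsduel.exe
D:\nq0cq.cmd
E:\Autorun.inf
E:\itsduel.exe
F:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4755a9f8-8714-11dd-8dac-00b0c40059f3}]
\Shell\AutoRun\command - H:\i.exe
\Shell\explore\Command - H:\i.exe
\Shell\open\Command - H:\i.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa9c22c-ad79-11dc-8cec-c5e13a3fce8b}]
\shell\Setup\command - setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc7f12a1-218e-11dd-8d49-fa018591c58b}]
\Shell\AutoRun\command - tpfbusg.cmd
"""

BANNER = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
DRIVE_PATH = re.compile(r"^(?P<drive>[A-Za-z]):\\(?P<rest>.*)$")
# Accept both "mountpoints2\{guid}" and the backslash-less form some forums show.
MOUNTPOINT = re.compile(r"mountpoints2\\?\{(?P<guid>[0-9a-f-]{36})\}\]$", re.I)
VERB_LINE = re.compile(r"^\\shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.I)


def sections(log):
    """Yield (banner name, non-empty lines) for each banner-delimited block."""
    name, buf = "header", []
    for line in log.splitlines():
        m = BANNER.match(line.strip())
        if m:
            yield name, buf
            name, buf = m.group("name"), []
        elif line.strip() and line.strip() != ".":
            buf.append(line.rstrip())
    yield name, buf


def deleted_paths(log):
    """Every drive-rooted path listed under the Deleted (Usunięto) banner."""
    for name, lines in sections(log):
        if name.lower() in ("deleted", "usunięto"):
            return [l for l in lines if DRIVE_PATH.match(l)]
    return []


def payloads_by_volume(paths):
    """{drive letter: set of lower-cased file names removed from it}."""
    vols = defaultdict(set)
    for p in paths:
        m = DRIVE_PATH.match(p)
        vols[m.group("drive").upper()].add(m.group("rest").rsplit("\\", 1)[-1].lower())
    return dict(vols)


def spreaders(vols, min_volumes=2):
    """File names removed from several volumes: the worm's replication set."""
    seen = defaultdict(set)
    for drive, names in vols.items():
        for n in names:
            seen[n].add(drive)
    return {n: sorted(d) for n, d in seen.items() if len(d) >= min_volumes}


def autorun_handlers(log):
    """Cached per-volume shell handlers: {volume GUID: {verb: command}}."""
    handlers, guid = {}, None
    for line in log.splitlines():
        line = line.strip()
        m = MOUNTPOINT.search(line)
        if m:
            guid = m.group("guid").lower()
            handlers.setdefault(guid, {})
            continue
        m = VERB_LINE.match(line)
        if m and guid:
            handlers[guid][m.group("verb").lower()] = m.group("cmd")
    return handlers


def hijacked_volumes(handlers):
    """GUIDs whose AutoRun verb was redirected; a plain install CD only sets Setup."""
    return {g: v["autorun"] for g, v in handlers.items() if "autorun" in v}


def uncleaned_drives(handlers, paths):
    """Drive letters the handlers point at from which ComboFix removed nothing."""
    cleaned = {DRIVE_PATH.match(p).group("drive").upper() for p in paths}
    referenced = set()
    for verbs in handlers.values():
        for cmd in verbs.values():
            m = DRIVE_PATH.match(cmd)
            if m:
                referenced.add(m.group("drive").upper())
    return sorted(referenced - cleaned)


def antivirus_override_set(log):
    """True when Security Center's AntiVirusOverride value is 1 in the log."""
    return bool(re.search(r'"AntiVirusOverride"=dword:0*1$', log, re.M))


if __name__ == "__main__":
    paths = deleted_paths(SAMPLE_LOG)
    handlers = autorun_handlers(SAMPLE_LOG)
    print("replicated across volumes:", spreaders(payloads_by_volume(paths)))
    print("AutoRun hijacks:", hijacked_volumes(handlers))
    print("drives referenced but never cleaned:", uncleaned_drives(handlers, paths))
    print("Security Center AV override set:", antivirus_override_set(SAMPLE_LOG))
```

Run against the full log in the post, `uncleaned_drives` returns only `H`, which is the practical takeaway: the stick that mounts as H: has to be plugged in (with autorun disabled) and cleaned, or it will reinfect C: the next time it is opened.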