Avast detected a virus in RAM - please help


(Jasiek13n) #1

Hello,

Avast detected a virus in my RAM; when it asks to restart the computer, the same message pops up again. Could I ask you to check the log and give further guidance on what I need to do about it?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:13:11, on 2008-07-03

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\HASPSrv.exe

C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

C:\PROGRA~1\NEOSTR~1\ComComp.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\PROGRA~1\NEOSTR~1\Watch.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\NIZIO\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM..\Run: [nwiz] nwiz.exe /install

O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM..\Run: [WHITNEY_S2P] C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe

O4 - HKLM..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKCU..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus ... nicode.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip..{59841478-553E-411D-B6AA-E4D01E679A01}: NameServer = 194.204.159.1 217.98.63.164

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: HASPSrv - ComArch - C:\WINDOWS\system32\HASPSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 5186 bytes


(huber2t) #2

Fix in HijackThis.

Show the log from ComboFix.


(Jasiek13n) #3

ComboFix 08-07-02.3 - NIZIO 2008-07-03 11:52:13.1 - FAT32 x86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.224 [GMT 2:00]

Running from: C:\Documents and Settings\NIZIO\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((( Files Created from 2008-06-03 to 2008-07-03 )))))))))))))))))))))))))))))))

.

2008-07-03 07:58 . 2008-07-03 07:58

2008-07-03 07:58 . 2008-07-03 07:58

2008-07-03 07:57 . 2008-07-03 07:57

2008-06-19 10:58 . 2008-06-19 10:58

2008-06-19 10:58 . 2008-06-19 10:58

2008-06-16 08:02 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys

2008-06-16 08:02 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\dllcache\bthport.sys

2008-06-14 09:43 . 2008-06-14 09:43

2008-06-12 07:42 . 2008-06-12 07:42

2008-06-11 12:33 . 2008-06-11 12:33

2008-06-03 12:35 . 2008-06-03 12:35

2008-06-03 08:07 . 2008-06-03 08:07

2008-06-03 08:06 . 2008-06-03 08:07

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-27 11:21 --------- d-----w C:\Program Files\Panda Security

2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe

2008-05-15 08:56 --------- d-----w C:\Program Files\Google

2008-05-15 08:49 --------- d-----w C:\Program Files\Java

2008-05-15 08:45 --------- d-----w C:\Program Files\Common Files\Java

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys

2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll

2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll

2008-04-21 07:04 662,016 ----a-w C:\WINDOWS\system32\wininet.dll

2008-04-21 07:04 662,016 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll

2008-04-17 10:52 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-09 21:06 7311360]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-09 21:06 86016]

"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 19:07 24576]

"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 19:07 20480]

"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 19:07 53248]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]

"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]

"WHITNEY_S2P"="C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe" [2006-03-27 07:35 229376]

"HP Software Update"="c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 15:41 49152]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]

"nwiz"="nwiz.exe" [2005-12-09 21:06 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]

"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-09-10 11:20:47 962661]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP LaserJet Director.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP LaserJet Director.lnk

backup=C:\WINDOWS\pss\HP LaserJet Director.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^NIZIO^Menu Start^Programy^Autostart^OpenOffice.org 2.0.lnk]

path=C:\Documents and Settings\NIZIO\Menu Start\Programy\Autostart\OpenOffice.org 2.0.lnk

backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^NIZIO^Menu Start^Programy^Autostart^Picture Motion Browser Media Check Tool.lnk]

path=C:\Documents and Settings\NIZIO\Menu Start\Programy\Autostart\Picture Motion Browser Media Check Tool.lnk

backup=C:\WINDOWS\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2007-09-20 15:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

--a------ 2007-07-09 09:39 2119104 C:\Program Files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]

--a------ 2007-03-23 13:20 227328 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

--a------ 2006-08-03 05:12 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\AvRack\rtlrack.exe"=

"C:\Program Files\Gadu-Gadu\gg.exe"=

"C:\Program Files\Common Files\Nero\Nero Web\SetupX.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]

R2 HASPSrv;HASPSrv;C:\WINDOWS\system32\HASPSrv.exe [2007-07-19 20:14]

S2 MSSQL$INSERTGT;SQL Server (INSERTGT);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sINSERTGT []

S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []

S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};C:\WINDOWS\TEMP\2A.tmp []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{cafe2547-7d50-11dc-a3d5-4d6564696130}]

\Shell\Auto\command - Cn911.exe

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{ff54c452-5fac-11dc-b86e-4d6564696130}]

\Shell\Auto\command - Cn911.exe

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

*Newly Created Service* - CATCHME

.

  • ORPHANS REMOVED - - - -

MSConfigStartUp-HP AutoIndexer - C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe

MSConfigStartUp-HP SchedIndexer - C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe

MSConfigStartUp-WinampAgent - C:\Program Files\Winamp\winampa.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-03 11:56:21

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services{DEF85C80-216A-43ab-AF70-1665EDBE2780}]

"ImagePath"="\??\C:\WINDOWS\TEMP\2A.tmp"

.

Completion time: 2008-07-03 11:57:13

ComboFix-quarantined-files.txt 2008-07-03 09:57:06

Pre-Run: 816,513,024 bajtów wolnych

Post-Run: 6,649,004,032 bajtów wolnych

127 --- E O F --- 2008-06-23 11:11:24

If you could, please write what I should do with this one and the previous one.
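The indicators the helpers act on in the ComboFix report above (a GUID-named driver whose image sits in C:\WINDOWS\TEMP, AutoRun commands under MountPoints2, and AntiVirusOverride set in Security Center) can be pulled out mechanically. The following Python triage script is an added example, not part of the thread or of ComboFix; the sample report it reads is constructed from lines in the shape of the one posted above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of the ComboFix report posted in this thread:
# two driver/service lines, the MountPoints2 AutoRun keys, the Security Center
# override and the service ImagePath, plus a benign Run entry as a control.
SAMPLE_LOG = r"""
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};C:\WINDOWS\TEMP\2A.tmp []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{cafe2547-7d50-11dc-a3d5-4d6564696130}]
\Shell\Auto\command - Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-09 21:06 7311360]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
"ImagePath"="\??\C:\WINDOWS\TEMP\2A.tmp"
"""

# "R1 name;display;path [date]" / "S3 ..." driver and service lines
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.+?)\s*\[")
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)
AUTORUN_CMD = re.compile(r"^\\Shell\\Auto(Run)?\\command", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    rule: str
    line: str


def triage(report: str) -> List[Finding]:
    """Walk a ComboFix-style report and flag the persistence indicators seen in the thread."""
    findings: List[Finding] = []
    current_key = ""  # most recent [HKEY_...] header, used as context for value lines
    for no, raw in enumerate(report.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        m = SERVICE_LINE.match(line)
        if m:
            _, name, path = m.groups()
            if TEMP_PATH.search(path):
                findings.append(Finding(no, "driver/service image lives in a Temp directory", line))
            elif GUID_NAME.match(name):
                findings.append(Finding(no, "driver/service named only by a GUID", line))
            continue
        if line.startswith('"ImagePath"=') and TEMP_PATH.search(line):
            findings.append(Finding(no, "service ImagePath points into a Temp directory", line))
        elif "mountpoints2" in current_key and AUTORUN_CMD.match(line):
            findings.append(Finding(no, "AutoRun command registered for a mounted volume (MountPoints2)", line))
        elif "security center" in current_key and line.startswith('"AntiVirusOverride"=dword:00000001'):
            findings.append(Finding(no, "Security Center antivirus monitoring overridden", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}\n    {f.line}")
```

A hit from any of these rules is a reason to look further, not proof on its own; in the thread the TEMP-resident service and the MBR infection were confirmed only by the mbr.exe and Dr.Web scans that follow.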


(Spandau) #4

Download ComboFix but do not run it; paste into Notepad:

Save the file as CFScript.txt; it is best if this file's icon sits next to the ComboFix.exe icon.

Drag and drop the CFScript.txt file onto the ComboFix.exe icon; removal should start. After that, post the log on the forum.

Manually delete the C:\Qoobox folder and delete the ComboFix installer from the disk.

Turn System Restore off and on for all drives. Instructions

Scan with this Dr.WEB CureIt! and post the report on the forum.


(Jasiek13n) #5

ComboFix 08-07-02.3 - NIZIO 2008-07-03 15:14:50.3 - FAT32 x86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.243 [GMT 2:00]

Running from: C:\Documents and Settings\NIZIO\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\NIZIO\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((( Files Created from 2008-06-03 to 2008-07-03 )))))))))))))))))))))))))))))))

.

2008-07-03 07:58 . 2008-07-03 07:58

2008-07-03 07:58 . 2008-07-03 07:58

2008-07-03 07:57 . 2008-07-03 07:57

2008-06-19 10:58 . 2008-06-19 10:58

2008-06-19 10:58 . 2008-06-19 10:58

2008-06-16 08:02 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys

2008-06-16 08:02 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\dllcache\bthport.sys

2008-06-12 07:42 . 2008-06-12 07:42

2008-06-03 08:07 . 2008-06-03 08:07

2008-06-03 08:06 . 2008-06-03 08:07

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-27 11:21 --------- d-----w C:\Program Files\Panda Security

2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe

2008-05-15 08:56 --------- d-----w C:\Program Files\Google

2008-05-15 08:49 --------- d-----w C:\Program Files\Java

2008-05-15 08:45 --------- d-----w C:\Program Files\Common Files\Java

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys

2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll

2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll

2008-04-21 07:04 662,016 ----a-w C:\WINDOWS\system32\wininet.dll

2008-04-21 07:04 662,016 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll

2008-04-17 10:52 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe

.

((((((((((((((((((((((((((((( snapshot@2008-07-03_11.56.45.76 )))))))))))))))))))))))))))))))))))))))))

.

  • 2008-07-03 09:48:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat

  • 2008-07-03 13:07:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat

  • 2008-07-03 13:09:06 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_530.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-09 21:06 7311360]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-09 21:06 86016]

"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 19:07 24576]

"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 19:07 20480]

"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 19:07 53248]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]

"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]

"WHITNEY_S2P"="C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe" [2006-03-27 07:35 229376]

"HP Software Update"="c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 15:41 49152]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]

"nwiz"="nwiz.exe" [2005-12-09 21:06 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]

"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-09-10 11:20:47 962661]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP LaserJet Director.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP LaserJet Director.lnk

backup=C:\WINDOWS\pss\HP LaserJet Director.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^NIZIO^Menu Start^Programy^Autostart^OpenOffice.org 2.0.lnk]

path=C:\Documents and Settings\NIZIO\Menu Start\Programy\Autostart\OpenOffice.org 2.0.lnk

backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^NIZIO^Menu Start^Programy^Autostart^Picture Motion Browser Media Check Tool.lnk]

path=C:\Documents and Settings\NIZIO\Menu Start\Programy\Autostart\Picture Motion Browser Media Check Tool.lnk

backup=C:\WINDOWS\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2007-09-20 15:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

--a------ 2007-07-09 09:39 2119104 C:\Program Files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]

--a------ 2007-03-23 13:20 227328 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

--a------ 2006-08-03 05:12 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\AvRack\rtlrack.exe"=

"C:\Program Files\Gadu-Gadu\gg.exe"=

"C:\Program Files\Common Files\Nero\Nero Web\SetupX.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]

R2 HASPSrv;HASPSrv;C:\WINDOWS\system32\HASPSrv.exe [2007-07-19 20:14]

S2 MSSQL$INSERTGT;SQL Server (INSERTGT);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sINSERTGT []

S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []

S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};C:\WINDOWS\TEMP\2A.tmp []

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-03 15:17:02

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services{DEF85C80-216A-43ab-AF70-1665EDBE2780}]

"ImagePath"="\??\C:\WINDOWS\TEMP\2A.tmp"

.

Completion time: 2008-07-03 15:17:53

ComboFix-quarantined-files.txt 2008-07-03 13:17:48

ComboFix3.txt 2008-07-03 09:57:16

ComboFix2.txt 2008-07-03 13:04:20

Pre-Run: 6,478,725,120 bajtów wolnych

Post-Run: 6,468,206,592 bajtów wolnych

123 --- E O F --- 2008-06-23 11:11:24

And what next??

On 03.07.2008 at 15:45 a post was appended by jasiek13n

Proces w pamięci: C:\WINDOWS\system32\services.exe:624;;BackDoor.MaosBoot;Zniszczony.;


(jessica) #6

1) Post the log from > mbr.exe > http://www.searchengines.pl/index.php?show...mp;#entry470953

http://www.searchengines.pl/index.php?s ... opic=31936

2) Paste into Notepad:

File::

C:\WINDOWS\TEMP\2A.tmp

C:\WINDOWS\Temp\bca4e2da.$$$

C:\WINDOWS\Temp\fa56d7ec.$$$


Driver::

{DEF85C80-216A-43ab-AF70-1665EDBE2780}


Registry::

[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]

>>File>>Save as... >>> CFScript

Drag and drop the CFScript.txt file onto ComboFix.exe

-->CFScript3.gif

Removal should start (and a log will be created).

Post the log that is created during the removal.

If it goes well, then: after the restart, manually delete the C:\Qoobox folder.

EDIT::

But paste the ComboFix log at:

http://wklej.org/

or at:

http://wklejto.pl/

and put only the link in your post.

jessi


(Gutek) #7

Follow this Topic and change the thread title to a specific one, otherwise it goes to the TRASH.

Regards, Gutek2222

Change of rules for pasting logs on the forum - viewtopic.php?f=16&t=253052


(Jasiek13n) #8

http://www.wklej.org/id/a2c7f0368d

So, how is it??


(huber2t) #9

Also do this

On 04.07.2008 at 10:07 a post was appended by huber2t

Log OK


(Jasiek13n) #10

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

MBR rootkit code detected !

malicious code @ sector 0x950e4c1 size 0x2c3 !

copy of MBR has been found in sector 62 !

MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.


(Spandau) #11

First scan with this Dr.WEB CureIt!

then use MBR.EXE again according to this instruction http://www.searchengines.pl/index.php?s ... ntry470953 and post the report


(Jasiek13n) #12

I am in the middle of the scan, but if Avast always reported this virus in RAM at every startup and now it no longer does, does that mean it may already be OK, or is it better to make sure?


(Spandau) #13

From this it follows that it is not OK yet, so scan the computer with what I gave you and then use MBR.EXE again. Boot into Safe Mode with Command Prompt and type

C:\mbr.exe -f


(Jasiek13n) #14

I will write out all the logs that were created, in order:

1.Proces w pamięci: C:\WINDOWS\system32\services.exe:588;;BackDoor.MaosBoot;Zniszczony.;

2.Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

MBR rootkit code detected !

malicious code @ sector 0x950e4c1 size 0x2c3 !

copy of MBR has been found in sector 62 !

MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

3.Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK


(Spandau) #15

It is OK


(Jasiek13n) #16

Thanks a lot!!