Awda2.exe after amvo

It sees awda2.exe files on every drive. I removed amvo with the CFScript from one of the earlier posts, someone had the same trojan. Now it doesn't see that one anymore, but the problem is with these awda files. I know absolutely nothing about any of this, so if it turns out the computer is eating itself, please don't laugh :P Here is the ComboFix log.

ComboFix 08-04-18.3 - Logan 2008-04-20 16:09:38.4 - FAT32 x86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.504 [GMT 2:00]

Running from: C:\Documents and Settings\Logan\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))

.

2008-04-20 15:03 . 2008-04-20 15:03

2008-04-20 15:03 . 2008-04-20 15:03

2008-04-20 14:32 . 2008-04-20 14:32

2008-04-20 14:32 . 2008-04-20 14:32

2008-04-20 14:32 . 2008-04-20 15:10 10,880 --a------ C:\WINDOWS\system32\drivers\pxark.sys

2008-04-16 11:56 . 2008-01-23 18:43 107,528 -r-hs---- C:\awda2.exe

2008-04-15 14:28 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe

2008-04-12 12:17 . 2008-04-12 12:17 63,880 --a------ C:\WINDOWS\system32\{46a6d792-4adc-cb61-1a73-a0fee555ff4d}.dll-uninst.exe

2008-04-07 14:39 . 2008-04-07 14:39 329,728 --a------ C:\WINDOWS\system32\{46a6d792-4adc-cb61-1a73-a0fee555ff4d}.dll

2008-04-05 10:37 . 2008-04-05 10:37

2008-04-02 20:05 . 2008-04-02 20:05

2008-03-30 13:16 . 2008-03-30 13:16

2008-03-29 12:52 . 2008-03-29 12:52

2008-03-20 17:16 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys

2008-03-14 22:56 --------- d-----w C:\Program Files\Common Files\DAZ

2008-03-09 10:05 --------- d-----w C:\Program Files\AnswerWorks 4.0

2008-03-09 10:01 --------- d-----w C:\Documents and Settings\Logan\Dane aplikacji\Autodesk

2008-03-09 10:01 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Autodesk

2008-03-09 10:00 --------- d-----w C:\Program Files\Common Files\Autodesk Shared

2008-03-09 10:00 --------- d-----w C:\Program Files\Autodesk

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll

2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll

2008-02-20 05:38 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-02-16 22:35 3,080,704 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll

2008-02-15 09:23 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe

2008-01-21 15:26 679,936 ----a-w C:\WINDOWS\system32\xvidcore.dll

2008-01-21 15:26 155,648 ----a-w C:\WINDOWS\system32\xvidvfw.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{efcc8272-3b7a-2836-17a5-8355e0d05e5f}]

2008-04-07 14:39 329728 --a------ C:\WINDOWS\system32\{46a6d792-4adc-cb61-1a73-a0fee555ff4d}.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

"Gadu-Gadu"="C:\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-08 11:06 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-31 08:35 7634944]

"nwiz"="nwiz.exe" [2006-10-31 08:35 1622016 C:\WINDOWS\system32\nwiz.exe]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19 52840]

"CorelDRAW Graphics Suite 11b"="" []

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-21 15:39 77824]

"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-31 08:35 86016]

"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 12:54 16116224 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]

"NWEReboot"="" []

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

Przyspieszenie uruchomienia programu AutoCAD.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 16:18:22 10872]

Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-04-15 14:30:18 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\LimeWire\LimeWire.exe"=

"D:\BitSpirit\BitSpirit.exe"=

"G:\3d\monitor.exe"=

"G:\3d\manager.exe"=

"G:\3d\server.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"19150:TCP"= 19150:TCP:BitComet 19150 TCP

"19150:UDP"= 19150:UDP:BitComet 19150 UDP

R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-04-20 15:10]

R2 CSIScanner;CSIScanner;"C:\Program Files\PrevxCSI\PrevxCSI.exe" /service []

S3 autorun;autorun;c:\huadio.tmp []

S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-07-23 18:56]

*Newly Created Service* - CSISCANNER

*Newly Created Service* - ERASERUTILDRV10741

.

Contents of the 'Scheduled Tasks' folder

"2008-04-18 18:00:02 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Logan.job"

- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exef/TASK:

"2008-04-20 12:58:10 C:\WINDOWS\Tasks\Norton Security Scan.job"

- C:\Program Files\Norton Security Scan\Nss.exe

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-20 16:10:38

Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

"ImagePath"="\??\G:\L][\system\npkcrypt.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\autorun]

"ImagePath"="\??\c:\huadio.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npkcrypt]

"ImagePath"="\??\G:\L][\system\npkcrypt.sys"

.

Completion time: 2008-04-20 16:10:59

ComboFix2.txt 2008-04-20 13:03:16

ComboFix-quarantined-files.txt 2008-04-20 14:10:56

Pre-Run: 3,347,357,696 bytes free

Post-Run: 3,495,583,744 bytes free

127 --- E O F --- 2008-04-09 15:27:54
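A first triage pass over the log above, written as an added example for this page (it is not part of the thread and not something either poster ran). It picks out the four things a helper scans for first in a log like this: a hidden+system executable in a drive root (the `C:\awda2.exe` entry), a service whose image is a `.tmp` file (the `autorun` service pointing at `c:\huadio.tmp`), Security Center anti-virus alerts suppressed (`AntiVirusDisableNotify=1`), and the XP firewall switched off (`EnableFirewall=0`). The indicator list and the regular expressions are this example's own assumptions about the ComboFix 08-04 line layout shown above; the sample lines are copied from the log, with a few benign entries kept as contrast. A hit is a lead to look at, not a verdict.

```python
"""Heuristic triage of a ComboFix log (added example, not part of the thread).

Surfaces the things a helper would look at first in the log above:
  * a hidden+system executable sitting in a drive root (the awda2.exe pattern),
  * a service whose image is a .tmp file (the "autorun" service above),
  * Security Center anti-virus alerts suppressed (AntiVirusDisableNotify=1),
  * the XP firewall switched off (EnableFirewall=0 in the standard profile).
The indicator list and the regexes are this example's assumptions about the
ComboFix 08-04 line layout; a hit is a lead to investigate, not a verdict.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # short indicator name
    detail: str  # path, value or service that triggered it


# "Files Created" entry: two timestamps, size, nine-character attribute field, path.
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+[\d,]+\s+([-a-zA-Z]{9})\s+(.+)$"
)
# Service entry: "R0 name;display;image [timestamp]", with an empty "[]" when unknown.
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?) \[(?P<stamp>[^\]]*)\]$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")   # X:\file with no subdirectory


def image_path(image: str) -> str:
    """Strip command-line arguments from a service image ('"C:\\x.exe" /svc' -> 'C:\\x.exe')."""
    image = image.strip()
    if image.startswith('"'):
        end = image.find('"', 1)
        return image[1:end] if end > 0 else image[1:]
    return image.split(" ", 1)[0]


def reg_int(data: str):
    """Integer value of a ComboFix registry data field ('dword:00000001' or '0 (0x0)')."""
    data = data.strip().lower()
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = re.match(r"^(\d+)", data)
    return int(m.group(1)) if m else None


def triage(log_text: str) -> list:
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            # 'h' and 's' in the attribute field mean hidden + system; autorun worms
            # drop such files (next to an autorun.inf) in the root of every drive.
            if "h" in attrs and "s" in attrs and DRIVE_ROOT_RE.match(path):
                findings.append(Finding("hidden+system file in drive root", path))
            continue
        m = SERVICE_RE.match(line)
        if m:
            image = image_path(m.group("image"))
            if image.lower().endswith(".tmp"):
                findings.append(Finding("service image is a .tmp file", f"{m.group('name')} -> {image}"))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group("name"), reg_int(m.group("data"))
            if "security center" in current_key and name == "AntiVirusDisableNotify" and value == 1:
                findings.append(Finding("Security Center AV alerts disabled", f"{name}={value}"))
            # DisableMonitoring=1 under ...\Monitoring\<Vendor> is left alone: suites
            # such as Norton set it themselves to stop duplicate Security Center alerts.
            if current_key.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall" and value == 0:
                findings.append(Finding("Windows Firewall disabled (standard profile)", f"{name}={value}"))
    return findings


# Constructed sample: lines copied from the log above; the IsUninst, pxark and
# gdrv entries are benign contrast that must not be flagged.
SAMPLE_LOG = r"""
2008-04-16 11:56 . 2008-01-23 18:43 107,528 -r-hs---- C:\awda2.exe
2008-04-15 14:28 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-04-20 15:10]
S3 autorun;autorun;c:\huadio.tmp []
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-07-23 18:56]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run against the sample it reports the four indicators and nothing for the benign lines. The `DisableMonitoring` values under the Symantec keys are deliberately not flagged: a third-party suite sets those itself when it registers with Security Center, so they say nothing on their own, whereas `AntiVirusDisableNotify` and `EnableFirewall=0` were not set by anything legitimate listed in this log.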

Disable System Restore on all drives: http://support.microsoft.com/kb/310405/pl

Open Notepad and paste

Save it as CFScript.txt (save it so that the CFScript.txt icon sits next to the ComboFix.exe icon) >> drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri … iemoes.gif

The removal should start.

Then post the ComboFix removal log.

Do the startup optimisation: http://cybertrash.netarteria.pl/cyber/index.php/topic,378.0.html

Manually delete the folder C:\Qoobox and delete the ComboFix installer from the disk.

Scan the My Computer area with http://www.kaspersky.pl/virusscanner.html and post the report; the page has to be opened in IE.

Turn System Restore back on.

:)

Change in the rules for pasting logs on the forum - viewtopic.php?f=16&t=213350