Chinese virus? Analysis of an HT log


(Tramall) #1

Hello

I'm new here, so hello everyone. To the point: while cleaning my brother's computer I picked up some weird junk. A file efsdf.exe appeared on every partition; of course it can't be deleted. AVG identifies it as: Trojan horse Downloader.Generic6.AGCV. The individual drives can't be opened, and strange gibberish entries appeared in the right-click menu. Google points to some Chinese sites. I'd be grateful for an analysis of the log and help removing this garbage; below is the HijackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 18:50:19, on 2008-09-23

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Gigabyte\ET5\GUI.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Creative\Shared Files\CamTray.exe

C:\urve\PreviewServer.exe

C:\urve\Apache2\bin\apache.exe

C:\urve\Apache2\bin\apache.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\EloSrvce.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\urve\bin\mysqld-nt.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\VoipDiscount.com\VoipDiscount\VoipDiscount.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

D:\!!PORTABLE!!\SYSTEM\ANTYVIR\Trojan Remover 6.6.0.exe

D:\!!PORTABLE!!\SYSTEM\ANTYVIR\Scan & Repair Utilities 2007.exe

C:\DOCUME~1\Ja\USTAWI~1\Temp\4000007200043e6d7b222\Scan & Repair Utilities 2007 Active Monitor.exe

C:\Program Files\Gadu-Gadu\gg.exe

D:\!!PORTABLE!!\SYSTEM\ANTYVIR\HijackThis 1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe

O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [TweakMASTER] "D:\!!PORTABLE!!\SYSTEM\TWEAK\TweakMaster 2.04\TMTray.exe"

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"

O4 - HKCU\..\Run: [scan & Repair Utilities 2007 Active Monitor] "D:\!!PORTABLE!!\SYSTEM\ANTYVIR\Scan & Repair Utilities 2007 Active Monitor.exe"

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: CyberLinkVirtualPreview.lnk = C:\urve\PreviewServer.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O16 - DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} (ilhtrapp Object) - http://dvrlink.net/webdvr/webdvr2.5.10.2_32.0.0.0.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{55F8C8CC-EB68-4FF5-8485-E9E79B4B0244}: NameServer = 172.16.1.246 172.16.1.228

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,avgrsstx.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" -r (file missing)

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: EloSystemService - Elo Touchsystems - C:\WINDOWS\system32\EloSrvce.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: MySQL - Unknown owner - C:\urve\bin\mysqld-nt.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: FIM Speedway GP3 Drivers Auto Removal (pr2aq6eb) (pr2aq6eb) - Techland Sp.z o.o. - C:\WINDOWS\system32\pr2aq6eb.exe

O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\Win32\RpcDataSrv.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\RpcSandraSrv.exe

Regards

Below is the ComboFix log

http://wklejto.pl/10755


(Dmirecki) #2

Show the ComboFix log


(Tramall) #3

ComboFix: http://wklejto.pl/10755


(Dmirecki) #4

Paste into Notepad:

Windows Registry Editor Version 5.00


[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ADVXDWIN] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\alertsvc.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ALOGSERV] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\amon.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AMON9X] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\anti-trojan.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\antivir] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ANTS] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\arvmon.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ATCON] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ATUPDATER] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ATWATCH] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoGuarder.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoTrace] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVGCC32] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvgServ] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVGSERV9] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVGW] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avkpop] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvkServ] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avkservice] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avkwctl9] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avpmon.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avpnt.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Avrep32.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avsynmgr.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVWINNT] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVXMONITOR9X] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVXMONITORNT] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVXQUAR] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVXW] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\BullGuard] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCAPP.EXE] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfgWiz] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfind.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\claw95ct.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\clrav.com] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CMGRDIAN] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CONNECTIONMONITOR] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CPDClnt] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CTRL] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\defalert] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\defscangui] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DEFWATCH] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DOORS] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dv95.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dv95_o.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EFINET32.EXE] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EFPEADM] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\espwatch.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ETRUSTCIPE] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EVPN] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EXPERT] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\f-agnt95.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\f-prot.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\f-prot95.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\f-stopw.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fameh32] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fch32] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fih32] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\findt2005.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fnrb32] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fp-win.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPROT95.EXE] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsaa] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsav32] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsgk32] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsm32] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsma32] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsmb32] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\gbmenu] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GBPOLL] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GENERICS] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GUARD] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IAMSTATS] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\icmoon.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\icssuppnt.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IsHelp.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ISRV95] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\jed.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\killhidepid.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kpf.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\LDPROMENU] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\LDSCAN] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\lockdownadvanced.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\lucomserver.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\LUSPT] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcafee] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCAGENT] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCMNHDLR] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCTOOL] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCUPDATE] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCVSRTE] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MCVSSHLD] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MGHTML] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MINILOG] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Monitor.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MPFSERVICE] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MWATCH] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\n32scan.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVENGNAVEX15] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navrunr.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navsched.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navw.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ndd32] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NeoWatchLog] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\netutils] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nisserv.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\notstart.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\npscheck] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\npssvc] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nsched32.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nspclean.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ntrtscan] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NTVDM] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NTXconfig] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NVSVC32] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NWService] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NWTOOL16] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\offguard.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\outpost.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PADMIN] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\padmin.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pav.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pavmail.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pavproxy] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pcciomon.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pccmain.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pccwin97] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pcntmon] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pcscan] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\per.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\perd.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pertsk.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\perupd.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pervac.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pervacd.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pfwagent.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pfwcon.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\POP3TRAP] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\POPROXY] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PORTMONITOR] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pqremove.com] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PROCESSMONITOR] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\procexp] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PROGRAMAUDITOR] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pview95] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pview95.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rapapp.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavCopy.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavStore.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ravt08.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\REALMON] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedt32.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rescue.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwolusr.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RTVSCN95] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RULAUNCH] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sbserv] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sfc.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\smartassistant.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SPYXX] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREngPS.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SS3EDIT] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SweepNet] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SWNETSUP] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SymProxySvc] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SYMTRAY] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\syscheck.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Syscheck2.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TAUMON] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TCM] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TDS-3]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\tds2-98.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\tds2-nt.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TFAK] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\th.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\th32.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\th32upd.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\thav.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\thd.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\thd32.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\thmail.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ToolsUp.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vbcmserv] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VbCons] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VCONTROL.EXE] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VET32.EXE] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vet98.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VIR-HELP]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VPC32] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VPTRAY] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VSMAIN] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vsmon] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vsscan40.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WATCHDOG]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\webscan.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WEBTRAP] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WGFE95] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WIMMUN32] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WrAdmin] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WrCtrl] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ZAP.EXE] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ZAPD.EXE] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ZAPPRG.EXE] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zapro.exe] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ZAPS.EXE] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ZCAP.EXE] 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zlclient.exe]

File => Save as type => All files => save it under the name FIX.reg

Boot into Safe Mode and run the FIX.reg file

Then boot normally into the system => Post a log from ComboFix + SilentRunners
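The .reg script above works by deleting subkeys under Image File Execution Options: a Debugger value placed under an executable's name there makes Windows start the named "debugger" instead of the program, which is how the listed security tools get silently prevented from running. The following is an added Python example, not code from the thread, that parses an exported copy of that key (the reg export command shown in its docstring is the standard Windows tool) and reports every Debugger value that does not point at a known debugger; the sample export, the path PLACEHOLDER_hijack.exe, the known-debugger list and all function names are this example's own constructions.

```python
r"""Audit an exported Image File Execution Options (IFEO) key for Debugger hijacks.
Added example, not code from the thread; input is .reg text as produced by
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
or a deletion script in the format posted above ([-KEY] lines)."""
import ntpath
import re
import sys

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Debuggers that Windows registers itself or that an administrator sets knowingly (constructed list).
KNOWN_DEBUGGERS = {"ntsd.exe", "drwtsn32.exe", "windbg.exe", "vsjitdebugger.exe", "procdump.exe"}
SECTION_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def load_reg(path):
    """reg export writes UTF-16LE with a BOM; hand-written .reg files are usually ANSI/UTF-8."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("utf-8", "replace")

def parse_reg(text):
    """Return [(key_path, is_deletion, {value_name: raw_data})] for a .reg script.
    [KEY] opens a section whose "name"=data lines follow; [-KEY] marks the key for deletion."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(2), m.group(1) == "-", {})
            sections.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[2][m.group("name")] = m.group("data")
    return sections

def unquote_sz(data):
    """Turn a quoted REG_SZ literal into a plain string; other value types are returned as-is."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data

def ifeo_image(key):
    """Image name if key is a direct IFEO subkey (compared case-insensitively), else None."""
    if key.lower().startswith(IFEO_PREFIX.lower() + "\\"):
        return key[len(IFEO_PREFIX) + 1:]
    return None

def audit_ifeo(text):
    """[(image_name, debugger_command)] for each IFEO subkey whose Debugger is not a known debugger."""
    findings = []
    for key, is_deletion, values in parse_reg(text):
        image = ifeo_image(key)
        if image is None or is_deletion or "Debugger" not in values:
            continue
        command = unquote_sz(values["Debugger"]).strip()
        # First executable on the command line, even when its path contains spaces.
        m = re.match(r'"?(.*?\.exe)', command, re.IGNORECASE)
        exe = ntpath.basename(m.group(1)).lower() if m else command.lower()
        if exe not in KNOWN_DEBUGGERS:
            findings.append((image, command))
    return findings

def deleted_images(text):
    """Image names whose IFEO subkey a [-KEY] script removes."""
    return [ifeo_image(k) for k, is_deletion, _ in parse_reg(text) if is_deletion and ifeo_image(k)]

# Constructed sample export: two hijacked entries and one legitimately registered debugger.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp]
"Debugger"="C:\\WINDOWS\\system32\\PLACEHOLDER_hijack.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe]
"Debugger"="C:\\WINDOWS\\system32\\PLACEHOLDER_hijack.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\" -g"
'''

# Constructed excerpt in the format of the removal script posted in the thread.
SAMPLE_FIX = r'''Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\procexp]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedt32.exe]
'''

if __name__ == "__main__":
    text = load_reg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for image, command in audit_ifeo(text):
        print(f"IFEO hijack: launching {image} runs {command}")
    print("unhooked by the posted fix:", deleted_images(SAMPLE_FIX))
```

Run it with the path of a real export as its only argument to audit a machine; without an argument it audits the constructed sample.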


(Tramall) #5

Hello

ComboFix log: http://wklej.org/id/6682/

Silent Runners log: http://wklej.org/id/6684/

Regards


(huber2t) #6

To disinfect the pendrive, use

Perlovg Removal Tool

Flash Disinfector

or format it

open Notepad and paste

From the Notepad menu -> File -> Save as -> change the file type from .txt to All files -> save it under the name Fix.reg

Run this file, then restart the computer

manually delete the folder C:\Qoobox and delete the ComboFix installer from the disk.

Clean the computer with CCleaner

Optimize the startup entries

Disable and re-enable System Restore on all drives. Instructions

Scan the whole computer with http://www.kaspersky.pl/virusscanner.html (run it through IE) and post its report on the forum

or

Dr.WEB CureIt!