What's going on with my computer and memory!

Avast detected that there is a virus in my computer's RAM, so I'm asking you for help!! I've already read many threads and I know more or less what's what, so I'm posting a HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:35:03, on 2008-08-16

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Alwil Software\Avast4\ashDisp.exe

C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe

C:\Program Files\Creative\Shared Files\CamTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\Program Files\AutoConnect\AutoConnect.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\PC Tools Firewall Plus\FWService.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Glary Utilities\Integrator.exe

C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe

C:\Program Files\Netropa\Onscreen Display\OSD.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MegauploadToolbar\megauploadtoolbar.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MegauploadToolbar\megauploadtoolbar.dll

O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM…\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM…\Run: [GrooveMonitor] “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”

O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon

O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”

O4 - HKLM…\Run: [avast!] “C:\Program Files\Alwil Software\Avast4\ashDisp.exe”

O4 - HKLM…\Run: [00PCTFW] “C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe” -s

O4 - HKCU…\Run: [Creative WebCam Tray] “C:\Program Files\Creative\Shared Files\CamTray.exe”

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe

O4 - HKCU…\Run: [DAEMON Tools Lite] “C:\Program Files\DAEMON Tools Lite\daemon.exe” -autorun

O4 - HKCU…\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra ‘Tools’ menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip…{D44DEA91-9907-42EE-9712-B236E2D94B8B}: NameServer = 213.241.79.37 83.238.255.76

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

O23 - Service: PSQOJ - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\Bartek\USTAWI~1\Temp\PSQOJ.exe

O23 - Service: PVMPXRI - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\Bartek\USTAWI~1\Temp\PVMPXRI.exe

End of file - 7251 bytes

Avast warns that I have a rootkit at c:\b3b9u.com, but I don't know if that's true, because I scanned the computer with anti-rootkit programs and they didn't report any rootkit. Every time I turn the computer on, Avast warns that a rootkit is sitting in the computer, and when I choose the ignore option (that is, the recommended one), a message pops up saying that a virus is sitting in RAM and that working on the computer is unsafe, and it offers me a restart and says it will scan during startup. When I accept its message, it scans the computer after the restart but detects nothing, and once the desktop and all the programs have loaded after the scan, it screams again that there's a virus in RAM and everything starts all over again!!!

HOW DO I REMOVE IT, and is what Avast says true!!

Remove these entries in HJT

Run HijackThis - Do a system scan only - the log will appear in the program window - tick the boxes next to the listed entries - click Fix checked

Download Combofix but don't run it; paste into Notepad:

Save the file as CFScript.txt, preferably so that this file's icon sits next to the ComboFix.exe icon

Drag and drop the CFScript.txt file onto the ComboFix.exe icon; the removal should start. After that, post the log on the forum.

Manually delete the C:\Qoobox folder and delete the Combofix installer from the disk.

OK, I did those fixes in HJT, and now I'm supposed to install Combofix and post the log here

Ahh, now I get it, the file in Notepad. Sorry for my stupidity.

ComboFix 08-08-14.05 - Bartek 2008-08-16 12:29:26.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.84 [GMT 2:00]

Running from: C:\Documents and Settings\Bartek\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\Bartek\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\DOCUME~1\Bartek\USTAWI~1\Temp\PSQOJ.exe

C:\DOCUME~1\Bartek\USTAWI~1\Temp\PVMPXRI.exe

C:\WINDOWS\system32\ckvo.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\autorun.inf

C:\b3b9u.com

C:\DOCUME~1\Bartek\USTAWI~1\Temp\PSQOJ.exe

C:\DOCUME~1\Bartek\USTAWI~1\Temp\PVMPXRI.exe

C:\Documents and Settings\Bartek\Cookies\bartek@a.amd[2].txt

C:\WINDOWS\system32\ckvo.exe

C:\WINDOWS\system32\ckvo0.dll

C:\WINDOWS\system32\ckvo1.dll

D:\1rfw8hjr.com

D:\Autorun.inf

D:\b3b9u.com

E:\1rfw8hjr.com

E:\Autorun.inf

E:\b3b9u.com

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PSQOJ

-------\Legacy_PVMPXRI

-------\Service_PSQOJ

-------\Service_PVMPXRI

((((((((((((((((((((((((( Files Created from 2008-07-16 to 2008-08-16 )))))))))))))))))))))))))))))))

.

2008-08-16 11:33 . 2008-08-16 11:33

2008-08-14 20:15 . 2008-08-14 18:13 89,901 -r-hs---- C:\t1ypkh.exe

2008-08-14 10:57 . 2008-08-14 14:56 250 --a------ C:\WINDOWS\gmer.ini

2008-08-14 10:00 . 2008-08-14 10:06

2008-08-13 19:15 . 2008-08-13 19:15

2008-08-13 19:14 . 2008-08-16 12:35

2008-08-13 19:13 . 2008-08-13 19:22

2008-08-13 19:13 . 2008-08-13 19:13

2008-08-13 19:13 . 2008-07-28 11:29 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys

2008-08-13 19:13 . 2008-07-17 16:53 93,952 --a------ C:\WINDOWS\system32\drivers\pctfw.sys

2008-08-13 19:13 . 2008-07-28 16:44 57,624 --a------ C:\WINDOWS\system32\drivers\FWAuthdriver.sys

2008-08-13 19:02 . 2008-08-13 19:03 636 --ahs---- C:\WINDOWS\system32\drivers\b931E.DAT

2008-08-13 19:02 . 2008-08-13 19:03 636 --ahs---- C:\WINDOWS\system32\drivers\9e81D.DAT

2008-08-13 19:02 . 2008-08-13 19:03 636 --ahs---- C:\WINDOWS\system32\drivers\0261C.DAT

2008-08-13 19:02 . 2008-08-13 19:02 196 --ahs---- C:\WINDOWS\system32\drivers\a861B.DAT

2008-08-13 19:02 . 2008-08-13 19:02 196 --ahs---- C:\WINDOWS\system32\drivers\2641A.DAT

2008-08-13 19:02 . 2008-08-13 19:02 196 --ahs---- C:\WINDOWS\system32\drivers\02619.DAT

2008-08-13 19:00 . 2008-08-13 19:00 2,021,790 --a------ C:\WINDOWS\system32\2a012.mht

2008-08-13 19:00 . 2008-08-13 19:00 185,824 --a------ C:\WINDOWS\system32\60813.sys

2008-08-13 18:52 . 2008-08-13 18:52 2,021,790 --a------ C:\WINDOWS\system32\b019.mht

2008-08-13 18:52 . 2008-08-13 18:52 185,824 --a------ C:\WINDOWS\system32\217A.sys

2008-08-13 18:45 . 2008-08-13 18:45

2008-08-11 14:08 . 2008-08-13 09:58

2008-08-11 11:02 . 2008-08-11 11:02

2008-08-11 11:02 . 2008-08-11 11:03

2008-08-11 10:18 . 2008-08-11 10:18

2008-07-24 17:12 . 2008-07-24 17:12

2008-07-24 17:12 . 2008-07-24 18:01

2008-07-24 17:12 . 2008-07-24 17:12

2008-07-19 16:59 . 2008-07-19 16:59

2008-07-19 16:58 . 2008-07-19 16:58

2008-07-18 09:38 . 2008-07-18 09:38

2008-07-18 09:37 . 2008-07-18 10:22 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll

2008-07-17 08:41 . 2008-07-17 08:41

2008-07-17 08:41 . 2008-07-17 08:41 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll

2008-07-17 08:40 . 2008-08-13 11:22

2008-07-16 17:10 . 2008-07-16 17:10 189 --a------ C:\WINDOWS\disneysy.ini

2008-07-16 17:10 . 2008-07-16 17:12 43 --a------ C:\WINDOWS\disney.ini

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-16 10:35 --------- d-----w C:\Program Files\AutoConnect

2008-08-13 17:34 --------- d-----w C:\Documents and Settings\Bartek\Dane aplikacji\Skype

2008-08-13 17:21 --------- d-----w C:\Documents and Settings\Bartek\Dane aplikacji\MegauploadToolbar

2008-08-13 12:08 --------- d-----w C:\Program Files\sXe Injected

2008-08-13 12:02 --------- d-----w C:\Program Files\MegauploadToolbar

2008-08-13 06:53 --------- d-----w C:\Documents and Settings\Bartek\Dane aplikacji\skypePM

2008-08-11 11:40 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-08-11 11:34 --------- d-----w C:\Documents and Settings\Bartek\Dane aplikacji\foobar2000

2008-07-17 06:34 --------- d-----w C:\Program Files\Azureus

2008-07-17 06:32 --------- d-----w C:\Documents and Settings\Bartek\Dane aplikacji\Azureus

2008-07-04 07:16 --------- d-----w C:\Program Files\ivo

2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2004-08-06 13:37 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Creative WebCam Tray”=“C:\Program Files\Creative\Shared Files\CamTray.exe” [2005-10-27 12:00 299008]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 02:44 15360]

“AutoConnect”=“C:\Program Files\AutoConnect\AutoConnect.exe” [2006-12-03 01:14 310784]

“DAEMON Tools Lite”=“C:\Program Files\DAEMON Tools Lite\daemon.exe” [2008-04-01 11:39 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“MULTIMEDIA KEYBOARD”=“C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe” [2002-07-25 02:45 167936]

“GrooveMonitor”=“C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe” [2006-10-27 01:47 31016]

“SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-03-23 12:06 888832]

“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 12:50 155648]

“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-01-11 22:16 39792]

“00PCTFW”=“C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe” [2008-07-29 08:42 2602904]

“SoundMan”=“SOUNDMAN.EXE” [2004-07-01 12:23 67584 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

“SynchronousMachineGroupPolicy”= 0 (0x0)

“SynchronousUserGroupPolicy”= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

“NoStrCmpLogical”= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

“NoSMBalloonTip”= 1 (0x1)

“MemCheckBoxInRunDlg”= 0 (0x0)

“NoAutoTrayNotify”= 0 (0x0)

“NoResolveTrack”= 0 (0x0)

“NoResolveSearch”= 1 (0x1)

“NoWelcomeScreen”= 1 (0x1)

“NoRecentDocsNetHood”= 1 (0x1)

“NoDesktopCleanupWizard”= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

“msacm.l3fhg”= mp3fhg.acm

“msacm.divxa32”= divxa32.acm

“VIDC.X264”= x264vfw.dll

“VIDC.HFYU”= huffyuv.dll

“vidc.i263”= i263_32.drv

“VIDC.YV12”= yv12vfw.dll

“VIDC.FFDS”= ffdshow.ax

“msacm.ac3filter”= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

“AntiVirusDisableNotify”=dword:00000001

“UpdatesDisableNotify”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

“DisableMonitoring”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE”=

“C:\Program Files\Microsoft Office\Office12\GROOVE.EXE”=

“C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE”=

“E:\Gry\Half-Life\hl.exe”=

“C:\Program Files\Gadu-Gadu\gg.exe”=

“E:\Tactical Ops\System\TacticalOps.exe”=

“E:\Gry\cs1.6\hl.exe”=

“E:\Gry\cs1.6\hlds.exe”=

“E:\Gry\Half-Life\The All-Seeing Eye\eye.exe”=

“E:\Gry\flatout 2\FlatOut2.exe”=

“E:\Gry\SecondLife\SLVoice.exe”=

“E:\Gry\cs 1.6v\hl.exe”=

“E:\Gry\cs 1.6v\hlds.exe”=

“C:\Program Files\Tlen.pl\tlen.exe”=

“C:\Program Files\SopCast\adv\SopAdver.exe”=

“C:\Program Files\SopCast\SopCast.exe”=

“E:\Gry\F1 2007\F1Challenge2007.exe”=

“E:\Gry\OperationFlashpoint\ofp.exe”=

“E:\Gry\F1 2008\F1 Challenge 2008.exe”=

“C:\Documents and Settings\Bartek\Pulpit\samp server\samp-server.exe”=

“C:\Program Files\BitComet\BitComet.exe”=

“E:\Gry\test driver unlimited\TestDriveUnlimited.exe”=

“E:\Gry\metin 2\metin2.bin”=

“C:\Program Files\Skype\Phone\Skype.exe”=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

“14935:TCP”= 14935:TCP:BitComet 14935 TCP

“14935:UDP”= 14935:UDP:BitComet 14935 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]

R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 10:02]

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-07-28 11:29]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]

R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 07:41]

R3 FWAuth;FWAuth Driver;C:\WINDOWS\system32\drivers\FWAuthDriver.sys [2008-07-28 16:44]

R3 V0260VID;Live! Cam Vista IM;C:\WINDOWS\system32\DRIVERS\V0260Vid.sys [2006-11-04 00:45]

S0 02619;02619;C:\WINDOWS\system32\drivers\02619.SYS []

S0 0261C;0261C;C:\WINDOWS\system32\drivers\0261C.SYS []

S1 2641A;2641A;C:\WINDOWS\system32\drivers\2641A.SYS []

S1 9e81D;9e81D;C:\WINDOWS\system32\drivers\9e81D.SYS []

S2 a861B;a861B;C:\WINDOWS\system32\drivers\a861B.SYS []

S2 b931E;b931E;C:\WINDOWS\system32\drivers\b931E.SYS []

S3 217A;217A;C:\WINDOWS\system32\217A.sys [2008-08-13 18:52]

S3 60813;60813;C:\WINDOWS\system32\60813.sys [2008-08-13 19:00]

S3 DarkSpy;DarkSpy;C:\WINDOWS\system32\DarkSpyKernel.sys []

S3 ddsxeiservice;ddsxeiservice2;C:\Program Files\sXe Injected\ddsxei.sys [2008-04-29 20:15]

S3 jfdcd;jfdcd;C:\DOCUME~1\Bartek\USTAWI~1\Temp\jfdcd.sys []

S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\A.tmp []

S3 RenameMe;RenameMe;C:\WINDOWS\system32\RenameMe.sys [2006-08-12 20:21]

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{ad80ab15-0faa-11dd-b83a-0018f6659a89}]

\Shell\AutoRun\command - I:\1rfw8hjr.com

\Shell\explore\Command - I:\1rfw8hjr.com

\Shell\open\Command - I:\1rfw8hjr.com

.

Contents of the ‘Scheduled Tasks’ folder

2008-08-16 C:\WINDOWS\Tasks\GlaryInitialize.job

  • C:\Program Files\Glary Utilities\initialize.exe [2008-03-25 21:44]

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-16 12:35:33

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

“ImagePath”="??\C:\WINDOWS\system32\A.tmp"

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\WINDOWS\system32\ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\PC Tools Firewall Plus\FWService.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Glary Utilities\Integrator.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Netropa\Multimedia Keyboard\Traymon.exe

C:\Program Files\Netropa\Onscreen Display\osd.exe

C:\WINDOWS\SoftwareDistribution\Download\c2931765f1055e791aa5f27823577013\update\update.exe

.

**************************************************************************

.

Completion time: 2008-08-16 12:39:58 - machine was rebooted

ComboFix-quarantined-files.txt 2008-08-16 10:39:18

Pre-Run: 5,782,216,704 bajtów wolnych

Post-Run: 5,736,701,952 bajtów wolnych

239 — E O F — 2008-08-13 12:53:38

Log from Combofix. Please give me further instructions.

Download Combofix but don't run it; paste into Notepad:

Save the file as CFScript.txt, preferably so that this file's icon sits next to the ComboFix.exe icon

Drag and drop the CFScript.txt file onto the ComboFix.exe icon; the removal should start. After that, post the log on the forum.

Manually delete the C:\Qoobox folder and delete the Combofix installer from the disk.

The same thing again, because I already did this once with Combofix

Yes, the script was created based on the Combofix log you posted.

:slight_smile:

And will I be repeating this many more times :-o

:smiley:

Until your system is free of viruses. I don't know how many more times.

:slight_smile:

While doing that thing in Combofix, a blue screen appeared with a serious system error and a physical memory dump or something like that, but I have the log, so I'm posting it.

ComboFix 08-08-15.04 - Bartek 2008-08-16 17:57:04.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.210 [GMT 2:00]

Running from: C:\Documents and Settings\Bartek\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\Bartek\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\DOCUME~1\Bartek\USTAWI~1\Temp\jfdcd.sys

C:\t1ypkh.exe

C:\WINDOWS\system32\217A.sys

C:\WINDOWS\system32\60813.sys

C:\WINDOWS\system32\A.tmp

D:\t1ypkh.exe

E:\t1ypkh.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\t1ypkh.exe

C:\WINDOWS\system32\217A.sys

C:\WINDOWS\system32\60813.sys

D:\t1ypkh.exe

E:\t1ypkh.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_DARKSPY

-------\Legacy_JFDCD

-------\Legacy_MEMSWEEP2

-------\Service_02619

-------\Service_0261C

-------\Service_2641A

-------\Service_9e81D

-------\Service_a861B

-------\Service_b931E

-------\Service_DarkSpy

-------\Service_jfdcd

-------\Service_MEMSWEEP2

-------\Legacy_217A

-------\Legacy_60813

-------\Service_217A

-------\Service_60813

((((((((((((((((((((((((( Files Created from 2008-07-16 to 2008-08-16 )))))))))))))))))))))))))))))))

.

2008-08-16 12:40 . 2008-08-16 12:40

2008-08-16 12:40 .

2008-08-16 12:40 .

2008-08-16 11:33 . 2008-08-16 11:33

2008-08-14 10:57 . 2008-08-14 14:56 250 --a------ C:\WINDOWS\gmer.ini

2008-08-14 10:00 . 2008-08-14 10:06

2008-08-13 19:15 . 2008-08-13 19:15

2008-08-13 19:14 . 2008-08-16 18:01

2008-08-13 19:13 . 2008-08-13 19:22

2008-08-13 19:13 . 2008-08-13 19:13

2008-08-13 19:13 . 2008-07-28 11:29 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys

2008-08-13 19:13 . 2008-07-17 16:53 93,952 --a------ C:\WINDOWS\system32\drivers\pctfw.sys

2008-08-13 19:13 . 2008-07-28 16:44 57,624 --a------ C:\WINDOWS\system32\drivers\FWAuthdriver.sys

2008-08-13 19:02 . 2008-08-13 19:03 636 --ahs---- C:\WINDOWS\system32\drivers\b931E.DAT

2008-08-13 19:02 . 2008-08-13 19:03 636 --ahs---- C:\WINDOWS\system32\drivers\9e81D.DAT

2008-08-13 19:02 . 2008-08-13 19:03 636 --ahs---- C:\WINDOWS\system32\drivers\0261C.DAT

2008-08-13 19:02 . 2008-08-13 19:02 196 --ahs---- C:\WINDOWS\system32\drivers\a861B.DAT

2008-08-13 19:02 . 2008-08-13 19:02 196 --ahs---- C:\WINDOWS\system32\drivers\2641A.DAT

2008-08-13 19:02 . 2008-08-13 19:02 196 --ahs---- C:\WINDOWS\system32\drivers\02619.DAT

2008-08-13 19:00 . 2008-08-13 19:00 2,021,790 --a------ C:\WINDOWS\system32\2a012.mht

2008-08-13 18:52 . 2008-08-13 18:52 2,021,790 --a------ C:\WINDOWS\system32\b019.mht

2008-08-13 18:45 . 2008-08-13 18:45

2008-08-11 14:08 . 2008-08-13 09:58

2008-08-11 11:02 . 2008-08-11 11:02

2008-08-11 11:02 . 2008-08-11 11:03

2008-08-11 10:18 . 2008-08-11 10:18

2008-07-24 17:12 . 2008-07-24 17:12

2008-07-24 17:12 . 2008-07-24 18:01

2008-07-24 17:12 . 2008-07-24 17:12

2008-07-19 16:59 . 2008-07-19 16:59

2008-07-19 16:58 . 2008-07-19 16:58

2008-07-18 09:38 . 2008-07-18 09:38

2008-07-18 09:37 . 2008-07-18 10:22 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll

2008-07-17 08:41 . 2008-07-17 08:41

2008-07-17 08:41 . 2008-07-17 08:41 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll

2008-07-17 08:40 . 2008-08-13 11:22

2008-07-16 17:10 . 2008-07-16 17:10 189 --a------ C:\WINDOWS\disneysy.ini

2008-07-16 17:10 . 2008-07-16 17:12 43 --a------ C:\WINDOWS\disney.ini

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-16 16:01 --------- d-----w C:\Program Files\AutoConnect

2008-08-13 17:34 --------- d-----w C:\Documents and Settings\Bartek\Dane aplikacji\Skype

2008-08-13 17:21 --------- d-----w C:\Documents and Settings\Bartek\Dane aplikacji\MegauploadToolbar

2008-08-13 12:08 --------- d-----w C:\Program Files\sXe Injected

2008-08-13 12:02 --------- d-----w C:\Program Files\MegauploadToolbar

2008-08-13 06:53 --------- d-----w C:\Documents and Settings\Bartek\Dane aplikacji\skypePM

2008-08-11 11:40 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-08-11 11:34 --------- d-----w C:\Documents and Settings\Bartek\Dane aplikacji\foobar2000

2008-07-17 06:34 --------- d-----w C:\Program Files\Azureus

2008-07-17 06:32 --------- d-----w C:\Documents and Settings\Bartek\Dane aplikacji\Azureus

2008-07-04 07:16 --------- d-----w C:\Program Files\ivo

2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2004-08-06 13:37 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Creative WebCam Tray”=“C:\Program Files\Creative\Shared Files\CamTray.exe” [2005-10-27 12:00 299008]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 02:44 15360]

“AutoConnect”=“C:\Program Files\AutoConnect\AutoConnect.exe” [2006-12-03 01:14 310784]

“DAEMON Tools Lite”=“C:\Program Files\DAEMON Tools Lite\daemon.exe” [2008-04-01 11:39 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“MULTIMEDIA KEYBOARD”=“C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe” [2002-07-25 02:45 167936]

“GrooveMonitor”=“C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe” [2006-10-27 01:47 31016]

“SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-03-23 12:06 888832]

“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 12:50 155648]

“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-01-11 22:16 39792]

“00PCTFW”=“C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe” [2008-07-29 08:42 2602904]

“SoundMan”=“SOUNDMAN.EXE” [2004-07-01 12:23 67584 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

“SynchronousMachineGroupPolicy”= 0 (0x0)

“SynchronousUserGroupPolicy”= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

“NoStrCmpLogical”= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

“NoSMBalloonTip”= 1 (0x1)

“MemCheckBoxInRunDlg”= 0 (0x0)

“NoAutoTrayNotify”= 0 (0x0)

“NoResolveTrack”= 0 (0x0)

“NoResolveSearch”= 1 (0x1)

“NoWelcomeScreen”= 1 (0x1)

“NoRecentDocsNetHood”= 1 (0x1)

“NoDesktopCleanupWizard”= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

“msacm.l3fhg”= mp3fhg.acm

“msacm.divxa32”= divxa32.acm

“VIDC.X264”= x264vfw.dll

“VIDC.HFYU”= huffyuv.dll

“vidc.i263”= i263_32.drv

“VIDC.YV12”= yv12vfw.dll

“VIDC.FFDS”= ffdshow.ax

“msacm.ac3filter”= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

“AntiVirusDisableNotify”=dword:00000001

“UpdatesDisableNotify”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

“DisableMonitoring”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE”=

“C:\Program Files\Microsoft Office\Office12\GROOVE.EXE”=

“C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE”=

“E:\Gry\Half-Life\hl.exe”=

“C:\Program Files\Gadu-Gadu\gg.exe”=

“E:\Tactical Ops\System\TacticalOps.exe”=

“E:\Gry\cs1.6\hl.exe”=

“E:\Gry\cs1.6\hlds.exe”=

“E:\Gry\Half-Life\The All-Seeing Eye\eye.exe”=

“E:\Gry\flatout 2\FlatOut2.exe”=

“E:\Gry\SecondLife\SLVoice.exe”=

“E:\Gry\cs 1.6v\hl.exe”=

“E:\Gry\cs 1.6v\hlds.exe”=

“C:\Program Files\Tlen.pl\tlen.exe”=

“C:\Program Files\SopCast\adv\SopAdver.exe”=

“C:\Program Files\SopCast\SopCast.exe”=

“E:\Gry\F1 2007\F1Challenge2007.exe”=

“E:\Gry\OperationFlashpoint\ofp.exe”=

“E:\Gry\F1 2008\F1 Challenge 2008.exe”=

“C:\Documents and Settings\Bartek\Pulpit\samp server\samp-server.exe”=

“C:\Program Files\BitComet\BitComet.exe”=

“E:\Gry\test driver unlimited\TestDriveUnlimited.exe”=

“E:\Gry\metin 2\metin2.bin”=

“C:\Program Files\Skype\Phone\Skype.exe”=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

“14935:TCP”= 14935:TCP:BitComet 14935 TCP

“14935:UDP”= 14935:UDP:BitComet 14935 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]

R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 10:02]

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-07-28 11:29]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]

R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 07:41]

R3 FWAuth;FWAuth Driver;C:\WINDOWS\system32\drivers\FWAuthDriver.sys [2008-07-28 16:44]

R3 V0260VID;Live! Cam Vista IM;C:\WINDOWS\system32\DRIVERS\V0260Vid.sys [2006-11-04 00:45]

S3 ddsxeiservice;ddsxeiservice2;C:\Program Files\sXe Injected\ddsxei.sys [2008-04-29 20:15]

S3 RenameMe;RenameMe;C:\WINDOWS\system32\RenameMe.sys [2006-08-12 20:21]

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

.

Contents of the ‘Scheduled Tasks’ folder

2008-08-16 C:\WINDOWS\Tasks\GlaryInitialize.job

  • C:\Program Files\Glary Utilities\initialize.exe [2008-03-25 21:44]

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-16 18:01:39

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\WINDOWS\system32\ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\PC Tools Firewall Plus\FWService.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Glary Utilities\Integrator.exe

C:\Program Files\Netropa\Multimedia Keyboard\Traymon.exe

C:\Program Files\Netropa\Onscreen Display\osd.exe

.

**************************************************************************

.

Completion time: 2008-08-16 18:05:17 - machine was rebooted

ComboFix-quarantined-files.txt 2008-08-16 16:05:10

ComboFix2.txt 2008-08-16 10:40:01

Pre-Run: 5,758,992,384 bajtów wolnych

Post-Run: 5,758,754,816 bajtów wolnych

229 — E O F — 2008-08-13 12:53:38

Damn, Avast has this nice A on the taskbar next to the clock, and now it's gone, so what happened :slight_smile:

While doing that thing in Combofix, a blue screen appeared with a serious system error and a physical memory dump or something like that :!:

The log looks clean.

Delete the C:\Qoobox folder and the Combofix installer from the disk.

Clean the system and the registry with CCleaner

Turn System Restore off and back on for all drives. Instructions

Preferably download Dr.WEB CureIt! and scan the system with it; post the report on the forum

or scan the My Computer area with Kaspersky Online Scanner. Run it under IE; post the report on the forum

See viewtopic.php?f=7&t=248884

In that case, many thanks for all your effort and the time put into making my computer work better. For now I don't know whether this will give any better results, but THX in advance, because you're the first one who has helped me!!

Be sure to scan with DrWeb (you wrote about a virus in memory) and post the report on the forum

OK, I'll post it in a moment, because I've just done the CCleaner thing, so now I'll turn System Restore on and off, and then I'll scan with Dr Web and upload the report here.