Strange computer behaviour - virus problem


(Discoveries) #1

Hello

I have the following problem:

  1. When I open Add/Remove Programs, the computer restarts by itself.

  2. Something deleted the Avast executable files. Trying to reinstall it does nothing, because right after installation those files disappear again. The same happened when I tried to install Spybot S&D.

  3. Safe Mode won't start – trying to boot into it ends in a restart.

The MKS-Vir and ESET online scanners detected, among others, the following viruses, but even after removing them the problem keeps recurring:

Win32.bagle.jm

Trojan.Downloader.Agent.bng

Psw.Delf.sp

Adware.WhenU.B.1

Trojan.mnless.mga

I'm attaching the logs:

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:20:54, on 2007-09-06

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\StopHid.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

D:\Program Files\DAEMON Tools\daemon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

D:\Program Files\Microsoft Office\Office10\WINWORD.EXE

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - D:\PROGRA~1\STARDO~1\SDIEInt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [StopHid] StopHid.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [EdHTML] d:\Program Files\Binboy\EdHTMLv5.0\EdHTML.exe /none

O4 - HKCU\..\Run: [DAEMON Tools] "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Download with Star Downloader - D:\Program Files\Star Downloader\sdie.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{AB57C736-934F-4B78-8E8E-93644B4005A3}: NameServer = 220.67.222.222 157.25.5.18

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)

O23 - Service: avast! Antivirus - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)

O23 - Service: avast! Mail Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: NBService - Nero AG - D:\Program Files\Nero 7\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


--

End of file - 5509 bytes

Silent Runner:

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"EdHTML" = "d:\Program Files\Binboy\EdHTMLv5.0\EdHTML.exe /none" ["Binboy Software"]

"DAEMON Tools" = ""d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"StopHid" = "StopHid.exe" [null data]

"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]

{FFFFFEF0-5B30-21D4-945D-000000000000}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\PROGRA~1\STARDO~1\SDIEInt.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "D:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]

"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"

  -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"

                   \InProcServer32\(Default) = "D:\Program Files\Nero 7\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

  -> {HKLM...CLSID} = "NVIDIA CPL Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "d:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

  -> {HKLM...CLSID} = "WPDShServiceObj Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "d:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"

  -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"

                   \InProcServer32\(Default) = "D:\Program Files\Nero 7\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "d:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Mariusz\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Startup items in "Mariusz" & "All Users" startup folders:

---------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Microsoft Office" -> shortcut to: "D:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

PDFCreator\Driver = "pdfcmnnt.dll" [null data]



---------- (launch time: 2007-09-06 11:21:57)

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 46 seconds.

---------- (total run time: 107 seconds)

(jessica) #2

The logs are clean.

However, the symptoms you describe indicate with 99% certainty that you have the Bagle-hidires rootkit, with the malicious service "m_hook", or the service "rosa", or the service "srosa".

If that is indeed the case, this rootkit will be dealt with by -->ComboFix (at the bottom of the linked page) -

Paste the ComboFix log at -->http://wklej.org/, and put only the link in your post.

After using ComboFix:

In the meantime, take care of repairing Safe Mode:

Once this whole "adventure" is over, you will need to reinstall all your protective programs: antivirus, anti-spyware...

jessi

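As an added example (not code from the thread, from HijackThis or from any of the posters), here is a small Python triage of the secondary evidence jessica's reply relies on: the rootkit hides its own service from HijackThis, so what stays visible is the O23 entries whose security-product binaries have vanished, plus any service named like the Bagle variants she lists. The first four sample lines are copied from the log in post #1; the final "srosa" line is constructed to show how a visible entry would parse, and the vendor list and severity labels are assumptions.

```python
import re

# Service names jessica's reply (#2) associates with the Bagle-hidires rootkit.
BAGLE_SERVICE_NAMES = {"srosa", "rosa", "m_hook"}

# Security products whose vanished binaries are the symptom described in post #1.
# The thread names avast and Spybot S&D; the other vendors are an assumption.
SECURITY_VENDORS = ("avast", "spybot", "eset", "mks")

# O23 line layout: "O23 - Service: <display> [(<short name>)] - <owner> - <path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample: the first four lines are copied from the HijackThis log in
# post #1; the last one is made up to show how a visible "srosa" service would parse.
SAMPLE_LOG = r"""O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: srosa - Unknown owner - C:\WINDOWS\system32\drivers\srosa.sys
"""


def parse_o23(line):
    """Parse one HijackThis O23 line into a dict; return None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "display": d["display"],
        "name": d["name"] or d["display"],  # HijackThis sometimes omits the short name
        "owner": d["owner"],
        "path": d["path"],
        "missing": d["missing"] is not None,
    }


def triage(log_text):
    """Return (severity, reason, service) findings for the O23 section of a log."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        if svc["name"].lower() in BAGLE_SERVICE_NAMES:
            findings.append(("high", "service name matches Bagle variant", svc))
        if not svc["missing"]:
            continue
        label = (svc["display"] + " " + svc["name"]).lower()
        if any(v in label for v in SECURITY_VENDORS):
            # A security product whose service is still registered but whose binary
            # is gone is exactly the "avast files keep disappearing" symptom of post #1.
            findings.append(("high", "security product binary missing", svc))
        else:
            findings.append(("medium", "service binary missing", svc))
    return findings


if __name__ == "__main__":
    for severity, reason, svc in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}: {svc['name']} -> {svc['path']}")
```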

(Discoveries) #3

ComboFix worked! It also generated this code for me: http://wklej.org/id/07426c1b24

Many thanks jessi! :smiley:

Everything works again as it should.

Judging by the second file, it was probably an "srosa" infection:

2006-09-15 01:10 265303 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\hidr.exe.vir

2007-08-02 18:13 671 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\Mariusz\Pulpit\Internet Explorer.lnk.vir

2007-09-05 12:52 63956 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\srosa.sys.vir

2007-09-06 13:20 119 --a------ C:\Qoobox\BackEnv\PROGRAMS.folder.cf

2007-09-06 13:20 146 --a------ C:\Qoobox\BackEnv\profiles.folder.cf

2007-09-06 13:20 159 --a------ C:\Qoobox\BackEnv\CACHE.folder.cf

2007-09-06 13:20 161 --a------ C:\Qoobox\BackEnv\STARTUP.folder.cf

2007-09-06 13:20 169 --a------ C:\Qoobox\BackEnv\LOCAL SETTINGS.folder.cf

2007-09-06 13:20 200 --a------ C:\Qoobox\BackEnv\APPDATA.folder.cf

2007-09-06 13:20 214 --a------ C:\Qoobox\BackEnv\LOCAL APPDATA.folder.cf

2007-09-06 13:20 2993 --a------ C:\Qoobox\BackEnv\setpath.bat

2007-09-06 13:20 39 --a------ C:\Qoobox\BackEnv\MY PICTURES.folder.cf

2007-09-06 13:20 57 --a------ C:\Qoobox\BackEnv\DESKTOP.folder.cf

2007-09-06 13:20 61 --a------ C:\Qoobox\BackEnv\FAVORITES.folder.cf

2007-09-06 13:20 61 --a------ C:\Qoobox\BackEnv\PERSONAL.folder.cf

2007-09-06 13:20 61 --a------ C:\Qoobox\BackEnv\TEMPLATES.folder.cf

2007-09-06 13:20 92 --a------ C:\Qoobox\BackEnv\START MENU.folder.cf

2007-09-06 13:22 637923 --a------ C:\Qoobox\snapshot_2007-09-06_132229,15.cf



Zmienna PATH folderu

Numer seryjny woluminu: 46B1-FA5D

C:\QOOBOX

| snapshot_2007-09-06_132229,15.cf

|   

+---BackEnv

| setpath.bat

| profiles.folder.cf

| APPDATA.folder.cf

| TEMPLATES.folder.cf

| PERSONAL.folder.cf

| LOCAL SETTINGS.folder.cf

| LOCAL APPDATA.folder.cf

| PROGRAMS.folder.cf

| START MENU.folder.cf

| STARTUP.folder.cf

| CACHE.folder.cf

| DESKTOP.folder.cf

| FAVORITES.folder.cf

| MY PICTURES.folder.cf

|       

\---Quarantine

    +---C

    | +---ComboFix

    | +---DOCUME~1

    | | \---Mariusz

    | | \---Pulpit

    | | Internet Explorer.lnk.vir

    | |               

    | \---WINDOWS

    | \---system32

    | \---drivers

    | srosa.sys.vir

    | hidr.exe.vir

    |                   

    \---Registry_backups

Thanks again.


(jessica) #4

Yes, if you have already repaired Safe Mode and reinstalled the antivirus, the worst is behind you.

Also delete the registry key of this "srosa":

The entries below are supposedly correct, but I don't like their modification date, because it should be the same as the installation date of the whole system.

Could something have attached itself?

Just in case, use SDFix

Note: it can only be run in Safe Mode.

Show the Report.txt located in the SDFix folder.

It would be better if nothing had attached itself, because this concerns a core file and its copy, and in that case it would have to be reinstalled from the system installation disc.

But let's stay optimistic - maybe these files aren't infected at all.

EDIT:

Manually delete the folder C:\Qoobox

jessi


(Discoveries) #5

Looks clean to me:

Running From: C:\DOCUME~1\Mariusz\Pulpit\Silent\SDfix\SDFix


Safe Mode:

Checking Services: 


Restoring Windows Registry Values

Restoring Windows Default Hosts File


Rebooting...


Normal Mode:

Checking Files: 


No Trojan Files Found


Removing Temp Files...


ADS Check:


C:\WINDOWS

No streams found. 


C:\WINDOWS\system32

No streams found. 


C:\WINDOWS\system32\svchost.exe

No streams found.


C:\WINDOWS\system32\ntoskrnl.exe

No streams found.


                                 Final Check:


Remaining Services:

------------------


Authorized Application Key Export:


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]


Remaining Files:

---------------


Files with Hidden Attributes:


C:\Documents and Settings\Mariusz\Dane aplikacji\Microsoft\Virtual PC\VPCKeyboard.dll

C:\System Volume Information\_restore{EF676799-18F2-4715-B669-68E07FDC9943}\RP55\A0022335.dll

C:\System Volume Information\_restore{EF676799-18F2-4715-B669-68E07FDC9943}\RP56\A0022348.dll


                                 Finished

(jessica) #6

Yes, I think it's fine.

jessi


(Discoveries) #7

Thanks a lot for your help and the time you spent. :smiley:


(Gutek) #8

Hm.......

turn System Restore off and back on :slight_smile:


(Discoveries) #9

OK, it's gone.

Run by Mariusz on 2007-09-07 at 09:20


Microsoft Windows XP [Wersja 5.1.2600]


Running From: C:\DOCUME~1\Mariusz\Pulpit\Silent\SDfix\SDFix


Safe Mode:

Checking Services: 


Restoring Windows Registry Values

Restoring Windows Default Hosts File


Rebooting...


Normal Mode:

Checking Files: 


No Trojan Files Found


Removing Temp Files...


ADS Check:


C:\WINDOWS

No streams found. 


C:\WINDOWS\system32

No streams found. 


C:\WINDOWS\system32\svchost.exe

No streams found.


C:\WINDOWS\system32\ntoskrnl.exe

No streams found.


                                 Final Check:


Remaining Services:

------------------


Authorized Application Key Export:


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"D:\\Program Files\\Skype\\Phone\\Skype.exe"="D:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]


Remaining Files:

---------------


Files with Hidden Attributes:


C:\Documents and Settings\Mariusz\Dane aplikacji\Microsoft\Virtual PC\VPCKeyboard.dll


                                 Finished

Thanks


(Gutek) #10

OK now