Witam!

Od niedzieli mam taki problem : komputer w czasie pracy sam się wyłącza. Zainstalowałam Nod32, ale nie mogę zeskanować komputera do końca, bo nie zdążam. Zauważyłam trzy pliki o nazwie Reboot.exe, a w jednym z portali wyczytałam, że może to być wirus, przez który właśnie sam komputer się wyłącza. Usunęłam je, ale wiadomo - nic to nie dało. Co mam zrobić?

Daj log z Combofix

Możesz też podać Temp. z Everest Ultimate

zainstalowałam to jak trzeba, bez antywirka, komputer się wyłączył, włączył i widać już tylko tyle, żadnego raportu: http://img152.imageshack.us/img152/4079 … fixut6.png

W dniu 08.07.2008 , o godzinie 12:18 został dopisany post przez IllegalPrincess

ComboFix 08-07-07.3 - User 2008-07-08 11:58:37.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.171 [GMT 2:00]

Running from: C:\Documents and Settings\User\Desktop\Combo-Fix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Application Data\ErrorProtector Free

C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\Abbr

C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\ActivationCode

C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\HOURS

C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\ProductCode

C:\Documents and Settings\Brygida\ResErrors.log

C:\Documents and Settings\Multimedia\ResErrors.log

C:\Documents and Settings\User\Application Data\ErrorProtector Free

C:\Documents and Settings\User\Application Data\ErrorProtector Free\Logs\update.log

C:\Documents and Settings\User\ravmonlog

C:\Documents and Settings\User\ResErrors.log

C:\kmd.exe

C:\Program Files\Common Files\update

C:\Program Files\Common Files\update\updated.exe

C:\Program Files\GamesBar\oberontb.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MICROSOFT_AGENT

-------\Service_Microsoft Agent

((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))

.

2008-07-07 19:42 . 2008-07-07 19:42

2008-07-07 15:43 . 2008-07-07 15:43

2008-07-07 15:43 . 2008-07-07 15:43

2008-07-03 12:10 . 2008-07-03 12:10 95,232 -r-hsc— C:\WINDOWS\system32\dllcache\qxchost.exe

2008-07-02 14:47 . 2008-07-02 14:47 1,103,742 --a------ C:\rqr.exe

2008-07-02 14:47 . 2008-02-11 08:05 628,224 --ahs---- C:\WINDOWS\system32\Juchde.exe

2008-07-02 14:47 . 2008-02-11 06:07 118,784 --a------ C:\WINDOWS\system32\cscaer.exe

2008-07-02 14:47 . 2007-03-23 16:52 56,552 --ahs---- C:\WINDOWS\system32\Juchdp.exe

2008-07-02 14:47 . 2005-04-09 21:12 30,720 --a------ C:\WINDOWS\system32\reotspnwy.dll

2008-07-02 14:47 . 2008-07-01 08:07 18,988 --ahs---- C:\WINDOWS\system32\ortecxar.pif

2008-07-02 14:47 . 2008-07-08 12:08 4,676 --ahs---- C:\WINDOWS\system32\wrda.sys

2008-07-02 14:47 . 2008-07-01 09:11 391 --ahs---- C:\WINDOWS\system32\vburcs.cmd

2008-07-01 13:54 . 2008-07-01 07:04 30,512 --ahs---- C:\WINDOWS\system32\brecxar.CPX

2008-07-01 13:54 . 2008-03-04 08:55 24,493 --ahs---- C:\WINDOWS\system32\erecxar.CPX

2008-07-01 13:54 . 2008-05-22 08:20 21,031 --ahs---- C:\WINDOWS\system32\arecxar.CPX

2008-07-01 13:54 . 2007-03-05 23:59 8,091 --ahs---- C:\WINDOWS\system32\crecxar.CPX

2008-07-01 13:54 . 2008-07-02 14:47 296 --ahs---- C:\WINDOWS\system32\dremxar.CPX

2008-06-30 15:52 . 2008-06-30 15:51 90,232 --ahs---- C:\WINDOWS\system32\wanrs(2).exe

2008-06-30 15:30 . 2008-07-02 14:43

2008-06-11 15:09 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys

2008-06-11 15:09 . 2008-06-13 15:10 272,128 -----c— C:\WINDOWS\system32\dllcache\bthport.sys

2008-06-10 18:56 . 2008-06-10 18:56 34,312 --a------ C:\WINDOWS\system32\drivers\epfwtdir.sys

2008-06-10 18:48 . 2008-06-10 18:48 53,256 --a------ C:\WINDOWS\system32\drivers\easdrv.sys

2008-06-10 18:47 . 2008-06-10 18:47 39,944 --a------ C:\WINDOWS\system32\drivers\eamon.sys

2008-06-10 16:56 . 2008-06-10 16:56 88,696 -r-hs---- C:\WINDOWS\system32\wans.exe

2008-06-09 19:59 . 2008-07-03 21:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-06-09 19:59 . 2008-06-09 19:59 1,409 --a------ C:\WINDOWS\QTFont.for

2008-06-09 19:58 . 2008-06-09 19:58

2008-06-09 19:53 . 2008-06-09 19:55

2008-06-09 19:53 . 2008-06-09 19:57

2008-06-09 19:51 . 2008-06-09 19:51

2008-06-09 19:50 . 2008-06-09 19:50

2008-06-09 19:50 . 2008-06-09 19:50

2008-06-08 22:12 . 2008-06-08 22:12

2008-06-08 22:02 . 2008-06-08 22:12

2008-06-08 15:55 . 2008-06-08 15:55

2008-06-08 15:54 . 2008-06-08 15:54

2008-06-08 15:54 . 2008-06-08 15:54

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-08 09:59 --------- d-----w C:\Program Files\GamesBar

2008-07-08 09:53 --------- d-----w C:\Program Files\Neostrada TP

2008-07-02 12:42 --------- d-----w C:\Documents and Settings\User\Application Data\Skype

2008-06-20 11:18 --------- d-----w C:\Program Files\Lx_cats

2008-06-19 20:25 --------- d-----w C:\Documents and Settings\User\Application Data\GanymedeNet

2008-06-08 23:27 30,588 ----a-w C:\Documents and Settings\User\Application Data\wklnhst.dat

2008-06-06 15:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia

2008-06-06 15:18 --------- d-----w C:\Program Files\Legacy Interactive

2008-06-01 16:35 --------- d-----w C:\Program Files\Alwil Software

2008-05-30 20:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-05-16 21:04 --------- d-----w C:\Documents and Settings\User\Application Data\Yahoo!

2008-05-16 21:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

2008-05-16 18:52 --------- d—a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-05-16 18:50 --------- d-----w C:\Program Files\Yahoo!

2008-05-16 18:50 --------- d-----w C:\Program Files\Shockwave.com

2008-05-11 13:25 --------- d-----w C:\Program Files\Neoact

2008-05-10 13:55 --------- d–h--w C:\Program Files\InstallShield Installation Information

2008-05-10 13:55 --------- d-----w C:\Program Files\LucasArts

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

2007-01-24 20:26 7,902 ----a-w C:\Program Files\hs_err_pid5380.log

2002-06-07 00:47 520 ----a-w C:\Documents and Settings\User\setup.bat

2002-05-21 15:05 2,383,872 ----a-w C:\Documents and Settings\User\gta3.exe

2002-04-26 14:37 338,432 ----a-w C:\Documents and Settings\User\Mss32.dll

2001-12-27 22:00 100,864 ----a-w C:\Documents and Settings\User\uha.exe

2000-08-06 22:11 20,992 ----a-w C:\Documents and Settings\User\pak.exe

2008-02-11 06:05 628,224 --sha-w C:\WINDOWS\system32\Juchde.exe

2007-03-23 14:52 56,552 --sha-w C:\WINDOWS\system32\Juchdp.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-10 14:00 15360]

“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2006-06-12 17:33 20002856]

“NBJ”=“C:\Program Files\Ahead\Nero BackItUp\NBJ.exe” [2005-08-31 10:47 1961984]

“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-05-15 20:40 68856]

“ares”=“C:\Program Files\Ares\Ares.exe” [2007-05-04 02:32 961024]

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 09:39 2119104]

“AQQ”=“C:\PROGRA~1\WapSter\AQQ\AQQ.exe” [2007-02-28 14:18 2351864]

“Picasa Media Detector”=“C:\Program Files\Picasa2\PicasaMediaDetector.exe” [2008-02-26 03:23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ehTray”=“C:\WINDOWS\ehome\ehtray.exe” [2005-08-05 13:56 64512]

“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 10:50 155648]

“WooCnxMon”=“C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [2003-10-16 18:07 24576]

“SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 11:38 866816]

“WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2003-10-16 18:07 20480]

“WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [2003-10-16 18:07 53248]

“LXCGCATS”=“C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll” [2005-07-20 19:48 73728]

“lxcgmon.exe”=“C:\Program Files\Lexmark 2300 Series\lxcgmon.exe” [2005-07-21 08:08 200704]

“EzPrint”=“C:\Program Files\Lexmark 2300 Series\ezprint.exe” [2005-08-01 14:05 94208]

“FaxCenterServer”=“C:\Program Files\Lexmark Fax Solutions\fm3032.exe” [2005-07-12 15:36 299008]

“QuickTime Task”=“C:\Program Files\QuickTime\QTTask.exe” [2008-03-28 23:37 413696]

“egui”=“C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe” [2008-06-10 18:52 1447168]

“VTTimer”=“VTTimer.exe” [2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe]

“VTTrayp”=“VTtrayp.exe” [2005-03-11 17:33 147456 C:\WINDOWS\system32\VTTrayp.exe]

“SoundMan”=“SOUNDMAN.EXE” [2005-09-22 10:42 90112 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-10 14:00 15360]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

“RunNarrator”=“Narrator.exe” [2004-08-10 14:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

“InstallVisualStyle”= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

“InstallTheme”= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

“msacm.l3codecp”= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

“AntiVirusOverride”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“C:\Program Files\Gadu-Gadu\gg.exe”=

“C:\Program Files\JoWooD\Alien Nations\Bin\AN.exe”=

“C:\Program Files\Ahead\Nero ShowTime\ShowTime.exe”=

“C:\Program Files\Messenger\msmsgs.exe”=

“C:\Program Files\eMule\emule.exe”=

“C:\Program Files\Ares\Ares.exe”=

“C:\Program Files\Alien Nations 2 PL\Bin\Game.exe”=

“C:\Program Files\WapSter\AQQ\AQQ.exe”=

“C:\PROGRA~1\WapSter\AQQ\AQQ.exe”=

“C:\WINDOWS\system32\wans.exe”=

“C:\Program Files\Skype\Phone\Skype.exe”=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

“14967:TCP”= 14967:TCP:NortonAV

“13395:TCP”= 13395:TCP:NortonAV

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 18:56]

R2 WANS;Windows Automated Network Service;C:\WINDOWS\system32\wans.exe [2008-06-10 16:56]

S2 SRVStarter_Lerex;Service Starter: Lerex;C:\WINDOWS\system32\Juchdp.exe [2007-03-23 16:52]

S2 SRVStarter_nerw;Service Starter: nerw;C:\WINDOWS\system32\Juchdp.exe [2007-03-23 16:52]

S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};C:\WINDOWS\TEMP\C.tmp []

S3 TrojanFindDriverNT;TrojanFindDriverNT;C:\WINDOWS\system32\NtDriver.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]

\Shell\AutoRun\command - J:\n1deiect.com

\Shell\explore\Command - J:\n1deiect.com

\Shell\open\Command - J:\n1deiect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{9892df6d-9980-11db-b352-000e50e9b2ac}]

\Shell\AutoRun\command - I:\ntde1ect.com

\Shell\explore\Command - I:\ntde1ect.com

\Shell\open\Command - I:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{9dc3d4b6-f279-11dc-b5f5-000e50e9b2ac}]

\Shell\AutoRun\command - I:\oufddh.exe

\Shell\explore\Command - I:\oufddh.exe

\Shell\open\Command - I:\oufddh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{ec2f4e5f-1d26-11dd-b64b-000e50e9b2ac}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explore.exe

.

• • • • ORPHANS REMOVED - - - -

HKCU-Run-Komunikator - C:\Program Files\Tlen.pl\tlen.exe

HKLM-Run-Onet.pl AutoUpdate - C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe

HKLM-Run-Ad Muncher - C:\Program Files\Ad Muncher\AdMunch.exe

HKLM-Run-tguard - C:\Program Files\Beniamin\tguard.exe

Notify-WgaLogon - (no file)

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-08 12:05:53

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SRVStarter_Lerex]

“ImagePath”="“C:\WINDOWS\system32\Juchdp.exe” /Name:SRVStarter_Lerex /App:“C:\WINNT\system32\Juchde.exe”"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SRVStarter_nerw]

“ImagePath”="“C:\WINDOWS\system32\Juchdp.exe” /Name:SRVStarter_nerw /App:“C:\WINDOWS\system32\Juchde.exe”"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services{DEF85C80-216A-43ab-AF70-1665EDBE2780}]

“ImagePath”="??\C:\WINDOWS\TEMP\C.tmp"

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\ehome\ehrecvr.exe

C:\WINDOWS\ehome\ehSched.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\Juchde.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehmsas.exe

C:\WINDOWS\system32\lxcgcoms.exe

C:\WINDOWS\system32\mspaint.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Neostrada TP\NeostradaTP.exe

C:\Program Files\Neostrada TP\ComComp.exe

C:\Program Files\Neostrada TP\Watch.exe

.

**************************************************************************

.

Completion time: 2008-07-08 12:17:44 - machine was rebooted [user]

ComboFix-quarantined-files.txt 2008-07-08 10:17:29

Pre-Run: 124,922,736,640 bytes free

Post-Run: 125,820,563,456 bajt˘w wolnych

226 — E O F — 2008-06-20 12:34:40

W dniu 08.07.2008 , o godzinie 12:19 został dopisany post przez IllegalPrincess

wybaczcie, że tak, ale komputer by mi się wyłączył i by wszystko na marne poszło.

Wklej do Notatnika:

File::

C:\WINDOWS\system32\dllcache\qxchost.exe

C:\rqr.exe

C:\WINDOWS\system32\wans.exe


Driver::

{DEF85C80-216A-43ab-AF70-1665EDBE2780}

TrojanFindDriverNT


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo oraz:

1. Wykonaj skan Dr. Web CureIt

2. Daj loga z mbr.exe

Zmiana zasad wklejania logów na forum - viewtopic.php?f=16t=253052