I have the kavo0.dll virus, please check my log


(mały67) #1

ComboFix 08-05-09.1 - mariusz 2008-05-10 22:29:56.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.113 [GMT 2:00]

Running from: C:\Documents and Settings\mariusz\Pulpit\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\autorun.inf

C:\WINDOWS\system32\kavo.exe

C:\WINDOWS\system32\kavo1.dll

E:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2008-04-10 to 2008-05-10 )))))))))))))))))))))))))))))))

.

2008-04-18 10:01 . 2008-04-18 10:06

2008-04-17 08:50 . 2008-04-17 08:49 116,606 -r-hs---- C:\x1dg.exe

2008-04-17 08:49 . 2008-04-14 07:58 116,759 -r-hs---- C:\vt6e.cmd

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-10 20:28 --------- d-----w C:\Program Files\Neostrada TP

2008-05-10 17:43 --------- d-----w C:\Program Files\lg_fwupdate

2008-05-06 11:53 --------- d-----w C:\Documents and Settings\mariusz\Dane aplikacji\AdobeUM

2008-04-20 15:57 --------- d-----w C:\Documents and Settings\mariusz\Dane aplikacji\Skype

2008-04-20 14:09 --------- d-----w C:\Documents and Settings\mariusz\Dane aplikacji\skypePM

2008-03-16 21:03 2,864 ----a-w C:\WINDOWS\system32\winsock.dll

2008-02-26 16:58 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2004-10-01 13:00 40,960 -c--a-w C:\Program Files\Uninstall_CDS.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44 15360]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-23 18:45 68856]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 12:54 2131392]

"PowerBar"="C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 10:26 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]

"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-14 04:06 1397760]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-08-25 09:13 249856]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]

"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 18:07 24576]

"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 18:07 20480]

"WOOTASKBARICON"="C:\Program Files\Neostrada TP\taskbaricon.exe" [2003-10-16 18:07 53248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-08-21 11:34:21 966756]

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"=

"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"=

"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"=

"C:\Program Files\BitComet\BitComet.exe"=

"C:\Program Files\Messenger\msmsgs.exe"=

"C:\Program Files\MSN Messenger\msnmsgr.exe"=

"C:\Program Files\MSN Messenger\livecall.exe"=

"C:\Program Files\Gadu-Gadu\gg.exe"=

"C:\Program Files\Internet Explorer\iexplore.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"20921:TCP"= 20921:TCP:BitComet 20921 TCP

"20921:UDP"= 20921:UDP:BitComet 20921 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d83d672-1d1f-11dd-bcd9-4d6564696130}]

\Shell\AutoRun\command - F:\x1dg.exe

\Shell\explore\Command - F:\x1dg.exe

\Shell\open\Command - F:\x1dg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{917d8668-9d04-11dc-baf6-4d6564696130}]

\Shell\AutoRun\command - F:\x1dg.exe

\Shell\explore\Command - F:\x1dg.exe

\Shell\open\Command - F:\x1dg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa73497e-7b59-11dc-ba86-4d6564696130}]

\Shell\AutoRun\command - F:\x1dg.exe

\Shell\explore\Command - F:\x1dg.exe

\Shell\open\Command - F:\x1dg.exe

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-10 22:32:36

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-05-10 22:34:14

ComboFix-quarantined-files.txt 2008-05-10 20:34:10

Pre-Run: 1,230,106,624 bajtów wolnych

Post-Run: 1,243,508,736 bajtów wolnych



(Szwejas2) #2

Paste this into Notepad:

>>File>>Save as... >>> CFScript

Drag and drop the CFScript.txt file onto ComboFix.exe

[attached image: 88953CFScript-createdbyMiekiemoes.gif]

(if the question "1 or 2" appears, type 1 and ENTER.) Removal should begin. A log will be produced.

After the restart, manually delete the C:\Qoobox folder.

After that, post a new log from Combo.


(mały67) #3

OK. I'll get to work right away.

On 10.05.2008, at 23:15, the following was added to the post by mały67

Here is the new log, but the computer did not restart.

ComboFix 08-05-09.1 - mariusz 2008-05-10 23:07:44.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.90 [GMT 2:00]

Running from: C:\Documents and Settings\mariusz\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\mariusz\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\vt6e.cmd

C:\x1dg.exe

C:\WINDOWS\system32\NtmsData :#:

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\vt6e.cmd

C:\x1dg.exe

.

((((((((((((((((((((((((( Files Created from 2008-04-10 to 2008-05-10 )))))))))))))))))))))))))))))))

.

2008-04-18 10:01 . 2008-04-18 10:06

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-10 21:04 --------- d-----w C:\Program Files\Neostrada TP

2008-05-10 17:43 --------- d-----w C:\Program Files\lg_fwupdate

2008-05-06 11:53 --------- d-----w C:\Documents and Settings\mariusz\Dane aplikacji\AdobeUM

2008-04-20 15:57 --------- d-----w C:\Documents and Settings\mariusz\Dane aplikacji\Skype

2008-04-20 14:09 --------- d-----w C:\Documents and Settings\mariusz\Dane aplikacji\skypePM

2008-03-16 21:03 2,864 ----a-w C:\WINDOWS\system32\winsock.dll

2008-02-26 16:58 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2004-10-01 13:00 40,960 -c--a-w C:\Program Files\Uninstall_CDS.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44 15360]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-23 18:45 68856]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 12:54 2131392]

"PowerBar"="C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 10:26 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]

"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-14 04:06 1397760]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-08-25 09:13 249856]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]

"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 18:07 24576]

"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 18:07 20480]

"WOOTASKBARICON"="C:\Program Files\Neostrada TP\taskbaricon.exe" [2003-10-16 18:07 53248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-08-21 11:34:21 966756]

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"=

"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"=

"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"=

"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"=

"C:\Program Files\BitComet\BitComet.exe"=

"C:\Program Files\Messenger\msmsgs.exe"=

"C:\Program Files\MSN Messenger\msnmsgr.exe"=

"C:\Program Files\MSN Messenger\livecall.exe"=

"C:\Program Files\Gadu-Gadu\gg.exe"=

"C:\Program Files\Internet Explorer\iexplore.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"20921:TCP"= 20921:TCP:BitComet 20921 TCP

"20921:UDP"= 20921:UDP:BitComet 20921 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-10 23:09:58

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-05-10 23:11:32

ComboFix-quarantined-files.txt 2008-05-10 21:11:28

ComboFix2.txt 2008-05-10 20:34:15

Pre-Run: 1,211,940,864 bajtów wolnych

Post-Run: 1,216,897,024 bajtów wolnych



(huber2t) #4

The log looks clean.

Manually delete the C:\Qoobox folder and delete the ComboFix installer from the disk.

Optimize the startup entries.

Disable System Restore on all drives. Instructions

Scan the computer with this (run it via IE) http://www.kaspersky.pl/virusscanner.html and post its report on the forum.

Enable System Restore.


(mały67) #5

Thanks for the help. Everything is OK.


(huber2t) #6

If you want, also scan with Kaspersky and post the report on the forum.