Help removing the Win 32:Gamona{Trj} trojan

Please help me remove the Win 32:Gamona{Trj} trojan, an exceptionally nasty piece of work.

Here is the HijackThis scan:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:57:18, on 2009-01-24

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\ATK0100\HControl.exe

C:\WINNT\sm56hlpr.exe

C:\WINNT\RTHDCPL.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Wireless Console 2\wcourier.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\WINNT\system32\ASWLSVC.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINNT\ATK0100\ATKOSD.exe

C:\WINNT\system32\ASWL2K.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\wdfmgr.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINNT\system32\wscntfy.exe

C:\WINNT\System32\alg.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Winamp\winamp.exe

C:\WINNT\system32\wuauclt.exe

C:\PROGRA~1\Mozilla Firefox\firefox.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINNT\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [HControl] C:\WINNT\ATK0100\HControl.exe

O4 - HKLM\..\Run: [SMSERIAL] C:\WINNT\sm56hlpr.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKCU\..\Run: [RegPowerClean] "C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe"

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [kamsoft] C:\WINNT\system32\ckvo.exe

O4 - HKCU\..\Run: [cdoosoft] C:\WINNT\system32\olhrwef.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ASWLSVC - Unknown owner - C:\WINNT\system32\ASWLSVC.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

End of file - 7586 bytes

Post a ComboFix log. Instructions -> viewtopic.php?f=16&t=36654

Post the logs on wklej.org or wklej.eu and put only the link in your post.

Here is the ComboFix log; I'm not quite sure how to get a link.

ComboFix 09-01-21.04 - Gordis 2009-01-24 22:15:51.1 - FAT32 x86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.895.460 [GMT 1:00]

Uruchomiony z: c:\documents and settings\Gordis\Pulpit\ComboFix.exe

AV: avast! antivirus 4.7.1296 [VPS 090115-0] *On-access scanning disabled* (Outdated)

* Utworzono nowy punkt przywracania

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

C:\uvsqfgwd.cmd

c:\winnt\system32\ckvo.exe

c:\winnt\system32\ckvo0.dll

D:\Autorun.inf

D:\uvsqfgwd.cmd

E:\Autorun.inf

E:\uvsqfgwd.cmd

.

((((((((((((((((((((((((( Pliki utworzone od 2008-12-24 do 2009-01-24 )))))))))))))))))))))))))))))))

.

2009-01-24 22:14 . 2008-11-08 08:06 109,879 -r-hs---- C:\sq.com

2009-01-24 21:09 . 2009-01-24 21:09 108,512 -r-hs---- c:\winnt\system32\olhrwef.exe

2009-01-24 21:09 . 2009-01-24 22:18 95,744 -r-hs---- c:\winnt\system32\nmdfgds0.dll

2009-01-24 20:05 . 2009-01-24 20:05

2009-01-14 16:47 . 2009-01-14 16:47 54,156 --ah----- c:\winnt\QTFont.qfn

2009-01-14 16:47 . 2009-01-14 16:47 1,409 --a------ c:\winnt\QTFont.for

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-02 10:34 32 ----a-w c:\documents and settings\All Users\Dane aplikacji\ezsid.dat

2008-02-10 14:43 19,849,648 ----a-w c:\program files\setuppol.exe

2008-02-10 14:29 846,720 ----a-w c:\program files\GoogleToolbarInstaller.exe

2008-09-17 19:54 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-09-17 19:54 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-09-17 19:54 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-09-17 19:54 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-09-17 19:54 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

2008-03-18 15:43 1,890 --sha-w c:\winnt\system32\KGyGaAvL.sys

2008-03-18 15:43 56 --sh--r c:\winnt\system32\011FE61BDB.sys

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]

"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2007-11-14 2131392]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1694208]

"cdoosoft"="c:\winnt\system32\olhrwef.exe" [2009-01-24 108512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HControl"="c:\winnt\ATK0100\HControl.exe" [2006-10-14 110592]

"SMSERIAL"="c:\winnt\sm56hlpr.exe" [2006-03-21 544768]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]

"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2005-10-17 987136]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 c:\winnt\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\winnt\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nlsf"="move" [X]

"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Gordis\Menu Start\Programy\Autostart\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.l3acm"= l3codecp.acm

"vidc.XVID"= xvid.dll

"vidc.DIV3"= DivXc32.dll

"vidc.DIV4"= DivXc32f.dll

"vidc.3ivx"= 3ivxVfWCodec.dll

"msacm.divxa32"= divxa32.acm

"VIDC.i263"= i263_32.drv

"msacm.imc"= imc32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Gordis^Menu Start^Programy^Autostart^CCC.lnk]

path=c:\documents and settings\Gordis\Menu Start\Programy\Autostart\CCC.lnk

backup=c:\winnt\pss\CCC.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Control Center]

--a------ 2006-11-10 17:11 1725440 c:\program files\ASUS\WLAN Card Utilities\Center.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

--a------ 2007-11-14 11:54 2131392 c:\program files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-26 12:12 161328 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra------ 2008-02-01 17:22 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2008-02-14 17:04 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

-r------- 2006-05-16 11:04 2879488 c:\winnt\SkyTel.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"c:\Program Files\Gadu-Gadu\gg.exe"=

"c:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8461:TCP"= 8461:TCP:GoD High Port

"8462:TCP"= 8462:TCP:GoD Low Port

R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2009-01-24 111184]

R3 ASNDIS5;ASNDIS5 Protocol Driver;c:\winnt\ATK0100\ASNDIS5.sys [2008-02-10 16269]

R3 AtcL002;NDIS Miniport Driver for Attansic L2 Fast Ethernet Adapter;c:\winnt\system32\drivers\atl02_xp.sys [2008-02-10 27776]

R3 SynMini;USB2.0 1.3M WebCam;c:\winnt\system32\drivers\SynMini.sys [2008-02-10 1116544]

R3 SynScan;USB2.0 1.3M WebCam Still Image;c:\winnt\system32\drivers\SynScan.sys [2008-02-10 7808]

R4 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [2009-01-24 20560]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-03-31 337800]

--- Inne Usługi/Sterowniki w Pamięci ---

*NewlyCreated* - ASWFSBLK

*NewlyCreated* - ASWSP

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28f4b5f6-b664-11dd-95d4-001d6034892f}]

\Shell\AutoRun\command - setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{741ce07a-f85d-11dc-94c9-001d6034892f}]

\Shell\AutoRun\command - I:\sq.com

\Shell\explore\Command - I:\sq.com

\Shell\open\Command - I:\sq.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb602e74-cdc5-11dd-95f5-001d6034892f}]

\Shell\AutoRun\command - H:\sq.com

\Shell\explore\Command - H:\sq.com

\Shell\open\Command - H:\sq.com

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]

msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb

.

Zawartość folderu 'Zaplanowane zadania'

2008-10-28 c:\winnt\Tasks\rpc.job

- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []

.

- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-RegPowerClean - c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe

HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe

Notify-WgaLogon - (no file)

MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://www.interia.pl/

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

FF - ProfilePath - c:\documents and settings\Gordis\Dane aplikacji\Mozilla\Firefox\Profiles\xrwu8a92.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.interia.pl/

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-24 22:18:57

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(856)

c:\winnt\system32\Ati2evxx.dll

.

------------------------ Pozostałe uruchomione procesy ------------------------

.

c:\winnt\SYSTEM32\ATI2EVXX.EXE

c:\winnt\SYSTEM32\ATI2EVXX.EXE

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\winnt\SYSTEM32\ASWLSVC.EXE

c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE

c:\program files\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\MOM.EXE

c:\winnt\system32\ASWL2K.exe

c:\winnt\system32\wdfmgr.exe

c:\winnt\ATK0100\ATKOSD.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\winnt\system32\wscntfy.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

c:\program files\ALWIL SOFTWARE\AVAST4\SETUP\AVAST.SETUP

.

**************************************************************************

.

Czas ukończenia: 2009-01-24 22:21:33 - komputer został uruchomiony ponownie [Gordis]

ComboFix-quarantined-files.txt 2009-01-24 21:21:32

Przed: 17 103 142 912 bajtów wolnych

Po: 17,151,885,312 bajtów wolnych

175 --- E O F --- 2008-06-21 16:16:56

Disinfect the flash drive or memory card:

Flash Disinfector, Perlovga Removal Tool

or format it.

Download ComboFix, but do not run it.

Paste into Notepad:

File::

C:\sq.com

c:\winnt\system32\olhrwef.exe

c:\winnt\system32\nmdfgds0.dll

H:\sq.com

I:\sq.com


Registry::

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28f4b5f6-b664-11dd-95d4-001d6034892f}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{741ce07a-f85d-11dc-94c9-001d6034892f}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb602e74-cdc5-11dd-95f5-001d6034892f}]

From the Notepad menu choose File -> Save As -> CFScript.txt.

Drag and drop the saved file (CFScript.txt) onto the ComboFix.exe icon.

Removal will start; the program will generate a log, which you post on the forum.

Disable all antivirus and firewall software for the duration of the ComboFix scan.
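As an added example (not from this thread, and not part of ComboFix or the helper's instructions), the following Python script shows the triage step the helper did by hand: it parses the created-files and MountPoints2 sections of a ComboFix log, flags hidden+system files dropped at a drive root or in system32 together with the removable-drive AutoRun keys, and emits the corresponding File::/Registry:: CFScript. The embedded excerpt is copied from this thread's log; the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt: these lines are copied from the ComboFix log posted in
# this thread (created-files section and MountPoints2 keys); the rest of the
# log is omitted, so this is not a complete log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Pliki utworzone od 2008-12-24 do 2009-01-24 )))))))))))))))))))))))))))))))
.
2009-01-24 22:14 . 2008-11-08 08:06 109,879 -r-hs---- C:\sq.com
2009-01-24 21:09 . 2009-01-24 21:09 108,512 -r-hs---- c:\winnt\system32\olhrwef.exe
2009-01-24 21:09 . 2009-01-24 22:18 95,744 -r-hs---- c:\winnt\system32\nmdfgds0.dll
2009-01-14 16:47 . 2009-01-14 16:47 54,156 --ah----- c:\winnt\QTFont.qfn
2009-01-14 16:47 . 2009-01-14 16:47 1,409 --a------ c:\winnt\QTFont.for
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28f4b5f6-b664-11dd-95d4-001d6034892f}]
\Shell\AutoRun\command - setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{741ce07a-f85d-11dc-94c9-001d6034892f}]
\Shell\AutoRun\command - I:\sq.com
\Shell\explore\Command - I:\sq.com
\Shell\open\Command - I:\sq.com
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb
"""

# One "created files" line: created . modified size attributes path.
# Directory entries in the real log carry no size/attrs/path and are skipped.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# Per-volume MountPoints2 key and the Shell\<verb>\command lines under it.
KEY_RE = re.compile(
    r"^\[(?P<key>HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I
)
CMD_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<target>.+)$", re.I)


def parse_created_files(log: str) -> List[Dict[str, str]]:
    """Return the parsed entries of the 'files created' section."""
    entries = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def is_suspicious_file(entry: Dict[str, str]) -> bool:
    """Hidden+system attributes on a file at a drive root or in system32 is
    the pattern the helper acted on in this thread (sq.com, olhrwef.exe,
    nmdfgds0.dll); QTFont.qfn is hidden but not system and is left alone."""
    attrs = entry["attrs"]
    path = entry["path"].lower()
    hidden_system = "h" in attrs and "s" in attrs
    at_drive_root = re.fullmatch(r"[a-z]:\\[^\\]+", path) is not None
    in_system32 = "\\system32\\" in path
    return hidden_system and (at_drive_root or in_system32)


def parse_mountpoints(log: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each MountPoints2 key to its (verb, target) shell commands."""
    keys: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in log.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys[current] = []
            continue
        if line.startswith("["):
            current = None  # some other registry key; stop collecting
            continue
        cm = CMD_RE.match(line)
        if cm and current is not None:
            keys[current].append((cm.group("verb"), cm.group("target")))
    return keys


def build_cfscript(log: str) -> str:
    """Emit the File::/Registry:: CFScript for the flagged files and every
    MountPoints2 key that carries a shell command (the helper removed all
    three such keys in this thread). Review the output before using it."""
    mp = parse_mountpoints(log)
    files = [e["path"] for e in parse_created_files(log) if is_suspicious_file(e)]
    # Absolute targets of the AutoRun commands (I:\sq.com here) live on the
    # removable media and go into File:: as well, as the helper's script did.
    for cmds in mp.values():
        for _, target in cmds:
            if re.match(r"^[a-z]:\\", target, re.I) and target not in files:
                files.append(target)
    keys = [k for k, cmds in mp.items() if cmds]
    lines = ["File::", *files, "", "Registry::", *[f"[{k}]" for k in keys]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```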

Here is the ComboFix scan:

ComboFix 09-01-21.04 - Gordis 2009-01-24 22:43:51.2 - FAT32 x86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.895.465 [GMT 1:00]

Uruchomiony z: c:\documents and settings\Gordis\Pulpit\ComboFix.exe

Użyto następujących komend :: c:\documents and settings\Gordis\Pulpit\CFScript.txt…txt

AV: avast! antivirus 4.8.1296 [VPS 090124-0] *On-access scanning disabled* (Updated)

* Utworzono nowy punkt przywracania

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!

FILE ::

C:\sq.com

c:\winnt\system32\nmdfgds0.dll

c:\winnt\system32\olhrwef.exe

H:\sq.com

I:\sq.com

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\autorun.inf

C:\sq.com

C:\uvsqfgwd.cmd

c:\winnt\system32\nmdfgds0.dll

c:\winnt\system32\olhrwef.exe

D:\Autorun.inf

D:\uvsqfgwd.cmd

E:\Autorun.inf

E:\uvsqfgwd.cmd

.

((((((((((((((((((((((((( Pliki utworzone od 2008-12-24 do 2009-01-24 )))))))))))))))))))))))))))))))

.

2009-01-24 22:19 . 2009-01-24 22:19 95,744 -r-hs---- c:\winnt\system32\nmdfgds1.dll

2009-01-24 20:05 . 2009-01-24 20:05

2009-01-14 16:47 . 2009-01-14 16:47 54,156 --ah----- c:\winnt\QTFont.qfn

2009-01-14 16:47 . 2009-01-14 16:47 1,409 --a------ c:\winnt\QTFont.for

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-02 10:34 32 ----a-w c:\documents and settings\All Users\Dane aplikacji\ezsid.dat

2008-02-10 14:43 19,849,648 ----a-w c:\program files\setuppol.exe

2008-02-10 14:29 846,720 ----a-w c:\program files\GoogleToolbarInstaller.exe

2008-09-17 19:54 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-09-17 19:54 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-09-17 19:54 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-09-17 19:54 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-09-17 19:54 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

2008-03-18 15:43 1,890 --sha-w c:\winnt\system32\KGyGaAvL.sys

2008-03-18 15:43 56 --sh--r c:\winnt\system32\011FE61BDB.sys

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]

"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2007-11-14 2131392]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HControl"="c:\winnt\ATK0100\HControl.exe" [2006-10-14 110592]

"SMSERIAL"="c:\winnt\sm56hlpr.exe" [2006-03-21 544768]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]

"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2005-10-17 987136]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 c:\winnt\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\winnt\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nlsf"="move" [X]

"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Gordis\Menu Start\Programy\Autostart\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.l3acm"= l3codecp.acm

"vidc.XVID"= xvid.dll

"vidc.DIV3"= DivXc32.dll

"vidc.DIV4"= DivXc32f.dll

"vidc.3ivx"= 3ivxVfWCodec.dll

"msacm.divxa32"= divxa32.acm

"VIDC.i263"= i263_32.drv

"msacm.imc"= imc32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Gordis^Menu Start^Programy^Autostart^CCC.lnk]

path=c:\documents and settings\Gordis\Menu Start\Programy\Autostart\CCC.lnk

backup=c:\winnt\pss\CCC.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Control Center]

--a------ 2006-11-10 17:11 1725440 c:\program files\ASUS\WLAN Card Utilities\Center.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

--a------ 2007-11-14 11:54 2131392 c:\program files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-26 12:12 161328 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra------ 2008-02-01 17:22 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2008-02-14 17:04 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

-r------- 2006-05-16 11:04 2879488 c:\winnt\SkyTel.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"c:\Program Files\Gadu-Gadu\gg.exe"=

"c:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8461:TCP"= 8461:TCP:GoD High Port

"8462:TCP"= 8462:TCP:GoD Low Port

R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2009-01-24 111184]

R3 ASNDIS5;ASNDIS5 Protocol Driver;c:\winnt\ATK0100\ASNDIS5.sys [2008-02-10 16269]

R3 AtcL002;NDIS Miniport Driver for Attansic L2 Fast Ethernet Adapter;c:\winnt\system32\drivers\atl02_xp.sys [2008-02-10 27776]

R3 SynMini;USB2.0 1.3M WebCam;c:\winnt\system32\drivers\SynMini.sys [2008-02-10 1116544]

R3 SynScan;USB2.0 1.3M WebCam Still Image;c:\winnt\system32\drivers\SynScan.sys [2008-02-10 7808]

R4 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [2009-01-24 20560]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-03-31 337800]

--- Inne Usługi/Sterowniki w Pamięci ---

*NewlyCreated* - ASWFSBLK

*NewlyCreated* - ASWSP

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28f4b5f6-b664-11dd-95d4-001d6034892f}]

\Shell\AutoRun\command - setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{741ce07a-f85d-11dc-94c9-001d6034892f}]

\Shell\AutoRun\command - I:\sq.com

\Shell\explore\Command - I:\sq.com

\Shell\open\Command - I:\sq.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb602e74-cdc5-11dd-95f5-001d6034892f}]

\Shell\AutoRun\command - H:\sq.com

\Shell\explore\Command - H:\sq.com

\Shell\open\Command - H:\sq.com

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]

msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb

.

Zawartość folderu 'Zaplanowane zadania'

2008-10-28 c:\winnt\Tasks\rpc.job

- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []

.

- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-cdoosoft - c:\winnt\system32\olhrwef.exe

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://www.interia.pl/

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

FF - ProfilePath - c:\documents and settings\Gordis\Dane aplikacji\Mozilla\Firefox\Profiles\xrwu8a92.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.interia.pl/

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-24 22:44:55

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(856)

c:\winnt\system32\Ati2evxx.dll

.

Czas ukończenia: 2009-01-24 22:46:00

ComboFix-quarantined-files.txt 2009-01-24 21:45:58

ComboFix2.txt 2009-01-24 21:21:36

Przed: 17 101 864 960 bajtów wolnych

Po: 17,101,668,352 bajtów wolnych

158 --- E O F --- 2008-06-21 16:16:56

Disinfect the flash drive or memory card http://www.softpedia.com/get/Security/S … Tool.shtml

Flash Disinfector http://www.searchengines.pl/index.php?s … ntry369724

or format it.

Use ATF Cleaner http://cybertrash.pl/images/tata/ATF/ATF.html

Disable System Restore on all drives. http://support.microsoft.com/kb/310405/pl

Open Notepad and paste

Save as CFScript.txt (save it so that the CFScript.txt icon sits next to the ComboFix.exe icon) >> drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri … iemoes.gif

Removal should begin.

Then the removal log from ComboFix.

Gentlemen, I made this log in ComboFix. What should I do now? I'm a bit of a layman and don't really know much about removing worms. Please give me spelled-out, step-by-step instructions.

Here is the log:

ComboFix 09-01-21.04 - Greg 2009-01-25 21:02:42.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.1279.795 [GMT 1:00]

Uruchomiony z: c:\documents and settings\Greg\Pulpit\ComboFix.exe

Użyto następujących komend :: c:\documents and settings\Greg\Pulpit\CFScript.txt

* Utworzono nowy punkt przywracania

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!

FILE ::

C:\sq.com

c:\winnt\system32\nmdfgds0.dll

c:\winnt\system32\olhrwef.exe

H:\sq.com

I:\sq.com

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\uvsqfgwd.cmd

c:\windows\system32\drivers\downld

c:\windows\system32\mpg4c32.dll

D:\uvsqfgwd.cmd

E:\uvsqfgwd.cmd

.

((((((((((((((((((((((((( Pliki utworzone od 2008-12-25 do 2009-01-25 )))))))))))))))))))))))))))))))

.

2009-01-25 20:57 . 2009-01-25 20:57

2009-01-25 20:56 . 2006-05-25 14:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll

2009-01-25 20:56 . 2003-02-02 19:06 153,088 --a------ c:\windows\system32\UNRAR3.dll

2009-01-25 20:56 . 2005-08-26 00:50 77,312 --a------ c:\windows\system32\ztvunace26.dll

2009-01-25 20:56 . 2002-03-06 00:00 75,264 --a------ c:\windows\system32\unacev2.dll

2009-01-25 20:56 . 2006-06-19 12:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll

2009-01-25 20:55 . 2009-01-25 20:56

2009-01-25 20:55 . 2009-01-25 20:55

2009-01-25 20:55 . 2009-01-25 20:55

2009-01-25 20:35 . 2009-01-25 20:35 250 --a------ c:\windows\gmer.ini

2009-01-25 20:13 . 2009-01-25 20:13 95,744 -r-hs---- c:\windows\system32\nmdfgds0.dll

2009-01-24 22:09 . 2009-01-24 22:09 95,744 -r-hs---- c:\windows\system32\nmdfgds1.dll

2009-01-24 22:08 . 2009-01-24 22:09 108,512 --a------ c:\windows\system32\olhrwef.exe.vir

2009-01-24 22:08 . 2009-01-25 20:33 182 --a------ C:\autorun.inf.vir

2009-01-04 12:54 . 2009-01-04 12:54

2009-01-04 12:54 . 2009-01-04 12:54 249,856 --------- c:\windows\Setup1.exe

2009-01-04 12:54 . 2009-01-04 12:54 73,216 --a------ c:\windows\ST6UNST.EXE

2009-01-04 12:42 . 2009-01-04 12:53

2009-01-04 12:30 . 2009-01-04 13:08

2009-01-04 12:30 . 2009-01-04 12:30

2009-01-04 12:27 . 2009-01-04 12:27

2009-01-04 12:24 . 2009-01-04 12:24

2009-01-04 12:23 . 2009-01-04 12:24

2009-01-04 12:23 . 2002-01-05 16:48 974,848 --a------ c:\windows\system32\mfc70.dll

2009-01-04 12:23 . 2002-01-05 15:40 487,424 --a------ c:\windows\system32\msvcp70.dll

2009-01-04 12:23 . 2002-01-05 03:37 344,064 --a------ c:\windows\system32\msvcr70.dll

2009-01-04 12:23 . 2007-09-27 15:22 261,632 --a------ c:\windows\system32\mcdvd_32.dll

2009-01-04 12:23 . 2003-05-22 13:26 221,215 --a------ c:\windows\system32\divxdec.ax

2009-01-04 12:23 . 2003-05-22 00:50 156,910 --a------ c:\windows\WMSysPr8.prx

2009-01-04 12:23 . 2003-05-22 00:50 82,944 --a------ c:\windows\system32\vct3216.acm

2009-01-04 12:23 . 2004-09-06 17:06 53,248 --a------ c:\windows\system32\xvid.ax

2009-01-04 12:23 . 2003-05-22 00:50 38,912 --a------ c:\windows\system32\alf2cd.acm

2009-01-04 12:23 . 2003-05-21 13:50 24,576 --a------ c:\windows\system32\msxml3a.dll

2009-01-04 12:23 . 2000-03-14 21:55 13,239 --a------ c:\windows\system32\Scg726.acm

2009-01-04 11:48 . 2009-01-04 11:48 1,700,352 --a------ c:\windows\system32\gdiplus.dll

2009-01-03 15:56 . 2009-01-03 15:56

2009-01-03 15:36 . 2009-01-03 15:36

2009-01-03 15:36 . 2009-01-03 15:49

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-08 20:01 --------- d-----w c:\program files\eMule

2008-12-29 17:52 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-21 12:20 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\TVU Networks

2008-12-14 15:06 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll

2008-12-13 12:45 --------- d-----w c:\program files\IrfanView

2008-12-08 20:11 --------- d-----w c:\program files\BS.Player ControlBar

2008-12-08 19:26 --------- d-----w c:\program files\Webteh

2008-12-08 19:26 --------- d-----w c:\documents and settings\Greg\Dane aplikacji\BSplayer Pro

2008-12-06 18:08 --------- d-----w c:\program files\NAPI-PROJEKT

2008-12-05 22:59 --------- d-----w c:\program files\SubEdit-Player

2008-11-30 21:36 --------- d-----w c:\program files\Common Files\Onet.pl

2008-11-30 21:36 --------- d-----w c:\documents and settings\Greg\Dane aplikacji\Czat

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2001-08-02 1077277]

"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2007-05-10 2111176]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]

"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-01-01 1231752]

"nwiz"="nwiz.exe" [2003-10-06 c:\windows\system32\nwiz.exe]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2001-10-26 13312]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-11 111184]

.

- - - - USUNIĘTO PUSTE WPISY - - - -

HKLM-Run-Onet.pl AutoUpdate - c:\program files\Common Files\Onet.pl\NewAutoUpdate.exe

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://www.bsplayer-search.com/startpage

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab

FF - ProfilePath - c:\documents and settings\Greg\Dane aplikacji\Mozilla\Firefox\Profiles\yzoxvr4x.default\

FF - prefs.js: browser.startup.homepage - www.google.pl

FF - plugin: c:\documents and settings\Greg\Dane aplikacji\Mozilla\Firefox\Profiles\yzoxvr4x.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-25 21:03:40

Windows 5.1.2600 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(540)

c:\windows\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(596)

c:\windows\system32\mswsock.dll

c:\windows\System32\wshtcpip.dll

c:\windows\System32\dssenh.dll

.

Czas ukończenia: 2009-01-25 21:04:46

ComboFix-quarantined-files.txt 2009-01-25 20:04:43

Przed: 5 529 456 640 bajtów wolnych

Po: 5,585,260,544 bajtów wolnych

135