Problem with nkp2.exe and amvo.exe


(system) #1

Hello

I have a problem with trojans in the form of nkp2.exe and amvo.exe. I don't know how I can remove them. Please check the logs from ComboFix and HijackThis. Thanks in advance

ComboFix log:

ComboFix 08-10-16.08 - Gacek 2008-10-17 19:10:28.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1187 [GMT 2:00]

Uruchomiony z: K:\Documents and Settings\Gacek\Pulpit\ComboFix.exe

* Utworzono nowy punkt przywracania

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA!!

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

D:\Autorun.inf

E:\Autorun.inf

K:\Autorun.inf

K:\Documents and Settings\Gacek\Dane aplikacji\BITS

K:\Documents and Settings\Gacek\Dane aplikacji\BITS\BITS.ini

K:\Documents and Settings\Gacek\Dane aplikacji\BITS\DHTTable.dat

K:\Documents and Settings\Gacek\Dane aplikacji\BITS\ProxyList.ini

K:\Program Files\FlashGet Network

K:\Program Files\FlashGet Network\FlashGet universal\dbtrans_verbose.log

K:\Program Files\FlashGet Network\FlashGet universal\fgoption.ini

K:\Program Files\FlashGet Network\FlashGet universal\P2PCfg.ini

K:\Program Files\FlashGet Network\FlashGet universal\p2spmgr.ini

K:\Program Files\FlashGet Network\FlashGet universal\p4spmgr.ini

K:\Program Files\FlashGet Network\FlashGet universal\Profiles\config.dat

K:\Program Files\FlashGet Network\FlashGet universal\Profiles\tasks.dat

K:\Program Files\FlashGet Network\FlashGet universal\transaction.log

K:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll

K:\WINDOWS\system32\setup.ini

.

((((((((((((((((((((((((( Pliki utworzone od 2008-09-17 do 2008-10-17 )))))))))))))))))))))))))))))))

.

2008-10-17 19:02 . 2008-10-17 19:02

2008-10-17 19:02 . 2008-10-17 19:09

2008-10-17 19:02 . 2008-10-17 19:02 26,424 --a--c--- K:\WINDOWS\system32\drivers\pxark.sys

2008-10-17 18:15 . 2008-10-17 19:01 1,635 --a--c--- K:\Documents and Settings\Gacek\nkp2.exe

2008-10-17 18:08 . 2008-10-17 18:08

2008-10-17 18:08 . 2008-10-17 18:08

2008-10-17 18:08 . 2008-10-17 18:08

2008-10-17 18:08 . 2008-10-16 20:25 38,496 --a--c--- K:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-10-17 18:08 . 2008-10-16 20:25 15,504 --a--c--- K:\WINDOWS\system32\drivers\mbam.sys

2008-10-17 17:56 . 2008-10-17 17:57

2008-10-04 15:07 . 2008-10-05 11:51

2008-09-21 20:38 . 2008-05-19 18:16 186,407 --a--c--- K:\WINDOWS\system32\nvapps.nvb

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-17 17:09 --------- dc----w K:\Program Files\neostrada tp

2008-10-17 16:44 --------- dc-h--w K:\Program Files\InstallShield Installation Information

2008-10-04 13:06 --------- dc----w K:\Program Files\Java

2008-10-01 14:58 --------- dc----w K:\Documents and Settings\Gacek\Dane aplikacji\foobar2000

2008-09-08 19:56 --------- dc----w K:\Documents and Settings\Gacek\Dane aplikacji\Canon

2008-09-03 14:32 --------- dc----w K:\Documents and Settings\Gacek\Dane aplikacji\dvdcss

2008-09-01 20:50 --------- dc----w K:\Program Files\Common Files\EZB Systems

2008-08-30 19:48 52,736 -c--a-w K:\WINDOWS\ipuninst.exe

2008-08-22 18:25 21,840 -c--atw K:\WINDOWS\system32\SIntfNT.dll

2008-08-22 18:25 17,212 -c--atw K:\WINDOWS\system32\SIntf32.dll

2008-08-22 18:25 12,067 -c--atw K:\WINDOWS\system32\SIntf16.dll

2008-08-12 11:48 6,144 -c--a-w K:\Documents and Settings\Gacek\systems.exe

2008-08-03 15:11 23,040 -c--a-w K:\Documents and Settings\Gacek\service3.exe

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="K:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-25 94208]

"swg"="K:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-10-04 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="K:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]

"WOOWATCH"="K:\PROGRA~1\NEOSTR~1\Watch.exe" [2004-08-23 20480]

"WinampAgent"="K:\Programy\Winamp\Winampa.exe" [2003-04-02 12288]

"TkBellExe"="K:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-07-03 180269]

"NvMediaCenter"="K:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]

"SunJavaUpdateSched"="K:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"CHotkey"="mHotkey.exe" [2003-07-29 K:\WINDOWS\mHotkey.exe]

"ledpointer"="CNYHKey.exe" [2003-08-26 K:\WINDOWS\CNYHKey.exe]

"nwiz"="nwiz.exe" [2008-05-16 K:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="K:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

K:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Gamma Loader.lnk - K:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-24 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoFileAssociate"= 0 (0x0)

"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wuauserv"=2 (0x2)

"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"K:\Programy\Gadu-Gadu\gg.exe"=

"K:\Programy\eMule\emule.exe"=

"K:\Programy\DC++\DCPlusPlus.exe"=

"D:\CS\hl.exe"=

"K:\Program Files\TVUPlayer\TVUPlayer.exe"=

"K:\Program Files\uTorrent\uTorrent.exe"=

"K:\Programy\Kodak\Kodak EasyShare software\bin\EasyShare.exe"=

"D:\FM 08\fm.exe"=

"D:\FEAR\FEAR.exe"=

"K:\Program Files\SopCast\adv\SopAdver.exe"=

"K:\Program Files\SopCast\SopCast.exe"=

"K:\Program Files\Java\jre1.6.0_05\launch4j-tmp\JD-WinLauncher.exe"=

"K:\WINDOWS\system32\java.exe"=

R0 pxark;pxark;K:\WINDOWS\system32\drivers\pxark.sys [2008-10-17 26424]

R2 CSIScanner;CSIScanner;K:\Program Files\PrevxCSI\prevxcsi.exe [2008-10-17 877624]

R2 SVKP;SVKP;K:\WINDOWS\system32\SVKP.sys [2007-12-22 2368]

R3 Stmatm;ATM/ADSL miniport;K:\WINDOWS\system32\DRIVERS\stmatm.sys [2003-08-12 60255]

R3 TaurusUsb;ADSL Modem USB Service;K:\WINDOWS\system32\DRIVERS\torususb.sys [2006-05-25 684265]

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP90

.

.

------- Skan uzupełniający -------

.

FireFox -: Profile - K:\Documents and Settings\Gacek\Dane aplikacji\Mozilla\Firefox\Profiles\5fqwgih2.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.onet.pl/

FF -: plugin - K:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll

FF -: plugin - K:\Programy\Acrobat Reader\Reader\browser\nppdf32.dll

FF -: plugin - K:\Programy\QuickTime\Plugins\npqtplugin.dll

FF -: plugin - K:\Programy\QuickTime\Plugins\npqtplugin2.dll

FF -: plugin - K:\Programy\QuickTime\Plugins\npqtplugin3.dll

FF -: plugin - K:\Programy\QuickTime\Plugins\npqtplugin4.dll

FF -: plugin - K:\Programy\QuickTime\Plugins\npqtplugin5.dll

FF -: plugin - K:\Programy\QuickTime\Plugins\npqtplugin6.dll

FF -: plugin - K:\Programy\QuickTime\Plugins\npqtplugin7.dll

FF -: plugin - K:\Programy\Real Player\Netscape6\nppl3260.dll

FF -: plugin - K:\Programy\Real Player\Netscape6\nprjplug.dll

FF -: plugin - K:\Programy\Real Player\Netscape6\nprpjplug.dll

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-17 19:11:25

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone

ukryte pliki: 0

And now the HijackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 18:55:33, on 2008-10-17

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

K:\WINDOWS\System32\smss.exe

K:\WINDOWS\system32\winlogon.exe

K:\WINDOWS\system32\services.exe

K:\WINDOWS\system32\lsass.exe

K:\WINDOWS\system32\svchost.exe

K:\WINDOWS\System32\svchost.exe

K:\WINDOWS\system32\spoolsv.exe

K:\WINDOWS\System32\FTRTSVC.exe

K:\WINDOWS\system32\nvsvc32.exe

K:\WINDOWS\system32\svchost.exe

K:\WINDOWS\system32\UAService7.exe

K:\WINDOWS\Explorer.EXE

K:\WINDOWS\mHotkey.exe

K:\WINDOWS\CNYHKey.exe

K:\Programy\Winamp\Winampa.exe

K:\Documents and Settings\Gacek\service2.exe

K:\Program Files\Common Files\Real\Update_OB\realsched.exe

K:\WINDOWS\system32\RUNDLL32.EXE

K:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

K:\Program Files\neostrada tp\neostradatp.exe

K:\Program Files\neostrada tp\ComComp.exe

K:\PROGRA~1\NEOSTR~1\Toaster.exe

K:\PROGRA~1\NEOSTR~1\Inactivity.exe

K:\PROGRA~1\NEOSTR~1\PollingModule.exe

K:\Program Files\neostrada tp\Watch.exe

K:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

K:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

K:\Program Files\Mozilla Firefox\firefox.exe

K:\Programy\Trojany, Wormy i inne\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - K:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - K:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - k:\program files\google\googletoolbar2.dll

O3 - Toolbar: Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - k:\program files\google\googletoolbar2.dll

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE K:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM..\Run: [CHotkey] mHotkey.exe

O4 - HKLM..\Run: [ledpointer] CNYHKey.exe

O4 - HKLM..\Run: [WOOWATCH] K:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM..\Run: [WinampAgent] "K:\Programy\Winamp\Winampa.exe"

O4 - HKLM..\Run: [Advanced DHTML Enable] K:\Documents and Settings\Gacek\service2.exe

O4 - HKLM..\Run: [TkBellExe] "K:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM..\Run: [nwiz] nwiz.exe /install

O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE K:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM..\Run: [sunJavaUpdateSched] "K:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "K:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU..\Run: [amva] K:\WINDOWS\system32\amvo.exe

O4 - HKCU..\Run: [swg] K:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = K:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip..{A63314A0-AFE7-486C-B415-653A0994D64C}: NameServer = 194.204.159.1 217.98.63.164

O23 - Service: Autodesk Licensing Service - Autodesk - K:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - K:\WINDOWS\System32\FTRTSVC.exe

O23 - Service: Google Updater Service (gusvc) - Google - K:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - K:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - K:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - K:\WINDOWS\system32\UAService7.exe
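The O4 lines in the HijackThis log above are the Run-key autostart entries. As an added example (not part of the original post and not HijackThis's own logic), the Python below parses lines in that format and flags the ones a helper would look at first: executables sitting inside a user profile, and per-user (HKCU) Run values that launch a binary out of system32. The sample lines and the heuristics are constructed from the entries quoted above.

```python
import re

# Constructed sample, modelled on a few O4 entries from the log above
# (not the full log).
SAMPLE_HJT = """\
O4 - HKLM..\\Run: [NvCplDaemon] RUNDLL32.EXE K:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM..\\Run: [CHotkey] mHotkey.exe
O4 - HKLM..\\Run: [Advanced DHTML Enable] K:\\Documents and Settings\\Gacek\\service2.exe
O4 - HKLM..\\Run: [WinampAgent] "K:\\Programy\\Winamp\\Winampa.exe"
O4 - HKCU..\\Run: [amva] K:\\WINDOWS\\system32\\amvo.exe
O4 - HKCU..\\Run: [swg] K:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe
"""

# "O4 - <hive>..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# First drive-letter path ending in .exe, with or without quotes.
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.exe)"?', re.IGNORECASE)


def parse_o4(text):
    """Yield (hive, value name, full exe path or None, raw command) per O4 line."""
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.search(m["cmd"])
        yield m["hive"], m["name"], (exe.group(1) if exe else None), m["cmd"]


def flag_run_entries(text):
    """Return {value name: reason} for autostart entries worth a manual look.

    Heuristics (assumptions made for this example, not a malware verdict):
    - the executable sits under a user profile (Documents and Settings),
      where the log above lists nkp2.exe, systems.exe, service2/3.exe;
    - a per-user (HKCU) Run value launches something from system32,
      which legitimate software rarely does apart from ctfmon.exe.
    Entries without a resolvable full path (bare names, rundll32 stubs)
    are skipped here and would need a separate on-disk lookup.
    """
    flagged = {}
    for hive, name, exe, _cmd in parse_o4(text):
        if exe is None:
            continue
        low = exe.lower()
        if "\\documents and settings\\" in low:
            flagged[name] = "executable inside a user profile"
        elif hive == "HKCU" and "\\windows\\system32\\" in low \
                and not low.endswith("\\ctfmon.exe"):
            flagged[name] = "HKCU Run value launching a system32 binary"
    return flagged
```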


(Leon$) #2

Disinfect the pendrive or memory card http://www.softpedia.com/get/Security/S ... Tool.shtml

Flash Disinfector http://www.searchengines.pl/index.php?s ... ntry369724

or format it.

Download CCleaner http://www.filehippo.com/download_ccleaner/

scan with it and clean the registry.

Optimise the startup programs

http://cybertrash.netarteria.pl/cyber/i ... 378.0.html

Manually delete the folder C:\Qoobox and delete the ComboFix installer from the disk.

Disable and re-enable System Restore on all drives. http://support.microsoft.com/kb/310405/pl

Scan the My Computer area http://www.kaspersky.pl/virusscanner.html; if there are viruses, post the report. The page has to be opened in IE.

:)