Problem z wirusem , gebyv.exe

soulreaver · 29 Grudzień 2007 15:50

mam wielki problem z wirusem gniezdzi sie on w system32 usuanalem go kilka razy ale zawsze sie odnawia znajduje sie on w system32/gebyv.exe blokuje systemowe narzedzia np msconfig oraz programy autostartu wie ktos moze jak to usunac ?

hijack log :

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:50:10, on 2007-12-29

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\Rundll32.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE

C:\Program Files\ESET\ESET NOD32 Antivirus\egui .exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F3 - REG:win.ini: load=C:\WINDOWS\system32\gebyv.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Kuba\Pulpit\msconfig .exe /auto

O4 - HKLM\..\Run: [postSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" DllStart

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O17 - HKLM\System\CCS\Services\Tcpip\..\{E4CEFE71-E185-457E-A227-1E7D00B479A0}: NameServer = 194.204.159.1,193.11.121.20

O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


--

End of file - 4888 bytes

Gutek · 29 Grudzień 2007 16:20

Użyj VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone.

Daj log z ComboFix

soulreaver · 29 Grudzień 2007 17:36

log z combofix po wykonaniu skanów tymi programami :

ComboFix 07-12-21.4 - Kuba 2007-12-29 18:30:47.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.534 [GMT 1:00] Running from: C:\Documents and Settings\Kuba\Pulpit\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\gebyv.dll C:\WINDOWS\system32\vybeg.ini C:\WINDOWS\system32\vybeg.ini2 . ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 ))))))))))))))))))))))))))))))) . 2007-12-29 18:33 . 2007-12-29 18:33 344,576 --------- C:\WINDOWS\system32\gebyv.dll 2007-12-29 18:15 . 2007-12-29 18:33 348,160 --a------ C:\WINDOWS\system32\gebyv.exe 2007-12-29 18:05 . 2004-08-04 00:44 153,088 --a------ C:\WINDOWS\system32\irftp.exe 2007-12-29 18:05 . 2004-08-04 00:44 153,088 --a–c— C:\WINDOWS\system32\dllcache\irftp.exe 2007-12-29 18:05 . 2004-08-04 00:44 27,648 --a------ C:\WINDOWS\system32\irmon.dll 2007-12-29 18:05 . 2004-08-04 00:44 27,648 --a–c— C:\WINDOWS\system32\dllcache\irmon.dll 2007-12-29 18:05 . 2004-08-04 00:44 8,192 --a------ C:\WINDOWS\system32\wshirda.dll 2007-12-29 18:05 . 2004-08-04 00:44 8,192 --a–c— C:\WINDOWS\system32\dllcache\wshirda.dll 2007-12-29 17:11 . 2007-12-29 17:11 348,160 --a------ C:\WINDOWS\system32\RCX8.tmp 2007-12-29 17:09 . 2007-12-29 18:33 2007-12-29 16:26 . 2007-12-29 16:26 2007-12-29 16:10 . 2007-12-29 16:10 348,160 --a------ C:\WINDOWS\system32\RCX2.tmp 2007-12-29 16:09 . 2007-12-29 16:09 2007-12-29 13:13 . 2007-12-29 13:13 348,160 --a------ C:\WINDOWS\system32\RCX1.tmp 2007-12-29 03:30 . 2007-12-29 03:30 2007-12-29 02:33 . 2007-12-29 14:57 2007-12-29 02:29 . 2007-12-29 02:29 348,160 --a------ C:\WINDOWS\system32\pmkhe.Vexe 2007-12-29 01:57 . 2007-12-29 01:57 2007-12-29 01:18 . 2007-12-29 01:18 2007-12-29 00:45 . 2007-12-29 00:45 348,160 --a------ C:\WINDOWS\system32\RCXC.tmp 2007-12-28 23:52 . 2007-12-28 23:53 143 --a------ C:\WINDOWS\system32\mcrh.tmp 2007-12-28 23:51 . 2007-12-28 23:51 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll 2007-12-28 20:56 . 2007-12-28 20:56 2007-12-27 15:53 . 2007-12-27 15:53 64,512 --a------ C:\WINDOWS\system32\gzmrt.dll 2007-12-27 00:03 . 2007-12-27 00:03 2007-12-27 00:03 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE 2007-12-27 00:03 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe 2007-12-27 00:03 . 2007-12-27 00:04 165,437 --a------ C:\WINDOWS\system32\nvapps.xml 2007-12-27 00:03 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu 2007-12-25 23:40 . 2007-12-25 23:40 2007-12-18 15:46 . 2007-12-18 15:46 319,488 --a------ C:\WINDOWS\system32\adssite_sidebar.dll 2007-12-11 01:37 . 2007-12-11 01:37 2007-12-11 01:35 . 2007-12-11 01:35 2007-12-05 17:33 . 2007-12-29 13:16 77,353 --a------ C:\WINDOWS\system32\adssite_sidebar_uninstall.exe 2007-11-29 23:51 . 2007-11-29 23:51 2007-11-29 23:51 . 2003-03-19 13:19 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-29 16:53 --------- d-----w C:\Program Files\Warcraft III 2007-12-29 04:07 --------- d-----w C:\Program Files\Gadu-Gadu 2007-12-29 01:26 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2007-12-28 22:54 --------- d-----w C:\Program Files\QuickTime 2007-12-28 22:16 --------- d-----w C:\Program Files\MoorHunt 2007-12-27 16:51 40,737 ----a-w C:\WINDOWS\system32\rightonadz-uninst.exe 2007-12-20 21:59 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-12-05 00:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll 2007-12-05 00:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll 2007-12-05 00:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll 2007-12-05 00:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe 2007-12-05 00:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys 2007-12-05 00:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll 2007-12-05 00:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll 2007-12-05 00:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll 2007-12-05 00:41 5,611,520 ----a-w C:\WINDOWS\system32\nvdispsr.dll 2007-12-05 00:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll 2007-12-05 00:41 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll 2007-12-05 00:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll 2007-12-05 00:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe 2007-12-05 00:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe 2007-12-05 00:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll 2007-12-05 00:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll 2007-12-05 00:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll 2007-12-05 00:41 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll 2007-12-05 00:41 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll 2007-12-05 00:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll 2007-12-05 00:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll 2007-12-05 00:41 327,680 ----a-w C:\WINDOWS\system32\nvrshe.dll 2007-12-05 00:41 327,680 ----a-w C:\WINDOWS\system32\nvrsar.dll 2007-12-05 00:41 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll 2007-12-05 00:41 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll 2007-12-05 00:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll 2007-12-05 00:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll 2007-12-05 00:41 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll 2007-12-05 00:41 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll 2007-12-05 00:41 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll 2007-12-05 00:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll 2007-12-05 00:41 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll 2007-12-05 00:41 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll 2007-12-05 00:41 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll 2007-12-05 00:41 3,715,072 ----a-w C:\WINDOWS\system32\nvvitvsr.dll 2007-12-05 00:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll 2007-12-05 00:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll 2007-12-05 00:41 3,334,144 ----a-w C:\WINDOWS\system32\nvgamesr.dll 2007-12-05 00:41 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll 2007-12-05 00:41 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll 2007-12-05 00:41 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll 2007-12-05 00:41 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll 2007-12-05 00:41 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll 2007-12-05 00:41 290,816 ----a-w C:\WINDOWS\system32\nvwrsth.dll 2007-12-05 00:41 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll 2007-12-05 00:41 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll 2007-12-05 00:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll 2007-12-05 00:41 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll 2007-12-05 00:41 282,624 ----a-w C:\WINDOWS\system32\nvrsfr.dll 2007-12-05 00:41 282,624 ----a-w C:\WINDOWS\system32\nvrses.dll 2007-12-05 00:41 282,624 ----a-w C:\WINDOWS\system32\nvrsel.dll 2007-12-05 00:41 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll 2007-12-05 00:41 278,528 ----a-w C:\WINDOWS\system32\nvrsit.dll 2007-12-05 00:41 278,528 ----a-w C:\WINDOWS\system32\nvrsde.dll 2007-12-05 00:41 274,432 ----a-w C:\WINDOWS\system32\nvrspt.dll 2007-12-05 00:41 274,432 ----a-w C:\WINDOWS\system32\nvrsnl.dll 2007-12-05 00:41 274,432 ----a-w C:\WINDOWS\system32\nvrsesm.dll 2007-12-05 00:41 270,336 ----a-w C:\WINDOWS\system32\nvrsru.dll 2007-12-05 00:41 266,240 ----a-w C:\WINDOWS\system32\nvrsptb.dll 2007-12-05 00:41 266,240 ----a-w C:\WINDOWS\system32\nvrsja.dll 2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrstr.dll 2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrssl.dll 2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrssk.dll 2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll 2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrshu.dll 2007-12-05 00:41 253,952 ----a-w C:\WINDOWS\system32\nvrsth.dll 2007-12-05 00:41 253,952 ----a-w C:\WINDOWS\system32\nvrssv.dll 2007-12-05 00:41 253,952 ----a-w C:\WINDOWS\system32\nvrspl.dll 2007-12-05 00:41 253,952 ----a-w C:\WINDOWS\system32\nvrsno.dll 2007-12-05 00:41 253,952 ----a-w C:\WINDOWS\system32\nvrsda.dll 2007-12-05 00:41 249,856 ----a-w C:\WINDOWS\system32\nvrsfi.dll 2007-12-05 00:41 249,856 ----a-w C:\WINDOWS\system32\nvrscs.dll 2007-12-05 00:41 245,760 ----a-w C:\WINDOWS\system32\nvrseng.dll 2007-12-05 00:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll 2007-12-05 00:41 225,280 ----a-w C:\WINDOWS\system32\nvrszhc.dll 2007-12-05 00:41 212,992 ----a-w C:\WINDOWS\system32\nvwrsja.dll 2007-12-05 00:41 2,854,912 ----a-w C:\WINDOWS\system32\nvmoblsr.dll 2007-12-05 00:41 2,519,040 ----a-w C:\WINDOWS\system32\nvwssr.dll 2007-12-05 00:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll 2007-12-05 00:41 196,608 ----a-w C:\WINDOWS\system32\nvwrsko.dll 2007-12-05 00:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll 2007-12-05 00:41 167,936 ----a-w C:\WINDOWS\system32\nvwrszht.dll 2007-12-05 00:41 163,840 ----a-w C:\WINDOWS\system32\nvwrszhc.dll 2007-12-05 00:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe 2007-12-05 00:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe 2007-12-05 00:41 126,976 ----a-w C:\WINDOWS\system32\nvrszht.dll 2007-12-05 00:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll 2007-12-05 00:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe 2007-12-05 00:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll 2007-12-05 00:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe 2007-12-05 00:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll 2007-12-05 00:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll 2007-12-05 00:41 1,073,152 ----a-w C:\WINDOWS\system32\nvcpluir.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE~\Browser Helper Objects{10F3E8BD-257A-4702-A2F5-DC02055B068C}] 2007-12-27 15:53 64512 --a------ C:\WINDOWS\system32\gzmrt.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}] 2007-12-18 15:46 319488 --a------ C:\WINDOWS\system32\adssite_sidebar.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{61823416-8EA1-4E1D-8246-A85AE7CE8A57}] 2007-12-29 18:33 344576 --------- C:\WINDOWS\system32\gebyv.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{E23553EA-949B-4D97-9EAA-260A75E571F3}] C:\WINDOWS\system32\pmkhe.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “DAEMON Tools Lite”=“C:\Program Files\DAEMON Tools Lite\daemon.exe” [2007-12-29 17:11] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NvCplDaemon”=“RUNDLL32.exe” [2004-08-03 23:44 C:\WINDOWS\system32\rundll32.exe] “MSConfig”=“C:\Documents and Settings\Kuba\Pulpit\msconfig .exe” [] “postSetupCheck”=“C:\WINDOWS\System32\Rundll32.exe” [2004-08-03 23:44] “egui”=“C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe” [2007-12-29 16:32] “BluetoothAuthenticationAgent”=“bthprops.cpl” [2004-08-03 23:44 C:\WINDOWS\system32\bthprops.cpl] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26] Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-08-09 19:22:31] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 19:05:56] [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows] “load”=C:\WINDOWS\system32\gebyv.exe [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\gebyv [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] “Weflirt”=“C:\Program Files\Weflirt\weflirt.exe” -background “AlcoholAutomount”=“C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe” /automount “ares”=“C:\Program Files\Ares\Ares.exe” -h “ctfmon.exe”=C:\WINDOWS\system32\ctfmon.exe “DAEMON Tools Lite”=“C:\Program Files\DAEMON Tools Lite\daemon.exe” “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg .exe” /tray “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” /background [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] “RTHDCPL”=RTHDCPL.EXE “postSetupCheck”=C:\WINDOWS\System32\Rundll32.exe “C:\WINDOWS\system32\gzmrt.dll” DllStart “nwiz”=nwiz.exe /install “NvMediaCenter”=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit “Alcmtr”=ALCMTR.EXE “KAL”=C:\Program Files\PI\KAL.exe “NvCplDaemon”=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys [2007-11-23 21:50] R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-23 21:52] R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys [2007-11-23 21:50] R2 ekrn;Eset Service;“C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe” [2007-11-23 21:51] R3 AmdTools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys [2006-06-27 13:24] S3 EhttpSrv;Eset HTTP Server;“C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe” [2007-11-23 21:53] . Contents of the ‘Scheduled Tasks’ folder “2007-12-29 15:17:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job” . ************************************************************************** catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-29 18:34:17 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … C:\WINDOWS\system32\vybeg.ini 6516 bytes scan completed successfully hidden files: 1 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180] -> C:\WINDOWS\system32\gebyv.dll . Completion time: 2007-12-29 18:34:46 - machine was rebooted . 2007-08-09 19:04:25 — E O F —

Gutek · 29 Grudzień 2007 18:32

Wklej do Notatnika:

File::

C:\WINDOWS\system32\gebyv.dll

C:\WINDOWS\system32\gebyv.exe

C:\WINDOWS\system32\RCX8.tmp

C:\WINDOWS\system32\RCX2.tmp

C:\WINDOWS\system32\RCX1.tmp

C:\WINDOWS\system32\pmkhe.Vexe

C:\WINDOWS\system32\RCXC.tmp

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\adssite_sidebar.dll

C:\WINDOWS\system32\adssite_sidebar_uninstall.exe

C:\WINDOWS\system32\rightonadz-uninst.exe

C:\WINDOWS\system32\gzmrt.dll


Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10F3E8BD-257A-4702-A2F5-DC02055B068C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61823416-8EA1-4E1D-8246-A85AE7CE8A57}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E23553EA-949B-4D97-9EAA-260A75E571F3}]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]

"load"=-

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe ) Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe ) – podobnie jak na tym obrazku –>

soulreaver · 29 Grudzień 2007 21:01

log ktory chciales

ComboFix 07-12-21.4 - Kuba 2007-12-29 21:55:41.7 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.680 [GMT 1:00] Running from: C:\Documents and Settings\Kuba\Pulpit\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\gebyv.dll C:\WINDOWS\system32\vybeg.ini C:\WINDOWS\system32\vybeg.ini2 . ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 ))))))))))))))))))))))))))))))) . 2007-12-29 21:58 . 2007-12-29 21:58 344,576 --------- C:\WINDOWS\system32\gebyv.dll 2007-12-29 21:58 . 2007-12-29 21:58 319 --ahs---- C:\WINDOWS\system32\vybeg.ini 2007-12-29 21:56 . 2007-12-29 21:58 348,160 --a------ C:\WINDOWS\system32\gebyv.exe 2007-12-29 21:40 . 2007-12-29 21:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2007-12-29 21:40 . 2007-12-29 21:40 1,409 --a------ C:\WINDOWS\QTFont.for 2007-12-29 18:05 . 2004-08-04 00:44 153,088 --a------ C:\WINDOWS\system32\irftp.exe 2007-12-29 18:05 . 2004-08-04 00:44 153,088 --a–c— C:\WINDOWS\system32\dllcache\irftp.exe 2007-12-29 18:05 . 2004-08-04 00:44 27,648 --a------ C:\WINDOWS\system32\irmon.dll 2007-12-29 18:05 . 2004-08-04 00:44 27,648 --a–c— C:\WINDOWS\system32\dllcache\irmon.dll 2007-12-29 18:05 . 2004-08-04 00:44 8,192 --a------ C:\WINDOWS\system32\wshirda.dll 2007-12-29 18:05 . 2004-08-04 00:44 8,192 --a–c— C:\WINDOWS\system32\dllcache\wshirda.dll 2007-12-29 17:09 . 2007-12-29 21:58 2007-12-29 16:26 . 2007-12-29 16:26 2007-12-29 16:09 . 2007-12-29 16:09 2007-12-29 03:30 . 2007-12-29 03:30 2007-12-29 02:33 . 2007-12-29 14:57 2007-12-29 01:57 . 2007-12-29 01:57 2007-12-29 01:18 . 2007-12-29 01:18 2007-12-28 23:51 . 2007-12-28 23:51 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll 2007-12-28 20:56 . 2007-12-28 20:56 2007-12-27 00:03 . 2007-12-27 00:03 2007-12-27 00:03 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE 2007-12-27 00:03 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe 2007-12-27 00:03 . 2007-12-27 00:04 165,437 --a------ C:\WINDOWS\system32\nvapps.xml 2007-12-27 00:03 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu 2007-12-25 23:40 . 2007-12-25 23:40 2007-12-11 01:37 . 2007-12-11 01:37 2007-12-11 01:35 . 2007-12-11 01:35 2007-11-29 23:51 . 2007-11-29 23:51 2007-11-29 23:51 . 2003-03-19 13:19 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-29 17:41 --------- d-----w C:\Program Files\Warcraft III 2007-12-29 04:07 --------- d-----w C:\Program Files\Gadu-Gadu 2007-12-29 01:26 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2007-12-28 22:54 --------- d-----w C:\Program Files\QuickTime 2007-12-28 22:16 --------- d-----w C:\Program Files\MoorHunt 2007-12-20 21:59 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-12-05 00:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll 2007-12-05 00:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll 2007-12-05 00:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll 2007-12-05 00:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe 2007-12-05 00:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys 2007-12-05 00:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll 2007-12-05 00:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll 2007-12-05 00:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll 2007-12-05 00:41 5,611,520 ----a-w C:\WINDOWS\system32\nvdispsr.dll 2007-12-05 00:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll 2007-12-05 00:41 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll 2007-12-05 00:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll 2007-12-05 00:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe 2007-12-05 00:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe 2007-12-05 00:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll 2007-12-05 00:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll 2007-12-05 00:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll 2007-12-05 00:41 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll 2007-12-05 00:41 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll 2007-12-05 00:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll 2007-12-05 00:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll 2007-12-05 00:41 327,680 ----a-w C:\WINDOWS\system32\nvrshe.dll 2007-12-05 00:41 327,680 ----a-w C:\WINDOWS\system32\nvrsar.dll 2007-12-05 00:41 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll 2007-12-05 00:41 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll 2007-12-05 00:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll 2007-12-05 00:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll 2007-12-05 00:41 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll 2007-12-05 00:41 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll 2007-12-05 00:41 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll 2007-12-05 00:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll 2007-12-05 00:41 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll 2007-12-05 00:41 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll 2007-12-05 00:41 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll 2007-12-05 00:41 3,715,072 ----a-w C:\WINDOWS\system32\nvvitvsr.dll 2007-12-05 00:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll 2007-12-05 00:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll 2007-12-05 00:41 3,334,144 ----a-w C:\WINDOWS\system32\nvgamesr.dll 2007-12-05 00:41 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll 2007-12-05 00:41 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll 2007-12-05 00:41 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll 2007-12-05 00:41 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll 2007-12-05 00:41 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll 2007-12-05 00:41 290,816 ----a-w C:\WINDOWS\system32\nvwrsth.dll 2007-12-05 00:41 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll 2007-12-05 00:41 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll 2007-12-05 00:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll 2007-12-05 00:41 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll 2007-12-05 00:41 282,624 ----a-w C:\WINDOWS\system32\nvrsfr.dll 2007-12-05 00:41 282,624 ----a-w C:\WINDOWS\system32\nvrses.dll 2007-12-05 00:41 282,624 ----a-w C:\WINDOWS\system32\nvrsel.dll 2007-12-05 00:41 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll 2007-12-05 00:41 278,528 ----a-w C:\WINDOWS\system32\nvrsit.dll 2007-12-05 00:41 278,528 ----a-w C:\WINDOWS\system32\nvrsde.dll 2007-12-05 00:41 274,432 ----a-w C:\WINDOWS\system32\nvrspt.dll 2007-12-05 00:41 274,432 ----a-w C:\WINDOWS\system32\nvrsnl.dll 2007-12-05 00:41 274,432 ----a-w C:\WINDOWS\system32\nvrsesm.dll 2007-12-05 00:41 270,336 ----a-w C:\WINDOWS\system32\nvrsru.dll 2007-12-05 00:41 266,240 ----a-w C:\WINDOWS\system32\nvrsptb.dll 2007-12-05 00:41 266,240 ----a-w C:\WINDOWS\system32\nvrsja.dll 2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrstr.dll 2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrssl.dll 2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrssk.dll 2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll 2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrshu.dll 2007-12-05 00:41 253,952 ----a-w C:\WINDOWS\system32\nvrsth.dll 2007-12-05 00:41 253,952 ----a-w C:\WINDOWS\system32\nvrssv.dll 2007-12-05 00:41 253,952 ----a-w C:\WINDOWS\system32\nvrspl.dll 2007-12-05 00:41 253,952 ----a-w C:\WINDOWS\system32\nvrsno.dll 2007-12-05 00:41 253,952 ----a-w C:\WINDOWS\system32\nvrsda.dll 2007-12-05 00:41 249,856 ----a-w C:\WINDOWS\system32\nvrsfi.dll 2007-12-05 00:41 249,856 ----a-w C:\WINDOWS\system32\nvrscs.dll 2007-12-05 00:41 245,760 ----a-w C:\WINDOWS\system32\nvrseng.dll 2007-12-05 00:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll 2007-12-05 00:41 225,280 ----a-w C:\WINDOWS\system32\nvrszhc.dll 2007-12-05 00:41 212,992 ----a-w C:\WINDOWS\system32\nvwrsja.dll 2007-12-05 00:41 2,854,912 ----a-w C:\WINDOWS\system32\nvmoblsr.dll 2007-12-05 00:41 2,519,040 ----a-w C:\WINDOWS\system32\nvwssr.dll 2007-12-05 00:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll 2007-12-05 00:41 196,608 ----a-w C:\WINDOWS\system32\nvwrsko.dll 2007-12-05 00:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll 2007-12-05 00:41 167,936 ----a-w C:\WINDOWS\system32\nvwrszht.dll 2007-12-05 00:41 163,840 ----a-w C:\WINDOWS\system32\nvwrszhc.dll 2007-12-05 00:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe 2007-12-05 00:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe 2007-12-05 00:41 126,976 ----a-w C:\WINDOWS\system32\nvrszht.dll 2007-12-05 00:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll 2007-12-05 00:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe 2007-12-05 00:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll 2007-12-05 00:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe 2007-12-05 00:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll 2007-12-05 00:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll 2007-12-05 00:41 1,073,152 ----a-w C:\WINDOWS\system32\nvcpluir.dll 2007-12-05 00:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE~\Browser Helper Objects{ABE0897A-D42F-4727-A641-95286084E4F9}] 2007-12-29 21:58 344576 --------- C:\WINDOWS\system32\gebyv.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “DAEMON Tools Lite”=“C:\Program Files\DAEMON Tools Lite\daemon.exe” [2007-12-29 17:11] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NvCplDaemon”=“RUNDLL32.exe” [2004-08-03 23:44 C:\WINDOWS\system32\rundll32.exe] “MSConfig”=“C:\Documents and Settings\Kuba\Pulpit\msconfig .exe” [] “egui”=“C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe” [2007-12-29 16:32] “BluetoothAuthenticationAgent”=“bthprops.cpl” [2004-08-03 23:44 C:\WINDOWS\system32\bthprops.cpl] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26] Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-08-09 19:22:31] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 19:05:56] [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows] “load”=C:\WINDOWS\system32\gebyv.exe [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\gebyv [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] “Weflirt”=“C:\Program Files\Weflirt\weflirt.exe” -background “AlcoholAutomount”=“C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe” /automount “ares”=“C:\Program Files\Ares\Ares.exe” -h “ctfmon.exe”=C:\WINDOWS\system32\ctfmon.exe “DAEMON Tools Lite”=“C:\Program Files\DAEMON Tools Lite\daemon.exe” “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg .exe” /tray “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” /background [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] “RTHDCPL”=RTHDCPL.EXE “postSetupCheck”=C:\WINDOWS\System32\Rundll32.exe “C:\WINDOWS\system32\gzmrt.dll” DllStart “nwiz”=nwiz.exe /install “NvMediaCenter”=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit “Alcmtr”=ALCMTR.EXE “KAL”=C:\Program Files\PI\KAL.exe “NvCplDaemon”=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys [2007-11-23 21:50] R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-23 21:52] R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys [2007-11-23 21:50] R2 ekrn;Eset Service;“C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe” [2007-11-23 21:51] R3 AmdTools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys [2006-06-27 13:24] S3 EhttpSrv;Eset HTTP Server;“C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe” [2007-11-23 21:53] . Contents of the ‘Scheduled Tasks’ folder “2007-12-29 15:17:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job” . ************************************************************************** catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-29 21:58:46 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180] -> C:\WINDOWS\system32\gebyv.dll . Completion time: 2007-12-29 21:59:18 - machine was rebooted C:\ComboFix2.txt … 2007-12-29 21:53 C:\ComboFix3.txt … 2007-12-29 18:34 . 2007-08-09 19:04:25 — E O F —

Gutek · 30 Grudzień 2007 00:09

Wklej do Notatnika:

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo

Spróbuj jeszcze raz

soulreaver · 4 Styczeń 2008 16:33

chyba sie pozbylem tego gowna

log :

ComboFix 08-01-04.1 - Kuba 2008-01-04 17:22:11.24 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.738 [GMT 1:00]

Running from: C:\Documents and Settings\Kuba\Pulpit\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))

.

2008-01-04 16:31 . 2008-01-04 16:31 348,160 --a------ C:\WINDOWS\system32\RCX68A.tmp

2008-01-04 16:31 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-03 14:33 . 2008-01-03 14:40

2008-01-03 14:33 . 2008-01-04 14:38 1,044,280 —hs---- C:\WINDOWS\system32\tweidfne.ini

2008-01-02 14:28 . 2008-01-03 14:28 1,036,222 —hs---- C:\WINDOWS\system32\nbjomiwc.ini

2008-01-01 08:25 . 2008-01-01 08:25

2007-12-31 17:24 . 2007-12-31 17:24

2007-12-29 18:05 . 2004-08-04 00:44 153,088 --a------ C:\WINDOWS\system32\irftp.exe

2007-12-29 18:05 . 2004-08-04 00:44 153,088 --a–c— C:\WINDOWS\system32\dllcache\irftp.exe

2007-12-29 18:05 . 2004-08-04 00:44 27,648 --a------ C:\WINDOWS\system32\irmon.dll

2007-12-29 18:05 . 2004-08-04 00:44 27,648 --a–c— C:\WINDOWS\system32\dllcache\irmon.dll

2007-12-29 18:05 . 2004-08-04 00:44 8,192 --a------ C:\WINDOWS\system32\wshirda.dll

2007-12-29 18:05 . 2004-08-04 00:44 8,192 --a–c— C:\WINDOWS\system32\dllcache\wshirda.dll

2007-12-29 17:09 . 2007-12-30 16:14

2007-12-29 16:26 . 2007-12-29 16:26

2007-12-29 03:30 . 2007-12-29 03:30

2007-12-29 02:33 . 2007-12-29 14:57

2007-12-29 01:57 . 2007-12-29 01:57

2007-12-29 01:18 . 2007-12-29 01:18

2007-12-28 23:51 . 2007-12-28 23:51 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll

2007-12-28 20:56 . 2007-12-28 20:56

2007-12-27 00:03 . 2007-12-27 00:03

2007-12-27 00:03 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE

2007-12-27 00:03 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe

2007-12-27 00:03 . 2007-12-27 00:04 165,437 --a------ C:\WINDOWS\system32\nvapps.xml

2007-12-27 00:03 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu

2007-12-25 23:40 . 2007-12-25 23:40

2007-12-11 01:37 . 2007-12-11 01:37

2007-12-11 01:35 . 2007-12-11 01:35

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-04 15:18 --------- d-----w C:\Program Files\Warcraft III

2008-01-02 20:56 --------- d-----w C:\Program Files\MoorHunt

2007-12-31 16:26 --------- d–h--w C:\Program Files\InstallShield Installation Information

2007-12-31 16:24 --------- d-----w C:\Program Files\THQ

2007-12-29 04:07 --------- d-----w C:\Program Files\Gadu-Gadu

2007-12-29 01:26 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2007-12-28 22:54 --------- d-----w C:\Program Files\QuickTime

2007-12-05 00:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll

2007-12-05 00:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll

2007-12-05 00:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll

2007-12-05 00:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe

2007-12-05 00:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys

2007-12-05 00:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll

2007-12-05 00:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll

2007-12-05 00:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll

2007-12-05 00:41 5,611,520 ----a-w C:\WINDOWS\system32\nvdispsr.dll

2007-12-05 00:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll

2007-12-05 00:41 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll

2007-12-05 00:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll

2007-12-05 00:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe

2007-12-05 00:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe

2007-12-05 00:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll

2007-12-05 00:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll

2007-12-05 00:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll

2007-12-05 00:41 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll

2007-12-05 00:41 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll

2007-12-05 00:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll

2007-12-05 00:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll

2007-12-05 00:41 327,680 ----a-w C:\WINDOWS\system32\nvrshe.dll

2007-12-05 00:41 327,680 ----a-w C:\WINDOWS\system32\nvrsar.dll

2007-12-05 00:41 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll

2007-12-05 00:41 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll

2007-12-05 00:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll

2007-12-05 00:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll

2007-12-05 00:41 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll

2007-12-05 00:41 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll

2007-12-05 00:41 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll

2007-12-05 00:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll

2007-12-05 00:41 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll

2007-12-05 00:41 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll

2007-12-05 00:41 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll

2007-12-05 00:41 3,715,072 ----a-w C:\WINDOWS\system32\nvvitvsr.dll

2007-12-05 00:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll

2007-12-05 00:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll

2007-12-05 00:41 3,334,144 ----a-w C:\WINDOWS\system32\nvgamesr.dll

2007-12-05 00:41 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll

2007-12-05 00:41 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll

2007-12-05 00:41 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll

2007-12-05 00:41 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll

2007-12-05 00:41 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll

2007-12-05 00:41 290,816 ----a-w C:\WINDOWS\system32\nvwrsth.dll

2007-12-05 00:41 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll

2007-12-05 00:41 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll

2007-12-05 00:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll

2007-12-05 00:41 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll

2007-12-05 00:41 282,624 ----a-w C:\WINDOWS\system32\nvrsfr.dll

2007-12-05 00:41 282,624 ----a-w C:\WINDOWS\system32\nvrses.dll

2007-12-05 00:41 282,624 ----a-w C:\WINDOWS\system32\nvrsel.dll

2007-12-05 00:41 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll

2007-12-05 00:41 278,528 ----a-w C:\WINDOWS\system32\nvrsit.dll

2007-12-05 00:41 278,528 ----a-w C:\WINDOWS\system32\nvrsde.dll

2007-12-05 00:41 274,432 ----a-w C:\WINDOWS\system32\nvrspt.dll

2007-12-05 00:41 274,432 ----a-w C:\WINDOWS\system32\nvrsnl.dll

2007-12-05 00:41 274,432 ----a-w C:\WINDOWS\system32\nvrsesm.dll

2007-12-05 00:41 270,336 ----a-w C:\WINDOWS\system32\nvrsru.dll

2007-12-05 00:41 266,240 ----a-w C:\WINDOWS\system32\nvrsptb.dll

2007-12-05 00:41 266,240 ----a-w C:\WINDOWS\system32\nvrsja.dll

2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrstr.dll

2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrssl.dll

2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrssk.dll

2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll

2007-12-05 00:41 258,048 ----a-w C:\WINDOWS\system32\nvrshu.dll

2007-12-05 00:41 253,952 ----a-w C:\WINDOWS\system32\nvrsth.dll

2007-12-05 00:41 253,952 ----a-w C:\WINDOWS\system32\nvrssv.dll

2007-12-05 00:41 253,952 ----a-w C:\WINDOWS\system32\nvrspl.dll

2007-12-05 00:41 253,952 ----a-w C:\WINDOWS\system32\nvrsno.dll

2007-12-05 00:41 253,952 ----a-w C:\WINDOWS\system32\nvrsda.dll

2007-12-05 00:41 249,856 ----a-w C:\WINDOWS\system32\nvrsfi.dll

2007-12-05 00:41 249,856 ----a-w C:\WINDOWS\system32\nvrscs.dll

2007-12-05 00:41 245,760 ----a-w C:\WINDOWS\system32\nvrseng.dll

2007-12-05 00:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll

2007-12-05 00:41 225,280 ----a-w C:\WINDOWS\system32\nvrszhc.dll

2007-12-05 00:41 212,992 ----a-w C:\WINDOWS\system32\nvwrsja.dll

2007-12-05 00:41 2,854,912 ----a-w C:\WINDOWS\system32\nvmoblsr.dll

2007-12-05 00:41 2,519,040 ----a-w C:\WINDOWS\system32\nvwssr.dll

2007-12-05 00:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll

2007-12-05 00:41 196,608 ----a-w C:\WINDOWS\system32\nvwrsko.dll

2007-12-05 00:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll

2007-12-05 00:41 167,936 ----a-w C:\WINDOWS\system32\nvwrszht.dll

2007-12-05 00:41 163,840 ----a-w C:\WINDOWS\system32\nvwrszhc.dll

2007-12-05 00:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe

2007-12-05 00:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe

2007-12-05 00:41 126,976 ----a-w C:\WINDOWS\system32\nvrszht.dll

2007-12-05 00:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll

2007-12-05 00:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe

2007-12-05 00:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll

2007-12-05 00:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe

2007-12-05 00:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll

2007-12-05 00:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll

2007-12-05 00:41 1,073,152 ----a-w C:\WINDOWS\system32\nvcpluir.dll

.

----a-w 486,856 2007-12-30 15:14:07 C:\Program Files\DAEMON Tools Lite\daemon .exe

----a-w 1,410,304 2008-01-01 10:41:15 C:\Program Files\ESET\ESET NOD32 Antivirus\egui .exe

[/code]

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“DAEMON Tools Lite”=“C:\Program Files\DAEMON Tools Lite\daemon.exe” []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2007-12-05 01:41 8523776]

“egui”=“C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe” []

“BluetoothAuthenticationAgent”=“bthprops.cpl” [2004-08-03 23:44 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” []

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-08-09 19:22:31]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 19:05:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

“Weflirt”=“C:\Program Files\Weflirt\weflirt.exe” -background

“AlcoholAutomount”=“C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe” /automount

“ares”=“C:\Program Files\Ares\Ares.exe” -h

“ctfmon.exe”=C:\WINDOWS\system32\ctfmon.exe

“DAEMON Tools Lite”=“C:\Program Files\DAEMON Tools Lite\daemon.exe”

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg .exe” /tray

“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

“RTHDCPL”=RTHDCPL.EXE

“postSetupCheck”=C:\WINDOWS\System32\Rundll32.exe “C:\WINDOWS\system32\gzmrt.dll” DllStart

“nwiz”=nwiz.exe /install

“NvMediaCenter”=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

“Alcmtr”=ALCMTR.EXE

“KAL”=C:\Program Files\PI\KAL.exe

“NvCplDaemon”=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-23 21:52]

R3 AmdTools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys [2006-06-27 13:24]

.

Contents of the ‘Scheduled Tasks’ folder

“2007-12-29 15:17:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”

C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-04 17:23:15

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-01-04 17:23:34

.

2007-08-09 19:04:25 — E O F —

Gutek · 4 Styczeń 2008 18:35

Zmiana zasad wklejania logów na forum - viewtopic.php?f=16&t=213350

Wklej do Notatnika:

File::

C:\WINDOWS\system32\tweidfne.ini

C:\WINDOWS\system32\nbjomiwc.ini

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo

soulreaver · 4 Styczeń 2008 18:51

http://www.wklej.org/id/64af486270

Gutek · 4 Styczeń 2008 18:57

Już powinno być Ok

soulreaver · 4 Styczeń 2008 19:04

thx za pomoc