Trojan Vundo and other junk on my PC, please check my logs

Download and run The Avenger tool. Select the text given for removal on the forum,

copy it >> click Paste Script from Clipboard >> Execute >> confirm and agree to the restart by clicking OK.

Manually delete the file C:\Avenger\backup.zip from the disk and paste the report C:\avenger.txt on the forum,

then a new ComboFix log.

:slight_smile:

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Dodatek Service Pack 2)

Wed May 14 19:11:00 2008

19:11:00: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Error: file "C:\WINDOWS\system32\iycjpiar.exe" not found!

Deletion of file "C:\WINDOWS\system32\iycjpiar.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

File "C:\WINDOWS\system32\irpghjdl.exe" deleted successfully.

File "C:\WINDOWS\system32\rpnokefs.exe" deleted successfully.

File "C:\WINDOWS\system32\lypvtnyb.exe" deleted successfully.

File "C:\WINDOWS\system32\lnyrxeuf.exe" deleted successfully.

File "C:\WINDOWS\system32\gvgefljd.exe" deleted successfully.

Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" deleted successfully.

Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix" deleted successfully.

Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drmupgds" deleted successfully.

Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

On 14.05.2008 at 19:24 a post was added by apollo13

ComboFix 08-05-12.1 - Administrator 2008-05-14 19:18:02.6 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.45 [GMT 1:00]

Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))

.

2010-05-12 18:04 . 2010-05-12 18:05

2010-05-12 08:07 . 2007-07-04 15:27 1,056,768 --a------ C:\WINDOWS\system32\ROBOEX32.DLL

2009-05-12 20:24 . 2009-05-12 20:24 731,136 --a------ C:\avenger.exe

2009-05-12 18:59 . 2009-05-12 18:59

2009-04-17 17:58 . 2009-04-17 17:58

2009-03-19 21:32 . 2009-03-19 21:32

2008-05-13 21:56 . 2008-05-13 21:56 2,986,038 --a------ C:\screenz wynikiem testu.bmp

2008-05-13 20:43 . 2008-05-13 20:43

2008-05-13 20:24 . 2008-05-13 20:36

2008-05-13 20:24 . 2006-07-14 16:41 332,288 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll

2008-05-13 19:44 . 2008-05-14 19:14

2008-05-13 19:44 . 2008-05-13 19:44

2008-04-30 19:03 . 2008-04-30 19:46

2008-04-30 18:44 . 2008-04-30 18:44

2008-04-14 12:26 . 2008-04-14 12:29

2008-04-14 12:23 . 2008-04-14 12:23

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-12 17:04 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\MSN6

2010-05-12 12:58 --------- d-----w C:\Program Files\SkanerOnline

2009-05-12 17:59 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab

2009-05-12 17:14 --------- d-----w C:\Program Files\Norton Security Scan

2009-04-17 18:38 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\nView_Profiles

2009-03-25 16:33 --------- d-----w C:\Program Files\SubEdit-Player

2008-05-14 18:13 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP

2008-05-14 18:11 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent

2008-05-14 14:36 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Skype

2008-05-14 10:59 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\skypePM

2008-05-13 18:44 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-03-05 19:50 32,256 ----a-w C:\WINDOWS\system32\NTSecurity.exe

2007-12-09 16:01 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:44 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"a-winpoet-service"="C:\Program Files\DialNet\winpppoverethernet.exe" [2007-07-06 07:40 405504]

"z-WrDialer"="C:\Program Files\DialNet\WrDialer.exe" [2007-07-11 16:11 561152]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

"Windows Printing Driver"= WinPrint.exe

"NT Security Service"= NTSecurity.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.YV12"= yv12vfw.dll

[HKLM~\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk]

path=C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk

backup=C:\WINDOWS\pss\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnkStartup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

--a------ 2007-07-04 15:27 110592 C:\PROGRA~1\DialNet\FPLICE~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

--a------ 2005-05-03 18:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a------ 2004-08-04 00:44 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2007-04-03 23:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-08-04 00:44 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

--a------ 2007-06-13 14:49 16377344 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]

-ra------ 2007-02-06 00:30 176128 C:\WINDOWS\system32\S3Trayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra------ 2007-11-12 15:51 21877544 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

--a------ 2007-06-15 16:45 1826816 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

-ra------ 2006-09-21 09:36 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\Program Files\uTorrent\uTorrent.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

R0 ViBus;ViBus;C:\WINDOWS\system32\DRIVERS\ViBus.sys [2007-03-26 08:26]

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-03-29 04:36]

R0 ViPrt;VIA SATA IDE Device Driver;C:\WINDOWS\system32\DRIVERS\ViPrt.sys [2007-03-26 08:26]

R2 TopWinPoETDriver;WinPoET PPPoE Optimized Driver;C:\WINDOWS\system32\DRIVERS\WrKPoET2000.sys [2007-07-04 15:27]

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-02-27 09:14]

R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2007-03-05 02:54]

R3 WrKPoET2000;WrKPoET2000;C:\Program Files\DialNet\WrKPoET2000.sys [2007-07-04 15:27]

R3 WRSWanDD;WinPoET PPPoE Adapter;C:\WINDOWS\system32\DRIVERS\WrKPoETNic2000.sys [2007-07-04 15:27]

S3 FPD;Fine Point Packet Service;C:\WINDOWS\system32\drivers\fpd.sys []

S4 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:44]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

"2008-05-07 17:44:01 C:\WINDOWS\Tasks\1-Click Maintenance.job"

  • C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe

"2009-05-12 17:16:32 C:\WINDOWS\Tasks\Norton Security Scan.job"

  • C:\Program Files\Norton Security Scan\Nss.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-14 19:20:14

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-05-14 19:22:06

ComboFix-quarantined-files.txt 2008-05-14 18:22:02

Pre-Run: 7,554,220,032 bajtów wolnych

Post-Run: 7,621,230,592 bajtów wolnych

138

Open Notepad and paste

save as plik.reg >> all files >> merge into the registry >> restart


a file with this icon will be created


double-click it, confirm that you want to add it to the registry, then restart

Turn System Restore off and back on on all drives: http://support.microsoft.com/kb/310405/pl

do a startup optimisation: http://cybertrash.netarteria.pl/cyber/index.php/topic,378.0.html

manually delete the C:\Qoobox folder and delete the ComboFix installer from the disk.

scan the My Computer area with http://www.kaspersky.pl/virusscanner.html and post the report; the page has to be opened in IE

:slight_smile:
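Before merging a registry fix it helps to confirm which loading points the ComboFix log actually shows as tampered. The script below is an added example, not code from this thread or from ComboFix: it audits the "Reg Loading Points" section for Security Center notifications switched off, the Windows Firewall disabled in the standard profile, and bare executables under Policies\Explorer\Run (the pattern visible in the log above). The sample lines are constructed to mirror the posted log, and the list of flagged settings is my own choice.

```python
import re

# Constructed sample modelled on the Reg Loading Points section posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Windows Printing Driver"= WinPrint.exe
"NT Security Service"= NTSecurity.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# (fragment of key path, value name in lower case) -> value meaning "defence off"
WEAKENING = {
    ("security center", "antivirusdisablenotify"): "1",
    ("security center", "updatesdisablenotify"): "1",
    ("firewallpolicy\\standardprofile", "enablefirewall"): "0",
}
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?([^\s(]+)')


def audit_reg_points(text):
    """Return (section, value name, value, reason) tuples for suspicious entries."""
    findings, section = [], ""
    for raw in text.splitlines():
        # forum software turns straight quotes into curly ones; undo that first
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"')
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        try:
            norm = str(int(value, 16))   # dword:00000001 -> "1", "0 (0x0)" -> "0"
        except ValueError:
            norm = value                 # not numeric, e.g. a file name
        for (frag, vname), bad in WEAKENING.items():
            if frag in section and name.lower() == vname and norm == bad:
                findings.append((section, name, norm, "security setting weakened"))
        # A bare file name (no path) under Policies\Explorer\Run is a classic
        # malware persistence spot that legitimate installers almost never use.
        if section.endswith("policies\\explorer\\run") and "\\" not in value:
            findings.append((section, name, value, "bare executable in Policies\\Explorer\\Run"))
    return findings
```

Run `audit_reg_points(SAMPLE_LOG)` to list the five findings; a log where these values read 0 / 1 / full paths yields an empty list.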

Thanks guys, I don't think I have any viruses anymore, it's just that Kaspersky thing won't scan :)

Regards :D