Trojan.Packed.nsanti, w32.gammima.ag


(Walk) #1

I have these viruses plus some hacktools; how do I get rid of them? ComboFix log:

ComboFix 09-01-21.04 - WalK 2009-01-27 12:24:54.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.2047.1425 [GMT 1:00]

Running from: e:\documents and settings\WalK\Moje dokumenty\Downloads\ComboFix.exe

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated)

FW: Symantec Endpoint Protection *enabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))

.

e:\windows\expiorer.exe

F:\Autorun.inf

F:\iq.bat

F:\j60osk9.cmd

F:\qoes.bat

G:\Autorun.inf

G:\iq.bat

G:\j60osk9.cmd

G:\qoes.bat

G:\x2tpc.cmd

.

((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))

.

2009-01-22 22:51 . 2009-01-22 22:51

2009-01-21 22:19 . 2009-01-22 08:55

2009-01-21 19:15 . 2009-01-21 19:15

2009-01-15 22:42 . 2009-01-15 22:43

2009-01-13 14:37 . 2009-01-13 14:38

2009-01-13 13:55 . 2009-01-13 13:55

2009-01-13 11:30 . 2009-01-13 11:30

2009-01-13 09:29 . 2004-08-04 00:44 70,144 --a------ e:\windows\AhnRpta.exe

2009-01-12 20:42 . 2009-01-12 20:50 183 --a------ e:\windows\wcx_ftp.ini

2009-01-10 15:07 . 2009-01-10 15:07 1,172 --a------ e:\windows\bestplayer.ini

2009-01-10 15:07 . 2009-01-10 15:07 69 --a------ e:\windows\bestplayer.bpp

2009-01-10 15:07 . 2009-01-10 15:07 0 --a------ e:\windows\bestplayer.bbt

2009-01-10 00:45 . 2009-01-27 12:25

2009-01-10 00:45 . 2009-01-10 09:08

2009-01-10 00:45 . 2009-01-08 02:06

2009-01-10 00:45 . 2009-01-08 02:59

2009-01-10 00:45 . 2009-01-08 02:59

2009-01-10 00:45 . 2009-01-08 02:59

2009-01-10 00:45 . 2009-01-08 02:59

2009-01-10 00:45 . 2009-01-10 00:45

2009-01-09 13:48 . 2009-01-09 13:48

2009-01-09 13:48 . 2009-01-09 13:48

2009-01-08 23:26 . 2009-01-08 23:26

2009-01-08 20:40 . 2009-01-08 20:40

2009-01-08 20:16 . 2009-01-08 20:16 421 --a------ e:\windows\ODBC.INI

2009-01-08 20:15 . 2003-06-19 01:31 17,920 --a------ e:\windows\system32\mdimon.dll

2009-01-08 20:13 . 2009-01-08 20:13

2009-01-08 20:12 . 2009-01-08 20:14

2009-01-08 20:12 . 2009-01-08 20:12

2009-01-08 20:08 . 2009-01-08 20:08

2009-01-08 20:05 . 2009-01-08 20:05 717,296 --a------ e:\windows\system32\drivers\sptd.sys

2009-01-08 18:53 . 2009-01-08 18:53

2009-01-08 18:53 . 2009-01-10 21:24 202,352 --a------ e:\windows\system32\PnkBstrB.exe

2009-01-08 18:53 . 2009-01-10 21:24 138,624 --a------ e:\windows\system32\drivers\PnkBstrK.sys

2009-01-08 18:53 . 2009-01-08 18:53 66,872 --a------ e:\windows\system32\PnkBstrA.exe

2009-01-08 18:05 . 2009-01-08 18:42

2009-01-08 16:49 . 2009-01-08 16:49

2009-01-08 16:24 . 2008-06-18 18:01 77,824 --a------ e:\windows\SET14.tmp

2009-01-08 16:24 . 2008-06-19 16:20 57,344 --a------ e:\windows\ALCMTR.EXE

2009-01-08 16:19 . 2007-11-14 15:18 553 --a------ e:\windows\USetup.iss

2009-01-08 16:18 . 2005-07-15 16:48 40,960 -r------- e:\windows\system32\ChCfg.exe

2009-01-08 16:17 . 2008-03-05 18:07 520,192 --a------ e:\windows\RtlExUpd.dll

2009-01-08 08:30 . 2009-01-08 08:32

2009-01-08 08:16 . 2009-01-08 08:16

2009-01-08 03:02 . 2004-08-03 23:58 5,504 --a------ e:\windows\system32\drivers\MSTEE.sys

2009-01-08 03:00 . 2004-08-04 01:44 77,312 --a------ e:\windows\system32\usbui.dll

2009-01-08 03:00 . 2004-08-04 00:07 14,080 --a------ e:\windows\system32\drivers\CmBatt.sys

2009-01-08 03:00 . 2001-08-17 22:57 14,080 --a------ e:\windows\system32\drivers\battc.sys

2009-01-08 03:00 . 2001-08-17 22:58 9,344 --a------ e:\windows\system32\drivers\compbatt.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-13 16:03 --------- d-----w e:\program files\NAPI-PROJEKT

2009-01-08 22:08 --------- d-----w e:\program files\SubEdit-Player

2009-01-08 17:01 --------- d-----w e:\program files\Common Files\InstallShield

2009-01-08 15:40 --------- d-----w e:\program files\Realtek

2009-01-08 15:18 --------- d--h--w e:\program files\InstallShield Installation Information

2009-01-08 01:17 --------- d-----w e:\program files\ATI

2009-01-08 01:10 --------- d-----w e:\program files\microsoft frontpage

2009-01-08 01:09 --------- d-----w e:\program files\Usługi online

2009-01-07 22:55 --------- d-----w e:\documents and settings\WalK\Dane aplikacji\ATI

2009-01-07 22:55 --------- d-----w e:\documents and settings\All Users\Dane aplikacji\ATI

2009-01-07 22:51 --------- d-----w e:\program files\ATI Technologies

2009-01-07 21:53 --------- d-----w e:\program files\ASUS

2009-01-07 21:04 --------- d-----w e:\program files\K-Lite Codec Pack

2009-01-07 21:01 --------- d-----w e:\program files\Konnekt

2009-01-07 20:13 --------- d-----w e:\program files\Toshiba

2009-01-07 19:34 --------- d-----w e:\program files\BitLord

2009-01-07 19:21 --------- d-----w e:\program files\Common Files\Symantec Shared

2009-01-07 19:20 --------- d-----w e:\documents and settings\All Users\Dane aplikacji\Symantec

2009-01-07 19:19 805 ----a-w e:\windows\system32\drivers\SYMEVENT.INF

2009-01-07 19:19 60,800 ----a-w e:\windows\system32\S32EVNT1.DLL

2009-01-07 19:19 123,952 ----a-w e:\windows\system32\drivers\SYMEVENT.SYS

2009-01-07 19:19 10,563 ----a-w e:\windows\system32\drivers\SYMEVENT.CAT

2009-01-07 19:19 --------- d-----w e:\program files\Symantec

2009-01-07 19:03 --------- d-----w e:\documents and settings\All Users\Dane aplikacji\stamina

2009-01-07 18:41 --------- d-----w e:\program files\Atheros

2009-01-07 18:41 --------- d-----w e:\documents and settings\WalK\Dane aplikacji\InstallShield

2009-01-07 18:41 --------- d-----w e:\documents and settings\All Users\Dane aplikacji\Atheros

2008-12-28 22:48 2,330,643 ----a-w e:\windows\system32\x264vfw.dll

2008-12-08 20:45 92,488 ----a-w e:\windows\system32\drivers\SysPlant.sys

2008-12-08 20:43 42,312 ----a-w e:\windows\system32\drivers\WPSDRVnt.sys

2008-12-08 20:43 357,704 ----a-w e:\windows\system32\sysfer.dll

2008-12-08 20:43 107,848 ----a-w e:\windows\system32\SymVPN.dll

2008-12-08 20:42 49,480 ----a-w e:\windows\system32\FwsVpn.dll

2008-12-08 11:53 57,344 ----a-w e:\windows\system32\ff_vfw.dll

2008-12-07 18:08 795,648 ----a-w e:\windows\system32\xvidcore.dll

2008-12-07 18:08 130,048 ----a-w e:\windows\system32\xvidvfw.dll

2008-10-28 22:35 684,032 ----a-w e:\windows\system32\divx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="e:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"Konnekt"="e:\program files\Konnekt\konnekt.exe" [2005-05-24 503808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ACU"="e:\program files\Atheros\ACU.exe" [2008-04-09 450648]

"ccApp"="e:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]

"ATKMEDIA"="e:\program files\ASUS\ATK Media\DMedia.exe" [2008-06-24 159744]

"StartCCC"="e:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"RTHDCPL"="RTHDCPL.EXE" [2008-06-20 e:\windows\RTHDCPL.EXE]

"SoundMan"="SOUNDMAN.EXE" [2006-02-14 e:\windows\SoundMan.exe]

"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 e:\windows\ALCWZRD.EXE]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="e:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.l3fhg"= mp3fhg.acm

"msacm.divxa32"= divxa32.acm

"VIDC.X264"= x264vfw.dll

"VIDC.HFYU"= huffyuv.dll

"vidc.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-06-12 02:38 34672 e:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]

--a------ 2008-11-23 01:36 203720 e:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATKHOTKEY]

--a------ 2007-04-19 11:32 225280 e:\program files\ATK Hotkey\HControl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2009-01-07 19:47 133104 e:\documents and settings\WalK\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"e:\Program Files\Konnekt\konnekt.exe"=

"e:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe"=

"e:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE"=

"e:\Program Files\Common Files\Symantec Shared\ccApp.exe"=

"e:\Program Files\BitLord\BitLord.exe"=

"f:\gry\America's Army\System\ArmyOps.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;e:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-07 99376]

R3 WSIMD;wsimd Service;e:\windows\system32\drivers\wsimd.sys [2009-01-07 57408]

S3 COH_Mon;COH_Mon;e:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{db857f0a-dcea-11dd-99b1-00235480f97f}]

\Shell\AutoRun\command - H:\xcisvxl.com

\Shell\open\Command - H:\xcisvxl.com

.

Contents of the 'Scheduled Tasks' folder

2009-01-27 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1292428093-682003330-1003.job

- e:\documents and settings\WalK\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2009-01-07 19:47]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-cdoosoft - e:\windows\system32\olhrwef.exe

ShellExecuteHooks-{BB4C402F-882A-4526-8C08-51278EA437C1} - e:\windows\system32\afmain0.dll

MSConfigStartUp-vamsoft - e:\windows\system32\vamsoft.exe

.

------- Supplementary Scan -------

.

IE: E&ksport do programu Microsoft Excel - e:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: {7F5E8811-C897-4AA2-8313-DB5066AEE869} = 194.204.159.1,194.204.152.34

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-27 12:26:05

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1200)

e:\windows\system32\Ati2evxx.dll

.

Completion time: 2009-01-27 12:27:03

ComboFix-quarantined-files.txt 2009-01-27 11:27:00

ComboFix2.txt 2009-01-10 08:37:02

Pre-Run: 14,998,573,056 bytes free

Post-Run: 15,009,792,000 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

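Reading the log above as a responder: the "Deleted" list contains a typosquatted explorer.exe (expiorer.exe) plus Autorun.inf and batch droppers on F: and G:, Explorer still holds a cached autorun command for a removable volume under MountPoints2 (H:\xcisvxl.com), the Security Center has AntiVirusOverride set, and three autostart entries (cdoosoft, a ShellExecuteHooks DLL, vamsoft) were orphaned. The script below is an added example of pulling those indicators out of a ComboFix log mechanically; it is not from the thread or from ComboFix. LOG copies the relevant lines of the log above with the section banners in ComboFix's English wording; KNOWN_SYSTEM_BINARIES, the 0.85 look-alike cutoff and the finding labels are my own choices.

```python
"""Pull the actionable indicators out of a ComboFix log.

Added example: my triage helper, not code from the thread or from ComboFix.
LOG copies the relevant lines of the log posted above (banners in ComboFix's
English wording); KNOWN_SYSTEM_BINARIES, the look-alike cutoff and the
finding labels are my own choices.
"""
import difflib
import re

LOG = r"""
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
e:\windows\expiorer.exe
F:\Autorun.inf
F:\iq.bat
G:\x2tpc.cmd
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Konnekt"="e:\program files\Konnekt\konnekt.exe" [2005-05-24 503808]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{db857f0a-dcea-11dd-99b1-00235480f97f}]
\Shell\AutoRun\command - H:\xcisvxl.com
\Shell\open\Command - H:\xcisvxl.com
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-cdoosoft - e:\windows\system32\olhrwef.exe
ShellExecuteHooks-{BB4C402F-882A-4526-8C08-51278EA437C1} - e:\windows\system32\afmain0.dll
MSConfigStartUp-vamsoft - e:\windows\system32\vamsoft.exe
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # "(((( Section name ))))"
ORPHANS = "- - - - ORPHANS REMOVED - - - -"
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')       # "Name"="command" [date size]
# Names worms like to imitate; my list, extend to taste.
KNOWN_SYSTEM_BINARIES = ["explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                         "winlogon.exe", "services.exe", "smss.exe", "ctfmon.exe"]


def split_sections(log):
    """Group the log's non-empty lines under the banner that precedes them."""
    sections, current = {}, "header"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = BANNER_RE.match(line)
        if banner or line == ORPHANS:
            current = banner.group(1) if banner else "orphans"
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def run_entries(lines):
    """(key, value name, command) for every value listed under a ...\\Run key."""
    out, key = [], None
    for line in lines:
        if line.startswith("["):
            key = line.strip("[]")
            continue
        m = RUN_VALUE_RE.match(line)
        if key and key.lower().endswith("\\run") and m:
            out.append((key, m.group(1), m.group(2)))
    return out


def mountpoints2_autoruns(lines):
    """(volume GUID, verb, target) for Explorer's cached per-volume autorun commands.
    These survive deletion of the autorun.inf itself: double-clicking the drive
    letter still runs the target until the MountPoints2 key is removed."""
    out, guid = [], None
    for line in lines:
        if line.startswith("["):
            is_mp2 = "mountpoints2" in line.lower() and "{" in line and "}" in line
            guid = line[line.index("{"):line.index("}") + 1] if is_mp2 else None
            continue
        if guid and line.startswith("\\Shell\\"):
            verb, _, target = line.partition(" - ")
            out.append((guid, verb, target.strip()))
    return out


def lookalike(filename, cutoff=0.85):
    """System binary this file name imitates (expiorer.exe -> explorer.exe), or None."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    hits = difflib.get_close_matches(name, KNOWN_SYSTEM_BINARIES, n=1, cutoff=cutoff)
    return hits[0] if hits else None


def triage(log):
    """List (category, detail) findings a responder should act on."""
    sections = split_sections(log)
    findings = []
    for path in sections.get("Deleted", []):
        base = path.rsplit("\\", 1)[-1]
        twin = lookalike(base)
        if base.lower() == "autorun.inf":
            findings.append(("autorun-on-removable", path))
        elif twin:
            findings.append(("lookalike-of-" + twin, path))
    reg = sections.get("Reg Loading Points", [])
    for guid, verb, target in mountpoints2_autoruns(reg):
        findings.append(("mountpoints2-autorun", guid + " " + verb + " -> " + target))
    if any(line.startswith('"AntiVirusOverride"=dword:00000001') for line in reg):
        findings.append(("security-center-override", "AntiVirusOverride=1"))
    for line in sections.get("orphans", []):
        findings.append(("orphaned-autostart", line))
    return findings


if __name__ == "__main__":
    for category, detail in triage(LOG):
        print(f"{category:28} {detail}")
```

Run it against a full saved log (`triage(open("ComboFix.txt", encoding="cp1250").read())` for a Polish-locale log) to get the short list worth chasing; the MountPoints2 hit is the one most cleanup guides miss, because the malicious file on H: is long gone while the cached command is not.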


(Gregor479) #2

http://dobreprogramy.pl/index.php?dz=22 ... 6.7.5.2561

Install this, it will definitely help.


(huber2t) #3

To clean the pendrive of viruses, use these programs

Open Notepad and paste

In Notepad, go to File -> Save as -> change the file type from .txt to All files -> save it under the name Fix.reg

Run that file, then restart the computer.

Manually delete the C:\Qoobox folder and delete the ComboFix installer from the disk.

Clean the system with CCleaner.

Optimize the startup entries.

Disable and re-enable System Restore on all drives. Instructions

Scan the entire computer with http://www.kaspersky.pl/virusscanner.html and post its report on the forum.
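The pendrive cleanup and the Fix.reg step above amount to two things: find out what the autorun.inf on the stick launches and whether those droppers are still present, then remove Explorer's cached MountPoints2 autorun command so the stick cannot re-trigger it. The script below is an added example of both, not code from the thread or from any of the tools named in it. The autorun.inf text is constructed in the style of the F:\ and G:\ droppings in the log (ComboFix deleted the real file before anyone read it); the `unparseable` flag, the `.reg` builder and the NoDriveTypeAutoRun hardening line are my own.

```python
"""Removable-drive cleanup helpers for an autorun worm.

Added example, not code from the thread.  SAMPLE_AUTORUN_INF is constructed
in the style of the F:\\ and G:\\ droppings in the log above; the scan report,
the .reg builder and the NoDriveTypeAutoRun line are my own choices.
"""
import configparser
import pathlib
import tempfile

SAMPLE_AUTORUN_INF = """[AutoRun]
open=iq.bat
shell\\open\\Command=j60osk9.cmd
shell\\explore\\Command=qoes.bat
shellexecute=x2tpc.cmd
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Directives that make Explorer run something; 'icon' and 'label' are cosmetic.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")


def parse_autorun(text):
    """Return {directive: target} for every launching directive in [AutoRun]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)                    # raises configparser.Error on junk lines
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {k: v.strip() for k, v in cp.items(section) if k in LAUNCH_KEYS}


def scan_drive(root):
    """Inspect a drive root (or any directory) for an autorun.inf and the files it launches."""
    root = pathlib.Path(root)
    report = {"autorun_inf": None, "launches": {}, "present": [], "unparseable": False}
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return report
    report["autorun_inf"] = str(inf)
    try:
        report["launches"] = parse_autorun(inf.read_text(errors="replace"))
    except configparser.Error:
        # Worms pad the file with junk to break naive parsers; that is itself a signal.
        report["unparseable"] = True
        return report
    for target in report["launches"].values():
        parts = target.split()
        if not parts:
            continue
        name = parts[0].strip('"')           # drop arguments, keep the program name
        if (root / name).exists():
            report["present"].append(name)
    return report


def mountpoints2_removal_reg(volume_guids, disable_autorun=True):
    """Build a .reg that deletes Explorer's cached autorun command for each volume.
    A leading '-' in the key line is regedit's syntax for deleting a key.  With
    disable_autorun, NoDriveTypeAutoRun=0xFF turns AutoRun off for every drive type."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for guid in volume_guids:
        lines.append("[-HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion"
                     "\\Explorer\\MountPoints2\\" + guid + "]")
        lines.append("")
    if disable_autorun:
        lines.append("[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion"
                     "\\Policies\\Explorer]")
        lines.append('"NoDriveTypeAutoRun"=dword:000000ff')
        lines.append("")
    return "\r\n".join(lines)


def demo():
    """Stage a throwaway 'USB stick' with the sample autorun.inf and scan it."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="fake_usb_"))
    (root / "Autorun.inf").write_text(SAMPLE_AUTORUN_INF)
    (root / "iq.bat").write_text("@echo off\r\n")   # only one of the four droppers is left
    return scan_drive(root)


if __name__ == "__main__":
    print(demo())
    print(mountpoints2_removal_reg(["{db857f0a-dcea-11dd-99b1-00235480f97f}"]))
```

On the infected machine you would call `scan_drive("F:\\")` for each removable drive before deleting anything, write the output of `mountpoints2_removal_reg` (the GUID comes from the MountPoints2 line in the ComboFix log) to a file and import it with regedit. Cleaning the stick alone is not enough: Explorer keeps the cached command under MountPoints2 and will run H:\xcisvxl.com again the next time that volume is opened, and unless AutoRun is disabled the next infected stick starts the cycle over.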