Trojan Pakes.CWB


(Ryszrd Lebmor) #1

Hello

I am asking for help.

AVG found Pakes.CWB and removed it, but after every system restart the trojan comes back. How do I remove it permanently?

Thanks in advance for the help and regards

ryszard

Here is the ComboFix scan result


ComboFix 09-03-23.01 - Administrator 2009-03-25 19:08:04.2 - NTFSx86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.1.1250.1.1045.18.1023.842 [GMT 1:00]

Uruchomiony z: H:\ComboFix.exe

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)

.

((((((((((((((((((((((((( Pliki utworzone od 2009-02-25 do 2009-03-25 )))))))))))))))))))))))))))))))

.

2009-03-25 18:28 . 2009-03-25 18:28 36,724,320 --a------ H:\setup_7.0.0.290_25.03.2009_19-45.exe

2009-03-25 18:23 . 2009-03-25 18:23 2,934,667 -ra------ H:\ComboFix.exe

2009-03-25 18:20 . 2009-03-25 18:20 288,654 --a------ H:\SafeBootKeyRepair.exe

2009-03-25 17:01 . 2009-03-25 17:01

2009-03-25 17:00 . 2009-03-25 17:00

2009-03-25 17:00 . 2009-03-25 17:00 410,984 --a------ h:\windows\system32\deploytk.dll

2009-03-25 17:00 . 2009-03-25 17:00 73,728 --a------ h:\windows\system32\javacpl.cpl

2009-03-25 16:42 . 2009-03-25 16:42 731,136 --a------ H:\avenger.exe

2009-03-25 13:29 . 2009-03-25 13:39

2009-03-25 13:28 . 2009-03-25 13:28 23,608,320 --a------ H:\sdsetup.exe

2009-03-25 12:58 . 2009-03-25 17:02

2009-03-25 12:58 . 2009-03-25 17:01

2009-03-25 12:56 . 2009-03-25 12:56 16,409,960 --a------ H:\spybotsd162.exe

2009-03-25 12:42 . 2004-08-03 14:02 168,728 --a------ h:\windows\system32\wuaucpl.cpl

2009-03-25 12:33 . 2003-04-16 13:00 426,042 --a--c--- h:\windows\system32\dllcache\voicepad.dll

2009-03-25 12:33 . 2003-04-16 13:00 150,016 --a--c--- h:\windows\system32\dllcache\winzm.ime

2009-03-25 12:33 . 2003-04-16 13:00 150,016 --a--c--- h:\windows\system32\dllcache\winsp.ime

2009-03-25 12:33 . 2003-04-16 13:00 150,016 --a--c--- h:\windows\system32\dllcache\winpy.ime

2009-03-25 12:33 . 2003-04-16 13:00 86,074 --a--c--- h:\windows\system32\dllcache\voicesub.dll

2009-03-25 12:33 . 2003-04-16 13:00 74,752 --a--c--- h:\windows\system32\dllcache\winar30.ime

2009-03-25 12:33 . 2003-04-16 13:00 69,120 --a--c--- h:\windows\system32\dllcache\wingb.ime

2009-03-25 12:33 . 2003-04-16 13:00 61,952 --a--c--- h:\windows\system32\dllcache\winime.ime

2009-03-25 12:33 . 2003-04-16 13:00 48,256 --a--c--- h:\windows\system32\dllcache\w32.dll

2009-03-25 12:33 . 2003-04-16 13:00 41,600 --a--c--- h:\windows\system32\dllcache\weitekp9.dll

2009-03-25 12:33 . 2003-04-16 13:00 31,360 --a--c--- h:\windows\system32\dllcache\weitekp9.sys

2009-03-25 12:31 . 2003-04-16 13:00 13,463,552 --a--c--- h:\windows\system32\dllcache\hwxjpn.dll

2009-03-25 12:30 . 2001-10-26 17:29 2,134,528 --a--c--- h:\windows\system32\dllcache\EXCH_smtpsnap.dll

2009-03-25 12:29 . 2003-04-16 13:00 3,346,432 --a--c--- h:\windows\system32\dllcache\msgr3en.dll

2009-03-25 12:28 . 2003-04-16 13:00 1,172,992 --a--c--- h:\windows\system32\dllcache\comsvcs.dll

2009-03-25 12:27 . 2003-04-16 13:00 1,268,224 --a--c--- h:\windows\system32\dllcache\cimwin32.dll

2009-03-25 12:25 . 2001-10-26 17:30 117,248 --a------ h:\windows\system32\ksproxy.ax

2009-03-25 12:25 . 2001-08-17 22:07 83,712 --a------ h:\windows\system32\drivers\NABTSFEC.sys

2009-03-25 12:25 . 2002-09-20 17:18 57,856 --a------ h:\windows\system32\drivers\redbook.sys

2009-03-25 12:25 . 2001-08-17 22:07 18,560 --a------ h:\windows\system32\drivers\WSTCODEC.SYS

2009-03-25 12:25 . 2002-08-29 01:33 16,384 --a------ h:\windows\system32\drivers\CCDECODE.sys

2009-03-25 12:25 . 2002-08-29 01:27 4,992 --a------ h:\windows\system32\drivers\MSTEE.sys

2009-03-25 12:25 . 2001-10-26 17:27 4,096 --a------ h:\windows\system32\ksuser.dll

2009-03-25 12:24 . 2002-09-20 18:06 38,024 --a------ h:\windows\system32\drivers\termdd.sys

2009-03-25 11:55 . 2009-03-25 18:46

2009-03-25 11:55 . 2002-01-16 14:46

2009-03-25 11:55 . 2008-03-14 09:38

2009-03-25 11:55 . 2002-01-16 14:46

2009-03-25 11:55 . 2002-01-16 14:46

2009-03-25 11:55 . 2002-01-16 14:46

2009-03-25 11:55 . 2002-01-16 14:46

2009-03-25 11:55 . 2009-03-25 11:55

2009-03-24 13:48 . 2009-03-24 13:59 754 --a------ h:\windows\WORDPAD.INI

2009-03-24 13:34 . 2009-03-25 17:04

2009-03-24 13:33 . 2009-03-24 14:22

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-25 17:39 --------- d-----w h:\documents and settings\marta\Dane aplikacji\AVG7

.

------- Sigcheck -------

2008-04-13 19:53 36608 3bb22519a194418d5fec05d800a19ad0 h:\windows\SoftwareDistribution\Download\85612d9569f9a4d033130e1ccf6503f1\ip6fw.sys

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 h:\windows\system32\drivers\ip6fw.sys

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="h:\windows\System32\CTFMON.EXE" [2003-04-16 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gainward"="h:\program files\VDOTool\TBPanel.exe" [2007-11-27 2169368]

"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2007-11-28 8523776]

"NeroFilterCheck"="h:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"SecurDisc"="h:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]

"InCD"="h:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]

"AVG7_CC"="h:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-24 590848]

"Adobe Reader Speed Launcher"="h:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2007-11-28 81920]

"SunJavaUpdateSched"="h:\program files\Java\jre6\bin\jusched.exe" [2009-03-25 148888]

"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 h:\windows\RTHDCPL.EXE]

"SkyTel"="SkyTel.EXE" [2007-08-03 h:\windows\SkyTel.exe]

"SoundMan"="SOUNDMAN.EXE" [2008-03-26 h:\windows\soundman.exe]

"nwiz"="nwiz.exe" [2007-11-28 h:\windows\system32\nwiz.exe]

"C-Media Mixer"="Mixer.exe" [2002-10-15 h:\windows\mixer.exe]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="h:\windows\System32\CTFMON.EXE" [2003-04-16 13312]

"AVG7_Run"="h:\progra~1\Grisoft\AVG7\avgw.exe" [2008-03-28 219136]

h:\documents and settings\marta\Menu Start\Programy\Autostart\

20080801_mapuj_dysk.bat [2008-12-04 49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Taskman"="h:\recycler\S-1-5-21-0613934743-5944072580-288826801-6677\svchost.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"h:\Program Files\Gadu-Gadu\gg.exe"=

"h:\Program Files\Grisoft\AVG7\avginet.exe"=

"h:\Program Files\Grisoft\AVG7\avgamsvr.exe"=

"h:\Program Files\Grisoft\AVG7\avgcc.exe"=

"h:\Program Files\Grisoft\AVG7\avgemc.exe"=

"h:\WINDOWS\system32\sessmgr.exe"=

"\\hp-serwer\crm\CRMDeweloper.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

--- Inne Usługi/Sterowniki w Pamięci ---

*NewlyCreated* - NVCAP

*NewlyCreated* - NVXBAR

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{H36BF4V6-ZE47-SY2M-F9LQ-0B77YC0H4X5R}]

h:\recycler\S-7-0-20-2738721359-2706227227-538580231-5774\Services.exe

.

.

------- Skan uzupełniający -------

.

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/L ... nstall.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-25 19:09:01

Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

**************************************************************************

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

  • > 'winlogon.exe'(572)

h:\windows\System32\ODBC32.dll

h:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

  • > 'lsass.exe'(628)

h:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

h:\windows\System32\dssenh.dll

.

Czas ukończenia: 2009-03-25 19:10:44

ComboFix-quarantined-files.txt 2009-03-25 18:09:27

ComboFix2.txt 2009-03-25 17:46:53

Przed: 35 181 580 288 bajtów wolnych

Po: 35,172,454,400 bajtów wolnych

138 --- E O F --- 2009-03-16 15:43:00


(Spandau) #2

paste into Notepad:

Save the file as CFScript.txt, preferably so that the file's icon sits next to the ComboFix.exe icon.

Drag and drop the CFScript.txt file onto the ComboFix.exe icon; the removal should start. Afterwards, post the log on the forum.

Paste the log at www.wklejto.pl or http://www.wklej.org/ and put the link in your post.


(Ryszrd Lebmor) #3

Thank you very much, it helped.

Apart from

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{H36BF4V6-ZE47-SY2M-F9LQ-0B77YC0H4X5R}]

h:\recycler\S-7-0-20-2738721359-2706227227-538580231-5774\Services.exe

I also removed

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Taskman"="h:\recycler\S-1-5-21-0613934743-5944072580-288826801-6677\svchost.exe"

and everything works. Thanks and regards

Ryszard
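A defender's check, added here as an example and not part of the thread: it parses the registry-autostart section of a ComboFix log (a constructed excerpt of the one posted in #1) and flags the two entries the poster ended up removing in #3, the Winlogon Taskman value and the Active Setup stub, both pointing into RECYCLER. The regular expressions and the three rules are my own assumptions about ComboFix's output layout, not a documented format.

```python
import re

# Constructed excerpt of the "Wpisy startowe rejestru" section of the ComboFix
# log posted in this thread; keys, value names and paths are copied from it.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="h:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-24 590848]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 h:\windows\RTHDCPL.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"="h:\recycler\S-1-5-21-0613934743-5944072580-288826801-6677\svchost.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{H36BF4V6-ZE47-SY2M-F9LQ-0B77YC0H4X5R}]
h:\recycler\S-7-0-20-2738721359-2706227227-538580231-5774\Services.exe
"""

# Core Windows binaries that live only in %SystemRoot%\system32 on XP.
SYSTEM_NAMES = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe"}
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?:\s*\[(?P<meta>[^\]]*)\])?')
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]+', re.IGNORECASE)

def parse_autostarts(log: str) -> list:
    """Return (registry_key, value_name, path) for every autostart line in the log."""
    entries, key = [], ""
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = line.strip("[]")
        elif m := ENTRY_RE.match(line):
            # ComboFix puts the resolved path either in the value or in the [...] note
            paths = PATH_RE.findall(m["value"]) or PATH_RE.findall(m["meta"] or "")
            entries.append((key, m["name"], paths[0] if paths else m["value"]))
        elif PATH_RE.match(line):
            entries.append((key, "", line))  # bare path, e.g. an Active Setup stub
    return entries

def flag_suspicious(entries: list) -> list:
    """Apply three checks that catch the persistence seen in this thread's log."""
    findings = []
    for key, name, path in entries:
        p = path.lower()
        base = p.rsplit("\\", 1)[-1]
        reasons = []
        if "\\recycler\\" in p:
            reasons.append("executable stored under the Recycle Bin directory")
        if key.lower().endswith("\\winlogon") and name.lower() == "taskman":
            reasons.append("Winlogon Taskman value is absent on a default XP install")
        if base in SYSTEM_NAMES and "\\system32\\" not in p:
            reasons.append("system binary name outside system32")
        if reasons:
            findings.append((key, name, path, "; ".join(reasons)))
    return findings
```

Running `flag_suspicious(parse_autostarts(SAMPLE_LOG))` returns exactly the two entries removed in post #3 and leaves the AVG and Realtek entries alone.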