Trojan VUNDO / why doesn't Norton remove it?

I have the latest Norton, which only detected the VUNDO trojan but can't get rid of it. My computer is sluggish, and unfortunately so is the internet; I don't know why the antivirus has been scanning files for 3 days with no result. I found out about ComboFix somewhere, so I ran a scan.

I put the log under the link http://wklejto.pl/59257 - I'm not sure I did it right, but when you have such c*** on your computer you do everything to get rid of it. COULD SOMEONE TAKE A LOOK AND GIVE SOME ADVICE?

REGARDS ;]

I've never heard of a trojan by that name, and there's nothing about it online either - are you sure that's the name?

In that case:

Download -->Avenger.

paste the following text into it:

Files to delete:

c:\windows\system32\drivers\kztvnj.sys


Registry keys to delete:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kztvnj


Drivers to delete:

kztvnj

Click "Execute" and confirm the computer restart.

Restart the computer.

Post the Avenger report from C:\avenger.txt.

Oh, and on "wklejto" paste the text, not the file, because instead of a normal log you get some garbage.

jessi

SORRY, TROJAN VUNDO, DOING IT NOW - THANKS

Added 03.03.2010 (Wed) 12:30

GREAT, I DOWNLOADED IT, PASTED IT IN AND THE SYSTEM WENT HAYWIRE FOR A WHILE, WINDOWS WOULDN'T START, SOME ERROR APPEARED, AND AFTER IT LOADED AVENGER DISAPPEARED AND I DON'T HAVE THAT FILE. WHAT'S GOING ON?

Strange, because the log doesn't show a single file from this infection, and VUNDO always has a great many files.

EDIT:

I don't know either.

Try once more.

jessi

I DON'T KNOW WHY AFTER THE RESTART, BEFORE WINDOWS LOADS, THE SYSTEM REPAIRS SOMETHING; ONLY AFTER ANOTHER RESTART DOES WINDOWS START, AVENGER DISAPPEARS AND NORTON SHOWS A MESSAGE THAT IT DETECTED VUNDO. IS THERE ANOTHER WAY?

Yes, there is: formatting the disk.

And from what I can see, you probably won't avoid it, because it looks like your SYSTEM is badly damaged, given how badly it reacts.

This infection can usually be removed easily with Avenger, but in your case it isn't working.

Tough luck. There's nothing more I can do here.

jessi

once more - maybe it'll be more readable - the log from ComboFix:

ComboFix 10-03-01.01 - lindz courtney 2010-03-02 10:40:12.3.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1250.48.1033.18.2037.736 [GMT 0:00]

Running from: c:\users\lindz courtney\Desktop\ComboFix.exe

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

SP: Norton AntiVirus *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}

SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\drv\Tuner\Yuan\Resources_desktop.ini

c:\windows\system32\drivers\kztvnj.sys . . . . failed to delete

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_kztvnj

-------\Service_kztvnj

((((((((((((((((((((((((( Files created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))

.

2010-03-02 10:53 . 2010-03-02 11:04 -------- d-----w- c:\users\lindz courtney\AppData\Local\temp

2010-03-02 10:53 . 2010-03-02 10:53 -------- d-----w- c:\users\user\AppData\Local\temp

2010-03-02 10:53 . 2010-03-02 10:53 -------- d-----w- c:\users\Public\AppData\Local\temp

2010-03-02 10:53 . 2010-03-02 10:53 -------- d-----w- c:\users\Nick\AppData\Local\temp

2010-03-02 10:53 . 2010-03-02 10:53 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-03-01 21:50 . 2010-03-01 21:50 -------- d-----w- c:\users\lindz courtney\AppData\Local\Symantec

2010-02-27 17:14 . 2010-02-27 17:19 -------- d-----w- c:\program files\Common Files\3DO Shared

2010-02-27 17:14 . 2010-02-27 17:14 -------- d-----w- c:\program files\3DO

2010-02-25 09:20 . 2010-02-25 09:20 -------- d-----w- c:\program files\CCleaner

2010-02-24 15:22 . 2010-03-02 10:36 -------- d-----w- c:\users\lindz courtney\AppData\Local\CrashDumps

2010-02-24 13:57 . 2010-02-24 13:57 -------- d-----w- c:\users\lindz courtney\AppData\Roaming\DivX

2010-02-22 12:27 . 2010-03-01 21:51 -------- d-----w- c:\users\lindz courtney\AppData\Local\Tific

2010-02-22 12:27 . 2010-02-22 12:27 -------- d-----w- c:\users\lindz courtney\AppData\Roaming\Tific

2010-02-17 13:54 . 2010-02-17 13:54 -------- d-----w- c:\programdata\Sony Corporation

2010-02-17 11:21 . 2010-02-17 11:20 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-02-17 11:20 . 2010-02-17 11:21 -------- d-----w- c:\program files\Symantec

2010-02-17 11:20 . 2010-02-24 18:15 -------- d-----w- c:\windows\system32\drivers\NAV

2010-02-17 11:20 . 2010-02-17 11:20 -------- d-----w- c:\program files\Norton AntiVirus

2010-02-17 11:18 . 2010-02-17 11:18 -------- d-----w- c:\program files\NortonInstaller

2010-02-14 14:40 . 2010-02-17 11:09 -------- d-----w- c:\programdata\Kaspersky Lab

2010-02-14 14:32 . 2010-02-17 11:02 0 ----a-w- c:\users\lindz courtney\AppData\Local\Sjoxoc.bin

2010-02-14 14:32 . 2010-02-14 14:32 120 ----a-w- c:\users\lindz courtney\AppData\Local\Bnelet.dat

2010-02-14 14:29 . 2010-02-14 15:51 -------- d-sh--w- c:\users\lindz courtney\AppData\Roaming\lowsec

2010-02-10 14:53 . 2010-02-10 14:54 -------- d-----w- c:\users\lindz courtney\AppData\Local\Adobe

2010-02-08 18:59 . 2010-02-08 18:59 -------- d-----w- c:\users\lindz courtney\AppData\Roaming\Birdstep Technology

2010-02-08 18:53 . 2010-02-08 18:59 -------- d-----w- c:\programdata\Birdstep Technology

2010-02-08 18:52 . 2009-02-17 19:38 112128 ----a-w- c:\windows\system32\drivers\ewusbnet.sys

2010-02-08 18:52 . 2008-12-30 10:57 103040 ----a-w- c:\windows\system32\drivers\ewusbfake.sys

2010-02-08 18:52 . 2008-12-13 10:27 102784 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys

2010-02-08 18:52 . 2008-04-14 08:36 621056 ----a-w- c:\windows\system32\drivers\mod7700.sys

2010-02-08 18:52 . 2007-08-09 03:06 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys

2010-02-08 18:51 . 2010-02-08 18:51 -------- d-----w- c:\program files\Huawei Modems

2010-02-08 18:51 . 2010-02-08 18:51 70667 ----a-w- c:\windows\Huawei ModemsUninstall.exe

2010-02-08 18:51 . 2010-02-08 18:51 -------- d-----w- c:\program files\3 Mobile Broadband

2010-02-07 15:28 . 2010-02-07 15:28 -------- d-----w- c:\program files\PlayLogic

2010-02-06 16:19 . 2010-02-06 16:19 -------- d-----w- c:\program files\directx

2010-02-06 16:18 . 1998-10-29 16:45 306688 ----a-w- c:\windows\IsUninst.exe

2010-02-05 23:10 . 2010-02-14 17:37 -------- d-----w- c:\users\lindz courtney\AppData\Local\Microsoft Games

2010-02-05 18:13 . 2010-02-05 18:13 -------- d-----w- c:\users\lindz courtney\AppData\Roaming\Yahoo!

2010-02-05 18:13 . 2010-02-13 12:20 -------- d-----w- c:\users\lindz courtney\AppData\Local\Google

2010-02-05 17:22 . 2010-02-05 17:22 680 ----a-w- c:\users\lindz courtney\AppData\Local\d3d9caps.dat

2010-02-05 15:48 . 2010-02-24 15:08 -------- d-----w- c:\users\Public

2010-02-05 15:47 . 2010-02-05 15:47 -------- d-----w- c:\users\lindz courtney\AppData\Roaming\PeerNetworking

2010-02-05 15:35 . 2010-02-25 19:50 -------- d-----w- c:\users\lindz courtney\AppData\Roaming\BitTorrent

2010-02-05 15:34 . 2010-02-05 15:34 -------- d-----w- c:\users\lindz courtney\Phone Browser

2010-02-05 15:29 . 2010-02-05 15:29 -------- d--h--w- c:\users\lindz courtney\AppData\Local\acer eNM

2010-02-05 15:29 . 2010-02-05 15:29 -------- d-----w- c:\users\lindz courtney\AppData\Local\PlayMovie

2010-02-05 15:28 . 2010-02-25 11:10 93512 ----a-w- c:\users\lindz courtney\AppData\Local\GDIPFONTCACHEV1.DAT

2010-02-05 15:28 . 2010-02-14 14:27 -------- d-----w- c:\users\lindz courtney\AppData\Local\VirtualStore

2010-02-05 15:18 . 2010-02-25 07:48 -------- d-----w- c:\users\lindz courtney\AppData\Roaming\vlc

.

(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-01 21:53 . 2010-03-01 21:53 56320 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\OCS\Download\tific-devcon.exe

2010-02-24 15:48 . 2010-03-02 08:12 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100301.032\NAVEX15.SYS

2010-02-24 15:48 . 2010-03-02 08:12 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100301.032\NAVENG.SYS

2010-02-24 15:48 . 2010-03-02 08:12 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100301.032\CCERASER.DLL

2010-02-24 15:48 . 2010-03-02 08:12 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100301.032\ECMSVR32.DLL

2010-02-17 11:26 . 2007-08-08 23:36 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-02-17 11:20 . 2010-02-17 11:21 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-02-17 11:20 . 2010-02-17 11:21 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-02-17 11:20 . 2009-01-10 16:11 -------- d-----w- c:\programdata\Norton

2010-02-17 11:18 . 2009-01-10 16:10 -------- d-----w- c:\programdata\NortonInstaller

2010-02-17 11:15 . 2007-08-08 23:36 -------- d-----w- c:\programdata\Symantec

2010-02-12 10:19 . 2009-02-17 20:59 -------- d-----w- c:\program files\Google

2010-02-12 07:58 . 2010-02-12 07:58 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbE6C7.tmp.exe

2010-02-11 18:45 . 2010-02-11 18:45 676912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100211.001\BHDrvx64.sys

2010-02-11 18:45 . 2010-02-11 18:45 611216 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100211.001\bbRGen.dll

2010-02-11 18:45 . 2010-02-11 18:45 536112 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100211.001\BHDrvx86.sys

2010-02-11 18:45 . 2010-02-11 18:45 201616 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100211.001\BHRules.dll

2010-02-11 18:45 . 2010-02-11 18:45 1406352 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100211.001\BHEngine.dll

2010-02-11 07:50 . 2010-02-11 07:50 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb8DE4.tmp.exe

2010-02-08 19:16 . 2009-10-17 18:30 -------- d-----w- c:\programdata\Yahoo! Companion

2010-02-08 18:51 . 2007-08-08 22:07 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-22 15:32 . 2010-01-22 15:32 -------- d-----w- c:\program files\BitTorrent

2010-01-14 11:12 . 2009-10-03 04:25 181120 ------w- c:\windows\system32\MpSigStub.exe

2009-12-06 20:05 . 2009-12-06 20:05 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

2009-12-06 19:56 . 2009-12-06 19:56 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb1FD1.tmp.exe

.

((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries and legitimate default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]

"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2008-01-19 49664]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]

"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]

"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-06-11 1286144]

"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]

"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]

"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-06-27 752136]

"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-24 206952]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-06 159744]

"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]

"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]

"SamsungPCSuiteTrayApplication"="c:\program files\Samsung\Samsung PC Studio 7\LaunchApplication.exe" [2008-06-27 278528]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]

"Skytel"="Skytel.exe" [2007-06-15 1826816]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Samsung.PCSync"="c:\program files\Samsung\Samsung PC Studio 7\PcSync2.exe" [2007-12-04 1241088]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-8-8 535336]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [2008-10-13 28544]

R0 SymDS;Symantec Data Store;c:\windows\System32\drivers\NAV\1105000.07F\symds.sys [2010-02-24 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NAV\1105000.07F\symefa.sys [2010-02-24 172592]

R1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [2010-02-11 536112]

R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NAV\1105000.07F\cchpx86.sys [2010-02-24 501888]

R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100224.002\IDSvix86.sys [2010-02-26 343088]

R1 SymIRON;Symantec Iron Driver;c:\windows\System32\drivers\NAV\1105000.07F\ironx86.sys [2010-02-24 116272]

R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\drivers\NAV\1105000.07F\symtdiv.sys [2010-02-24 340016]

R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-08-08 50688]

R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccsvchst.exe [2010-02-24 126392]

R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [2007-08-08 32256]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-02-17 102448]

R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\System32\drivers\ewusbfake.sys [2010-02-08 103040]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 135664]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2007-08-08 179712]

--- Other Services/Drivers in Memory ---

*NewlyCreated* - KZTVNJ

*Deregistered* - kztvnj

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

.

Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 10:19]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 10:19]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://en.uk.acer.yahoo.com/

mStart Page = hxxp://en.uk.acer.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki… - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {{3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - {6FAC4823-815E-4361-836E-46D65ED2550B} - c:\program files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll

IE: {{3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - {4CF088BD-BE95-40a5-BE9B-677F8683EDEA} - c:\program files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll

DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocach … .0.1.1.cab

.

- - - - EMPTY ENTRIES REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

HKCU-Run-Acer Tour Reminder - (no file)

AddRemove-RegPowerClean_is1 - c:\program files\Winferno\RegistryPowerCleaner\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-02 11:04

Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NAV]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kztvnj]

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs loaded under running processes ---------------------

- - - - - - - > 'Explorer.exe'(1168)

c:\windows\system32\MsnChatHook.dll

c:\windows\system32\ShowErrMsg.dll

c:\windows\system32\sysenv.dll

c:\windows\system32\BatchCrypto.dll

c:\windows\system32\CryptoAPI.dll

c:\windows\system32\keyManager.dll

c:\program files\Samsung\Samsung PC Studio 7\PhoneBrowser.dll

c:\program files\Samsung\Samsung PC Studio 7\PCSCM_Samsung.dll

c:\program files\Samsung\Samsung PC Studio 7\Lang\PhoneBrowser_eng.nlr

c:\program files\Samsung\Samsung PC Studio 7\Resource\PhoneBrowser_Samsung.ngr

.

------------------------ Other running processes ------------------------

.

c:\program files\Bonjour\mDNSResponder.exe

c:\acer\Empowering Technology\eDataSecurity\eDSService.exe

c:\acer\Empowering Technology\eLock\Service\eLockServ.exe

c:\acer\Empowering Technology\eNet\eNet Service.exe

c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\acer\Mobility Center\MobilityService.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\windows\system32\DRIVERS\xaudio.exe

c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe

c:\acer\Empowering Technology\eSettings\Service\capuserv.exe

c:\windows\system32\WUDFHost.exe

c:\acer\Empowering Technology\ePower\ePowerSvc.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\DllHost.exe

c:\windows\system32\conime.exe

c:\windows\RtHDVCpl.exe

c:\program files\Launch Manager\LManager.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\ehome\ehmsas.exe

c:\acer\Empowering Technology\ENET\ENMTRAY.EXE

c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE

c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE

c:\acer\Empowering Technology\eRecovery\ERAGENT.EXE

c:\program files\Windows Media Player\wmplayer.exe

.

**************************************************************************

.

Completion time: 2010-03-02 11:12:07 - the computer was restarted

ComboFix-quarantined-files.txt 2010-03-02 11:12

Before: 16 331 173 888 bytes free

After: 16 150 065 152 bytes free

- - End Of File - - 1FC7B3881F9AC1074A1A7EF1B54945F8

As for Avenger - I download it, run it, confirm "YES" twice after pasting in what you posted, and it starts a restart. Then the system detects something, repairs it, and when I look for the avenger.txt file after Windows starts, I can't find it. What a bummer.

Added 03.03.2010 (Wed) 13:14

There's one more problem: it won't restart on its own. After shutting down, instead of booting again, it shows the initial screen with the Acer logo and I have to turn it off myself, because nothing happens at all.


Now I see one more object to remove. But I don't think that object is what's getting in Avenger's way.

Still, we have to at least try:

Paste into Notepad:

File::

c:\windows\system32\drivers\kztvnj.sys


Folder::

c:\users\lindz courtney\AppData\Roaming\lowsec


Driver::

kztvnj


Registry::

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kztvnj]

>>File>>Save as... >>> CFScript

Drag and drop the CFScript.txt file onto ComboFix.exe


Removal should start (and a log will be produced).

If the log doesn't show that the file c:\windows\system32\drivers\kztvnj.sys was deleted, keep trying with Avenger.

jessi
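Added example (not code from this thread, from ComboFix or from Avenger): a small Python script that reads ComboFix-style log lines like the ones posted above, collects the signals the helper acted on (an object that failed to delete, Legacy_/Service_ entries under Drivers/Services, *NewlyCreated*/*Deregistered* drivers in memory, a system+hidden folder inside a user profile) and turns them into a CFScript in the same File::/Folder::/Driver::/Registry:: layout as the one above. The embedded sample log is constructed from this thread's log; the `Finding`, `stem`, `triage` and `build_cfscript` names, the line-shape regexes and the `ControlSet001` key path are this example's own assumptions, and the generated script is a draft for a person to check line by line, not something to feed to ComboFix unread.

```python
"""Triage a ComboFix-style log and draft a CFScript from what it shows.
Added example for this thread, not ComboFix, Avenger or forum code."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample condensed from the log posted in this thread; not a full run.
SAMPLE_LOG = r"""
(((((((((((((((((((((((( Deleted ))))))))))))))))))))))))
c:\windows\system32\drivers\kztvnj.sys . . . . failed to delete
(((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))
-------\Legacy_kztvnj
-------\Service_kztvnj
(((((((((((((((((((((((( Files created from 2010-02-02 to 2010-03-02 ))))))))))))))))))))))))
2010-02-14 14:29 . 2010-02-14 15:51 -------- d-sh--w- c:\users\lindz courtney\AppData\Roaming\lowsec
2010-02-17 11:21 . 2010-02-17 11:20 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-05 15:29 . 2010-02-05 15:29 -------- d--h--w- c:\users\lindz courtney\AppData\Local\acer eNM
--- Other Services/Drivers in Memory ---
*NewlyCreated* - KZTVNJ
*Deregistered* - kztvnj
"""

# "<path> . . . . failed to delete": an object ComboFix could not remove.
FAILED_RE = re.compile(r"^(?P<path>.+?)\s+(?:\.\s+)+failed to delete$")
# "-------\Legacy_<name>" / "-------\Service_<name>": service keys it tore down.
LEGACY_RE = re.compile(r"^-+\\(?:Legacy|Service)_(?P<name>\S+)$", re.IGNORECASE)
# "*NewlyCreated* - <name>" / "*Deregistered* - <name>": driver objects seen in memory.
MEMORY_RE = re.compile(r"^\*(?P<state>NewlyCreated|Deregistered)\*\s+-\s+(?P<name>\S+)$")
# "<created> . <modified> <size|--------> <attrs> <path>"; in the 8-char attribute
# field the first char is 'd' for a directory, the third 's' = system, the fourth 'h' = hidden.
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+\S+\s+"
                     r"(?P<attrs>[\w-]{8})\s+(?P<path>.+)$")


@dataclass
class Finding:
    evidence: list = field(default_factory=list)
    files: set = field(default_factory=set)
    folders: set = field(default_factory=set)
    driver: bool = False  # seen as a service/driver object, not only as a path


def stem(path):
    """Last path component without extension, lower-cased: kztvnj.sys -> kztvnj."""
    leaf = path.rstrip("\\").rsplit("\\", 1)[-1]
    return leaf.rsplit(".", 1)[0].lower() if "." in leaf else leaf.lower()


def triage(log_text):
    """Group the removal-relevant signals in a ComboFix log by object name."""
    findings = defaultdict(Finding)
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := FAILED_RE.match(line):
            f = findings[stem(m["path"])]
            f.evidence.append("deletion failed: " + m["path"])
            f.files.add(m["path"])
        elif m := LEGACY_RE.match(line):
            f = findings[m["name"].lower()]
            f.evidence.append("service key removed: " + line)
            f.driver = True
        elif m := MEMORY_RE.match(line):
            f = findings[m["name"].lower()]
            f.evidence.append(m["state"] + " in memory")
            f.driver = True
        elif m := FILE_RE.match(line):
            attrs, path = m["attrs"], m["path"]
            # A system+hidden directory inside a user profile is not how ordinary
            # software installs itself; the CFScript above removed exactly one.
            if (attrs[0] == "d" and attrs[2] == "s" and attrs[3] == "h"
                    and "\\appdata\\" in path.lower()):
                f = findings[stem(path)]
                f.evidence.append("system+hidden folder in profile: " + path)
                f.folders.add(path)
    return dict(findings)


def build_cfscript(findings, control_set="ControlSet001"):
    """Render a CFScript in the layout the helper used above. The Services key is
    assumed to live under `control_set` (the thread used ControlSet001); a person
    reviews every line before the file goes anywhere near ComboFix."""
    files, folders, drivers = [], [], []
    for name, f in sorted(findings.items()):
        files += sorted(f.files)
        folders += sorted(f.folders)
        if f.driver:
            drivers.append(name)
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if folders:
        parts.append("Folder::\n" + "\n".join(folders))
    if drivers:
        parts.append("Driver::\n" + "\n".join(drivers))
        parts.append("Registry::\n" + "\n".join(
            f"[-HKEY_LOCAL_MACHINE\\SYSTEM\\{control_set}\\Services\\{d}]" for d in drivers))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print({name: f.evidence for name, f in found.items()})
    print(build_cfscript(found))
```

Running the file prints the grouped evidence and the draft script; on the sample, kztvnj collects five independent signals and lowsec one, and the draft comes out with the same four sections the helper wrote by hand. The script deliberately scores on what ComboFix itself reported rather than on how random a driver name looks: a vowel-count rule would flag the legitimate symds and symefa drivers in the same log just as readily as kztvnj.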

looks like it's fine now; sorry for pasting the new ComboFix log here:

(Norton is scanning now, we'll see)

thank you jessi :)

ComboFix 10-03-01.01 - lindz courtney 2010-03-03 12:36:53.4.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1250.48.1033.18.2037.923 [GMT 0:00]

Running from: c:\users\lindz courtney\Desktop\ComboFix.exe

Command switches used :: c:\users\lindz courtney\Desktop\CFScript.txt

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

SP: Norton AntiVirus *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}

SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::

“c:\windows\system32\drivers\kztvnj.sys”

.

((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\users\lindz courtney\AppData\Roaming\lowsec

c:\users\lindz courtney\AppData\Roaming\lowsec\local.ds

c:\users\lindz courtney\AppData\Roaming\lowsec\user.ds

c:\users\lindz courtney\AppData\Roaming\lowsec\user.ds.lll

c:\windows\system32\drivers\kztvnj.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_KZTVNJ

-------\Service_kztvnj

((((((((((((((((((((((((( Files created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))

.

2010-03-03 12:46 . 2010-03-03 12:53 -------- d-----w- c:\users\lindz courtney\AppData\Local\temp

2010-03-03 12:46 . 2010-03-03 12:46 -------- d-----w- c:\users\user\AppData\Local\temp

2010-03-03 12:46 . 2010-03-03 12:46 -------- d-----w- c:\users\Public\AppData\Local\temp

2010-03-03 12:46 . 2010-03-03 12:46 -------- d-----w- c:\users\Nick\AppData\Local\temp

2010-03-03 12:46 . 2010-03-03 12:46 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-03-03 12:34 . 2010-03-03 12:35 -------- d-----w- C:\32788R22FWJFW

2010-03-02 13:59 . 2010-03-02 13:59 -------- d-----w- c:\windows\BDOSCAN8

2010-03-02 12:18 . 2010-03-02 12:18 -------- d-----w- c:\program files\SkanerOnline

2010-03-01 21:50 . 2010-03-01 21:50 -------- d-----w- c:\users\lindz courtney\AppData\Local\Symantec

2010-02-27 17:14 . 2010-02-27 17:19 -------- d-----w- c:\program files\Common Files\3DO Shared

2010-02-27 17:14 . 2010-02-27 17:14 -------- d-----w- c:\program files\3DO

2010-02-25 09:20 . 2010-02-25 09:20 -------- d-----w- c:\program files\CCleaner

2010-02-24 15:22 . 2010-03-03 11:59 -------- d-----w- c:\users\lindz courtney\AppData\Local\CrashDumps

2010-02-24 13:57 . 2010-02-24 13:57 -------- d-----w- c:\users\lindz courtney\AppData\Roaming\DivX

2010-02-22 12:27 . 2010-03-01 21:51 -------- d-----w- c:\users\lindz courtney\AppData\Local\Tific

2010-02-22 12:27 . 2010-02-22 12:27 -------- d-----w- c:\users\lindz courtney\AppData\Roaming\Tific

2010-02-17 13:54 . 2010-02-17 13:54 -------- d-----w- c:\programdata\Sony Corporation

2010-02-17 11:21 . 2010-02-17 11:20 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-02-17 11:20 . 2010-02-17 11:21 -------- d-----w- c:\program files\Symantec

2010-02-17 11:20 . 2010-02-24 18:15 -------- d-----w- c:\windows\system32\drivers\NAV

2010-02-17 11:20 . 2010-02-17 11:20 -------- d-----w- c:\program files\Norton AntiVirus

2010-02-17 11:18 . 2010-02-17 11:18 -------- d-----w- c:\program files\NortonInstaller

2010-02-14 14:40 . 2010-02-17 11:09 -------- d-----w- c:\programdata\Kaspersky Lab

2010-02-14 14:32 . 2010-02-17 11:02 0 ----a-w- c:\users\lindz courtney\AppData\Local\Sjoxoc.bin

2010-02-14 14:32 . 2010-02-14 14:32 120 ----a-w- c:\users\lindz courtney\AppData\Local\Bnelet.dat

2010-02-10 14:53 . 2010-02-10 14:54 -------- d-----w- c:\users\lindz courtney\AppData\Local\Adobe

2010-02-08 18:59 . 2010-02-08 18:59 -------- d-----w- c:\users\lindz courtney\AppData\Roaming\Birdstep Technology

2010-02-08 18:53 . 2010-02-08 18:59 -------- d-----w- c:\programdata\Birdstep Technology

2010-02-08 18:52 . 2009-02-17 19:38 112128 ----a-w- c:\windows\system32\drivers\ewusbnet.sys

2010-02-08 18:52 . 2008-12-30 10:57 103040 ----a-w- c:\windows\system32\drivers\ewusbfake.sys

2010-02-08 18:52 . 2008-12-13 10:27 102784 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys

2010-02-08 18:52 . 2008-04-14 08:36 621056 ----a-w- c:\windows\system32\drivers\mod7700.sys

2010-02-08 18:52 . 2007-08-09 03:06 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys

2010-02-08 18:51 . 2010-02-08 18:51 -------- d-----w- c:\program files\Huawei Modems

2010-02-08 18:51 . 2010-02-08 18:51 70667 ----a-w- c:\windows\Huawei ModemsUninstall.exe

2010-02-08 18:51 . 2010-02-08 18:51 -------- d-----w- c:\program files\3 Mobile Broadband

2010-02-07 15:28 . 2010-02-07 15:28 -------- d-----w- c:\program files\PlayLogic

2010-02-06 16:19 . 2010-02-06 16:19 -------- d-----w- c:\program files\directx

2010-02-06 16:18 . 1998-10-29 16:45 306688 ----a-w- c:\windows\IsUninst.exe

2010-02-05 23:10 . 2010-02-14 17:37 -------- d-----w- c:\users\lindz courtney\AppData\Local\Microsoft Games

2010-02-05 18:13 . 2010-02-05 18:13 -------- d-----w- c:\users\lindz courtney\AppData\Roaming\Yahoo!

2010-02-05 18:13 . 2010-02-13 12:20 -------- d-----w- c:\users\lindz courtney\AppData\Local\Google

2010-02-05 17:22 . 2010-02-05 17:22 680 ----a-w- c:\users\lindz courtney\AppData\Local\d3d9caps.dat

2010-02-05 15:48 . 2010-02-24 15:08 -------- d-----w- c:\users\Public

2010-02-05 15:47 . 2010-02-05 15:47 -------- d-----w- c:\users\lindz courtney\AppData\Roaming\PeerNetworking

2010-02-05 15:35 . 2010-02-25 19:50 -------- d-----w- c:\users\lindz courtney\AppData\Roaming\BitTorrent

2010-02-05 15:34 . 2010-02-05 15:34 -------- d-----w- c:\users\lindz courtney\Phone Browser

2010-02-05 15:29 . 2010-02-05 15:29 -------- d--h--w- c:\users\lindz courtney\AppData\Local\acer eNM

2010-02-05 15:29 . 2010-02-05 15:29 -------- d-----w- c:\users\lindz courtney\AppData\Local\PlayMovie

2010-02-05 15:28 . 2010-02-25 11:10 93512 ----a-w- c:\users\lindz courtney\AppData\Local\GDIPFONTCACHEV1.DAT

2010-02-05 15:28 . 2010-02-14 14:27 -------- d-----w- c:\users\lindz courtney\AppData\Local\VirtualStore

2010-02-05 15:18 . 2010-02-25 07:48 -------- d-----w- c:\users\lindz courtney\AppData\Roaming\vlc

.

(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-03 11:46 . 2010-03-03 11:46 338 ----a-w- c:\program files\jbkpdr.txt

2010-03-01 21:53 . 2010-03-01 21:53 56320 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\OCS\Download\tific-devcon.exe

2010-02-17 11:26 . 2007-08-08 23:36 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-02-17 11:20 . 2010-02-17 11:21 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-02-17 11:20 . 2010-02-17 11:21 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-02-17 11:20 . 2009-01-10 16:11 -------- d-----w- c:\programdata\Norton

2010-02-17 11:18 . 2009-01-10 16:10 -------- d-----w- c:\programdata\NortonInstaller

2010-02-17 11:15 . 2007-08-08 23:36 -------- d-----w- c:\programdata\Symantec

2010-02-12 10:19 . 2009-02-17 20:59 -------- d-----w- c:\program files\Google

2010-02-12 07:58 . 2010-02-12 07:58 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbE6C7.tmp.exe

2010-02-11 18:45 . 2010-02-11 18:45 676912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100211.001\BHDrvx64.sys

2010-02-11 18:45 . 2010-02-11 18:45 611216 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100211.001\bbRGen.dll

2010-02-11 18:45 . 2010-02-11 18:45 536112 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100211.001\BHDrvx86.sys

2010-02-11 18:45 . 2010-02-11 18:45 201616 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100211.001\BHRules.dll

2010-02-11 18:45 . 2010-02-11 18:45 1406352 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100211.001\BHEngine.dll

2010-02-11 07:50 . 2010-02-11 07:50 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb8DE4.tmp.exe

2010-02-08 19:16 . 2009-10-17 18:30 -------- d-----w- c:\programdata\Yahoo! Companion

2010-02-08 18:51 . 2007-08-08 22:07 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-22 15:32 . 2010-01-22 15:32 -------- d-----w- c:\program files\BitTorrent

2010-01-14 11:12 . 2009-10-03 04:25 181120 ------w- c:\windows\system32\MpSigStub.exe

2009-12-06 20:05 . 2009-12-06 20:05 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

2009-12-06 19:56 . 2009-12-06 19:56 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb1FD1.tmp.exe

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]

"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2008-01-19 49664]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]

"Acer Tour Reminder"="" [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]

"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]

"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-06-11 1286144]

"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]

"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]

"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-06-27 752136]

"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-24 206952]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-06 159744]

"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]

"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]

"SamsungPCSuiteTrayApplication"="c:\program files\Samsung\Samsung PC Studio 7\LaunchApplication.exe" [2008-06-27 278528]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]

"Skytel"="Skytel.exe" [2007-06-15 1826816]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Samsung.PCSync"="c:\program files\Samsung\Samsung PC Studio 7\PcSync2.exe" [2007-12-04 1241088]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-8-8 535336]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [2008-10-13 28544]

R0 SymDS;Symantec Data Store;c:\windows\System32\drivers\NAV\1105000.07F\symds.sys [2010-02-24 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NAV\1105000.07F\symefa.sys [2010-02-24 172592]

R1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [2010-02-11 536112]

R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NAV\1105000.07F\cchpx86.sys [2010-02-24 501888]

R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100224.002\IDSvix86.sys [2010-02-26 343088]

R1 SymIRON;Symantec Iron Driver;c:\windows\System32\drivers\NAV\1105000.07F\ironx86.sys [2010-02-24 116272]

R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\drivers\NAV\1105000.07F\symtdiv.sys [2010-02-24 340016]

R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-08-08 50688]

R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccsvchst.exe [2010-02-24 126392]

R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [2007-08-08 32256]

R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\System32\drivers\ewusbfake.sys [2010-02-08 103040]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 135664]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2007-08-08 179712]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-02-17 102448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

.

Zawartość folderu 'Zaplanowane zadania'

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 10:19]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 10:19]

.

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://en.uk.acer.yahoo.com/

mStart Page = hxxp://en.uk.acer.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {{3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - {6FAC4823-815E-4361-836E-46D65ED2550B} - c:\program files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll

IE: {{3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - {4CF088BD-BE95-40a5-BE9B-677F8683EDEA} - c:\program files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll

DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocach … .0.1.1.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-03 12:52

Windows 6.0.6001 Service Pack 1 NTFS

skanowanie ukrytych procesów …

skanowanie ukrytych wpisów autostartu …

skanowanie ukrytych plików …

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NAV]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"

.

--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - > 'Explorer.exe'(4288)

c:\windows\system32\MsnChatHook.dll

c:\windows\system32\ShowErrMsg.dll

c:\windows\system32\sysenv.dll

c:\windows\system32\BatchCrypto.dll

c:\windows\system32\CryptoAPI.dll

c:\windows\system32\keyManager.dll

c:\program files\Samsung\Samsung PC Studio 7\PhoneBrowser.dll

c:\program files\Samsung\Samsung PC Studio 7\PCSCM_Samsung.dll

c:\program files\Samsung\Samsung PC Studio 7\Lang\PhoneBrowser_eng.nlr

c:\program files\Samsung\Samsung PC Studio 7\Resource\PhoneBrowser_Samsung.ngr

.

------------------------ Pozostałe uruchomione procesy ------------------------

.

c:\program files\Bonjour\mDNSResponder.exe

c:\acer\Empowering Technology\eDataSecurity\eDSService.exe

c:\acer\Empowering Technology\eLock\Service\eLockServ.exe

c:\acer\Empowering Technology\eNet\eNet Service.exe

c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\acer\Mobility Center\MobilityService.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\windows\system32\DRIVERS\xaudio.exe

c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe

c:\acer\Empowering Technology\eSettings\Service\capuserv.exe

c:\acer\Empowering Technology\ePower\ePowerSvc.exe

c:\windows\system32\WUDFHost.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\DllHost.exe

c:\windows\system32\conime.exe

c:\program files\Norton AntiVirus\Engine\17.5.0.127\hsplayer.exe

c:\windows\RtHDVCpl.exe

c:\program files\Launch Manager\LManager.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\ehome\ehmsas.exe

c:\acer\Empowering Technology\ENET\ENMTRAY.EXE

c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE

c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE

c:\acer\Empowering Technology\eRecovery\ERAGENT.EXE

c:\program files\Apoint2K\ApMsgFwd.exe

c:\program files\Apoint2K\Apntex.exe

c:\program files\Norton AntiVirus\Engine\17.5.0.127\WSCStub.exe

.

**************************************************************************

.

Czas ukończenia: 2010-03-03 13:00:38 - komputer został uruchomiony ponownie

ComboFix-quarantined-files.txt 2010-03-03 13:00

ComboFix2.txt 2010-03-02 11:12

Przed: 16 548 777 984 bytes free

Po: 16 295 120 896 bytes free

- - End Of File - - 300F81AD6028C10019CFC9F559E88264

Well now, this time the file did get removed after all.

Paste this into Notepad:

Windows Registry Editor Version 5.00


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Acer Tour Reminder"=-

From Notepad's menu >> File >> Save As >> set the file type to All Files >> save as > FIX.REG >>

run the file (double-click and OK).

Manually delete the folder C:\Qoobox.

Remove the copies of the malware from the "System Volume Information" folder by temporarily turning off "System Restore":

jessi

OK, DONE :slight_smile:

SHOULD I KEEP THE COMBO LOGS?

Added 03.03.2010 (Wed) 14:46

And can I delete the fix.reg file now as well? (by the way, what is that done for??)

You can delete the Combo logs, you probably won't need them, will you?

That Fix.Reg was there to remove a fileless entry from Autostart (why should it burden Autostart when it won't launch anything anyway, since there is no file behind it?)

After using that Fix you can of course delete it.
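As an added example that is not part of this thread, a small Python parser for the ComboFix "Wpisy startowe rejestru" layout quoted above: it picks out autorun values whose path is empty (like the "Acer Tour Reminder" one) and emits the same kind of "name"=- .reg fix that was posted. The log excerpt inside it is constructed in that section's layout; the [bU] marker is copied as it appears in the log and is not interpreted.

```python
import re
from typing import List, Tuple

# Constructed excerpt in the layout of the ComboFix autorun section:
# a [KEY] header followed by "name"="path" [date size] lines.
SAMPLE_LOG = r'''
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"Acer Tour Reminder"="" [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[(.*)\])?$')


def parse_run_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, path) for every value line under a [HKEY...] header."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            entries.append((current_key, m.group(1), m.group(2)))
    return entries


def find_fileless_entries(text: str) -> List[Tuple[str, str]]:
    """Autorun values with an empty path: they launch nothing but still sit in startup."""
    return [(key, name) for key, name, path in parse_run_entries(text) if path == ""]


def build_reg_fix(entries: List[Tuple[str, str]]) -> str:
    """Emit a .reg file that deletes each named value, using the "name"=- syntax."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _ in entries}):
        out.append(f"[{key}]")
        out.extend(f'"{name}"=-' for k, name in entries if k == key)
        out.append("")
    return "\r\n".join(out)
```

Running build_reg_fix(find_fileless_entries(SAMPLE_LOG)) produces a file with the same HKCU key and "Acer Tour Reminder"=- line as the fix posted above, while the HKLM entry that points at a real file is left alone.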

jessi

thanks again for the help, may God reward you through your children :wink:

regards!