When I turn on the computer it tells me I have a virus in the file sysrest.sys,
and in general I also have a virus kgdb32.dll on the PC.
How do I get rid of the viruses in these files?
ComboFix 08-06-20.4 - komputer 2008-07-01 9:40:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.552 [GMT 2:00]
Running from: C:\Documents and Settings\komputer\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\Update.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_sysrest.sys
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.
2008-07-01 09:47 . 2008-07-01 09:47
2008-06-30 18:20 . 2008-06-30 18:20
2008-06-30 17:54 . 2008-06-30 17:54
2008-06-30 17:11 . 2008-06-30 17:11 3,302 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-30 17:10 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-30 17:10 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-30 17:10 . 2008-03-01 23:12 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-30 17:10 . 2008-02-29 23:48 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-30 17:10 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-30 17:10 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-30 17:10 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-30 16:47 . 2008-06-30 16:47 94,208 --a------ C:\WINDOWS\system32\pphc3a0j0e9en.exe
2008-06-30 16:45 . 2008-06-30 16:45 34,304 --a------ C:\WINDOWS\system32\lphc3a0j0e9en.exe
2008-06-26 11:51 . 2008-06-28 12:41
2008-06-25 12:21 . 2008-07-01 09:43
2008-06-22 16:06 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-06-22 16:06 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll
2008-06-22 16:06 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll
2008-06-22 16:06 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll
2008-06-22 16:06 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-06-22 16:06 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll
2008-06-22 16:06 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll
2008-06-22 16:05 . 2008-06-22 16:05
2008-06-21 13:57 . 2008-06-21 13:57
2008-06-16 22:50 . 2008-06-16 22:52
2008-06-16 22:49 . 2008-04-28 12:29 805,400 -ra------ C:\WINDOWS\system32\tmpC6.tmp
2008-06-16 22:49 . 2008-04-28 12:29 805,400 -ra------ C:\WINDOWS\system32\tmpC5.tmp
2008-06-12 08:54 . 2004-07-19 15:31 385,024 -ra------ C:\WINDOWS\system32\xvid.ax
2008-06-11 16:05 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 16:05 . 2008-06-14 20:01 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-04 20:24 . 2008-06-04 20:24 36,734 --a------ C:\WINDOWS\system32\OggDSuninst.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 07:32 --------- d-----w C:\Documents and Settings\komputer\Dane aplikacji\Skype
2008-06-30 16:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-30 16:10 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-16 20:49 --------- d-----w C:\Program Files\OpenAL
2008-05-16 12:50 --------- d-----w C:\Documents and Settings\komputer\Dane aplikacji\MySpace
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-01-13 10:48 1 ----a-w C:\Documents and Settings\komputer\SI.bin
2007-11-02 19:29 336 ----a-w C:\Documents and Settings\komputer\newss.reg
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-05-10 16:36 2111176]
“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-05-28 14:52 23458344]
“MsgCenterExe”=“C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe” []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 11:50 155648]
“RemoteControl”=“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [2003-10-31 19:42 32768]
“SigmatelSysTrayApp”=“sttray.exe” [2006-05-26 16:58 282624 C:\WINDOWS\sttray.exe]
“Symantec PIF AlertEng”=“C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe” [2007-03-12 18:30 517768]
“HPDJ Taskbar Utility”=“C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe” [2002-11-04 21:11 188416]
“IgfxTray”=“C:\WINDOWS\system32\igfxtray.exe” [2007-04-16 12:51 135168]
“HotKeysCmds”=“C:\WINDOWS\system32\hkcmd.exe” [2007-04-16 12:51 155648]
“Persistence”=“C:\WINDOWS\system32\igfxpers.exe” [2007-04-16 12:51 131072]
“ISUSPM”=“C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe” []
“NAV Agent”=“C:\PROGRA~1\NORTON~1\navapw32.exe” [2001-08-16 18:52 74832]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 02:11 132496]
“Flashget”=“C:\Program Files\FlashGet\FlashGet.exe” [2007-09-25 10:10 2007088]
“lphc3a0j0e9en”=“C:\WINDOWS\system32\lphc3a0j0e9en.exe” [2008-06-30 16:45 34304]
“sysrest32.exe”=“C:\WINDOWS\system32\sysrest32.exe” []
“SMrhc7a0j0e9en”=“C:\Program Files\rhc7a0j0e9en\rhc7a0j0e9en.exe” [2008-06-30 17:27 335360]
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“Symantec NetDriver Warning”=“C:\PROGRA~1\SYMNET~1\SNDWarn.exe” [2005-07-29 11:37 218232]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
“AppInit_DLLs”=$ĺSF3.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“AntiVirusDisableNotify”=dword:00000001
“AntiVirusOverride”=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“%windir%\Network Diagnostic\xpnetdiag.exe”=
“C:\Program Files\Gadu-Gadu\gg.exe”=
“C:\Program Files\Skype\Phone\Skype.exe”=
“C:\Program Files\BearShare\BearShare.exe”=
“C:\Program Files\Internet Explorer\IEXPLORE.EXE”=
“C:\Program Files\SopCast\SopCast.exe”=
“C:\Program Files\SopCast\adv\SopAdver.exe”=
“C:\Program Files\Azureus\Azureus.exe”=
“C:\Documents and Settings\komputer\Application Data\PowerChallenge\PowerSoccer\PowerSoccer.exe”=
“C:\Program Files\rFactor\rFactor.exe”=
“C:\Program Files\FlashGet\FlashGet.exe”=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
“15428:TCP”= 15428:TCP:BitComet 15428 TCP
“15428:UDP”= 15428:UDP:BitComet 15428 UDP
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 17:11]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aedf28bf-353a-11dd-a0fa-0012252a20d8}]
\Shell\AutoRun\command - jjcx.com
\Shell\explore\Command - jjcx.com
\Shell\open\Command - jjcx.com
.
Contents of the ‘Scheduled Tasks’ folder
“2008-06-20 18:00:14 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job”
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 09:46:26
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en
C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine
C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\Autorun
C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\Autorun\HKCU
C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\Autorun\HKCU\RunOnce
C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\Autorun\HKLM
C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\Autorun\HKLM\RunOnce
C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\Autorun\StartMenuAllUsers
C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\Autorun\StartMenuCurrentUser
C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\BrowserObjects
C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\Packages
scan completed successfully
hidden files: 11
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\Navapsvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\pphc3a0j0e9en.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-07-01 9:57:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-01 07:57:33
Pre-Run: 7,415,808,000 bajtów wolnych
Post-Run: 7,452,028,928 bajtów wolnych
157 --- E O F --- 2008-06-21 08:36:10
Download ComboFix, but do not run it.
Paste the following into Notepad:
File::
C:\WINDOWS\system32\pphc3a0j0e9en.exe
C:\WINDOWS\system32\lphc3a0j0e9en.exe
C:\WINDOWS\system32\sysrest32.exe
Folder::
C:\Program Files\rhc7a0j0e9en
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphc3a0j0e9en"=-
"sysrest32.exe"=-
"SMrhc7a0j0e9en"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aedf28bf-353a-11dd-a0fa-0012252a20d8}]
File -> Save as -> CFScript.txt (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon).
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, as shown here ->
The removal will start and a log will be produced; post that log on the forum.
Post logs on http://wklejto.pl and put only the link in your forum post.
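A defender-side triage of the autorun entries from the log above, as an added example in Python that is neither ComboFix's code nor the helper's: it parses the ComboFix-style "Other Deletions" and "Reg Loading Points" sections (a constructed excerpt of this thread's log, with straightened quotes) and flags Run values whose file name looks machine-generated, whose target ComboFix already removed, or whose file is dated within days of the scan, plus Security Center values that suppress antivirus alerts. The `triage` function, its thresholds and the letter/digit-transition heuristic are this example's own assumptions, not anything ComboFix implements.

```python
"""Triage ComboFix-style autorun entries (added example, not ComboFix's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date, datetime

# Constructed excerpt of the ComboFix log posted above (quotes straightened);
# the lphc/sysrest32/SMrhc entries are the ones the helper's CFScript removes.
SAMPLE_LOG = r'''
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\Update.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-04-16 12:51 135168]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" []
"lphc3a0j0e9en"="C:\WINDOWS\system32\lphc3a0j0e9en.exe" [2008-06-30 16:45 34304]
"sysrest32.exe"="C:\WINDOWS\system32\sysrest32.exe" []
"SMrhc7a0j0e9en"="C:\Program Files\rhc7a0j0e9en\rhc7a0j0e9en.exe" [2008-06-30 17:27 335360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
'''
SCAN_DATE = date(2008, 7, 1)  # "Completion time" date taken from the log

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # ((( Title )))
KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKEY_...]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[([^\]]*)\]$')  # "name"="path" [meta]
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


@dataclass
class Finding:
    name: str
    path: str
    reasons: list[str] = field(default_factory=list)


def transitions(s: str) -> int:
    """Count letter<->digit switches; generated names like lphc3a0j0e9en score high
    (heuristic assumed by this example)."""
    kinds = [c.isdigit() for c in s if c.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)


def triage(log: str, scan_date: date, recent_days: int = 7,
           random_threshold: int = 4) -> list[Finding]:
    """Walk the log once: remember paths ComboFix deleted, then score Run values
    and Security Center overrides. Thresholds are this example's assumptions."""
    section = key = None
    deleted: set[str] = set()
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        if section == "Other Deletions":
            deleted.add(line.lower())  # files removed before the registry dump
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        if key is None:
            continue
        if key.endswith(r"\currentversion\run"):
            m = RUN_RE.match(line)
            if not m:
                continue
            name, path, meta = m.groups()
            finding = Finding(name, path)
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if transitions(stem) >= random_threshold:
                finding.reasons.append("random-looking file name")
            if path.lower() in deleted:
                finding.reasons.append("target file was removed by ComboFix")
            if meta:  # "YYYY-MM-DD HH:MM size"; empty brackets mean no file metadata
                stamp = datetime.strptime(meta.split()[0], "%Y-%m-%d").date()
                if (scan_date - stamp).days <= recent_days:
                    finding.reasons.append(
                        f"file dated {stamp}, within {recent_days} days of the scan")
            if finding.reasons:
                findings.append(finding)
        elif key.endswith("security center"):
            m = DWORD_RE.match(line)
            if m and m.group(1).startswith("AntiVirus") and int(m.group(2), 16) == 1:
                findings.append(Finding(m.group(1), key,
                                        ["antivirus status alerts suppressed"]))
    return findings


def triage_sample() -> list[Finding]:
    """Run the triage over the constructed excerpt above."""
    return triage(SAMPLE_LOG, SCAN_DATE)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.name}: {'; '.join(f.reasons)}")
```

Run as-is, the script reports exactly the three Run values the CFScript above targets and the two Security Center overrides, while leaving NeroCheck, igfxtray and the metadata-less but well-known ISUSPM entry alone; note that `sysrest32.exe` is caught only by cross-referencing the "Other Deletions" section, which is why a single heuristic is not enough on its own.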
On 01.07.2008 at 10:26 a post by qwertyx was appended:
fix in HijackThis
The ComboFix log looks clean.
Manually delete the folder C:\Qoobox and delete the ComboFix installer from the disk.
Clean the computer with CCleaner.
Optimise the startup (autostart) entries.
Turn System Restore off and back on for all drives. Instructions
Scan the "My Computer" scope with http://www.kaspersky.pl/virusscanner.html (run it via IE) and post its report on the forum
or