Virus sysrest.sys and kgdb32.dll

(Pocztapeel) #1

When I turn on the computer it tells me I have a virus in the file sysrest.sys

and in general I also have the virus kgdb32.dll on the computer

How do I get rid of the viruses from these files?

(huber2t) #2

Post a ComboFix log

(Pocztapeel) #3

ComboFix 08-06-20.4 - komputer 2008-07-01 9:40:22.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.552 [GMT 2:00]

Running from: C:\Documents and Settings\komputer\Pulpit\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\sysrest32.exe

C:\WINDOWS\system32\Update.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_sysrest.sys

((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))

.

2008-07-01 09:47 . 2008-07-01 09:47

2008-06-30 18:20 . 2008-06-30 18:20

2008-06-30 17:54 . 2008-06-30 17:54

2008-06-30 17:11 . 2008-06-30 17:11 3,302 --a------ C:\WINDOWS\system32\tmp.reg

2008-06-30 17:10 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2008-06-30 17:10 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2008-06-30 17:10 . 2008-03-01 23:12 86,016 --a------ C:\WINDOWS\system32\VACFix.exe

2008-06-30 17:10 . 2008-02-29 23:48 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe

2008-06-30 17:10 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe

2008-06-30 17:10 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2008-06-30 17:10 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2008-06-30 16:47 . 2008-06-30 16:47 94,208 --a------ C:\WINDOWS\system32\pphc3a0j0e9en.exe

2008-06-30 16:45 . 2008-06-30 16:45 34,304 --a------ C:\WINDOWS\system32\lphc3a0j0e9en.exe

2008-06-26 11:51 . 2008-06-28 12:41

2008-06-25 12:21 . 2008-07-01 09:43

2008-06-22 16:06 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll

2008-06-22 16:06 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll

2008-06-22 16:06 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll

2008-06-22 16:06 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll

2008-06-22 16:06 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll

2008-06-22 16:06 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll

2008-06-22 16:06 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll

2008-06-22 16:05 . 2008-06-22 16:05

2008-06-21 13:57 . 2008-06-21 13:57

2008-06-16 22:50 . 2008-06-16 22:52

2008-06-16 22:49 . 2008-04-28 12:29 805,400 -ra------ C:\WINDOWS\system32\tmpC6.tmp

2008-06-16 22:49 . 2008-04-28 12:29 805,400 -ra------ C:\WINDOWS\system32\tmpC5.tmp

2008-06-12 08:54 . 2004-07-19 15:31 385,024 -ra------ C:\WINDOWS\system32\xvid.ax

2008-06-11 16:05 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys

2008-06-11 16:05 . 2008-06-14 20:01 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

2008-06-04 20:24 . 2008-06-04 20:24 36,734 --a------ C:\WINDOWS\system32\OggDSuninst.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-01 07:32 --------- d-----w C:\Documents and Settings\komputer\Dane aplikacji\Skype

2008-06-30 16:22 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-06-30 16:10 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-06-16 20:49 --------- d-----w C:\Program Files\OpenAL

2008-05-16 12:50 --------- d-----w C:\Documents and Settings\komputer\Dane aplikacji\MySpace

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

2008-01-13 10:48 1 ----a-w C:\Documents and Settings\komputer\SI.bin

2007-11-02 19:29 336 ----a-w C:\Documents and Settings\komputer\newss.reg

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-28 14:52 23458344]

"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]

"SigmatelSysTrayApp"="sttray.exe" [2006-05-26 16:58 282624 C:\WINDOWS\sttray.exe]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-04 21:11 188416]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-04-16 12:51 135168]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-04-16 12:51 155648]

"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-04-16 12:51 131072]

"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" []

"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2001-08-16 18:52 74832]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]

"Flashget"="C:\Program Files\FlashGet\FlashGet.exe" [2007-09-25 10:10 2007088]

"lphc3a0j0e9en"="C:\WINDOWS\system32\lphc3a0j0e9en.exe" [2008-06-30 16:45 34304]

"sysrest32.exe"="C:\WINDOWS\system32\sysrest32.exe" []

"SMrhc7a0j0e9en"="C:\Program Files\rhc7a0j0e9en\rhc7a0j0e9en.exe" [2008-06-30 17:27 335360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2005-07-29 11:37 218232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=$ĺSF3.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

"C:\Program Files\Gadu-Gadu\gg.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

"C:\Program Files\BearShare\BearShare.exe"=

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"=

"C:\Program Files\SopCast\SopCast.exe"=

"C:\Program Files\SopCast\adv\SopAdver.exe"=

"C:\Program Files\Azureus\Azureus.exe"=

"C:\Documents and Settings\komputer\Application Data\PowerChallenge\PowerSoccer\PowerSoccer.exe"=

"C:\Program Files\rFactor\rFactor.exe"=

"C:\Program Files\FlashGet\FlashGet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15428:TCP"= 15428:TCP:BitComet 15428 TCP

"15428:UDP"= 15428:UDP:BitComet 15428 UDP

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 17:11]

S3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aedf28bf-353a-11dd-a0fa-0012252a20d8}]

\Shell\AutoRun\command - jjcx.com

\Shell\explore\Command - jjcx.com

\Shell\open\Command - jjcx.com

.

Contents of the 'Scheduled Tasks' folder

"2008-06-20 18:00:14 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"

  • C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\DANEAP~1\Symantec\NORTON~1\Tasks\mycomp.sca

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-01 09:46:26

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en

C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine

C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\Autorun

C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\Autorun\HKCU

C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\Autorun\HKCU\RunOnce

C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\Autorun\HKLM

C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\Autorun\HKLM\RunOnce

C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\Autorun\StartMenuAllUsers

C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\Autorun\StartMenuCurrentUser

C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\BrowserObjects

C:\Documents and Settings\komputer\Dane aplikacji\rhc7a0j0e9en\Quarantine\Packages

scan completed successfully

hidden files: 11

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Norton AntiVirus\Navapsvc.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\pphc3a0j0e9en.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2008-07-01 9:57:36 - machine was rebooted

ComboFix-quarantined-files.txt 2008-07-01 07:57:33

Pre-Run: 7,415,808,000 bytes free

Post-Run: 7,452,028,928 bytes free

157 --- E O F --- 2008-06-21 08:36:10

(huber2t) #4

Download ComboFix, but don't run it

Paste into Notepad:

File::

C:\WINDOWS\system32\pphc3a0j0e9en.exe

C:\WINDOWS\system32\lphc3a0j0e9en.exe

C:\WINDOWS\system32\sysrest32.exe


Folder::

C:\Program Files\rhc7a0j0e9en


Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"lphc3a0j0e9en"=-

"sysrest32.exe"=-

"SMrhc7a0j0e9en"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aedf28bf-353a-11dd-a0fa-0012252a20d8}]

File -> Save as -> CFScript.txt (it is most convenient to save it where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon like this ->

(image: 02f8f1e3c410a4cc.gif)

The removal will start and a log will be produced; post that log on the forum.

Post logs at http://wklejto.pl and put only the link in your post
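An added example, not part of the thread and not a ComboFix feature: a Python script that applies the checks a helper applies by eye when reading a log like the one posted above (Run values whose target ComboFix already listed under "Other Deletions", autostart binaries dated inside the "Files Created" window, an AutoRun command under mountpoints2, Security Center override values) and drafts File:: and Registry:: sections in the CFScript syntax used in the post above. The sample log is a constructed excerpt of the one posted in this thread; the date-window rule and the wording of the reasons are this example's own, and the draft is meant to be read and trimmed before it is dropped onto ComboFix.

```python
"""Triage autostart entries in a ComboFix log and draft a CFScript for review.

Heuristics, not signatures: a Run value whose target is already under "Other
Deletions" (orphaned autorun) or whose file date, printed by ComboFix in [...],
falls inside the "Files Created from X to Y" window; an AutoRun command under
mountpoints2; a non-zero AntiVirus* value under the Security Center key."""
import re
from datetime import datetime

SECTION_RE = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}$")
WINDOW_RE = re.compile(r"Files Created from (\d{4}-\d{2}-\d{2}) to (\d{4}-\d{2}-\d{2})")
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[([^\]]*)\]$')
DWORD_RE = re.compile(r'^"(AntiVirus\w+)"=dword:0*([1-9a-fA-F][0-9a-fA-F]*)$')
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: lines excerpted from the log posted earlier in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\sysrest32.exe
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-28 14:52 23458344]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" []
"lphc3a0j0e9en"="C:\WINDOWS\system32\lphc3a0j0e9en.exe" [2008-06-30 16:45 34304]
"sysrest32.exe"="C:\WINDOWS\system32\sysrest32.exe" []
"SMrhc7a0j0e9en"="C:\Program Files\rhc7a0j0e9en\rhc7a0j0e9en.exe" [2008-06-30 17:27 335360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aedf28bf-353a-11dd-a0fa-0012252a20d8}]
\Shell\AutoRun\command - jjcx.com
\Shell\open\Command - jjcx.com
"""


def parse_log(text):
    """Split a ComboFix log into the pieces the heuristics need."""
    window, deletions, run_values, autorun_cmds, overrides = None, set(), [], [], []
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1)
            if w := WINDOW_RE.search(section):
                window = tuple(datetime.strptime(d, "%Y-%m-%d") for d in w.groups())
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif section == "Other Deletions" and PATH_RE.match(line):
            deletions.add(line.lower())
        elif key and key.lower().endswith("\\run") and (m := VALUE_RE.match(line)):
            run_values.append((key,) + m.groups())  # (key, name, target, meta)
        elif key and "mountpoints2" in key.lower() and "\\autorun\\command" in line.lower():
            autorun_cmds.append((key, line.split(" - ", 1)[-1]))
        elif key and key.lower().endswith("security center") and (m := DWORD_RE.match(line)):
            overrides.append((key, m.group(1)))
    return window, deletions, run_values, autorun_cmds, overrides


def flag_autostarts(parsed):
    """Return (key, value_name, target, reason) tuples; value_name is None for a whole key."""
    window, deletions, run_values, autorun_cmds, overrides = parsed
    findings = []
    for key, name, target, meta in run_values:
        stamp = re.match(r"\d{4}-\d{2}-\d{2}", meta)  # file date ComboFix prints in [...]
        if target.lower() in deletions:
            findings.append((key, name, target, "target already deleted by ComboFix: orphaned autorun"))
        elif window and stamp and window[0] <= datetime.strptime(stamp.group(), "%Y-%m-%d") <= window[1]:
            findings.append((key, name, target, f"autostart binary dated {stamp.group()}, inside the scan window"))
    for key, cmd in autorun_cmds:
        findings.append((key, None, cmd, "AutoRun command on a mounted volume"))
    for key, name in overrides:
        findings.append((key, name, None, "Security Center warning suppressed: reset by hand"))
    return findings


def draft_cfscript(findings, deletions):
    """Render File:: and Registry:: in the syntax post #4 uses ("name"=- removes a
    value, [-KEY] removes a key). Security Center values are reported, not scripted."""
    files, values, dead_keys = [], {}, []
    for key, name, target, _reason in findings:
        if name is None:
            dead_keys.append(key)
        elif key.lower().endswith("\\run"):
            values.setdefault(key, []).append(name)
            if target.lower() not in deletions:  # still on disk: ask ComboFix to remove it
                files.append(target)
    lines = ["File::", *files, "", "Registry::"]
    for key, names in values.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    lines.extend(f"[-{k}]" for k in dead_keys)
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for key, name, target, reason in flag_autostarts(parsed):
        print(f"{reason}: {name or key} -> {target or ''}")
    print("\n" + draft_cfscript(flag_autostarts(parsed), parsed[1]))
```

Run as-is it prints the findings and the drafted script for the sample; for a real log, pass the file's text to parse_log. Legitimate entries with empty [] metadata (a missing updater binary, for instance) are deliberately not flagged, since ComboFix prints [] for any file it cannot stat; only a target ComboFix itself removed counts as an orphan.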

(Pocztapeel) #5

http://wklejto.pl/4547

On 01.07.2008 at 10:26 a post by qwertyx was appended

http://wklejto.pl/4549

(huber2t) #6

Fix in HijackThis

The ComboFix log looks clean

Manually delete the C:\Qoobox folder and delete the ComboFix installer from the disk.

Clean the computer with CCleaner

Optimize the startup list

Turn System Restore off and back on on all drives. Instructions

Scan the My Computer area with http://www.kaspersky.pl/virusscanner.html (run it through IE). Post its report on the forum

or

Dr.WEB CureIt!