vaderus
(Vaderus)
10 May 2009 17:17
#1
Hello, for 3 days I've been fighting an infection on my PC, mainly the Win32.Sality virus plus some trojans. Everything seems OK now, but the machine can, and in fact regularly does, restart itself during antivirus scans in normal mode. In safe mode it scans to the end. During the restart it often throws a blue screen with various error codes.
Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:09:38, on 2009-05-10
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\hija\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM…\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM…\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU…\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU…\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU…\Run: [Ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: D-Link AirPlus.lnk = ?
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Utwórz Ulubione dla urządzenia przenośnego… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 6740771218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Update Service (gupdate1c986c7798a7220) (gupdate1c986c7798a7220) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8013 bytes
jasio96
(96jasio96)
10 May 2009 17:25
#2
The log is clean.
Run a full scan with Dr.Web CureIt!
If you have active Sality: absolute format (of all partitions).
But to know for 100%, run ComboFix and post the log
viewtopic.php?p=1170959#p1170959
vaderus
(Vaderus)
10 May 2009 18:34
#4
Dr.Web, like everything else, doesn't get to the end; a reset happens. But with this reset I'm starting to suspect the power supply. ComboFix log:
ComboFix 09-05-09.05 - MARCIN 2009-05-10 20:29.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1045.18.2047.1606 [GMT 2:00]
Running from: e:\coś ściąganego\ComboFix.exe
AV: Doctor Web Anti-Virus *On-access scanning enabled* (Updated)
.
((((((((((((((((((((((((( Files created from 2009-04-10 to 2009-05-10 )))))))))))))))))))))))))))))))
.
2009-05-10 18:12 . 2009-05-10 18:12 -------- d-----w c:\program files\SiSoftware
2009-05-10 17:58 . 2009-04-07 14:01 101496 ----a-w c:\windows\system32\drivers\dwprot.sys
2009-05-10 17:57 . 2009-05-10 17:57 -------- d-----w c:\program files\Common Files\Doctor Web
2009-05-10 17:57 . 2009-05-10 17:57 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Doctor Web
2009-05-10 17:57 . 2009-05-10 18:01 -------- d-----w c:\program files\DrWeb
2009-05-10 07:29 . 2009-05-10 07:29 -------- d-----w c:\program files\LSoft Technologies
2009-05-09 11:11 . 2009-05-09 11:11 138512 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-05-09 11:11 . 2009-05-09 11:11 201440 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-09 11:11 . 2009-05-09 11:11 66872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-05-09 07:22 . 2006-03-02 12:00 47564 ----a-w c:\windows\NTDETECT.COM
2009-05-08 16:21 . 2009-05-10 18:31 13082656 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-08 16:21 . 2008-07-08 12:54 148496 ----a-w c:\windows\system32\drivers\44184794.sys
2009-05-08 08:38 . 2009-05-08 08:38 -------- d-----w c:\documents and settings\IGNACY.DOM-PROSTA\Ustawienia lokalne\Dane aplikacji\Mozilla
2009-05-08 08:18 . 2009-05-08 08:18 -------- d-----w c:\documents and settings\MARCIN.DOM-PROSTA\Dane aplikacji\Uniblue
2009-05-08 08:03 . 2009-05-08 08:03 -------- d-----w c:\program files\D-Link AirPlus
2009-05-08 07:58 . 2009-05-08 07:58 -------- d-----w c:\documents and settings\MARCIN.DOM-PROSTA\Dane aplikacji\ZoomBrowser EX
2009-05-08 07:51 . 2009-05-08 07:51 -------- d-----w c:\documents and settings\MARCIN.DOM-PROSTA\Dane aplikacji\Ahead
2009-05-08 07:50 . 2009-05-08 07:50 -------- d-----w c:\documents and settings\MARCIN.DOM-PROSTA\Dane aplikacji\ArcSoft
2009-05-08 07:16 . 2009-05-08 07:18 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-07 20:02 . 2009-05-07 20:02 -------- d-----w c:\documents and settings\MARCIN.DOM-PROSTA\Dane aplikacji\Gadu-Gadu
2009-05-07 20:02 . 2009-05-07 20:12 -------- d-----w c:\documents and settings\MARCIN.DOM-PROSTA\Dane aplikacji\Nowe Gadu-Gadu
2009-05-07 19:59 . 2009-05-07 19:59 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-07 19:55 . 2009-05-07 19:56 -------- d-----w c:\documents and settings\MARCIN.DOM-PROSTA\Gadu-Gadu
2009-05-07 19:34 . 2009-05-07 19:59 -------- d-----w c:\documents and settings\MARCIN.DOM-PROSTA\Ustawienia lokalne\Dane aplikacji\Adobe
2009-05-07 16:24 . 2009-05-10 18:01 -------- d-----w c:\documents and settings\MARCIN.DOM-PROSTA\DoctorWeb
2009-05-07 15:16 . 2009-05-07 15:16 -------- d-----w c:\documents and settings\MARCIN.DOM-PROSTA\Dane aplikacji\Malwarebytes
2009-05-07 15:16 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-07 15:16 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-07 15:16 . 2009-05-07 15:16 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Malwarebytes
2009-05-07 12:43 . 2009-05-07 12:43 -------- d-----w c:\documents and settings\MARCIN.DOM-PROSTA\Ustawienia lokalne\Dane aplikacji\Google
2009-05-07 12:30 . 2009-05-07 12:30 29168 ----a-w c:\documents and settings\MARCIN.DOM-PROSTA\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-05-07 12:28 . 2009-05-07 12:28 -------- d-----w c:\documents and settings\MARCIN.DOM-PROSTA\Ustawienia lokalne\Dane aplikacji\Mozilla
2009-05-07 08:28 . 2009-05-08 07:18 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2009-04-30 22:30 . 2009-04-30 22:30 1194528 ----a-w c:\windows\system32\nvcplui.exe
2009-04-30 20:02 . 2009-04-30 20:02 5896320 -c--a-w c:\windows\system32\dllcache\nv4_disp.dll
2009-04-30 20:02 . 2009-04-30 20:02 8055584 -c--a-w c:\windows\system32\dllcache\nv4_mini.sys
2009-04-30 20:02 . 2009-04-30 20:02 8055584 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2009-04-30 20:02 . 2009-04-30 20:02 5896320 ----a-w c:\windows\system32\nv4_disp.dll
2009-04-30 20:02 . 2009-04-30 20:02 806912 ----a-w c:\windows\system32\nvapi.dll
2009-04-30 20:02 . 2009-04-30 20:02 143360 ----a-w c:\windows\system32\nvcod.dll
2009-04-30 20:02 . 2009-04-30 20:02 143360 ----a-w c:\windows\system32\nvcodins.dll
2009-04-30 20:02 . 2009-04-30 20:02 1720320 ----a-w c:\windows\system32\nvcuda.dll
2009-04-30 20:02 . 2009-04-30 20:02 1314816 ----a-w c:\windows\system32\nvcuvenc.dll
2009-04-30 20:02 . 2009-04-30 20:02 663552 ----a-w c:\windows\system32\nvcuvid.dll
2009-04-30 20:02 . 2009-04-30 20:02 1579630 ----a-w c:\windows\system32\nvdata.bin
2009-04-30 20:02 . 2009-04-30 20:02 9994240 ----a-w c:\windows\system32\nvoglnt.dll
2009-04-29 17:26 . 2009-04-29 17:26 -------- d-----w c:\documents and settings\LocalService\Menu Start
2009-04-29 17:26 . 2009-03-24 14:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-27 08:01 . 2009-04-27 08:01 -------- d-----w c:\documents and settings\MARCIN\Ustawienia lokalne\Dane aplikacji\Apple Computer
2009-04-24 11:50 . 2009-04-24 11:50 -------- d-----w c:\documents and settings\MARCIN\.gstreamer-0.10
2009-04-24 11:47 . 2009-04-24 11:47 -------- d-----w c:\documents and settings\MARCIN\Dane aplikacji\OpenFM
2009-04-24 11:47 . 2008-04-14 20:50 21504 -c--a-w c:\windows\system32\dllcache\hidserv.dll
2009-04-24 11:47 . 2008-04-14 20:50 21504 ----a-w c:\windows\system32\hidserv.dll
2009-04-24 11:47 . 2008-04-13 22:15 10368 -c--a-w c:\windows\system32\dllcache\hidusb.sys
2009-04-24 11:47 . 2008-04-13 22:15 10368 ----a-w c:\windows\system32\drivers\hidusb.sys
2009-04-24 11:47 . 2008-04-13 22:15 60032 -c--a-w c:\windows\system32\dllcache\usbaudio.sys
2009-04-24 11:47 . 2008-04-13 22:15 60032 ----a-w c:\windows\system32\drivers\USBAUDIO.sys
2009-04-24 11:46 . 2008-04-13 22:15 32128 -c--a-w c:\windows\system32\dllcache\usbccgp.sys
2009-04-24 11:46 . 2008-04-13 22:15 32128 ----a-w c:\windows\system32\drivers\usbccgp.sys
2009-04-21 19:02 . 2009-04-21 19:02 -------- d-----w c:\program files\Common Files\Program4Pc
2009-04-19 08:01 . 2009-04-19 08:01 -------- d-----w c:\documents and settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Google
2009-04-15 08:49 . 2009-04-15 08:49 -------- d-----w c:\program files\MSECache
2009-04-15 08:47 . 2009-04-15 08:47 -------- d-----w c:\documents and settings\QBA\Ustawienia lokalne\Dane aplikacji\Microsoft Help
2009-04-15 07:42 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 07:42 . 2009-03-06 14:22 285696 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 07:42 . 2009-02-09 11:25 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 07:42 . 2009-02-09 10:53 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 07:42 . 2009-02-09 10:53 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 07:42 . 2009-02-09 10:53 686592 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 07:42 . 2009-02-09 10:53 731136 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 07:42 . 2009-02-09 10:53 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 07:42 . 2004-08-04 06:56 708096 -c--a-w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 07:32 . 2008-04-21 21:16 218112 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 06:29 . 2009-04-20 16:48 -------- d-----w c:\documents and settings\MARCIN\Dane aplikacji\Nowe Gadu-Gadu
2009-04-14 06:28 . 2009-05-08 06:38 -------- d-----w c:\program files\Nowe Gadu-Gadu
2009-04-13 17:22 . 2009-04-13 17:44 -------- d-----w c:\program files\Foto E-Net
.
(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 18:13 . 2009-05-10 18:13 4590 ----a-w c:\documents and settings\All Users\Dane aplikacji\rssA.tmp
2009-05-10 18:13 . 2009-05-10 18:13 14162 ----a-w c:\documents and settings\All Users\Dane aplikacji\rss9.tmp
2009-05-10 18:00 . 2009-05-08 16:21 133160 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-10 07:29 . 2008-11-13 17:51 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-09 09:02 . 2008-12-26 16:36 -------- d-----w c:\program files\NAPI-PROJEKT
2009-05-08 08:36 . 2009-05-08 08:36 29168 ----a-w c:\documents and settings\QBA.DOM-PROSTA\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-05-07 20:12 . 2009-05-07 20:12 29168 ----a-w c:\documents and settings\IGNACY.DOM-PROSTA\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-05-07 19:59 . 2008-11-14 10:54 -------- d-----w c:\program files\Common Files\Adobe
2009-05-07 09:30 . 2006-03-02 12:00 84208 ----a-w c:\windows\system32\perfc015.dat
2009-05-07 09:30 . 2006-03-02 12:00 491152 ----a-w c:\windows\system32\perfh015.dat
2009-04-30 22:30 . 2009-04-30 22:30 331776 ----a-w c:\windows\system32\nvrshe.dll
2009-04-30 20:02 . 2008-11-13 18:56 457248 ----a-w c:\windows\system32\nvudisp.exe
2009-04-26 22:42 . 2008-11-13 17:48 457248 ----a-w c:\windows\system32\NVUNINST.EXE
2009-04-14 08:52 . 2009-02-20 15:42 -------- d-----w c:\program files\PITy
2009-04-03 18:35 . 2009-02-04 12:49 -------- d-----w c:\program files\Google
2009-04-02 07:38 . 2009-04-02 07:38 -------- d-----w c:\program files\ProSoft Driver
2009-03-31 15:18 . 2008-11-15 13:44 -------- d-----w c:\program files\Java
2009-03-09 03:19 . 2008-11-15 13:44 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2006-03-02 12:00 285696 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:10 . 2006-03-02 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 17:24 . 2008-11-15 09:43 52908 ----a-w c:\windows\unins000.dat
2009-02-28 17:23 . 2008-11-15 09:43 697353 ----a-w c:\windows\unins000.exe
2009-02-20 17:13 . 2006-03-02 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-10 17:09 . 2004-08-04 00:38 2067328 ----a-w c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and default, legitimate entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-14 356352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"SpIDerAgent"="c:\program files\DrWeb\SpIDerAgent.exe" [2009-02-16 423152]
"SpIDerMail"="c:\program files\DrWeb\spiderml.exe" [2009-04-15 640240]
"SpIDerNT"="c:\progra~1\DrWeb\spiderui.exe" [2009-04-16 251144]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\MARCIN\Menu Start\Programy\Autostart\
Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
D-Link AirPlus.lnk - c:\program files\D-Link AirPlus\AirPlus.exe [2009-5-8 262144]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Microsoft ActiveSync\rapimgr.exe"=
"e:\Gry\wolfen\ET.exe"=
"c:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\RpcSandraSrv.exe"=
"c:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\Win32\RpcDataSrv.exe"=

P2 SPIDERNT;SpIDer Guard for Windows;c:\progra~1\DrWeb\spidernt.exe [2009-04-16 251144]
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [2009-05-10 101496]
R1 is-B4PD6drv;is-B4PD6drv;c:\windows\system32\drivers\44184794.sys [2009-05-08 148496]
R2 DrWebEngine;Dr.Web Scanning Engine (DrWebEngine);c:\program files\Common Files\Doctor Web\Scanning Engine\dwengine.exe [2009-01-21 886072]
R2 SPIDER;SpIDer Guard File System Monitor;c:\progra~1\DrWeb\spider.sys [2009-04-16 394184]
S2 gupdate1c986c7798a7220;Google Update Service (gupdate1c986c7798a7220);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 133104]
S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\qnkiq.sys --> c:\windows\system32\drivers\qnkiq.sys [?]
S3 CrystalSysInfo;CrystalSysInfo;e:\mediacoder\SysInfo.sys [2007-09-25 15152]
S3 uti3nda1;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uti3nda1.sys --> c:\windows\system32\Drivers\uti3nda1.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SANDRATHESRV
.
Contents of the 'Scheduled Tasks' folder

2009-05-10 c:\windows\Tasks\Dr.Web Daily scan.job
- c:\program files\DrWeb\DrWeb32w.exe [2009-04-22 15:46]

2009-05-10 c:\windows\Tasks\Dr.Web Update.job
- c:\program files\DrWeb\DrWebUpW.exe [2009-03-02 16:51]

2009-05-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-04 18:03]

2009-05-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 12:52]
.
- - - - EMPTY ENTRIES REMOVED - - - -

HKLM-Run-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKLM-Run-RTHDCPL - RTHDCPL.EXE
.
------- Supplementary scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\DrWeb\drwebsp.dll
DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} - hxxp://arcaonline.arcabit.com/ArcaOnline.cab
FF - ProfilePath - c:\documents and settings\MARCIN.DOM-PROSTA\Dane aplikacji\Mozilla\Firefox\Profiles\b58zp4cr.default\
FF - prefs.js: browser.startup.homepage - www.google.pl
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-10 20:31
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\swenum]
"ImagePath"="system32\DRIVERS\swenum.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SwPrv]
"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{D10E033E-D176-4612-B1DE-64780D4F1E85}"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\swwd]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\symc810]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\symc8xx]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sym_hi]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sym_u3]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TDPIPE]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TDTCP]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TermDD]
"ImagePath"="system32\DRIVERS\termdd.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TosIde]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TSDDD]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Udfs]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ultra]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Update]
"ImagePath"="system32\DRIVERS\update.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbaudio]
"ImagePath"="system32\drivers\usbaudio.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbccgp]
"ImagePath"="system32\DRIVERS\usbccgp.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbehci]
"ImagePath"="system32\DRIVERS\usbehci.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbhub]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbohci]
"ImagePath"="system32\DRIVERS\usbohci.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbprint]
"ImagePath"="system32\DRIVERS\usbprint.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbscan]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\USBSTOR]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbuhci]
"ImagePath"="system32\DRIVERS\usbuhci.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\uti3nda1]
"ImagePath"="\??\c:\windows\system32\Drivers\uti3nda1.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ViaIde]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\VolSnap]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\W32Time]
"ServiceDll"="%systemroot%\system32\w32time.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\W3SVC]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Wanarp]
"ImagePath"="system32\DRIVERS\wanarp.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wceusbsh]
"ImagePath"="system32\DRIVERS\wceusbsh.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WDICA]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Windows Workflow Foundation 3.0.0.0]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Winsock]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WinSock2]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WinTrust]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmdmPmSN]
"ServiceDll"="c:\windows\system32\MsPMSNSv.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Wmi]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmiApRpl]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmiApSrv]
"ImagePath"="c:\windows\system32\wbem\wmiapsrv.exe"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WMPNetworkSvc]
"ImagePath"="\"c:\program files\Windows Media Player\WMPNetwk.exe\""
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WS2IFSL]
"ImagePath"="\SystemRoot\System32\drivers\ws2ifsl.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WudfPf]
"ImagePath"="system32\DRIVERS\WudfPf.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WudfRd]
"ImagePath"="system32\DRIVERS\wudfrd.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WudfSvc]
"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1429AECE-06F6-4396-A592-05305B0465F1}]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{C27F902E-6E0F-4837-8BF7-F25B99C22EEC}]
.
--------------------- DLLs loaded under running processes ---------------------

- - - - - - - > 'lsass.exe'(472)
c:\program files\DrWeb\drwebsp.dll

- - - - - - - > 'explorer.exe'(3100)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
.
Completion time: 2009-05-10 20:32
ComboFix-quarantined-files.txt 2009-05-10 18:32

Before: 39 201 316 864 bytes free
After: 39 190 962 176 bytes free

325 --- E O F --- 2009-04-30 06:42
ciemnowidz
In my opinion it's Sality.
Simplest and most effective: format all partitions (preferably from the Recovery Console).
Delete every installer you downloaded earlier and download clean ones.
More about it:
http://www.searchengines.pl/index.php?s … pic=122692
Gutek
(Gutek)
11 May 2009 08:38
#6
ciemnowidz:
In my opinion it's Sality.
Yes, it's that virus, you can see it in Combo. Follow ciemnowidz's link.
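What the helpers above are reading off the ComboFix log is mostly two things: the Security Center values under HKLM\software\microsoft\security center (and \Svc) all set to 1, and service entries whose driver file ComboFix could not find on disk (the "[?]" lines). As an added illustration, not code from ComboFix or from anyone in this thread, the following Python script scans a ComboFix-style excerpt for exactly those two indicators. The sample text is constructed to mirror the lines posted above; the value names come from the log, and the statement that Sality sets those Security Center values to silence the Security Center comes from published malware write-ups, not from this page. Neither indicator on its own proves a Sality infection (a user can set the override values by hand, and an orphaned driver entry can be left behind by an uninstalled tool), which is why the posters asked for a full log rather than a single line.

```python
"""Triage helper for the registry/service section of a ComboFix-style log.

Added example for this thread; not ComboFix code and not something the
posters ran. It flags:
  1. Windows Security Center override / DisableNotify values set to 1
     (published write-ups describe Sality setting these; a user can too).
  2. Service/driver entries ComboFix marked "[?]", i.e. the file is gone.
"""
import re

# Security Center values that file infectors commonly flip to 1.
SECURITY_CENTER_FLAGS = {
    "AntiVirusOverride",
    "AntiVirusDisableNotify",
    "FirewallDisableNotify",
    "FirewallOverride",
    "UpdatesDisableNotify",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
# ComboFix service line: "<start type> <name>;<display name>;<path> [<date size> | ?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RSP]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]$"
)


def security_center_overrides(lines):
    """Return (registry key, value name) for flagged Security Center values that are non-zero."""
    hits = []
    current_key = None
    for raw in lines:
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current_key = key.group("key")  # values that follow belong to this key
            continue
        val = DWORD_RE.match(line)
        if not (val and current_key) or "security center" not in current_key.lower():
            continue
        if val.group("name") in SECURITY_CENTER_FLAGS and int(val.group("val"), 16) != 0:
            hits.append((current_key, val.group("name")))
    return hits


def orphaned_services(lines):
    """Return (service name, resolved path) for entries whose file ComboFix could not find ("[?]")."""
    found = []
    for raw in lines:
        svc = SERVICE_RE.match(raw.strip())
        if svc and svc.group("info") == "?":
            # "\??\c:\... --> c:\..." : keep the resolved path after the arrow.
            path = svc.group("path").split(" --> ")[-1]
            found.append((svc.group("name"), path))
    return found


def triage(text):
    """Run both checks over a log excerpt and return the findings."""
    lines = text.splitlines()
    return {
        "security_center": security_center_overrides(lines),
        "orphaned_services": orphaned_services(lines),
    }


# Constructed sample mirroring the ComboFix entries posted in this thread
# (one zero-valued entry added to show that only non-zero values are flagged).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [2009-05-10 101496]
R1 is-B4PD6drv;is-B4PD6drv;c:\windows\system32\drivers\44184794.sys [2009-05-08 148496]
S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\qnkiq.sys --> c:\windows\system32\drivers\qnkiq.sys [?]
S3 uti3nda1;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uti3nda1.sys --> c:\windows\system32\Drivers\uti3nda1.sys [?]
"""

if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("  ", item)
```

Run as-is it reports six Security Center overrides and two orphaned driver entries from the constructed sample; to use it on a real log, pass the file contents to triage() instead of SAMPLE_LOG. The key-scoping matters: the same value names are only meaningful under the security center keys, so the parser tracks the current [key] line rather than grepping for the names.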