ComboFix 09-03-26.03 - seba 2009-03-27 15:39:22.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.1023.590 [GMT 1:00]
Uruchomiony z: c:\documents and settings\seba\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090326-0] *On-access scanning disabled* (Updated)
 * Utworzono nowy punkt przywracania
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\seba\Dane aplikacji\inst.exe
c:\documents and settings\seba\Dane aplikacji\wiaserva.log
c:\documents and settings\seba\seba.exe
c:\documents and settings\seba\x.exe
c:\windows\system32\BReWErS.dll
c:\windows\system32\digeste.dll
.
((((((((((((((((((((((((( Pliki utworzone od 2009-02-27 do 2009-03-27 )))))))))))))))))))))))))))))))
.
2009-03-27 15:08 . 2009-03-27 15:08
2009-03-26 17:53 . 2009-02-05 22:05    30,464  --a------  c:\windows\system32\drivers\netsik.sys
2009-03-24 14:07 . 2009-03-24 14:07
2009-03-24 14:07 . 2009-03-25 15:28
2009-03-22 14:20 . 2004-08-03 23:07    59,264  --a------  c:\windows\system32\drivers\USBAUDIO.sys
2009-03-22 14:20 . 2004-08-03 23:07    59,264  --a--c---  c:\windows\system32\dllcache\usbaudio.sys
2009-03-22 14:20 . 2004-08-04 00:44    21,504  --a------  c:\windows\system32\hidserv.dll
2009-03-22 14:20 . 2004-08-04 00:44    21,504  --a--c---  c:\windows\system32\dllcache\hidserv.dll
2009-03-22 14:20 . 2004-08-04 00:38    14,848  --a------  c:\windows\system32\drivers\kbdhid.sys
2009-03-22 14:20 . 2004-08-04 00:38    14,848  --a--c---  c:\windows\system32\dllcache\kbdhid.sys
2009-03-22 14:20 . 2001-10-26 16:57    12,160  --a------  c:\windows\system32\drivers\mouhid.sys
2009-03-22 14:20 . 2001-10-26 16:57    12,160  --a--c---  c:\windows\system32\dllcache\mouhid.sys
2009-03-14 12:25 . 2009-03-14 12:28
2009-03-13 15:14 . 2009-03-13 15:15
2009-03-01 20:51 . 2009-03-27 15:11       563  --a------  C:\hpfr5550.xml
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-27 14:07  ---------  d-----w  c:\documents and settings\seba\Dane aplikacji\uTorrent
2009-03-25 14:28  ---------  d-----w  c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2009-03-25 14:27  ---------  d-----w  c:\program files\Common Files\Symantec Shared
2009-03-24 13:10  ---------  d-----w  c:\documents and settings\All Users\Dane aplikacji\Symantec
2009-03-18 15:05  ---------  d-----w  c:\documents and settings\seba\Dane aplikacji\Vso
2009-03-13 14:13  ---------  d-----w  c:\program files\Common Files\Real
2009-03-12 07:10  ---------  d-----w  c:\documents and settings\All Users\Dane aplikacji\Microsoft Help
2009-02-28 15:33  ---------  d---a-w  c:\documents and settings\All Users\Dane aplikacji\TEMP
2009-02-23 06:25  ---------  d-----w  c:\program files\Avanquest update
2009-02-22 16:50  ---------  d--h--w  c:\program files\InstallShield Installation Information
2009-02-22 16:50  ---------  d-----w  c:\documents and settings\All Users\Dane aplikacji\BVRP Software
2009-02-22 16:48  ---------  d-----w  c:\documents and settings\All Users\Dane aplikacji\Sony Ericsson
2009-02-19 16:26  ---------  d-----w  c:\program files\Microsoft Silverlight
2009-02-14 08:09  ---------  d-----w  c:\documents and settings\seba\Dane aplikacji\Ventrilo
2009-02-14 08:08  ---------  d-----w  c:\program files\Common Files\Wise Installation Wizard
2009-02-13 14:24  ---------  d-----w  c:\documents and settings\All Users\Dane aplikacji\KONAMI
2009-02-09 14:19  1,846,528  ----a-w  c:\windows\system32\win32k.sys
2009-02-06 14:27    183,112  ----a-w  c:\windows\system32\PnkBstrB.exe
2009-02-06 14:27    138,184  ----a-w  c:\windows\system32\drivers\PnkBstrK.sys
2009-02-02 14:54  ---------  d-----w  c:\documents and settings\seba\Dane aplikacji\Audacity
2009-01-24 20:11     66,872  ----a-w  c:\windows\system32\PnkBstrA.exe
2008-11-16 19:09     47,360  ----a-w  c:\documents and settings\seba\Dane aplikacji\pcouffin.sys
2007-12-08 12:41     22,328  ----a-w  c:\documents and settings\seba\Dane aplikacji\PnkBstrK.sys
2006-10-07 18:54    390,023  --sha-r  c:\program files\wunauclt.zip
2006-10-07 18:54    390,023  --sha-r  c:\program files\wunauclt.tbe
2006-08-27 13:38  1,015,973  --sha-r  c:\program files\serial.tde
2008-02-21 16:56         56  --sh--r  c:\windows\system32\7623F1A22D.sys
2008-02-21 16:56      3,350  --sha-w  c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-24 401491]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2007-08-26 224048]
"Gadu-Gadu"="e:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]
"ares"="e:\program files\Ares\Ares.exe" [2007-05-04 961024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="e:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"MSACM.CEGSM"= mobilev.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^BlueSoleil.lnk]
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Oprogramowanie Kodak EasyShare.lnk]
backup=c:\windows\pss\Oprogramowanie Kodak EasyShare.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^seba^Menu Start^Programy^Autostart^Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk]
backup=c:\windows\pss\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^seba^Menu Start^Programy^Autostart^Yahoo! Widget Engine.lnk]
path=c:\documents and settings\seba\Menu Start\Programy\Autostart\Yahoo! Widget Engine.lnk
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^seba^Menu Start^Programy^Autostart^µTorrent.lnk]
backup=c:\windows\pss\µTorrent.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog303
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadwin PrintScreen
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P]
Resident Evil 4 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Komunikator
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Odkurzacz-MCD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TweakRAM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VS Online
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALLUpdate]
--a------ 2008-11-24 20:44 869888 e:\program files\ALLPlayer\ALLUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
--a------ 2007-05-04 01:32 961024 e:\program files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 21:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
-ra------ 2004-06-09 07:37 40960 c:\windows\VM_STI.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 13:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 11:48 157592 e:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Domino]
-ra------ 2006-06-28 10:54 49152 c:\windows\Domino.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
--a------ 2008-03-20 11:04 2127296 e:\program files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2004-02-24 08:33 401491 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-06-16 06:03 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-06-16 06:03 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nowe Gadu-Gadu]
--a------ 2009-02-06 15:51 9302632 e:\program files\Nowe Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RelevantKnowledge]
--a------ 2008-10-28 15:16 1664000 c:\program files\RelevantKnowledge\rlvknlg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-01-29 15:36 25370152 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
--a------ 2008-02-20 16:20 360448 d:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 11:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-08 06:39 1410296 e:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-12-15 03:23 75520 c:\program files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
--a------ 2007-08-26 12:15 224048 c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMSnap3]
-ra------ 2006-08-30 03:58 49152 c:\windows\VMSnap3.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
--a------ 2007-02-12 16:22 397312 c:\program files\WinFast\W\WFTVFM\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2004-12-07 07:23 57344 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2004-12-10 08:38 2749440 c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 13:00 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skrót do strony w3aociwooci High Definition Audio]
--------- 2004-03-17 15:10 61952 c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skrót do strony właściwości High Definition Audio]
--------- 2004-03-17 15:10 61952 c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-11-02 07:53 77824 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"e:\Program Files\Gadu-Gadu\gg.exe"=
"c:\Program Files\uTorrent\uTorrent.exe"=
"e:\Program Files\Ares\Ares.exe"=
"c:\Program Files\Microsoft ActiveSync\wcescomm.exe"=
"e:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"=
"c:\WINDOWS\system32\PnkBstrA.exe"=
"c:\WINDOWS\system32\PnkBstrB.exe"=
"c:\Program Files\MSN Messenger\msnmsgr.exe"=
"e:\Program Files\kodak\Kodak EasyShare software\bin\EasyShare.exe"=
"c:\WINDOWS\system32\dpvsetup.exe"=
"e:\Program Files\Valve\Steam\Steam.exe"=
"e:\Program Files\Mozilla Firefox\firefox.exe"=
"e:\Program Files\Valve\Steam\SteamApps\sebastian_rosiak\condition zero\hl.exe"=
"e:\Program Files\Valve\Steam\SteamApps\sebastian_rosiak\counter-strike\hl.exe"=
"e:\Program Files\Valve\Steam\SteamApps\sebastian_rosiak\dedicated server\hlds.exe"=
"e:\Program Files\Nowe Gadu-Gadu\gg.exe"=
"c:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2009\Polish\setup.exe"=
"e:\Program Files\Valve\Counter-Strike Source\hl2.exe"=
"c:\Documents and Settings\seba\Application Data\PowerChallenge\PowerSoccer\PowerSoccer.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
"e:\Program Files\KONAMI\Pro Evolution Soccer 2009\pes2009.exe"=
"c:\program files\relevantknowledge\rlvknlg.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8461:TCP"= 8461:TCP:GoD High Port
"8462:TCP"= 8462:TCP:GoD Low Port

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-08-03 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-26 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-26 20560]
R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2008-02-18 59776]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2008-02-18 19456]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys [2008-02-18 9600]
R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2007-06-06 428160]
S2 amd64si;amd64si;\??\c:\windows\system32\drivers\amd64si.sys --> c:\windows\system32\drivers\amd64si.sys [?]
S2 ati64si;ati64si;\??\c:\windows\system32\drivers\ati64si.sys --> c:\windows\system32\drivers\ati64si.sys [?]
S2 fips32cup;fips32cup;\??\c:\windows\system32\drivers\fips32cup.sys --> c:\windows\system32\drivers\fips32cup.sys [?]
S2 i386si;i386si;c:\windows\system32\drivers\i386si.sys [2007-03-06 30464]
S2 netsik;netsik;c:\windows\system32\drivers\netsik.sys [2009-03-26 30464]
S2 nicsk32;nicsk32;\??\c:\windows\system32\drivers\nicsk32.sys --> c:\windows\system32\drivers\nicsk32.sys [?]
S2 port135sik;port135sik;\??\c:\windows\system32\drivers\port135sik.sys --> c:\windows\system32\drivers\port135sik.sys [?]
S2 securentm;securentm;\??\c:\windows\system32\drivers\securentm.sys --> c:\windows\system32\drivers\securentm.sys [?]
S2 ws2_32sik;ws2_32sik;\??\c:\windows\system32\drivers\ws2_32sik.sys --> c:\windows\system32\drivers\ws2_32sik.sys [?]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\KS-959.sys [2007-05-22 19034]
S3 SER120;OTI Serial port driver;c:\windows\system32\drivers\ser120.sys [2007-05-21 32910]
S3 tcpip_patcher;tcpip_patcher;e:\program files\Ares\tcpip_patcher.sys [2005-10-25 15744]
S3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFTVFM\WFIOCTL.SYS --> c:\program files\WinFast\WFTVFM\WFIOCTL.SYS [?]
S3 ZSMC302;VIMICRO USB PC Camera;c:\windows\system32\drivers\usbVM31b.sys [2007-03-07 90568]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{370631e8-b15d-11dc-ad28-0014852995ed}]
\Shell\AutoRun\command - n1deiect.com
\Shell\explore\Command - n1deiect.com
\Shell\open\Command - n1deiect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8bf0ade-b661-11dd-b638-0014852995ed}]
\Shell\Auto\command - Cn911.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e19ec8dc-d5a3-11dc-ada3-0014852995ed}]
\Shell\Auto\command - Cn911.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe
.
Zawartość folderu 'Zaplanowane zadania'

2009-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-27 c:\windows\Tasks\RegCure Program Check.job
- e:\program files\RegCure\RegCure.exe [2009-03-12 20:44]

2009-03-14 c:\windows\Tasks\RegCure.job
- e:\program files\RegCure\RegCure.exe [2009-03-12 20:44]
.
- - - - USUNIĘTO PUSTE WPISY - - - -

URLSearchHooks-{F4F10C1D-87C7-404A-B4B3-000000000000} - (no file)
HKCU-Run-seba - c:\documents and settings\seba\seba.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-HPHUPD04 - c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe
MSConfigStartUp-seba - c:\documents and settings\seba\seba.exe
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
FF - ProfilePath - c:\documents and settings\seba\Dane aplikacji\Mozilla\Firefox\Profiles\nq2mwlvi.default\
FF - prefs.js: browser.startup.homepage - google.pl
FF - component: e:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: e:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 15:40:49
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-1214440339-854245398-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5e,43,81,0d,1f,e5,f4,d6,00,49,06,2b,4e,e3,67,0d,2f,61,9c,97,2e,c9,cb,
   0a,fe,ce,f2,62,32,27,6b,c4,29,11,e9,0a,66,2f,85,14,12,68,8e,d5,f0,fe,b5,07,\
"??"=hex:1b,a8,d3,4e,96,80,ad,da,ea,df,bf,53,ac,55,69,6f

[HKEY_USERS\S-1-5-21-1214440339-854245398-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:36,ca,c5,ba,e4,5f,e1,99,69,50,8b,bc,7d,08,f2,ad,5c,fb,b2,f5,b3,
   57,c5,3c,80,01,65,c4,17,9a,58,6d,4d,c2,64,78,a3,3b,09,e8,3d,63,d1,68,3a,df,\
"rkeysecu"=hex:1f,89,bb,05,f5,6b,28,c3,ed,2c,2b,2a,a4,86,e3,f2

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\WINDOWS\system32\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,db,56,af,86,d6,
   93,d7,69,c8,28,51,af,b0,29,a3,98,51,22,98,2c,9f,99,8d,54,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\WINDOWS\system32\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,92,40,fd,d1,4c,
   d2,6a,94,71,3b,04,66,8b,46,0d,96,d2,90,62,40,e8,9d,51,6e,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\WINDOWS\system32\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,bf,6e,59,4f,1f,
   69,e1,90,25,da,ec,7e,55,20,c9,26,c2,48,33,bd,40,68,e5,82,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\WINDOWS\system32\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,9d,8d,6e,d8,71,
   ad,da,66,3e,1e,9e,e0,57,5a,93,61,36,1b,d8,70,5c,85,c9,27,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\WINDOWS\system32\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,2b,d9,34,20,5a,
   15,d5,c7,cd,44,cd,b9,a6,33,6c,cd,e6,ed,53,fc,20,37,ab,66,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\WINDOWS\system32\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,59,87,1b,b4,c4,
   89,b0,59,b0,18,ed,a7,3f,8d,37,a4,94,d9,6a,a8,7f,de,45,1f,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\WINDOWS\system32\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,30,7f,5b,f9,a4,
   73,db,76,31,77,e1,ba,b1,f8,68,02,bf,91,ac,96,e0,dd,b6,8a,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\WINDOWS\system32\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,27,5d,f0,e9,4d,
   74,9c,36,83,6c,56,8b,a0,85,96,ab,42,02,48,9d,d1,a6,ce,46,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\WINDOWS\system32\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,91,80,62,12,2c,
   69,b0,a0,51,fa,6e,91,28,9e,14,cc,c7,d6,f9,1f,27,8e,9f,c1,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\WINDOWS\system32\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,49,93,d7,cd,da,
   25,30,20,b1,cd,45,5a,a8,c4,f8,b9,fc,cd,e0,51,09,00,4e,e0,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\WINDOWS\system32\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,b7,17,b7,6c,19,
   7d,e8,5a,e3,0e,66,d5,eb,bc,2f,6b,35,61,ac,0e,a3,26,6a,50,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\WINDOWS\system32\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,94,cc,ce,8e,fc,
   f6,69,2d,fa,ea,66,7f,d4,3b,6b,70,ab,dc,14,35,51,2c,48,0e,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ * !*\DirectSound\Device Presence]
"VxD"=dword:00000001
"WDM"=dword:00000001
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(1180)
c:\windows\system32\Ati2evxx.dll
.
Czas ukończenia: 2009-03-27 15:42:39
ComboFix-quarantined-files.txt 2009-03-27 14:42:26

Przed: 6,285,979,648 bajtów wolnych
Po: 6,315,118,592 bajtów wolnych

WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

380 --- E O F --- 2009-03-15 15:57:23