Hi, my computer is infected, among other things with the virus named in the title. I also have problems reading SD cards and MP3 players. This is my first time using the forum. Please help.
[ComboFix 08-05-21.3 - Administrator 2008-05-23 12:25:04.1 - FAT32 x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.106 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.JAR
C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.MANIFEST
C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.JAR
C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.MANIFEST
C:\Program Files\myglobalsearch\bar\1.bin\M9PLUGIN.DLL
C:\Program Files\myglobalsearch\bar\1.bin\MGSBAR.DLL
C:\Program Files\myglobalsearch\bar\1.bin\NPMYGLSH.DLL
C:\Program Files\myglobalsearch\bar\Cache\00017F8B
C:\Program Files\myglobalsearch\bar\Cache\006B7D26.bin
C:\Program Files\myglobalsearch\bar\Cache\006B897A.bin
C:\Program Files\myglobalsearch\bar\Cache\006B9179.bin
C:\Program Files\myglobalsearch\bar\Cache\files.ini
C:\Program Files\myglobalsearch\bar\History\search
C:\Program Files\myglobalsearch\bar\Settings\prevcfg.htm
C:\WINDOWS\hosts
C:\WINDOWS\system32\lcss.exe
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_JQVM465HMYGEBKPP6
-------\Service_jqvm465hmygebkpp6
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.
2008-05-23 12:22 . 2008-05-23 12:22 18,020 --a------ C:\WINDOWS\system\chin.exe
2008-05-23 12:22 . 2008-05-23 12:22 11,224 --a------ C:\WINDOWS\system\del.exe
2008-05-23 12:22 . 2008-05-23 12:22 10,258 --a------ C:\delextra.exe
2008-05-22 23:05 . 2008-05-23 12:22 20,714 --a------ C:\gm.exe
2008-05-19 00:39 . 2008-05-19 00:39
2008-05-19 00:39 . 2008-05-19 00:39
2008-05-19 00:39 . 2008-05-19 00:39
2008-05-19 00:39 . 2008-05-19 00:39
2008-05-19 00:39 . 2008-05-19 00:39
2008-05-18 16:59 . 2008-05-23 12:22 7,680 --a------ C:\WINDOWS\system\delnew.exe
2008-05-18 15:41 . 2008-05-18 15:41
2008-05-12 08:10 . 2008-05-12 08:10 29,696 --a------ C:\winhost.exe
2008-05-06 11:05 . 2008-05-06 11:05
2008-04-29 18:45 . 2008-04-29 18:46
2008-04-24 21:54 . 2008-04-24 21:54 21,142 --a------ C:\WINDOWS\system32\gaygp.exe
2008-04-24 20:20 . 2008-04-24 20:20 21,142 --a------ C:\WINDOWS\system32\rdnqxcw.exe
2008-04-24 20:15 . 2008-05-09 21:18 19,931 --a------ C:\WINDOWS\system32\drivers\hosts
2008-04-24 17:33 . 2008-04-24 17:33 21,142 --a------ C:\WINDOWS\system32\qqwjsbyt.exe
2008-04-24 07:09 . 2008-04-24 07:09 11,764 --a------ C:\WINDOWS\system32\cvicgtlb.exe
2008-04-23 19:15 . 2008-04-23 19:15
2008-04-23 18:33 . 2008-04-23 18:33 21,142 --a------ C:\WINDOWS\system32\bxoqorc.exe
2008-04-23 16:03 . 2008-04-23 16:03 21,142 --a------ C:\WINDOWS\system32\mejiyqsv.exe
2008-04-23 14:33 . 2008-04-23 14:33 21,142 --a------ C:\WINDOWS\system32\xnntq.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 08:50 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2008-02-24 07:36 21,361 ----a-w C:\WINDOWS\AegisP.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-11-14 11:54 2131392]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“IAAnotif”=“C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe” [2007-10-03 15:44 178712]
“IgfxTray”=“C:\WINDOWS\system32\igfxtray.exe” [2007-12-19 11:08 135168]
“HotKeysCmds”=“C:\WINDOWS\system32\hkcmd.exe” [2007-12-19 11:08 159744]
“Persistence”=“C:\WINDOWS\system32\igfxpers.exe” [2007-12-19 11:07 131072]
“IntelZeroConfig”=“C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe” [2007-10-08 14:18 995328]
“IntelWireless”=“C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” [2007-10-08 14:13 1101824]
“SkyTel”=“SkyTel.EXE” [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
“WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2007-12-20 16:16 37376]
“RemoteControl”=“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [2004-11-02 20:24 32768]
“Device Detector”=“DevDetect.exe” []
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2006-01-12 15:40 155648]
“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-05-11 13:06 40048]
“Application Layer Gateway Service”=“C:\WINDOWS\system32\algs.exe” [2007-06-13 14:23 29776]
“MSRegInfo”=“C:\WINDOWS\pagefile.sys.vbs” []
“Winjava vil”=“sys32.exe” []
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
“nltide_3”=“advpack.dll” [2007-12-07 02:58 124928 C:\WINDOWS\system32\advpack.dll]
“TSClientMSIUninstaller”=“cmd.exe” [2007-08-19 15:20 422400 C:\WINDOWS\system32\cmd.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“DisableStatusMessages”= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
“NoDesktopCleanupWizard”= 1 (0x1)
“NoSMHelp”= 1 (0x1)
“NoWelcomeScreen”= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“ForceClassicControlPanel”= 1 (0x1)
“NoSMMyDocs”= 1 (0x1)
“NoSMMyPictures”= 1 (0x1)
“NoStartMenuPinnedList”= 1 (0x1)
“NoSMConfigurePrograms”= 1 (0x1)
“NoSMHelp”= 1 (0x1)
“ForceStartMenuLogoff”= 0 (0x0)
“NoUserNameInStartMenu”= 1 (0x1)
“NoInstrumentation”= 1 (0x1)
“NoStartMenuMFUprogramsList”= 1 (0x1)
“NoResolveTrack”= 1 (0x1)
“NoResolveSearch”= 1 (0x1)
“NoSimpleStartMenu”= 1 (0x1)
[HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer]
“ForceClassicControlPanel”= 1 (0x1)
“NoSMMyDocs”= 1 (0x1)
“NoSMMyPictures”= 1 (0x1)
“NoStartMenuPinnedList”= 1 (0x1)
“NoSMConfigurePrograms”= 1 (0x1)
“NoSMHelp”= 1 (0x1)
“StartMenuLogoff”= 1 (0x1)
“ForceStartMenuLogoff”= 0 (0x0)
“NoUserNameInStartMenu”= 1 (0x1)
“NoInstrumentation”= 1 (0x1)
“NoStartMenuMFUprogramsList”= 1 (0x1)
“NoResolveTrack”= 1 (0x1)
“NoResolveSearch”= 1 (0x1)
“NoSimpleStartMenu”= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“msacm.l3fhg”= mp3fhg.acm
“msacm.divxa32”= divxa32.acm
“VIDC.X264”= x264vfw.dll
“VIDC.HFYU”= huffyuv.dll
“VIDC.YV12”= yv12vfw.dll
“VIDC.ACDV”= ACDV.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“AntiVirusDisableNotify”=dword:00000001
“UpdatesDisableNotify”=dword:00000001
“AntiVirusOverride”=dword:00000001
“FirewallOverride”=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)
“DisableUnicastResponsesToMulticastBroadcast”= 0 (0x0)
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“%windir%\Network Diagnostic\xpnetdiag.exe”=
“C:\WINDOWS\system32\algs.exe”=
“c:\winhost.exe”= C:\winhost.exe
“C:\Program Files\Skype\Phone\Skype.exe”=
R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 15:00]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 16:01]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
R3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
R3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2005-10-10 11:50]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{4e7bca09-02f0-11dd-ab5c-0018de764a91}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{8fbc2a20-e3ed-11dc-ab07-0018de764a91}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 12:28:59
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
.
**************************************************************************
.
Completion time: 2008-05-23 12:30:15 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-05-23 10:30:04
Pre-Run: 13,663,731,712 bajtów wolnych
Post-Run: 14,691,532,800 bajtów wolnych
]
[Logfile of HijackThis v1.99.1
Scan saved at 11:58:17, on 2008-05-23
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\algs.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\lcss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Windows\Temp\Rar$EX00.172\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://poczta.onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ulubione
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O4 - HKLM…\Run: [iAAnotif] “C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe”
O4 - HKLM…\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM…\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM…\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM…\Run: [intelZeroConfig] “C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe”
O4 - HKLM…\Run: [intelWireless] “C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” /tf Intel PROSet/Wireless
O4 - HKLM…\Run: [skyTel] SkyTel.EXE
O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM…\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe”
O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”
O4 - HKLM…\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM…\Run: [Application Layer Gateway Service] C:\WINDOWS\system32\algs.exe
O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM…\Run: [MSRegInfo] C:\WINDOWS\pagefile.sys.vbs
O4 - HKLM…\Run: [Winjava vil] sys32.exe
O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray
O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [iNTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows … 3843413031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso … 3843474015
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip…{30A29310-8741-4B30-A703-4D66B115F957}: NameServer = 213.25.186.11
O17 - HKLM\System\CCS\Services\Tcpip…{E2C4BAFE-AF80-4DA4-B9C2-D7BA15759D10}: NameServer = 212.2.96.51 212.2.96.52
O17 - HKLM\System\CCS\Services\Tcpip…{EAAD65A5-53C2-4CFC-B3A5-78CD9ADB4788}: NameServer = 213.25.186.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: jqvm465hmygebkpp6 - Unknown owner - C:\WINDOWS\system32\lcss.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
]
Fix in HijackThis.
Download ComboFix, but do not run it.
Paste this into Notepad:
File::
C:\WINDOWS\system32\algs.exe
C:\WINDOWS\pagefile.sys.vbs
C:\WINDOWS\system\chin.exe
C:\WINDOWS\system\del.exe
C:\delextra.exe
C:\gm.exe
C:\winhost.exe
C:\WINDOWS\system32\gaygp.exe
C:\WINDOWS\system32\rdnqxcw.exe
C:\WINDOWS\system32\drivers\hosts
C:\WINDOWS\system32\qqwjsbyt.exe
C:\WINDOWS\system32\cvicgtlb.exe
C:\WINDOWS\system32\bxoqorc.exe
C:\WINDOWS\system32\mejiyqsv.exe
C:\WINDOWS\system32\xnntq.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"=-
"Device Detector"=-
"NeroFilterCheck"=-
"Adobe Reader Speed Launcher"=-
"Application Layer Gateway Service"=-
"MSRegInfo"=-
"Winjava vil"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
File -> Save as -> CFScript.txt (it is easiest if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon).
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like this ->
The removal will start and a log will be produced; post that log on the forum.
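As an added example (not code from this thread or from ComboFix), the following Python script applies the same reasoning the helper used on the ComboFix "Reg Loading Points" section: it flags Run entries that launch scripts or bare, unverified file names, Security Center override values, a disabled firewall, firewall exceptions for files outside Windows/Program Files, and per-drive AutoRun handlers under mountpoints2, then renders the result in the File::/Registry:: CFScript syntax. The sample log is a constructed excerpt modelled on the log above, and the heuristics and trusted-path list are my own assumptions, not rules ComboFix applies.

```python
import re

# Constructed excerpt of a ComboFix "Reg Loading Points" section, modelled on the log quoted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“IgfxTray”=“C:\WINDOWS\system32\igfxtray.exe” [2007-12-19 11:08 135168]
“MSRegInfo”=“C:\WINDOWS\pagefile.sys.vbs” []
“Winjava vil”=“sys32.exe” []
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“AntiVirusOverride”=dword:00000001
“FirewallOverride”=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“c:\winhost.exe”= C:\winhost.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{4e7bca09-02f0-11dd-ab5c-0018de764a91}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs
"""

SECTION_RE = re.compile(r'^\[([^\]]+)\]$')               # [HKEY_...\Run]
ENTRY_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')          # "Name"=value
RUN_VALUE_RE = re.compile(r'^"([^"]*)"\s*\[([^\]]*)\]')   # "path" [date size] or "path" []
TRUSTED_PREFIXES = ('%windir%', 'c:\\windows', 'c:\\program files')   # assumption for this demo

def triage(log_text):
    """Flag suspicious loading points and collect what a CFScript would remove (heuristics are assumptions)."""
    res = {'findings': [], 'files': [], 'reg_deletes': {}, 'key_deletes': set()}
    section = ''
    for raw in log_text.splitlines():
        line = raw.replace('“', '"').replace('”', '"').strip()   # undo the forum's quote rendering
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        low = section.lower()
        # Per-drive AutoRun handlers are how the worm re-launches itself from removable media.
        if 'mountpoints2' in low and line.lower().startswith('\\shell\\autorun\\command'):
            res['findings'].append(('autorun', section, line))
            res['key_deletes'].add(section.split('{')[0])   # the helper removed the whole parent key
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if low.endswith('\\run') and (vm := RUN_VALUE_RE.match(value)):
            path, meta = vm.group(1), vm.group(2).strip()
            reasons = [why for hit, why in (
                (path.lower().endswith(('.vbs', '.js', '.bat', '.cmd')), 'script run at logon'),
                (path.count('.') >= 2, 'double extension'),
                ('\\' not in path and not meta, 'bare file name, no file verified on disk')) if hit]
            if reasons:
                res['findings'].append(('run', name, '; '.join(reasons)))
                res['reg_deletes'].setdefault(section, []).append(name)
                if '\\' in path:
                    res['files'].append(path)
        elif low.endswith('security center'):
            if name.endswith(('Override', 'DisableNotify')) and value.endswith('1'):
                res['findings'].append(('security center', name, 'AV/firewall warnings suppressed'))
        elif low.endswith('standardprofile'):
            if name == 'EnableFirewall' and value.startswith('0'):
                res['findings'].append(('firewall', name, 'Windows Firewall disabled'))
        elif low.endswith('authorizedapplications\\list'):
            if not name.lower().startswith(TRUSTED_PREFIXES):
                res['findings'].append(('firewall exception', name, 'outside Windows/Program Files'))
                res['files'].append(name)
    return res

def build_cfscript(res):
    """Render the removal list in the File:: / Registry:: syntax used in the thread."""
    out = []
    if res['files']:
        out += ['File::'] + sorted(set(res['files']), key=str.lower)
    if res['reg_deletes'] or res['key_deletes']:
        out.append('Registry::')
        for key, names in res['reg_deletes'].items():
            out += [f'[{key}]'] + [f'"{n}"=-' for n in names]
        out += [f'[-{k}]' for k in sorted(res['key_deletes'])]
    return '\n'.join(out) + '\n'
```

Run `print(build_cfscript(triage(SAMPLE_LOG)))` to see the generated script; the benign IgfxTray entry is left alone while the two fake Run entries, the firewall exception for winhost.exe and the whole mountpoints2 key end up in the removal list.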
[ComboFix 08-05-21.3 - Administrator 2008-05-23 13:01:01.2 - FAT32 x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.94 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
FILE ::
C:\delextra.exe
C:\gm.exe
C:\WINDOWS\pagefile.sys.vbs
C:\WINDOWS\system\chin.exe
C:\WINDOWS\system\del.exe
C:\WINDOWS\system32\algs.exe
C:\WINDOWS\system32\bxoqorc.exe
C:\WINDOWS\system32\cvicgtlb.exe
C:\WINDOWS\system32\drivers\hosts
C:\WINDOWS\system32\gaygp.exe
C:\WINDOWS\system32\mejiyqsv.exe
C:\WINDOWS\system32\qqwjsbyt.exe
C:\WINDOWS\system32\rdnqxcw.exe
C:\WINDOWS\system32\xnntq.exe
C:\winhost.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\delextra.exe
C:\gm.exe
C:\WINDOWS\system\chin.exe
C:\WINDOWS\system\del.exe
C:\WINDOWS\system32\algs.exe
C:\WINDOWS\system32\bxoqorc.exe
C:\WINDOWS\system32\cvicgtlb.exe
C:\WINDOWS\system32\drivers\hosts
C:\WINDOWS\system32\gaygp.exe
C:\WINDOWS\system32\mejiyqsv.exe
C:\WINDOWS\system32\qqwjsbyt.exe
C:\WINDOWS\system32\rdnqxcw.exe
C:\WINDOWS\system32\xnntq.exe
C:\winhost.exe
.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.
2008-05-23 12:56 . 2007-12-24 08:56 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-05-23 12:55 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-05-19 00:39 . 2008-05-19 00:39
2008-05-19 00:39 . 2008-05-19 00:39
2008-05-19 00:39 . 2008-05-19 00:39
2008-05-19 00:39 . 2008-05-19 00:39
2008-05-19 00:39 . 2008-05-19 00:39
2008-05-18 16:59 . 2008-05-23 12:22 7,680 --a------ C:\WINDOWS\system\delnew.exe
2008-05-18 15:41 . 2008-05-18 15:41
2008-05-06 11:05 . 2008-05-06 11:05
2008-04-29 18:45 . 2008-04-29 18:46
2008-04-23 19:15 . 2008-04-23 19:15
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 08:50 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2008-02-24 07:36 21,361 ----a-w C:\WINDOWS\AegisP.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-11-14 11:54 2131392]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“IAAnotif”=“C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe” [2007-10-03 15:44 178712]
“IgfxTray”=“C:\WINDOWS\system32\igfxtray.exe” [2007-12-19 11:08 135168]
“HotKeysCmds”=“C:\WINDOWS\system32\hkcmd.exe” [2007-12-19 11:08 159744]
“Persistence”=“C:\WINDOWS\system32\igfxpers.exe” [2007-12-19 11:07 131072]
“IntelZeroConfig”=“C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe” [2007-10-08 14:18 995328]
“IntelWireless”=“C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” [2007-10-08 14:13 1101824]
“SkyTel”=“SkyTel.EXE” [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
“RemoteControl”=“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [2004-11-02 20:24 32768]
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
“nltide_3”=“advpack.dll” [2007-12-07 02:58 124928 C:\WINDOWS\system32\advpack.dll]
“TSClientMSIUninstaller”=“cmd.exe” [2007-08-19 15:20 422400 C:\WINDOWS\system32\cmd.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“DisableStatusMessages”= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
“NoDesktopCleanupWizard”= 1 (0x1)
“NoSMHelp”= 1 (0x1)
“NoWelcomeScreen”= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“ForceClassicControlPanel”= 1 (0x1)
“NoSMMyDocs”= 1 (0x1)
“NoSMMyPictures”= 1 (0x1)
“NoStartMenuPinnedList”= 1 (0x1)
“NoSMConfigurePrograms”= 1 (0x1)
“NoSMHelp”= 1 (0x1)
“ForceStartMenuLogoff”= 0 (0x0)
“NoUserNameInStartMenu”= 1 (0x1)
“NoInstrumentation”= 1 (0x1)
“NoStartMenuMFUprogramsList”= 1 (0x1)
“NoResolveTrack”= 1 (0x1)
“NoResolveSearch”= 1 (0x1)
“NoSimpleStartMenu”= 1 (0x1)
[HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer]
“ForceClassicControlPanel”= 1 (0x1)
“NoSMMyDocs”= 1 (0x1)
“NoSMMyPictures”= 1 (0x1)
“NoStartMenuPinnedList”= 1 (0x1)
“NoSMConfigurePrograms”= 1 (0x1)
“NoSMHelp”= 1 (0x1)
“StartMenuLogoff”= 1 (0x1)
“ForceStartMenuLogoff”= 0 (0x0)
“NoUserNameInStartMenu”= 1 (0x1)
“NoInstrumentation”= 1 (0x1)
“NoStartMenuMFUprogramsList”= 1 (0x1)
“NoResolveTrack”= 1 (0x1)
“NoResolveSearch”= 1 (0x1)
“NoSimpleStartMenu”= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“msacm.l3fhg”= mp3fhg.acm
“msacm.divxa32”= divxa32.acm
“VIDC.X264”= x264vfw.dll
“VIDC.HFYU”= huffyuv.dll
“VIDC.YV12”= yv12vfw.dll
“VIDC.ACDV”= ACDV.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“AntiVirusDisableNotify”=dword:00000001
“UpdatesDisableNotify”=dword:00000001
“AntiVirusOverride”=dword:00000001
“FirewallOverride”=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)
“DisableUnicastResponsesToMulticastBroadcast”= 0 (0x0)
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“%windir%\Network Diagnostic\xpnetdiag.exe”=
“C:\Program Files\Skype\Phone\Skype.exe”=
R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 15:00]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 16:01]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
R3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
R3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2005-10-10 11:50]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 13:02:08
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-23 13:02:26
ComboFix-quarantined-files.txt 2008-05-23 11:02:24
ComboFix2.txt 2008-05-23 10:30:18
Pre-Run: 14,700,347,392 bajtów wolnych
Post-Run: 14,690,353,152 bajtów wolnych
]
The log looks clean.
Manually delete the C:\Qoobox folder and delete the ComboFix installer from the disk.
Clean the computer with CCleaner.
Optimise the startup programs.
Turn off System Restore on all drives. Instructions
Scan the "My Computer" area with http://www.kaspersky.pl/virusscanner.html (run it through IE). Post its report on the forum.
Turn System Restore back on.
Post logs at http://www.wklej.org
I have a problem doing the Kaspersky scan, because it cannot scan the whole disk, only individual files. The Recycle Bin has also disappeared from my desktop.
ArcaMicroScan - Raport ze skanowania [2008.05.23 16:46:36]
Data bazy wirusów : 2008.05.23 01:48:31
[skanowanie : C:]
C:\Recycled\Dc1\Quarantine\C\winhost.exe.vir <- Trojan.Pakes.Cvl : Kasowanie
C:\Recycled\Dc1\Quarantine\C\WINDOWS\system32\cvicgtlb.exe.vir <- Worm.Autorun.Dqq : Kasowanie
[skanowanie : D:]
Przeskanowanych obiektów : 34008
Zainfekowanych obiektów : 2
The MP3 player and SD cards work normally again.
The infected files have been deleted, it should be OK now.
I'm very glad. Many, many thanks.