win32:JunkPoly[Cryp] i inne wirusy


(Adagme) #1

Witam mam zawirusowany komputer min. tym wirusem co w tytule. Dodatkowo problemy z odczytywaniem kart SD i mp3. Z forum korzystam po raz pierwszy. Perosze o pomoc


(huber2t) #2

Podaj log z Hijackthis

Podaj log z Combofix


(Adagme) #3

[ComboFix 08-05-21.3 - Administrator 2008-05-23 12:25:04.1 - FAT32 x86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.106 [GMT 2:00]

Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

C:\Program Files\myglobalsearch

C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.JAR

C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.MANIFEST

C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.JAR

C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.MANIFEST

C:\Program Files\myglobalsearch\bar\1.bin\M9PLUGIN.DLL

C:\Program Files\myglobalsearch\bar\1.bin\MGSBAR.DLL

C:\Program Files\myglobalsearch\bar\1.bin\NPMYGLSH.DLL

C:\Program Files\myglobalsearch\bar\Cache\00017F8B

C:\Program Files\myglobalsearch\bar\Cache\006B7D26.bin

C:\Program Files\myglobalsearch\bar\Cache\006B897A.bin

C:\Program Files\myglobalsearch\bar\Cache\006B9179.bin

C:\Program Files\myglobalsearch\bar\Cache\files.ini

C:\Program Files\myglobalsearch\bar\History\search

C:\Program Files\myglobalsearch\bar\Settings\prevcfg.htm

C:\WINDOWS\hosts

C:\WINDOWS\system32\lcss.exe

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_JQVM465HMYGEBKPP6

-------\Service_jqvm465hmygebkpp6

((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))

.

2008-05-23 12:22 . 2008-05-23 12:22 18,020 --a------ C:\WINDOWS\system\chin.exe

2008-05-23 12:22 . 2008-05-23 12:22 11,224 --a------ C:\WINDOWS\system\del.exe

2008-05-23 12:22 . 2008-05-23 12:22 10,258 --a------ C:\delextra.exe

2008-05-22 23:05 . 2008-05-23 12:22 20,714 --a------ C:\gm.exe

2008-05-19 00:39 . 2008-05-19 00:39

2008-05-19 00:39 . 2008-05-19 00:39

2008-05-19 00:39 . 2008-05-19 00:39

2008-05-19 00:39 . 2008-05-19 00:39

2008-05-19 00:39 . 2008-05-19 00:39

2008-05-18 16:59 . 2008-05-23 12:22 7,680 --a------ C:\WINDOWS\system\delnew.exe

2008-05-18 15:41 . 2008-05-18 15:41

2008-05-12 08:10 . 2008-05-12 08:10 29,696 --a------ C:\winhost.exe

2008-05-06 11:05 . 2008-05-06 11:05

2008-04-29 18:45 . 2008-04-29 18:46

2008-04-24 21:54 . 2008-04-24 21:54 21,142 --a------ C:\WINDOWS\system32\gaygp.exe

2008-04-24 20:20 . 2008-04-24 20:20 21,142 --a------ C:\WINDOWS\system32\rdnqxcw.exe

2008-04-24 20:15 . 2008-05-09 21:18 19,931 --a------ C:\WINDOWS\system32\drivers\hosts

2008-04-24 17:33 . 2008-04-24 17:33 21,142 --a------ C:\WINDOWS\system32\qqwjsbyt.exe

2008-04-24 07:09 . 2008-04-24 07:09 11,764 --a------ C:\WINDOWS\system32\cvicgtlb.exe

2008-04-23 19:15 . 2008-04-23 19:15

2008-04-23 18:33 . 2008-04-23 18:33 21,142 --a------ C:\WINDOWS\system32\bxoqorc.exe

2008-04-23 16:03 . 2008-04-23 16:03 21,142 --a------ C:\WINDOWS\system32\mejiyqsv.exe

2008-04-23 14:33 . 2008-04-23 14:33 21,142 --a------ C:\WINDOWS\system32\xnntq.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-02 08:50 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2008-02-24 07:36 21,361 ----a-w C:\WINDOWS\AegisP.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 11:54 2131392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 15:44 178712]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-19 11:08 135168]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-19 11:08 159744]

"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-19 11:07 131072]

"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 14:18 995328]

"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 14:13 1101824]

"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-20 16:16 37376]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]

"Device Detector"="DevDetect.exe" []

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40 155648]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 13:06 40048]

"Application Layer Gateway Service"="C:\WINDOWS\system32\algs.exe" [2007-06-13 14:23 29776]

"MSRegInfo"="C:\WINDOWS\pagefile.sys.vbs" []

"Winjava vil"="sys32.exe" []

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2007-12-07 02:58 124928 C:\WINDOWS\system32\advpack.dll]

"TSClientMSIUninstaller"="cmd.exe" [2007-08-19 15:20 422400 C:\WINDOWS\system32\cmd.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoDesktopCleanupWizard"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyDocs"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoStartMenuPinnedList"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"ForceStartMenuLogoff"= 0 (0x0)

"NoUserNameInStartMenu"= 1 (0x1)

"NoInstrumentation"= 1 (0x1)

"NoStartMenuMFUprogramsList"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoResolveSearch"= 1 (0x1)

"NoSimpleStartMenu"= 1 (0x1)

[HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyDocs"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoStartMenuPinnedList"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"StartMenuLogoff"= 1 (0x1)

"ForceStartMenuLogoff"= 0 (0x0)

"NoUserNameInStartMenu"= 1 (0x1)

"NoInstrumentation"= 1 (0x1)

"NoStartMenuMFUprogramsList"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoResolveSearch"= 1 (0x1)

"NoSimpleStartMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.l3fhg"= mp3fhg.acm

"msacm.divxa32"= divxa32.acm

"VIDC.X264"= x264vfw.dll

"VIDC.HFYU"= huffyuv.dll

"VIDC.YV12"= yv12vfw.dll

"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

"C:\WINDOWS\system32\algs.exe"=

"c:\winhost.exe"= C:\winhost.exe

"C:\Program Files\Skype\Phone\Skype.exe"=

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 15:00]

R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 16:01]

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]

R3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]

R3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]

R3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]

S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2005-10-10 11:50]

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{4e7bca09-02f0-11dd-ab5c-0018de764a91}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{8fbc2a20-e3ed-11dc-ab07-0018de764a91}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-23 12:28:59

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\o2flash.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\setup\avast.setup

.

**************************************************************************

.

Completion time: 2008-05-23 12:30:15 - machine was rebooted [Administrator]

ComboFix-quarantined-files.txt 2008-05-23 10:30:04

Pre-Run: 13,663,731,712 bajtów wolnych

Post-Run: 14,691,532,800 bajt˘w wolnych

192

]

[Logfile of HijackThis v1.99.1

Scan saved at 11:58:17, on 2008-05-23

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20733)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\system32\algs.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\WINDOWS\system32\lcss.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\o2flash.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Opera\Opera.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\Windows\Temp\Rar$EX00.172\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://poczta.onet.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ulubione

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

O4 - HKLM..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM..\Run: [skyTel] SkyTel.EXE

O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM..\Run: [Device Detector] DevDetect.exe -autorun

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM..\Run: [Application Layer Gateway Service] C:\WINDOWS\system32\algs.exe

O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM..\Run: [MSRegInfo] C:\WINDOWS\pagefile.sys.vbs

O4 - HKLM..\Run: [Winjava vil] sys32.exe

O4 - HKCU..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 3843413031

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3843474015

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab

O17 - HKLM\System\CCS\Services\Tcpip..{30A29310-8741-4B30-A703-4D66B115F957}: NameServer = 213.25.186.11

O17 - HKLM\System\CCS\Services\Tcpip..{E2C4BAFE-AF80-4DA4-B9C2-D7BA15759D10}: NameServer = 212.2.96.51 212.2.96.52

O17 - HKLM\System\CCS\Services\Tcpip..{EAAD65A5-53C2-4CFC-B3A5-78CD9ADB4788}: NameServer = 213.25.186.11

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: jqvm465hmygebkpp6 - Unknown owner - C:\WINDOWS\system32\lcss.exe

O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

]


(huber2t) #4

fix w hijackthis

Pobierz ComboFix, ale nie uruchamiaj

Wklej do notatnika:

File::

C:\WINDOWS\system32\algs.exe

C:\WINDOWS\pagefile.sys.vbs

C:\WINDOWS\system\chin.exe

C:\WINDOWS\system\del.exe

C:\delextra.exe

C:\gm.exe

C:\winhost.exe

C:\WINDOWS\system32\gaygp.exe

C:\WINDOWS\system32\rdnqxcw.exe

C:\WINDOWS\system32\drivers\hosts

C:\WINDOWS\system32\qqwjsbyt.exe

C:\WINDOWS\system32\cvicgtlb.exe

C:\WINDOWS\system32\bxoqorc.exe

C:\WINDOWS\system32\mejiyqsv.exe

C:\WINDOWS\system32\xnntq.exe


Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WinampAgent"=-

"Device Detector"=-

"NeroFilterCheck"=-

"Adobe Reader Speed Launcher"=-

"Application Layer Gateway Service"=-

"MSRegInfo"=-

"Winjava vil"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

Plik -> zapisz jako -> CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu ->

02f8f1e3c410a4cc.gif

Rozpocznie się usuwanie i powstanie log, daj ten log na forum.


(Adagme) #5

[ComboFix 08-05-21.3 - Administrator 2008-05-23 13:01:01.2 - FAT32 x86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.94 [GMT 2:00]

Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\delextra.exe

C:\gm.exe

C:\WINDOWS\pagefile.sys.vbs

C:\WINDOWS\system\chin.exe

C:\WINDOWS\system\del.exe

C:\WINDOWS\system32\algs.exe

C:\WINDOWS\system32\bxoqorc.exe

C:\WINDOWS\system32\cvicgtlb.exe

C:\WINDOWS\system32\drivers\hosts

C:\WINDOWS\system32\gaygp.exe

C:\WINDOWS\system32\mejiyqsv.exe

C:\WINDOWS\system32\qqwjsbyt.exe

C:\WINDOWS\system32\rdnqxcw.exe

C:\WINDOWS\system32\xnntq.exe

C:\winhost.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\delextra.exe

C:\gm.exe

C:\WINDOWS\system\chin.exe

C:\WINDOWS\system\del.exe

C:\WINDOWS\system32\algs.exe

C:\WINDOWS\system32\bxoqorc.exe

C:\WINDOWS\system32\cvicgtlb.exe

C:\WINDOWS\system32\drivers\hosts

C:\WINDOWS\system32\gaygp.exe

C:\WINDOWS\system32\mejiyqsv.exe

C:\WINDOWS\system32\qqwjsbyt.exe

C:\WINDOWS\system32\rdnqxcw.exe

C:\WINDOWS\system32\xnntq.exe

C:\winhost.exe

.

((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))

.

2008-05-23 12:56 . 2007-12-24 08:56 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys

2008-05-23 12:55 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys

2008-05-19 00:39 . 2008-05-19 00:39

2008-05-19 00:39 . 2008-05-19 00:39

2008-05-19 00:39 . 2008-05-19 00:39

2008-05-19 00:39 . 2008-05-19 00:39

2008-05-19 00:39 . 2008-05-19 00:39

2008-05-18 16:59 . 2008-05-23 12:22 7,680 --a------ C:\WINDOWS\system\delnew.exe

2008-05-18 15:41 . 2008-05-18 15:41

2008-05-06 11:05 . 2008-05-06 11:05

2008-04-29 18:45 . 2008-04-29 18:46

2008-04-23 19:15 . 2008-04-23 19:15

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-02 08:50 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2008-02-24 07:36 21,361 ----a-w C:\WINDOWS\AegisP.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 11:54 2131392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 15:44 178712]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-19 11:08 135168]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-19 11:08 159744]

"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-19 11:07 131072]

"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 14:18 995328]

"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 14:13 1101824]

"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2007-12-07 02:58 124928 C:\WINDOWS\system32\advpack.dll]

"TSClientMSIUninstaller"="cmd.exe" [2007-08-19 15:20 422400 C:\WINDOWS\system32\cmd.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoDesktopCleanupWizard"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyDocs"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoStartMenuPinnedList"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"ForceStartMenuLogoff"= 0 (0x0)

"NoUserNameInStartMenu"= 1 (0x1)

"NoInstrumentation"= 1 (0x1)

"NoStartMenuMFUprogramsList"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoResolveSearch"= 1 (0x1)

"NoSimpleStartMenu"= 1 (0x1)

[HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyDocs"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoStartMenuPinnedList"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"StartMenuLogoff"= 1 (0x1)

"ForceStartMenuLogoff"= 0 (0x0)

"NoUserNameInStartMenu"= 1 (0x1)

"NoInstrumentation"= 1 (0x1)

"NoStartMenuMFUprogramsList"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoResolveSearch"= 1 (0x1)

"NoSimpleStartMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.l3fhg"= mp3fhg.acm

"msacm.divxa32"= divxa32.acm

"VIDC.X264"= x264vfw.dll

"VIDC.HFYU"= huffyuv.dll

"VIDC.YV12"= yv12vfw.dll

"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 15:00]

R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 16:01]

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]

R3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]

R3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]

R3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]

S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2005-10-10 11:50]

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-23 13:02:08

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-05-23 13:02:26

ComboFix-quarantined-files.txt 2008-05-23 11:02:24

ComboFix2.txt 2008-05-23 10:30:18

Pre-Run: 14,700,347,392 bajtów wolnych

Post-Run: 14,690,353,152 bajtów wolnych

159

]


(huber2t) #6

Log wyglada na czysty

Usuń ręcznie folder C:\Qoobox ,usuń instalkę Combofix z dysku

Przeczyść komputer Ccleanerem

Wykonaj optymalizację autostartu

Wyłącz przywracanie systemu na wszystkich dyskach. Instrukcja

Przeskanuj obszar mojego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum

Włącz przywracanie systemu.

Logi dajesz na http://www.wklej.org


(Adagme) #7

mam problem ze zrobieniem skanu na kasperskym gdyż nie można przeskanowań całego dysku tylko poszczegolne pliki. Z pulpitu zniknął mi również kosz


(huber2t) #8

Przeskanuj komputer programem ArcaMicroscan, usuń wirusy


(Adagme) #9

ArcaMicroScan - Raport ze skanowania [2008.05.23 16:46:36]

Data bazy wirusów : 2008.05.23 01:48:31

[skanowanie : C:]

C:\Recycled\Dc1\Quarantine\C\winhost.exe.vir <- Trojan.Pakes.Cvl : Kasowanie

C:\Recycled\Dc1\Quarantine\C\WINDOWS\system32\cvicgtlb.exe.vir <- Worm.Autorun.Dqq : Kasowanie

[skanowanie : D:]

Przeskanowanych obiektów : 34008

Zainfekowanych obiek

tów : 2

mp3 i karty sd już chodzą normalnie


(huber2t) #10

Pliki zainfekowane zostały usuniete, powinno byc ok

:slight_smile:


(Adagme) #11

:slight_smile: Bardzo się ciesze. Wielkie, wielkie dzięki.