ComboFix 09-06-25.01 - Administrator 2009-06-26 3:24.12 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2047.1776 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090522-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Kerio Personal Firewall *disabled* {A990EAA7-8941-4621-BC27-4F16261D3180}
.
((((((((((((((((((((((((( Files created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.
2009-06-24 21:54 . 2009-06-24 21:54 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-22 01:08 . 2009-06-22 01:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-22 00:17 . 2009-06-22 00:17 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\3B32C
2009-06-22 00:16 . 2009-06-22 00:16 -------- d-----w- c:\program files\Lphant Applications
2009-06-19 21:13 . 2009-06-19 21:13 -------- d-----w- c:\program files\ASPack
2009-06-19 21:09 . 2009-06-21 18:54 -------- d-----w- c:\program files\MoleBoxPro
2009-06-19 15:07 . 2009-06-19 15:07 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\OpenFM
2009-06-18 02:41 . 2009-06-18 02:53 -------- d-----w- c:\program files\CamStudio
2009-06-18 02:36 . 2009-06-18 02:35 30208 ----a-w- c:\windows\system32\cpap.exe
2009-06-18 02:28 . 2009-06-18 02:37 -------- d---a-w- c:\documents and settings\All Users\Dane aplikacji\TEMP
2009-06-18 02:28 . 2009-06-18 02:37 -------- d-----w- C:\Fraps
2009-06-18 02:23 . 2009-06-18 02:23 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\TechSmith
2009-06-18 02:23 . 2009-06-18 02:23 -------- d-----w- c:\program files\TechSmith
2009-06-18 02:23 . 2009-06-18 02:23 -------- d-----w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\TechSmith
2009-06-17 23:18 . 2009-06-17 23:18 -------- d-----w- c:\program files\Restorator 2007
2009-06-17 23:18 . 2007-07-29 13:53 117248 ----a-w- c:\windows\system32\RestoratorContextMenu.dll
2009-06-17 23:13 . 2009-06-17 23:13 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Softplicity
2009-06-17 23:13 . 2009-06-17 23:13 -------- d-----w- c:\program files\TotalImageConverter
2009-06-17 21:23 . 2003-03-29 14:45 89184 ----a-w- c:\windows\system32\drivers\imagedrv.sys
2009-06-17 21:23 . 2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2009-06-17 21:23 . 2001-07-06 16:24 283920 ----a-w- c:\windows\system32\ImagXpr5.dll
2009-06-17 21:23 . 2001-07-06 12:41 569344 ----a-w- c:\windows\system32\imagr5.dll
2009-06-17 21:23 . 2001-07-06 10:44 544768 ----a-w- c:\windows\system32\imagx5.dll
2009-06-17 21:23 . 2001-06-26 06:15 38912 ----a-w- c:\windows\system32\picn20.dll
2009-06-15 00:26 . 2009-06-15 00:33 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Dev-Cpp
2009-06-15 00:26 . 2009-06-15 00:26 -------- d-----w- C:\Dev-Cpp
2009-06-14 17:46 . 2009-06-14 19:18 164880 ---ha-w- c:\documents and settings\Administrator\Dane aplikacji\Microsoft\Virtual PC\VPCKeyboard.dll
2009-06-14 17:41 . 2009-06-14 17:41 -------- d-----w- c:\program files\Microsoft Virtual PC
2009-06-13 22:21 . 2009-06-13 22:21 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-13 21:29 . 2009-06-13 21:52 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Morpheus PRO
2009-06-13 21:27 . 2009-06-13 21:27 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\1B242
2009-06-13 21:27 . 2009-06-22 00:23 -------- d-----w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\Lphant
2009-06-13 21:24 . 2009-06-22 00:24 -------- d-----w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\Ares
2009-06-13 21:18 . 2009-06-13 22:20 -------- d-----w- c:\program files\Common Files\Common Share
2009-06-13 21:18 . 2009-06-13 21:18 -------- d-----w- c:\program files\OJOsoft
2009-06-13 21:03 . 2009-06-13 21:03 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Ahead
2009-06-13 21:03 . 2009-06-17 21:23 -------- d-----w- c:\program files\Common Files\Ahead
2009-06-13 21:03 . 2009-06-17 21:23 -------- d-----w- c:\program files\Ahead
2009-06-13 20:21 . 2009-06-13 22:20 -------- d-----w- C:\LetsFun FLV Converter
2009-06-13 19:58 . 2009-06-13 19:58 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\F157
2009-06-13 19:57 . 2009-06-13 22:20 -------- d-----w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\iMesh
2009-06-13 19:28 . 2009-06-13 19:28 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\87D
2009-06-13 19:23 . 2009-06-13 22:20 -------- d-----w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\BearShare
2009-06-13 19:13 . 2009-06-13 22:21 -------- d-----w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\DC++
2009-06-13 19:13 . 2009-06-13 19:19 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\DC++
2009-06-07 14:48 . 2009-06-07 16:25 -------- d-----w- c:\program files\WinID
2009-06-06 20:35 . 2001-11-29 06:50 28672 ----a-w- c:\windows\system32\ibxml.dll
2009-06-06 20:35 . 2001-11-29 06:50 376832 ----a-w- c:\windows\system32\gds32.dll
2009-06-06 20:35 . 2001-11-29 06:50 177152 ----a-w- c:\windows\system32\ibinstall.dll
2009-06-06 15:41 . 2009-06-06 15:41 -------- d-----w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\xc341db93fc3c3195
2009-06-06 15:32 . 2009-06-06 15:32 -------- d-----w- c:\program files\ISO Creator
2009-06-06 15:32 . 2009-06-06 15:32 -------- d-----w- c:\windows\ISO Creator
2009-06-06 15:32 . 2009-06-06 15:32 -------- d-----w- c:\program files\isocreator
2009-06-06 15:32 . 2009-06-06 15:32 916994 ----a-w- c:\program files\isocreator.zip
2009-06-06 14:36 . 2009-06-14 17:27 -------- d-----w- c:\documents and settings\Administrator\.VirtualBox
2009-06-06 14:34 . 2009-05-29 18:13 100944 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2009-06-06 14:34 . 2009-05-29 18:13 79888 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2009-06-06 14:34 . 2009-05-29 18:13 41424 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2009-06-06 14:34 . 2009-06-06 14:34 -------- d-----w- c:\program files\Sun
2009-06-01 21:11 . 2009-06-19 21:11 -------- d-sh--w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\.#
2009-05-31 18:56 . 2009-02-06 17:33 180224 ----a-w- c:\windows\system32\cnvshell.dll
2009-05-31 18:56 . 2009-05-31 18:56 -------- d-----w- c:\program files\ImageConverter Plus
2009-05-30 14:48 . 2009-05-30 14:48 -------- d-----w- c:\windows\ShellNew
2009-05-30 14:48 . 2009-05-31 17:19 -------- d-----w- c:\program files\AutoIt3
2009-05-29 18:12 . 2009-05-29 18:12 133648 ----a-w- c:\windows\system32\VBoxNetFltNotify.dll
2009-05-29 18:12 . 2009-05-29 18:12 87760 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 01:09 . 2009-04-18 17:18 -------- d-----w- c:\program files\DNA
2009-06-26 01:09 . 2009-04-18 17:18 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\DNA
2009-06-26 00:05 . 2009-03-18 12:06 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2009-06-25 22:09 . 2009-03-01 17:56 -------- d-----w- c:\program files\GameTribe
2009-06-23 01:01 . 2009-05-21 16:35 -------- d-----w- c:\program files\Webzen
2009-06-22 14:52 . 2009-02-19 11:33 24968 ----a-w- c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-06-18 02:22 . 2009-02-19 11:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-14 17:42 . 2001-10-26 22:15 91720 ----a-w- c:\windows\system32\perfc015.dat
2009-06-14 17:42 . 2001-10-26 22:15 509790 ----a-w- c:\windows\system32\perfh015.dat
2009-06-13 22:21 . 2009-02-20 12:47 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Nowe Gadu-Gadu
2009-06-13 22:20 . 2009-04-01 11:48 -------- d-----w- c:\program files\BurnAware Free
2009-06-13 22:20 . 2009-02-19 11:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-13 22:03 . 2009-02-19 11:33 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-13 22:01 . 2009-02-22 23:50 -------- d-----w- c:\program files\Image-Line
2009-06-06 20:45 . 2009-02-24 21:57 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\uTorrent
2009-05-31 20:53 . 2009-03-08 14:08 33824 ----a-w- c:\windows\system32\drivers\oreans32.sys
2009-05-30 15:07 . 2009-04-11 15:29 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Microsoft Help
2009-05-23 17:36 . 2009-05-23 17:35 -------- d-----w- c:\program files\Audio CD Maker
2009-05-23 08:57 . 2009-03-01 18:59 -------- d-----w- c:\program files\Cheat Engine
2009-05-21 09:48 . 2009-05-01 16:10 323584 ----a-w- c:\windows\system32\CMStarterCore.exe
2009-05-21 09:48 . 2009-05-01 16:10 49152 ----a-w- c:\windows\system32\CMStarter_Kor.dll
2009-05-21 09:48 . 2009-05-01 16:10 49152 ----a-w- c:\windows\system32\CMStarter_Eng.dll
2009-05-20 04:52 . 2009-02-20 13:21 -------- d-----w- c:\program files\CCleaner
2009-05-17 13:35 . 2009-05-17 13:35 3584 ----a-w- c:\windows\EAddress.dll
2009-05-16 10:22 . 2009-05-16 10:22 -------- d-----w- c:\program files\Nowe Gadu-Gadu
2009-05-15 21:56 . 2009-05-15 21:56 165 ----a-w- c:\windows\system32\drivers\fwdrv.err
2009-05-15 15:28 . 2009-05-15 15:28 28736 ----a-w- c:\windows\php_zlib_filter.dll
2009-05-15 14:41 . 2009-05-15 14:44 274489 ----a-w- c:\windows\ntwdblib.dll
2009-05-15 14:41 . 2009-05-14 18:56 274489 ----a-w- c:\windows\system32\ntwdblib.dll
2009-05-15 14:16 . 2009-03-14 15:52 -------- d-----w- c:\program files\Nokia
2009-05-15 14:15 . 2009-05-09 16:51 -------- d-----w- c:\program files\Magic Music Studio Pro
2009-05-15 14:15 . 2009-02-22 23:51 -------- d-----w- c:\program files\VstPlugins
2009-05-14 20:10 . 2009-04-01 20:41 -------- d-----w- c:\program files\Microsoft SQL Server
2009-05-14 15:02 . 2009-05-14 11:56 2130 ----a-w- C:\sitelog1405.dat
2009-05-14 11:55 . 2009-05-14 11:55 0 ----a-w- C:\kom1.dat
2009-05-13 23:20 . 2009-05-13 23:20 18718 ----a-r- c:\documents and settings\Administrator\Dane aplikacji\Microsoft\Installer\{A990EAA7-8941-4621-BC27-4F16261D3180}\NewShortcut3_8315396A5EA1419DBEC4978284BDF556.exe
2009-05-13 23:20 . 2009-05-13 23:20 18718 ----a-r- c:\documents and settings\Administrator\Dane aplikacji\Microsoft\Installer\{A990EAA7-8941-4621-BC27-4F16261D3180}\NewShortcut2_8315396A5EA1419DBEC4978284BDF556.exe
2009-05-13 23:20 . 2009-05-13 23:20 18718 ----a-r- c:\documents and settings\Administrator\Dane aplikacji\Microsoft\Installer\{A990EAA7-8941-4621-BC27-4F16261D3180}\ARPPRODUCTICON.exe
2009-05-13 23:20 . 2009-05-13 23:20 -------- d-----w- c:\program files\Sunbelt Software
2009-05-13 22:30 . 2009-03-17 03:02 -------- d-----w- c:\program files\Gamers First
2009-05-13 19:33 . 2009-05-13 19:33 -------- d-----w- c:\program files\febooti fileTweak Hex Editor
2009-05-10 18:53 . 2009-05-10 18:52 -------- d-----w- c:\documents and settings\jean\Dane aplikacji\Nowe Gadu-Gadu
2009-05-10 00:08 . 2009-05-10 00:08 -------- d-----w- c:\program files\Wisdom-soft ScreenHunter 5 Pro
2009-05-03 17:57 . 2009-05-03 11:50 -------- d-----w- c:\program files\Vidalia Bundle
2009-05-03 11:01 . 2009-05-03 10:49 -------- d-----w- c:\program files\Simple Port Forwarding
2009-04-20 02:05 . 2009-02-20 14:52 22328 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\PnkBstrK.sys
2009-04-20 02:05 . 2009-02-20 14:52 22328 ----a-w- c:\documents and settings\Administrator\Dane aplikacji\PnkBstrK.sys
2009-04-11 15:59 . 2009-04-11 15:59 22160 ----a-w- c:\documents and settings\Programming\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-04-11 15:33 . 2009-04-11 15:33 112640 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2009-04-11 15:33 . 2009-04-11 15:33 416 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Microsoft\MSDN\9.0\1033\ResourceCache.dll
.
------- Sigcheck -------
.
[-] 2008-04-15 00:51 17408 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\svchost.exe
[-] 2008-04-15 00:51 512000 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\winlogon.exe
[-] 2008-04-15 00:51 1037824 D41D8CD98F00B204E9800998ECF8427E c:\windows\explorer.exe
[-] 2008-04-15 00:51 111104 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\services.exe
[-] 2008-04-15 00:51 14848 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\lsass.exe
[-] 2008-04-15 00:51 58880 36B41CCBEA186848BCEE4FBFF06AC293 c:\windows\system32\spoolsv.exe
[-] 2008-05-21 18:02 1571840 496E32CE596F02E9098A673865979B96 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-06-22_00.00.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-24 21:54 . 2008-04-15 00:51 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-24 21:54 . 2008-04-15 00:51 26624 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-24 21:54 . 2008-04-15 00:50 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-24 21:54 . 2008-04-14 23:50 24960 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-24 21:54 . 2008-04-14 02:23 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-24 21:54 . 2008-04-15 00:51 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-03-01 14:18 . 2009-06-25 14:35 16384 c:\windows\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
- 2009-03-01 14:18 . 2009-06-21 15:46 16384 c:\windows\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
- 2009-03-01 14:18 . 2009-06-21 15:46 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-01 14:18 . 2009-06-25 14:35 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-19 12:23 . 2009-06-22 21:31 128504 c:\windows\system32\FNTCACHE.DAT
+ 2009-06-24 21:54 . 2008-04-15 00:51 112128 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-24 21:54 . 2008-04-15 00:50 668672 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-24 21:54 . 2008-04-15 00:50 580096 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-24 21:54 . 2008-04-15 00:50 296448 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-24 21:54 . 2008-04-14 02:50 361344 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-24 21:54 . 2008-04-14 02:50 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-24 21:54 . 2008-04-15 00:50 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-24 21:54 . 2008-04-15 00:50 172032 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-24 21:54 . 2008-04-14 23:59 2146816 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-24 21:54 . 2008-04-15 01:09 2025472 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-24 21:54 . 2008-04-15 00:50 1018368 c:\windows\system32\dllcache\cache\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-04-18 342848]
"Nowe Gadu-Gadu"="c:\program files\Nowe Gadu-Gadu\gg.exe" [2009-04-20 9818728]
"MSMSGS"="c:\program files\Messenger\Msmsgs.exe" [2008-06-02 1660952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"cpap"="c:\windows\system32\cpap.exe" [2009-06-18 30208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-04-15 100864]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2009-5-16 69632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"tCWkeXhwQehm"= {AECCE28A-0466-4820-14B2-E934A0FC7417} - c:\windows\system32\bfff.dll [2008-04-15 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\c:^documents and settings^all users^menu start^programy^autostart^adobe gamma loader.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Nowe Gadu-Gadu\gg.exe"=
"c:\Program Files\Java\jre6\bin\java.exe"=
"c:\Documents and Settings\Administrator\Pulpit\WildProxy_1.1\WildProxy_1.1\binary\wildproxy.exe"=
"c:\Program Files\BitTorrent\btdownloadgui.exe"=
"c:\Program Files\uTorrent\uTorrent.exe"=
"c:\Program Files\Garena\Garena.exe"=
"c:\Documents and Settings\Administrator\Pulpit\MobStacker\MobStacker.exe"=
""= c:\wxjnssm.exe
"c:\Program Files\Messenger\msmsgs.exe"=
"c:\Program Files\DNA\btdna.exe"=
"c:\WINDOWS\system32\cpap.exe"=

R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2005-12-15 274432]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-05-29 87760]
S1 4487ab5a;4487ab5a;c:\windows\system32\drivers\4487ab5a.sys [2009-03-14 0]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-05-15 114768]
S1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2005-12-15 81920]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-06-06 100944]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-06-06 41424]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-05-15 20560]
S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\hkmsfi.sys --> c:\windows\system32\drivers\hkmsfi.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\ADMINI~1\USTAWI~1\Temp\QGR11.tmp --> c:\docume~1\ADMINI~1\USTAWI~1\Temp\QGR11.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-06-06 79888]
S3 XDva224;XDva224;\??\c:\windows\system32\XDva224.sys --> c:\windows\system32\XDva224.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
OaXeyc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.pl/
uInternet Settings,ProxyServer = 217.169.182.206:8080
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-26 03:30
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\ADMINI~1\USTAWI~1\Temp\QGR11.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1214440339-725345543-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{17AABA02-DB54-1380-F8BD-07CB21E10D2B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abfgnmeobiaadanbfifalneafpmpdafnla"=hex:61,61,00,00
"bbfgnmeobiaadanbfimbchlolpfnhijfbckj"=hex:61,61,00,00

[HKEY_USERS\S-1-5-21-1214440339-725345543-682003330-500\Software\SecuROM\License information*]
"datasecu"=hex:3e,59,b4,86,e9,4c,47,e3,a7,bc,27,3a,be,d9,e1,03,7e,8b,d6,43,13,
   e5,c2,02,79,3f,ab,f9,59,13,5d,be,7b,ea,5d,28,b3,b4,bb,d4,11,6e,8b,d9,43,2d,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb

[HKEY_USERS\S-1-5-21-1214440339-725345543-682003330-500_Classes\CLSID\{CF614386-2529-7040-AEC6-82A7191EF47E}\InprocServer32]
@Denied: (A 4) (Everyone)

[HKEY_USERS\S-1-5-21-1214440339-725345543-682003330-500_Classes\CLSID\{CF614386-2529-7040-AEC6-82A7191EF47E}\InprocServer32\Misc]
"95430919"=hex:54,ba,39,3f,f6,d4,8d,8a,a8,a9,98,fd,cc,fd,a0,34,8a,b7,9b,c1,73,
   6b,c9,c5,41,53,31,a2,e2,e8,dd,9a,09,65,11,68,a0,ba,02,98,a1,f0,9c,5a,c6,35,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1736)
c:\windows\system32\msi.dll
.
Completion time: 2009-06-26  3:32
ComboFix-quarantined-files.txt  2009-06-26 01:31
ComboFix2.txt  2009-06-24 21:55
ComboFix3.txt  2009-06-22 01:04
ComboFix4.txt  2009-06-22 00:03
ComboFix5.txt  2009-06-26 01:23

Pre-Run: 2,280,341,504 bytes free
Post-Run: 2,279,215,104 bytes free
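A small triage script for the three sections of this log a responder reads first (the file-creation entries, the Sigcheck block and the Run keys). This is an added example, not ComboFix output or code from the poster; the sample lines embedded in it are copied from the log above, while the 14-day window, the system32 root and the one-hour "freshly written" threshold are assumptions. One fact it relies on: D41D8CD98F00B204E9800998ECF8427E is the MD5 of zero bytes, so a Sigcheck line that prints it for a 17408-byte svchost.exe records that the hasher got no data back, not that the file was verified.

```python
"""Triage helpers for a ComboFix log (added example, not ComboFix code)."""
import hashlib
import re
from datetime import datetime, timedelta

# MD5 of zero bytes.  A Sigcheck line carrying this digest for a non-empty
# file means nothing was read (read failed or the file was hidden from the
# scanner); it is not evidence of a clean Microsoft binary.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d"
# "2009-06-18 02:36 . 2009-06-18 02:35 30208 ----a-w- c:\windows\system32\cpap.exe"
FILE_RE = re.compile(
    rf"^(?P<ctime>{TS}) \. (?P<mtime>{TS})\s+(?P<size>\d+|-+)\s+"
    r"(?P<attr>[A-Za-z-]{8})\s+(?P<path>.+?)\s*$"
)
# "[-] 2008-04-15 00:51 17408 <md5> c:\windows\system32\svchost.exe"
SIG_RE = re.compile(
    rf"^\[(?P<flag>[^\]]+)\]\s+(?P<mtime>{TS})\s+(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+?)\s*$"
)
# '"cpap"="c:\windows\system32\cpap.exe" [2009-06-18 30208]'
RUN_RE = re.compile(
    r'^"(?P<name>[^"]*)"="(?P<path>[^"]+)"\s+\[(?P<date>\d{4}-\d\d-\d\d)\s+(?P<size>\d+)\]\s*$'
)


def _matches(regex, text):
    return [m.groupdict() for m in (regex.match(l.strip()) for l in text.splitlines()) if m]


def parse_file_entries(text):
    """'Files Created' / 'Find3M' lines -> dicts with datetime fields."""
    entries = _matches(FILE_RE, text)
    for e in entries:
        e["is_dir"] = e["attr"].startswith("d")
        e["ctime"] = datetime.strptime(e["ctime"], "%Y-%m-%d %H:%M")
        e["mtime"] = datetime.strptime(e["mtime"], "%Y-%m-%d %H:%M")
    return entries


def parse_sigcheck(text):
    return _matches(SIG_RE, text)


def parse_run_entries(text):
    return _matches(RUN_RE, text)


def flag_sigcheck(entries):
    """(path, reason) for every Sigcheck line ComboFix marked '[-]'."""
    out = []
    for e in entries:
        if e["flag"] != "-":
            continue
        if e["md5"].upper() == EMPTY_MD5:
            out.append((e["path"], "hashed zero bytes: file unreadable or hidden from the scanner"))
        else:
            out.append((e["path"], "hash did not match a known-good file"))
    return out


def recent_binaries(files, scan_time, days=14, roots=(r"c:\windows\system32",)):
    """exe/dll/sys under `roots` created within `days` before the scan.

    `fresh` is True when mtime is within an hour of ctime: the bytes were
    written on this machine rather than copied in by an installer that
    preserved an old timestamp (compare cpap.exe with NeroCheck.exe).
    """
    since = scan_time - timedelta(days=days)
    hits = []
    for f in files:
        p = f["path"].lower()
        if f["is_dir"] or not p.endswith((".exe", ".dll", ".sys")):
            continue
        if f["ctime"] >= since and any(p.startswith(r.lower()) for r in roots):
            hits.append(dict(f, fresh=abs(f["ctime"] - f["mtime"]) <= timedelta(hours=1)))
    return hits


def recent_autoruns(files, runs, scan_time, days=14):
    """Recently created binaries that a Run key also points at."""
    recent = {h["path"].lower() for h in recent_binaries(files, scan_time, days)}
    return sorted(f'{r["name"]} -> {r["path"]}' for r in runs if r["path"].lower() in recent)


# Constructed sample input: lines copied from the log above.
SAMPLE_FILES = r"""
2009-06-18 02:36 . 2009-06-18 02:35 30208 ----a-w- c:\windows\system32\cpap.exe
2009-06-18 02:41 . 2009-06-18 02:53 -------- d-----w- c:\program files\CamStudio
2009-06-17 21:23 . 2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2009-06-06 14:34 . 2009-05-29 18:13 100944 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
"""
SAMPLE_SIGCHECK = r"""
[-] 2008-04-15 00:51 17408 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\svchost.exe
[-] 2008-04-15 00:51 14848 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\lsass.exe
[-] 2008-04-15 00:51 58880 36B41CCBEA186848BCEE4FBFF06AC293 c:\windows\system32\spoolsv.exe
"""
SAMPLE_RUN = r"""
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"cpap"="c:\windows\system32\cpap.exe" [2009-06-18 30208]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"""
SCAN_TIME = datetime(2009, 6, 26, 3, 24)  # from the log's header line

if __name__ == "__main__":
    files = parse_file_entries(SAMPLE_FILES)
    for h in recent_binaries(files, SCAN_TIME):
        print(f"recent {'fresh' if h['fresh'] else 'copied'}: {h['path']}")
    for path, why in flag_sigcheck(parse_sigcheck(SAMPLE_SIGCHECK)):
        print(f"sigcheck: {path}: {why}")
    for line in recent_autoruns(files, parse_run_entries(SAMPLE_RUN), SCAN_TIME):
        print("autorun of recent binary:", line)
```

On the sample lines this reports cpap.exe as a freshly written binary in system32 with a matching HKLM Run entry, NeroCheck.exe as a recently created but old-timestamped file (copied in by an installer) that also autoruns, and the empty-digest Sigcheck lines as "hashed zero bytes" rather than as verified system files. Run it over the full log text to cover every entry.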