Virus named nmdfgds.ddl, please check the log


(Chudy 99) #1

I'm pasting the log from ComboFix

ComboFix 09-03-06.02 - Borrro 2009-03-07 21:24:14.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.3070.2606 [GMT 1:00]

Running from: C:\Documents and Settings\Borrro\Pulpit\ComboFix.exe

AV: avast! antivirus 4.8.1335 [VPS 090306-0] *On-access scanning disabled* (Updated)

.

((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\2.bat

C:\autorun.inf

C:\Documents and Settings\Borrro\Dane aplikacji\inst.exe

C:\WINDOWS\system32\nmdfgds0.dll

C:\WINDOWS\system32\nmdfgds1.dll

C:\WINDOWS\system32\olhrwef.exe

C:\WINDOWS\system32\Pncrt.dll

D:\2.bat

D:\Autorun.inf

H:\2.bat

H:\Autorun.inf

.

((((((((((((((((((((((((( Files created from 2009-02-07 to 2009-03-07 )))))))))))))))))))))))))))))))

.

2009-03-07 18:31 . 2009-03-07 18:31 108,446 -r-hs---- C:\i.com

2009-03-07 14:40 . 2009-03-05 09:11 109,434 -r-hs---- C:\dbrxubcw.com

2009-02-27 20:13 . 2009-02-27 20:13

2009-02-26 19:31 . 2009-03-05 20:53

2009-02-22 15:18 . 2009-02-22 15:18

2009-02-12 10:20 . 2009-02-12 10:20 1,374 --a------ C:\WINDOWS\imsins.BAK

2009-02-07 23:36 . 2009-02-17 18:08

.

(((((((((((((((((((((((((((((((((((((((( Find3M Section ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-07 20:29 --------- d-----w C:\Documents and Settings\Borrro\Dane aplikacji\Skype

2009-03-07 20:11 --------- d-----w C:\Documents and Settings\Borrro\Dane aplikacji\skypePM

2009-03-07 17:31 --------- d-----w C:\Documents and Settings\Borrro\Dane aplikacji\Vso

2009-03-06 20:33 --------- d-----w C:\Documents and Settings\Gosia\Dane aplikacji\Skype

2009-03-06 20:27 --------- d-----w C:\Program Files\Mozilla Thunderbird

2009-03-06 20:08 --------- d-----w C:\Documents and Settings\Gosia\Dane aplikacji\skypePM

2009-02-22 14:09 --------- d-----w C:\Program Files\FOTOJOKER

2009-02-21 19:06 --------- d-----w C:\Program Files\eMule

2009-02-07 23:46 --------- d-----w C:\Documents and Settings\Borrro\Dane aplikacji\GanymedeNet

2009-02-01 13:55 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys

2009-01-29 22:13 --------- d-----w C:\Program Files\VSO

2009-01-27 21:32 --------- d-----w C:\Program Files\Western Digital Technologies

2009-01-27 16:28 --------- d-----w C:\Program Files\SkanerOnline

2009-01-22 22:55 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\TuneUp Software

2009-01-21 13:07 --------- d-----w C:\Program Files\SopCast

2009-01-17 08:10 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\LogiShrd

2009-01-16 19:23 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf

2009-01-16 19:22 --------- d-----w C:\Program Files\Common Files\Logitech

2009-01-16 19:22 --------- d-----w C:\Program Files\Common Files\Logishrd

2009-01-16 19:21 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-02-28 18:08 47,360 ----a-w C:\Documents and Settings\Borrro\Dane aplikacji\pcouffin.sys

2008-02-26 21:14 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

.

((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries and legitimate default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-06 18:21 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 22:08 81000]

"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 13:48 1388544]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-10-07 13:33 13574144]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-10-07 13:33 86016]

"nwiz"="nwiz.exe" [2008-10-07 13:33 1630208 C:\WINDOWS\system32\nwiz.exe]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 03:12 76304 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-02-27 20:33:28 295606]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 02:42 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.MJPG"= Pvmjpg30.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\Bonjour\mDNSResponder.exe"=

"C:\Program Files\Pinnacle\Studio 11\programs\RM.exe"=

"C:\Program Files\Pinnacle\Studio 11\programs\Studio.exe"=

"C:\Program Files\Pinnacle\Studio 11\programs\PMSRegisterFile.exe"=

"C:\Program Files\Pinnacle\Studio 11\programs\umi.exe"=

"C:\WINDOWS\system32\LEXPPS.EXE"=

"C:\Program Files\eMule\emule.exe"=

"C:\Program Files\SopCast\adv\SopAdver.exe"=

"C:\Program Files\SopCast\SopCast.exe"=

"C:\Program Files\TVUPlayer\TVUPlayer.exe"=

"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"=

"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-04-02 22:25:56 114768]

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 12:03:18 169312]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\drivers\aswFsBlk.sys [2008-04-02 22:25:56 20560]

R3 V0260VID;Live! Cam Vista IM;C:\WINDOWS\system32\drivers\V0260Vid.sys [2008-07-22 18:10:00 162176]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2aac8e97-cdef-11dd-8d41-000cf196c483}]

\Shell\Auto\command - activexdebugger32.exe f

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f

\Shell\explore\Command - activexdebugger32.exe f

\Shell\open\Command - activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96778e5f-000c-11de-8df1-000cf196c483}]

\Shell\AutoRun\command - H:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afe7f0b0-0433-11de-8e05-000cf196c483}]

\Shell\AutoRun\command - G:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2009-01-30 C:\WINDOWS\Tasks\1-Click Maintenance.job

- C:\Program Files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 15:17]

.

- - - - EMPTY ENTRIES REMOVED - - - -

HKCU-Run-cdoosoft - C:\WINDOWS\system32\olhrwef.exe

HKCU-Run-AdobeBridge - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.finderg.com

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&ksport do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab

FF - ProfilePath - C:\Documents and Settings\Borrro\Dane aplikacji\Mozilla\Firefox\Profiles\kafu3omi.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl/

FF - plugin: C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: C:\Program Files\Mozilla Firefox\plugins\NPCARDS.dll

FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npganymedenet.dll

.


(Adax) #2

We put all logs on wklej.org. You should have posted the log in the Security and HijackThis Logs section.


(Chudy 99) #3

OK, I'm fixing it now

-- Added 09.03.2009 (Mon) 19:26 --

It's just that the Security and HijackThis Logs section is temporarily closed


(huber2t) #4

To clean the pendrive of viruses, use these programs

Paste into Notepad:

File::

C:\i.com

C:\dbrxubcw.com


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2aac8e97-cdef-11dd-8d41-000cf196c483}]

File -> Save As -> CFScript.txt.

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, as shown here ->

[image: cfscript10uc2.gif]

The removal will start and a log will be produced, which you post on the forum.

Post logs on http://wklej.org and put only the link in your post.
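The log in post #1 and the CFScript in post #4 together show the usual shape of an autorun worm: hidden, system-attribute .com and .bat droppers in every drive root (C:\i.com, C:\dbrxubcw.com, the deleted 2.bat files), an autorun.inf next to each of them, per-drive MountPoints2 shell handlers pointing at the dropper (activexdebugger32.exe, H:\USBNB.exe), a Run entry for a randomly named file in system32 (olhrwef.exe), the Security Center told to stop warning (AntiVirusOverride=1) and the resident scanner switched off. The Python script below is an added example, not part of this thread and not ComboFix's own code: it pulls those indicators out of ComboFix log lines and drafts the File::/Registry:: sections in the form huber2t used. The sample lines are copied from the posted log; the allow-list of benign AutoRun launchers (only the U3 LaunchU3.exe seen on G:), the "Run entry in system32" heuristic and every function name are assumptions of the example.

```python
"""Triage a ComboFix log for autorun-worm indicators and draft a CFScript.
Added example for this thread, not ComboFix's code; indicator rules, the
allow-list of benign AutoRun launchers and all names are assumptions."""
import re

# Constructed sample: lines copied from the ComboFix log in post #1.
SAMPLE_LOG = r"""
AV: avast! antivirus 4.8.1335 [VPS 090306-0] *On-access scanning disabled* (Updated)
2009-03-07 18:31 . 2009-03-07 18:31 108,446 -r-hs---- C:\i.com
2009-03-07 14:40 . 2009-03-05 09:11 109,434 -r-hs---- C:\dbrxubcw.com
2009-02-12 10:20 . 2009-02-12 10:20 1,374 --a------ C:\WINDOWS\imsins.BAK
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2aac8e97-cdef-11dd-8d41-000cf196c483}]
\Shell\Auto\command - activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96778e5f-000c-11de-8df1-000cf196c483}]
\Shell\AutoRun\command - H:\USBNB.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afe7f0b0-0433-11de-8e05-000cf196c483}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
HKCU-Run-cdoosoft - C:\WINDOWS\system32\olhrwef.exe
HKCU-Run-AdobeBridge - (no file)
uStart Page = hxxp://www.finderg.com
"""

# Assumption: the U3 launcher on G: is the only AutoRun handler treated as benign.
KNOWN_AUTORUN_LAUNCHERS = {"launchu3.exe"}

# ComboFix "files created" line: ctime . mtime size attrs path
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
                       r"\s+([\d,]+)\s+(\S{9})\s+(.+)$")
ROOT_PATH = re.compile(r"^[A-Za-z]:\\[^\\]+$")  # file directly in a drive root
MP2_KEY = re.compile(r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\?\{[0-9a-f-]+\})\]$", re.I)
SHELL_CMD = re.compile(r"^\\Shell\\\w+\\command - (.+)$", re.I)
RUN_ENTRY = re.compile(r"^HK(?:CU|LM)-Run-(\S+) - (.+)$")
AV_OVERRIDE = re.compile(r'^"AntiVirusOverride"=dword:([0-9a-f]{8})$', re.I)
EXE_TOKEN = re.compile(r"[\w\-]+\.exe", re.I)


def triage(log_text):
    """Return (indicator, detail) pairs found in ComboFix log text, in log order."""
    findings = []
    current_key = None  # MountPoints2 key whose \Shell lines follow
    flagged_keys = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if "*On-access scanning disabled*" in line:
            findings.append(("av_disabled", line))
            continue
        m = AV_OVERRIDE.match(line)
        if m and int(m.group(1), 16) != 0:
            # Security Center told not to warn about the AV state: classic tampering
            findings.append(("av_override", line))
            continue
        m = FILE_LINE.match(line)
        if m:
            _size, attrs, path = m.groups()
            ext = path.rsplit(".", 1)[-1].lower()
            # hidden+system executable dropped straight into a drive root
            if ROOT_PATH.match(path) and {"h", "s"} <= set(attrs) and ext in {"com", "bat", "exe"}:
                findings.append(("root_hidden_exec", path))
            continue
        m = MP2_KEY.match(line)
        if m:
            current_key = m.group(1)
            continue
        if line.startswith("["):
            current_key = None  # some other registry key follows
            continue
        m = SHELL_CMD.match(line)
        if m and current_key and current_key not in flagged_keys:
            # the last *.exe token is the real target (RunDLL32 ... ShellExec_RunDLL x.exe)
            exes = EXE_TOKEN.findall(m.group(1))
            target = exes[-1].lower() if exes else m.group(1).lower()
            if target not in KNOWN_AUTORUN_LAUNCHERS:
                findings.append(("autorun_handler", current_key))
                flagged_keys.add(current_key)
            continue
        m = RUN_ENTRY.match(line)
        if m and "\\system32\\" in m.group(2).lower():
            # heuristic (assumption): a per-user Run entry pointing into system32 is unusual
            findings.append(("run_in_system32", f"{m.group(1)} -> {m.group(2)}"))
            continue
        if line.startswith("uStart Page = "):
            findings.append(("start_page", line.split("= ", 1)[1]))
    return findings


def draft_cfscript(findings):
    """Draft File::/Registry:: sections in the form used in post #4 (review before use)."""
    files = [d for k, d in findings if k == "root_hidden_exec"]
    keys = [d for k, d in findings if k == "autorun_handler"]
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if keys:
        parts.append("Registry::\n" + "\n".join(f"[-{k}]" for k in keys))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for kind, detail in found:
        print(f"{kind:18} {detail}")
    print("\n" + draft_cfscript(found))
```

On the posted log the draft lists both .com droppers under File:: and two MountPoints2 keys under Registry::, one more than huber2t's script, because the H:\USBNB.exe handler is not on the allow-list either. That is the point of the review step: a CFScript deletes exactly what it is told to, so check every path and key against the log before saving it as CFScript.txt, and keep in mind that the start page hijack (finderg.com) and the AntiVirusOverride value are reported here but not put into the script.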