RecInfo virus

HijackThis log: http://wklejto.pl/24684 . Please help by checking the log and advising how to remove the virus, thanks. :)

As usual it doesn't show the dashes… here: http://www.sendspace.pl/file/0Mk8FmbP/

Regards.

Log is OK

Post a ComboFix log

Post logs on http://wklej.eu or http://wklej.org and put only the link in your post

ComboFix 09-02-02.03 - Damian 2009-02-02 21:53:13.1 - NTFSx86

Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1250.1.1045.18.2038.1141 [GMT 1:00]

Running from: c:\users\Damian\Downloads\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\x64

.

((((((((((((((((((((((((( Files Created from 2009-01-02 to 2009-02-02 )))))))))))))))))))))))))))))))

.

2009-02-02 16:46 . 2009-02-02 16:46

2009-02-02 12:25 . 2009-02-02 12:25 361,984 --a------ c:\windows\System32\IPSECSVC.DLL

2009-02-02 12:25 . 2009-02-02 12:25 272,896 --a------ c:\windows\System32\polstore.dll

2009-02-02 12:25 . 2009-02-02 12:25 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll

2009-02-02 12:25 . 2009-02-02 12:25 194,560 --a------ c:\windows\System32\WebClnt.dll

2009-02-02 12:25 . 2009-02-02 12:25 160,768 --a------ c:\windows\System32\PortableDeviceTypes.dll

2009-02-02 12:25 . 2009-02-02 12:25 110,080 --a------ c:\windows\System32\drivers\mrxdav.sys

2009-02-02 12:25 . 2009-02-02 12:25 95,232 --a------ c:\windows\System32\PortableDeviceClassExtension.dll

2009-02-02 12:25 . 2009-02-02 12:25 61,440 --a------ c:\windows\System32\winipsec.dll

2009-02-02 12:25 . 2009-02-02 12:25 28,672 --a------ c:\windows\System32\FwRemoteSvr.dll

2009-02-02 12:24 . 2009-02-02 12:24 1,383,424 --a------ c:\windows\System32\mshtml.tlb

2009-02-02 12:24 . 2009-02-02 12:24 1,060,920 --a------ c:\windows\System32\drivers\ntfs.sys

2009-02-02 12:24 . 2009-02-02 12:24 297,472 --a------ c:\windows\System32\gdi32.dll

2009-02-02 12:24 . 2009-02-02 12:24 268,800 --a------ c:\windows\System32\es.dll

2009-02-02 12:24 . 2009-02-02 12:24 211,456 --a------ c:\windows\System32\drivers\mrxsmb10.sys

2009-02-02 12:24 . 2009-02-02 12:24 41,984 --a------ c:\windows\System32\drivers\monitor.sys

2009-02-02 12:23 . 2009-02-02 12:23 4,247,552 --a------ c:\windows\System32\GameUXLegacyGDFs.dll

2009-02-02 12:23 . 2009-02-02 12:23 1,687,040 --a------ c:\windows\System32\gameux.dll

2009-02-02 12:23 . 2009-02-02 12:23 303,616 --a------ c:\windows\System32\wmpeffects.dll

2009-02-02 12:23 . 2009-02-02 12:23 28,672 --a------ c:\windows\System32\Apphlpdm.dll

2009-02-02 08:03 . 2009-02-02 08:03 9 --a------ C:\DVD.TAG

2009-02-02 02:17 . 2009-02-02 02:17 2,027,520 --a------ c:\windows\System32\win32k.sys

2009-02-02 02:16 . 2009-02-02 02:16 1,194,496 --a------ c:\windows\System32\msxml3.dll

2009-02-02 02:16 . 2009-02-02 02:16 2,048 --a------ c:\windows\System32\msxml3r.dll

2009-02-02 02:13 . 2009-02-02 02:13 2,048 --a------ c:\windows\System32\tzres.dll

2009-02-02 02:09 . 2009-02-02 02:09 211,000 --a------ c:\windows\System32\drivers\volsnap.sys

2009-02-02 02:09 . 2009-02-02 02:09 154,624 --a------ c:\windows\System32\drivers\nwifi.sys

2009-02-02 02:09 . 2009-02-02 02:09 109,624 --a------ c:\windows\System32\drivers\ataport.sys

2009-02-02 02:09 . 2009-02-02 02:09 45,112 --a------ c:\windows\System32\drivers\pciidex.sys

2009-02-02 02:09 . 2009-02-02 02:09 21,560 --a------ c:\windows\System32\drivers\atapi.sys

2009-02-02 02:09 . 2009-02-02 02:09 17,464 --a------ c:\windows\System32\drivers\intelide.sys

2009-02-02 02:08 . 2009-02-02 02:08 2,923,520 --a------ c:\windows\explorer.exe

2009-02-02 02:04 . 2009-02-02 02:04 56,320 --a------ c:\windows\System32\iesetup.dll

2009-02-02 02:03 . 2009-02-02 02:03 806,400 --a------ c:\windows\System32\drivers\tcpip.sys

2009-02-02 02:03 . 2009-02-02 02:03 217,144 --a------ c:\windows\System32\drivers\netio.sys

2009-02-02 02:03 . 2009-02-02 02:03 167,424 --a------ c:\windows\System32\tcpipcfg.dll

2009-02-02 02:03 . 2009-02-02 02:03 24,064 --a------ c:\windows\System32\netcfg.exe

2009-02-02 02:03 . 2009-02-02 02:03 22,016 --a------ c:\windows\System32\netiougc.exe

2009-02-02 01:57 . 2009-02-02 01:57 1,585,664 --a------ c:\windows\System32\setupapi.dll

2009-02-02 01:54 . 2009-02-02 01:54 223,232 --a------ c:\windows\System32\WMASF.DLL

2009-02-02 01:54 . 2009-02-02 01:54 9,728 --a------ c:\windows\System32\LAPRXY.DLL

2009-02-02 01:54 . 2009-02-02 01:54 2,048 --a------ c:\windows\System32\asferror.dll

2009-02-02 01:53 . 2009-02-02 01:53 712,192 --a------ c:\windows\System32\WindowsCodecs.dll

2009-02-02 01:53 . 2009-02-02 01:53 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll

2009-02-02 01:53 . 2009-02-02 01:53 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll

2009-02-02 01:53 . 2009-02-02 01:53 140,288 --a------ c:\windows\System32\COMDLG32.OCX

2009-02-02 01:52 . 2009-02-02 01:52 441,856 --a------ c:\windows\System32\win32spl.dll

2009-02-02 01:52 . 2009-02-02 01:52 37,376 --a------ c:\windows\System32\printcom.dll

2009-02-02 01:51 . 2009-02-02 01:51 113,664 --a------ c:\windows\System32\drivers\rmcast.sys

2009-02-02 01:51 . 2009-02-02 01:51 14,848 --a------ c:\windows\System32\wshrm.dll

2009-02-02 01:51 . 2009-02-02 01:51 11,776 --a------ c:\windows\System32\sbunattend.exe

2009-02-02 01:49 . 2009-02-02 01:49 290,304 --a------ c:\windows\System32\drivers\srv.sys

2009-02-02 01:48 . 2009-02-02 01:48 83,968 --a------ c:\windows\System32\dnsrslvr.dll

2009-02-02 01:48 . 2009-02-02 01:48 24,576 --a------ c:\windows\System32\dnscacheugc.exe

2009-02-02 01:42 . 2009-02-02 01:42 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll

2009-02-02 01:42 . 2009-02-02 01:42 622,080 --a------ c:\windows\System32\icardagt.exe

2009-02-02 01:42 . 2009-02-02 01:42 326,160 --a------ c:\windows\System32\PresentationHost.exe

2009-02-02 01:42 . 2009-02-02 01:42 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll

2009-02-02 01:42 . 2009-02-02 01:42 97,800 --a------ c:\windows\System32\infocardapi.dll

2009-02-02 01:42 . 2009-02-02 01:42 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll

2009-02-02 01:42 . 2009-02-02 01:42 37,384 --a------ c:\windows\System32\infocardcpl.cpl

2009-02-02 01:42 . 2009-02-02 01:42 11,264 --a------ c:\windows\System32\icardres.dll

2009-02-02 01:37 . 2009-02-02 01:37 96,760 --a------ c:\windows\System32\dfshim.dll

2009-02-02 01:36 . 2009-02-02 01:36 282,112 --a------ c:\windows\System32\mscoree.dll

2009-02-02 01:36 . 2009-02-02 01:36 158,720 --a------ c:\windows\System32\mscorier.dll

2009-02-02 01:36 . 2009-02-02 01:36 83,968 --a------ c:\windows\System32\mscories.dll

2009-02-02 01:36 . 2009-02-02 01:36 41,984 --a------ c:\windows\System32\netfxperf.dll

2009-02-02 01:31 . 2009-02-02 01:31 2,855,424 --a------ c:\windows\System32\mf.dll

2009-02-02 01:31 . 2009-02-02 01:31 996,352 --a------ c:\windows\System32\WMNetMgr.dll

2009-02-02 01:31 . 2009-02-02 01:31 98,816 --a------ c:\windows\System32\mfps.dll

2009-02-02 01:31 . 2009-02-02 01:31 94,720 --a------ c:\windows\System32\logagent.exe

2009-02-02 01:31 . 2009-02-02 01:31 52,736 --a------ c:\windows\System32\rrinstaller.exe

2009-02-02 01:31 . 2009-02-02 01:31 24,576 --a------ c:\windows\System32\mfpmp.exe

2009-02-02 01:31 . 2009-02-02 01:31 2,048 --a------ c:\windows\System32\mferror.dll

2009-02-02 01:30 . 2009-02-02 01:30 1,645,568 --a------ c:\windows\System32\connect.dll

2009-02-02 01:30 . 2009-02-02 01:30 1,327,104 --a------ c:\windows\System32\quartz.dll

2009-02-02 01:30 . 2009-02-02 01:30 737,792 --a------ c:\windows\System32\inetcomm.dll

2009-02-02 01:30 . 2009-02-02 01:30 130,048 --a------ c:\windows\System32\drivers\srv2.sys

2009-02-02 01:30 . 2009-02-02 01:30 101,888 --a------ c:\windows\System32\drivers\mrxsmb.sys

2009-02-02 01:30 . 2009-02-02 01:30 84,992 --a------ c:\windows\System32\drivers\srvnet.sys

2009-02-02 01:30 . 2009-02-02 01:30 84,480 --a------ c:\windows\System32\INETRES.dll

2009-02-02 01:30 . 2009-02-02 01:30 58,368 --a------ c:\windows\System32\drivers\mrxsmb20.sys

2009-02-02 01:29 . 2009-02-02 01:29 3,505,208 --a------ c:\windows\System32\ntkrnlpa.exe

2009-02-02 01:29 . 2009-02-02 01:29 3,470,904 --a------ c:\windows\System32\ntoskrnl.exe

2009-02-02 01:29 . 2009-02-02 01:29 1,341,440 --a------ c:\windows\System32\msxml6.dll

2009-02-02 01:29 . 2009-02-02 01:29 99,840 --a------ c:\windows\System32\poqexec.exe

2009-02-02 01:29 . 2009-02-02 01:29 2,048 --a------ c:\windows\System32\msxml6r.dll

2009-02-02 00:49 . 2009-02-02 00:49

2009-02-02 00:47 . 2009-02-02 00:47

2009-02-02 00:43 . 2009-02-02 00:48

2009-02-02 00:43 . 2009-02-02 00:43

2009-02-02 00:37 . 2009-02-02 00:37 16 --a------ c:\windows\System32\coh.cache

2009-02-02 00:23 . 2009-02-02 00:23

2009-02-02 00:14 . 2009-02-02 00:13 410,984 --a------ c:\windows\System32\deploytk.dll

2009-02-02 00:13 . 2009-02-02 00:13

2009-02-02 00:02 . 2009-02-02 00:02

2009-02-02 00:02 . 2008-12-04 21:42 815,104 --a------ c:\windows\System32\xvidcore.dll

2009-02-02 00:02 . 2008-12-04 21:46 180,224 --a------ c:\windows\System32\xvidvfw.dll

2009-02-02 00:02 . 2008-12-13 20:01 77,824 --a------ c:\windows\System32\xvid.ax

2009-02-01 23:56 . 2009-02-02 00:17

2009-02-01 23:36 . 2009-02-01 23:36 0 --a------ c:\windows\nsreg.dat

2009-02-01 23:34 . 2009-02-01 23:34 1,809,944 --a------ c:\windows\System32\wuaueng.dll

2009-02-01 23:34 . 2009-02-01 23:34 1,524,736 --a------ c:\windows\System32\wucltux.dll

2009-02-01 23:34 . 2009-02-01 23:34 51,224 --a------ c:\windows\System32\wuauclt.exe

2009-02-01 23:34 . 2009-02-01 23:34 43,544 --a------ c:\windows\System32\wups2.dll

2009-02-01 23:33 . 2009-02-01 23:33 561,688 --a------ c:\windows\System32\wuapi.dll

2009-02-01 23:33 . 2009-02-01 23:33 162,064 --a------ c:\windows\System32\wuwebv.dll

2009-02-01 23:33 . 2009-02-01 23:33 83,456 --a------ c:\windows\System32\wudriver.dll

2009-02-01 23:33 . 2009-02-01 23:33 34,328 --a------ c:\windows\System32\wups.dll

2009-02-01 23:33 . 2009-02-01 23:33 31,232 --a------ c:\windows\System32\wuapp.exe

2009-02-01 23:19 . 2009-02-01 23:19

2009-02-01 23:19 . 2009-02-01 23:19

2009-02-01 23:19 . 2009-02-01 23:19

2009-02-01 23:19 . 2009-02-01 23:19

2009-02-01 23:19 . 2009-02-01 23:19

2009-02-01 23:19 . 2009-02-01 23:19

2009-02-01 23:19 . 2009-02-02 21:51

2009-02-01 23:19 . 2009-02-02 16:51

2009-02-01 23:19 . 2009-02-01 23:19

2009-02-01 23:19 . 2009-02-01 23:19

2009-02-01 23:19 . 2009-02-02 00:43

2009-02-01 23:14 . 2009-02-01 23:14

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-02 20:49 --------- d-----w c:\program files\Common Files\Adobe

2009-02-02 11:36 --------- d-----w c:\program files\Windows Mail

2009-02-02 11:23 537,600 ----a-w c:\windows\AppPatch\AcLayers.dll

2009-02-02 11:23 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll

2009-02-02 11:23 449,536 ----a-w c:\windows\AppPatch\AcSpecfc.dll

2009-02-02 11:23 2,560 ----a-w c:\windows\AppPatch\AcRes.dll

2009-02-02 11:23 2,144,256 ----a-w c:\windows\AppPatch\AcGenral.dll

2009-02-02 11:23 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll

2009-02-02 10:10 174 --sha-w c:\program files\desktop.ini

2009-02-02 10:04 --------- d-----w c:\program files\Windows Sidebar

2009-02-02 01:05 826,368 ----a-w c:\windows\System32\wininet.dll

2009-02-02 01:05 26,624 ----a-w c:\windows\System32\ieUnatt.exe

2009-02-02 00:56 944,184 ----a-w c:\windows\System32\winload.exe

2009-02-01 23:54 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-02-01 23:47 --------- d-----w c:\programdata\Symantec

2009-02-01 22:14 --------- d-sh--w c:\programdata\Ulubione

2009-02-01 22:14 --------- d-sh--w c:\programdata\Szablony

2009-02-01 22:14 --------- d-sh--w c:\programdata\Pulpit

2009-02-01 22:14 --------- d-sh--w c:\programdata\Menu Start

2009-02-01 22:14 --------- d-sh--w c:\programdata\Dokumenty

2009-02-01 22:14 --------- d-sh--w c:\programdata\Dane aplikacji

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-02-02 1232896]

"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 c:\windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 142104]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 154392]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 138008]

"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2007-07-26 192512]

"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-17 102400]

"MSConfig"="c:\windows\system32\msconfig.exe" [2006-11-02 222208]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 c:\windows\RtHDVCpl.exe]

[HKLM~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup

backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-02-26 20:46 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\recinfo905]

--a------ 2007-06-06 12:33 2768896 c:\recinfo\RecInfo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2009-02-02 00:13 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

“DisableMonitoring”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]

“DFSR-1”= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 Hotkey;Hotkey;c:\windows\System32\drivers\HOTKEY.sys [2007-12-14 9867]

R3 WisLMSvc;WisLMSvc;c:\program files\Launch Manager\WisLMSvc.exe [2007-12-14 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c743a950-f11d-11dd-b168-0016d38cd6f6}]

\shell\AutoRun\command - oufddh.exe

\shell\explore\Command - oufddh.exe

\shell\open\Command - oufddh.exe

.

.

------- Supplementary Scan -------

.

FF - ProfilePath - c:\users\Damian\AppData\Roaming\Mozilla\Firefox\Profiles\d0ghxuld.default\

FF - prefs.js: browser.startup.homepage - google.pl

.

.

------- File Associations -------

.

vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*

vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*

jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-02 21:55:08

Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\TMP0000008A9C253D3587E64F15 524288 bytes

scan completed successfully

hidden files: 1

**************************************************************************

.

Completion time: 2009-02-02 21:56:59

ComboFix-quarantined-files.txt 2009-02-02 20:56:57

Pre-Run: 70,713,577,472 bytes free

Post-Run: 70,489,534,464 bytes free

231 --- E O F --- 2009-02-02 11:25:41
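The following is an added example and is not part of the original thread or of ComboFix itself. It is a Python triage script that pulls the three actionable indicators out of a ComboFix log of this shape: the MountPoints2 shell handlers redirected to an executable sitting in a volume root (the oufddh.exe entries above are the pattern an autorun.inf worm leaves in the registry mount point of a USB stick), the Security Center subkeys with monitoring switched off, and the hidden files reported by the catchme section. The embedded sample is a constructed subset of lines from the log above; the function names, the `Findings` structure and the root-of-volume heuristic are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: a subset of the ComboFix log posted above, one line per indicator.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c743a950-f11d-11dd-b168-0016d38cd6f6}]
\shell\AutoRun\command - oufddh.exe
\shell\explore\Command - oufddh.exe
\shell\open\Command - oufddh.exe
.
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scanning hidden files ...
c:\windows\TEMP\TMP0000008A9C253D3587E64F15 524288 bytes
scan completed successfully
hidden files: 1
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...] section header
MOUNTPOINT_RE = re.compile(r"\\mountpoints2\\(\{[0-9a-f-]+\})$", re.IGNORECASE)
HANDLER_RE = re.compile(r"^\\shell\\(\w+)\\command\s+-\s+(\S.*)$", re.IGNORECASE)
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.IGNORECASE)
SECCENTER_PREFIX = r"hkey_local_machine\software\microsoft\security center\monitoring"
HIDDEN_FILE_RE = re.compile(r"^([a-z]:\\.+?)\s+(\d+)\s+bytes$", re.IGNORECASE)


@dataclass
class Findings:
    # volume GUID -> {shell verb -> executable the verb was redirected to}
    autorun_handlers: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # Security Center subkeys whose monitoring was switched off
    disabled_monitoring: List[str] = field(default_factory=list)
    # (path, size) pairs reported by the catchme rootkit scan
    hidden_files: List[Tuple[str, int]] = field(default_factory=list)


def triage(log_text: str) -> Findings:
    """Walk the log once, remembering the current registry key so value lines
    can be attributed to it."""
    findings = Findings()
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        vol = MOUNTPOINT_RE.search(current_key)
        handler = HANDLER_RE.match(line)
        if vol and handler:
            verb, target = handler.group(1), handler.group(2).strip()
            findings.autorun_handlers.setdefault(vol.group(1), {})[verb] = target
            continue
        if DISABLE_RE.match(line) and current_key.lower().startswith(SECCENTER_PREFIX):
            findings.disabled_monitoring.append(current_key)
            continue
        hidden = HIDDEN_FILE_RE.match(line)
        if hidden:
            findings.hidden_files.append((hidden.group(1), int(hidden.group(2))))
    return findings


def hijacked_volumes(findings: Findings) -> List[str]:
    """Volume GUIDs whose open/explore/AutoRun verbs run a bare file name, i.e. a
    file in the volume root: the trace an autorun.inf 'open=' line leaves behind."""
    out = []
    for guid, verbs in findings.autorun_handlers.items():
        if any("\\" not in t and ":" not in t for t in verbs.values()):
            out.append(guid)
    return sorted(out)


def report(findings: Findings) -> List[str]:
    """One human-readable line per finding, ready to paste into a forum reply."""
    lines = []
    for guid in hijacked_volumes(findings):
        verbs = findings.autorun_handlers[guid]
        lines.append(f"MountPoints2 {guid}: {', '.join(sorted(verbs))} -> "
                     f"{', '.join(sorted(set(verbs.values())))}")
    for key in findings.disabled_monitoring:
        lines.append(f"Security Center monitoring disabled: {key}")
    for path, size in findings.hidden_files:
        lines.append(f"Hidden file: {path} ({size} bytes)")
    return lines


if __name__ == "__main__":
    for entry in report(triage(SAMPLE_LOG)):
        print(entry)
```

The hijacked-volume check only flags a handler whose target has no path component, because that is what the log above shows and how an autorun.inf `open=` entry is recorded under MountPoints2. A handler redirected to a full path elsewhere on disk would not be flagged by this heuristic, so the raw key is still worth reading in full.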

Open Notepad and paste

From the Notepad menu -> File -> Save as -> change the file type from .txt to All files -> save it under the name Fix.reg

Run this file, then restart the computer

Manually delete the C:\Qoobox folder and delete the ComboFix installer from the disk.

Clean the system with CCleaner

Optimize the startup entries

Disable and re-enable System Restore on all drives. Instructions

Scan the whole computer with http://www.kaspersky.pl/virusscanner.html and post its report on the forum

Change in the forum rules for posting logs - viewtopic.php?f=16&t=253052