Virus win32:cutwail, time is of the essence

Hello,

I'm currently at my brother's place, and on his computer a virus is being detected: win32:cutwail.


I would really appreciate help removing it.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:07:22, on 2009-06-18

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\Rundll32.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\9129837.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Opera\Opera.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\MIREK\MIREK.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Lacza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MIREK] C:\Documents and Settings\MIREK\MIREK.exe /i

O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USLUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USLUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: AutorunsDisabled

O4 - Startup: rncsys32.exe

O4 - Global Startup: AutorunsDisabled

O8 - Extra context menu item: Eksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Wyslij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyslij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


--

End of file - 7114 bytes

ComboFix 09-06-18.02 - MIREK 2009-06-18 20:16.1 - NTFSx86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.2.1252.49.1045.18.446.286 [GMT 2:00]

ausgeführt von:: C:\ComboFix.exe

AV: avast! antivirus 4.8.1335 [VPS 090617-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}


Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert 

.


(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))

.


c:\recycled\Recycled

c:\documents and settings\MIREK\Dane aplikacji\wiaserva.log

c:\documents and settings\MIREK\Menu Start\Programy\Autostart\rncsys32.exe

c:\documents and settings\MIREK\MIREK.exe

c:\windows\9129837.exe

c:\windows\system32\drivers\ksi32sk.sys

c:\windows\system32\drivers\nicsk32.sys

c:\windows\zaponce52689.dat

c:\windows\zaponce53652.dat


.

((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))

.


-------\Legacy_ATI64SI

-------\Legacy_FIPS32CUP

-------\Legacy_I386SI

-------\Legacy_KSI32SK

-------\Legacy_NETSIK

-------\Legacy_NICSK32

-------\Legacy_PORT135SIK

-------\Legacy_SYSTEMNTMI

-------\Legacy_WS2_32SIK

-------\Service_ati64si

-------\Service_fips32cup

-------\Service_glaide32

-------\Service_i386si

-------\Service_ksi32sk

-------\Service_netsik

-------\Service_nicsk32

-------\Service_port135sik

-------\Service_ws2_32sik



((((((((((((((((((((((( Dateien erstellt von 2009-05-18 bis 2009-06-18 ))))))))))))))))))))))))))))))

.


2009-06-18 18:04 . 2009-06-18 18:04	--------	d-----w-	c:\program files\Trend Micro

2009-06-16 19:56 . 2009-06-16 19:56	--------	d-----w-	c:\windows\system32\KB905474

2009-06-16 19:56 . 2009-03-10 20:26	1436544	----a-w-	c:\windows\system32\KB905474\wganotifypackageinner.exe

2009-06-16 19:56 . 2009-03-10 20:18	455048	----a-w-	c:\windows\system32\KB905474\wgasetup.exe

2009-06-16 19:53 . 2009-06-16 19:53	--------	d-----w-	c:\program files\MSXML 4.0

2009-06-16 17:40 . 2009-06-16 17:57	--------	d-----w-	c:\windows\system32\CatRoot_bak

2009-06-16 17:38 . 2008-09-04 16:46	1106944	-c----w-	c:\windows\system32\dllcache\msxml3.dll

2009-06-16 17:38 . 2008-06-14 18:01	273024	-c----w-	c:\windows\system32\dllcache\bthport.sys

2009-06-16 17:36 . 2008-04-11 18:51	683520	-c----w-	c:\windows\system32\dllcache\inetcomm.dll

2009-06-16 17:36 . 2008-10-03 10:17	247326	-c----w-	c:\windows\system32\dllcache\strmdll.dll

2009-06-16 17:35 . 2008-10-15 17:00	332800	-c----w-	c:\windows\system32\dllcache\netapi32.dll

2009-06-16 17:35 . 2008-04-21 21:28	218112	-c----w-	c:\windows\system32\dllcache\wordpad.exe

2009-06-16 17:31 . 2009-06-16 19:57	--------	d--h--w-	c:\windows\$hf_mig$

2009-06-15 15:11 . 2009-06-15 15:11	--------	d-----w-	c:\program files\FLVPlayer

2009-06-15 14:09 . 2009-06-15 14:09	--------	d-----w-	c:\documents and settings\MIREK\Ustawienia lokalne\Dane aplikacji\Opera

2009-06-15 14:09 . 2009-06-15 14:09	--------	d-----w-	c:\program files\Opera

2009-06-15 14:04 . 2009-06-15 14:04	--------	d-----w-	c:\program files\ToniArts

2009-06-01 09:09 . 2009-06-01 11:35	848	--sha-w-	c:\windows\system32\KGyGaAvL.sys

2009-06-01 09:08 . 2009-06-01 09:08	--------	d-----w-	c:\program files\Corel

2009-06-01 09:07 . 2009-06-01 09:07	--------	d-----w-	c:\documents and settings\MIREK\Dane aplikacji\InstallShield

2009-05-31 21:37 . 2009-05-31 21:37	--------	d-----w-	c:\program files\Photo!

2009-05-31 20:39 . 2009-05-31 20:39	--------	d-----w-	c:\program files\Ashampoo

2009-05-24 21:43 . 2009-05-24 21:44	--------	d-----w-	c:\documents and settings\MIREK\Dane aplikacji\Media Player Classic

2009-05-23 20:45 . 2009-05-23 20:45	--------	d-----w-	c:\documents and settings\MIREK\Dane aplikacji\Ashampoo

2009-05-21 10:50 . 2004-08-03 23:44	221184	----a-w-	c:\windows\system32\wmpns.dll


.

(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-18 18:03 . 2009-06-18 18:10	3028246	----a-r-	C:\ComboFix.exe

2009-06-16 20:04 . 2001-10-26 16:15	75486	----a-w-	c:\windows\system32\perfc015.dat

2009-06-16 20:04 . 2001-10-26 16:15	451326	----a-w-	c:\windows\system32\perfh015.dat

2009-06-15 20:26 . 2008-02-13 18:12	--------	d-----w-	c:\documents and settings\All Users\Dane aplikacji\Microsoft Help

2009-06-15 14:09 . 2008-02-13 19:15	--------	d-----w-	c:\program files\Gadu-Gadu

2009-06-15 14:04 . 2008-02-13 17:02	--------	d--h--w-	c:\program files\InstallShield Installation Information

2009-06-15 14:00 . 2008-07-24 20:08	--------	d-----w-	c:\program files\SweetIM

2009-06-15 13:57 . 2008-10-25 18:57	--------	d-----w-	c:\program files\Spybot - Search Destroy

2009-06-15 13:56 . 2008-02-14 21:21	--------	d-----w-	c:\program files\Google

2009-06-15 13:55 . 2008-10-25 18:57	--------	d-----w-	c:\documents and settings\All Users\Dane aplikacji\Spybot - Search Destroy

2009-06-15 13:52 . 2008-02-13 18:03	--------	d-----w-	c:\documents and settings\MIREK\Dane aplikacji\Lavasoft

2009-05-17 21:06 . 2008-10-12 19:18	--------	d-----w-	c:\documents and settings\MIREK\Dane aplikacji\Samsung

2009-05-17 20:57 . 2008-10-12 18:57	--------	d-----w-	c:\program files\Samsung

2009-05-08 16:45 . 2008-10-03 15:03	--------	d-----w-	c:\program files\7-Zip

2009-05-07 15:44 . 2001-10-26 17:29	346112	----a-w-	c:\windows\system32\localspl.dll

2009-04-29 04:53 . 2001-10-26 17:29	662016	----a-w-	c:\windows\system32\wininet.dll

2009-04-29 04:53 . 2008-02-13 16:50	81920	------w-	c:\windows\system32\ieencode.dll

2009-04-19 20:11 . 2001-10-26 16:59	1846912	----a-w-	c:\windows\system32\win32k.sys

2009-04-15 15:18 . 2001-10-26 17:29	584192	----a-w-	c:\windows\system32\rpcrt4.dll

2009-03-21 08:07 . 2009-03-21 08:07	41000	---ha-w-	c:\windows\system32\mlfcache.dat

2008-11-16 19:53 . 2008-11-16 19:51	24	--sh--w-	c:\windows\SF20C76AF.tmp

.


(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))

.

.

*Hinweis* leere Einträge legitime Standardeinträge werden nicht angezeigt. 

REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-15 39408]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-15 68592]

"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]


c:\documents and settings\MIREK\Menu Start\Programy\Autostart\AutorunsDisabled

Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Gadu-Gadu\\gg.exe"=

"c:\\WINDOWS\\system32\\HPZipm12.exe"=

"c:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe"=

"c:\\WINDOWS\\system32\\KB905474\\wgasetup.exe"=


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8461:TCP"= 8461:TCP:GoD High Port

"8462:TCP"= 8462:TCP:GoD Low Port


R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-25 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-10-25 20560]

S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};\??\c:\windows\TEMP\4.tmp -- c:\windows\TEMP\4.tmp [?]

S3 PCANDIS5_RETWIFI;PCANDIS5_RETWIFI Protocol Driver;\??\c:\progra~1\EEYEDI~1\RETINA~1\PCANDIS5_RETWIFI.SYS -- c:\progra~1\EEYEDI~1\RETINA~1\PCANDIS5_RETWIFI.SYS [?]

S3 PCANDIS5_WIFISCAN.SYS;PCANDIS5_WIFISCAN.SYS;\??\c:\program files\eEye Digital Security\Retina Wireless Scanner\PCANDIS5_WIFISCAN.SYS -- c:\program files\eEye Digital Security\Retina Wireless Scanner\PCANDIS5_WIFISCAN.SYS [?]

.

Inhalt des "geplante Tasks" Ordners


2009-06-18 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-06-16 20:18]

.

.

------- Zusätzlicher Suchlauf -------

.

uStart Page = hxxp://www.google.pl/

uSearch Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://www.google.com/ie

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://home.sweetim.com

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: Eksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

.


**************************************************************************


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-18 20:24

Windows 5.1.2600 Dodatek Service Pack 2 NTFS


Scanne versteckte Prozesse... 


Scanne versteckte Autostarteinträge... 


Scanne versteckte Dateien... 


Scan erfolgreich abgeschlossen

versteckte Dateien: 0


**************************************************************************


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]

"ImagePath"="\??\c:\windows\TEMP\4.tmp"

.

--------------------- Durch laufende Prozesse gestartete DLLs ---------------------


- - - - - - - 'winlogon.exe'(556)

c:\windows\system32\Ati2evxx.dll


- - - - - - - 'explorer.exe'(1128)

c:\windows\system32\msi.dll

c:\windows\system32\browselc.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

c:\program files\Microsoft Office\Office12\1045\GrooveIntlResource.dll

.

------------------------ Weitere laufende Prozesse ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\windows\system32\rundll32.exe

.

**************************************************************************

.

Zeit der Fertigstellung: 2009-06-18 20:26 - PC wurde neu gestartet

ComboFix-quarantined-files.txt 2009-06-18 18:26


Vor Suchlauf: 14 243 528 704 bajtów wolnych

Nach Suchlauf: 14 186 999 808 bajtów wolnych


195	--- E O F ---	2009-06-18 17:55

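The O4 autorun entries in the log above are what a helper triages first: an executable sitting directly in the Windows root (`9129837.exe`), one in the root of a user profile (`MIREK.exe`) and one dropped into the Startup folder (`rncsys32.exe`) are not where legitimate software installs itself, and the ComboFix run later deleted exactly those three files. The script below is an added example, not part of the forum post or any of the tools mentioned in it: it parses HijackThis-style O4 lines (the sample lines are copied from the posted log) and flags entries whose executable lives in a location that should prompt a closer look. The list of suspicious locations and the numeric-filename heuristic are this example's own assumptions, not HijackThis rules, and a hit means "inspect", not "malicious".

```python
"""Triage helper for HijackThis O4 autorun lines (added example, not from the post).

Flags Run-key and Startup-folder entries whose executable lives somewhere that
legitimate software rarely uses. The location rules below are assumptions of
this example; treat a hit as a prompt to inspect the file, not as a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample: O4 lines copied from the HijackThis log posted above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MIREK] C:\Documents and Settings\MIREK\MIREK.exe /i
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USLUGA LOKALNA')
O4 - Startup: AutorunsDisabled
O4 - Startup: rncsys32.exe
O4 - Global Startup: AutorunsDisabled
"""

# "O4 - <hive>\..\Run: [<value name>] <command> (User '<name>')"
RUN_RE = re.compile(
    r"^O4 - (?P<key>.+?\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# "O4 - Startup: <file>" / "O4 - Global Startup: <file>"
STARTUP_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<file>.+)$")
# Windows XP profile root, e.g. c:\documents and settings\<user>\<file>
USER_PROFILE_ROOT_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+$")


@dataclass
class Finding:
    key: str
    name: str
    path: str
    reasons: list


def extract_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path, arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)  # unquoted path with spaces
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""  # e.g. "Rundll32 P17.dll,..." -> "Rundll32"


def normalize(path: str) -> str:
    """Lower-case, strip the NT "\\??\\" prefix, use backslashes throughout."""
    p = path.strip().replace("/", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def suspicious_reasons(path: str, in_startup_folder: bool = False) -> list:
    """Return the (assumed) location heuristics that a path trips; empty if none."""
    p = normalize(path)
    reasons = []
    if not re.match(r"^[a-z]:\\", p):  # bare file name, not an absolute path
        if in_startup_folder and p.endswith(".exe"):
            reasons.append("executable placed in a Startup folder")
        return reasons
    directory, _, basename = p.rpartition("\\")
    if directory == "c:\\windows":
        reasons.append("executable directly in the Windows root")
    if USER_PROFILE_ROOT_RE.match(p):
        reasons.append("executable in a user-profile root")
    if "\\temp\\" in p:
        reasons.append("path under a TEMP directory")
    if basename.rsplit(".", 1)[0].isdigit():
        reasons.append("numeric-only filename")
    return reasons


def triage(log_text: str) -> list:
    """Parse O4 lines and return the entries worth a second look, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            path = extract_path(m.group("cmd"))
            reasons = suspicious_reasons(path)
            if reasons:
                findings.append(Finding(m.group("key"), m.group("name"), path, reasons))
            continue
        m = STARTUP_RE.match(line)
        if m:
            path = m.group("file")
            reasons = suspicious_reasons(path, in_startup_folder=True)
            if reasons:
                findings.append(Finding(m.group("key"), path, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES):
        print(f"{f.key:<22} [{f.name}] {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, the three flagged entries are the ones ComboFix later removed (`MIREK.exe`, `9129837.exe`, `rncsys32.exe`), while the Creative, avast!, Google and ctfmon entries pass. The same `suspicious_reasons` check applied to the `ImagePath` of the orphaned service in the ComboFix output (`\??\c:\windows\TEMP\4.tmp`) trips the TEMP rule, which is the other indicator the helper's reply acts on.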

Ugh, don't paste logs inside code tags, it makes them hard to check.

Cutwail removed; there is probably also an MBR rootkit.

Paste into Notepad

Save it as CFScript.txt. Drag that file onto the ComboFix icon. Post the resulting log.

Download mbr.exe from here

http://www.gmer.net/

Put it directly on C:, run it, paste the log.