Hello
I have a problem with the viruses Win32:Trojan-gen and WIN32 Malob - X [cryp], at least that is what avast showed me, but it cannot remove this junk. On top of that the computer creates a lot of svchost.exe processes. So far my GeForce drivers have disappeared and they will not reinstall. And avast keeps showing me a message that the mail client is sending large amounts of the same mail.
Please help.
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:40, on 2009-10-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\Explorer.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\system32\RunDll32.exe
D:\WINDOWS\Temp\wpv411255703227.exe
D:\Program Files\SAGEM WiFi manager\WLANUTL.exe
D:\WINDOWS\system32\restorer64_a.exe
D:\Documents and Settings\Skorupski\restorer64_a.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Opera\opera.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\setup\avast.setup
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe cpcp.cpo bef0regiiav
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [sysgif32] D:\WINDOWS\Temp\wpv411255703227.exe
O4 - HKLM\..\Run: [restorer64_a] D:\WINDOWS\system32\restorer64_a.exe
O4 - HKLM\..\Run: [Regedit32] D:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [restorer64_a] D:\Documents and Settings\Skorupski\restorer64_a.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: zavupd32.exe
O4 - Global Startup: Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

--
End of file - 5980 bytes
And the one from ComboFix
ComboFix 09-10-22.01 - Skorupski 2009-10-23 20:56.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.48.1045.18.767.535 [GMT 2:00]
Uruchomiony z: d:\documents and settings\Skorupski\Pulpit\Nowy folder\ComboFix.exe
Użyto następujących komend :: d:\combofix\CFScript.txt
AV: avast! antivirus 4.8.1229 [VPS 091022-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\documents and settings\Skorupski\Dane aplikacji\wiaserva.log
d:\documents and settings\Skorupski\oashdihasidhasuidhiasdhiashdiuasdhasd
d:\documents and settings\Skorupski\restorer64_a.exe
d:\windows\system32\restorer64_a.exe
.
---- Poprzednie uruchomienie -------
.
d:\documents and settings\Skorupski\Dane aplikacji\wiaserva.log
d:\documents and settings\Skorupski\oashdihasidhasuidhiasdhiashdiuasdhasd
d:\documents and settings\Skorupski\restorer64_a.exe
d:\windows\system32\restorer64_a.exe
.
((((((((((((((((((((((((( Pliki utworzone od 2009-09-23 do 2009-10-23 )))))))))))))))))))))))))))))))
.
2009-10-23 16:35 . 2006-10-22 13:06 208896 ----a-w- d:\windows\system32\NVUNINST.EXE
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-17 17:21 . 2008-06-30 16:58 -------- d-----w- d:\program files\Opera
2009-10-16 13:27 . 2004-08-04 12:00 83660 ----a-w- d:\windows\system32\perfc015.dat
2009-10-16 13:27 . 2004-08-04 12:00 490284 ----a-w- d:\windows\system32\perfh015.dat
2009-09-11 14:36 . 2008-10-26 07:51 133632 ----a-w- d:\windows\system32\msv1_0.dll
2009-09-11 04:05 . 2009-02-21 12:52 -------- d-----w- d:\program files\Microsoft Silverlight
2009-09-04 20:47 . 2004-08-04 12:00 58880 ----a-w- d:\windows\system32\msasn1.dll
2009-08-31 12:58 . 2009-08-31 12:58 -------- d-----w- d:\documents and settings\All Users\Dane aplikacji\Apple Computer
2009-08-29 12:57 . 2009-08-29 12:57 -------- d-----w- d:\program files\QuickTime
2009-08-29 12:57 . 2009-08-29 12:57 -------- d-----w- d:\program files\Xilisoft
2009-08-29 12:15 . 2008-06-30 18:32 17920 ----a-w- d:\documents and settings\Skorupski\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-08-29 12:15 . 2009-08-29 12:15 -------- d-----w- d:\documents and settings\Skorupski\Dane aplikacji\OxyCube
2009-08-29 12:13 . 2009-08-29 12:13 -------- d-----w- d:\program files\Oxygen Software
2009-08-29 07:31 . 2004-08-04 12:00 832512 ------w- d:\windows\system32\wininet.dll
2009-08-29 07:30 . 2004-08-04 12:00 78336 ----a-w- d:\windows\system32\ieencode.dll
2009-08-29 07:30 . 2004-08-04 12:00 17408 ----a-w- d:\windows\system32\corpol.dll
2009-08-26 08:16 . 2004-08-04 12:00 247326 ----a-w- d:\windows\system32\strmdll.dll
2009-08-05 09:08 . 2004-08-04 12:00 205312 ----a-w- d:\windows\system32\mswebdvd.dll
2009-08-04 17:07 . 2008-10-26 07:51 2181632 ------w- d:\windows\system32\ntoskrnl.exe
2009-08-04 17:07 . 2008-10-26 07:51 2059008 ------w- d:\windows\system32\ntkrnlpa.exe
2009-04-25 13:42 . 2008-06-30 18:33 67688 ----a-w- d:\program files\mozilla firefox\components\jar50.dll
2009-04-25 13:42 . 2008-06-30 18:33 54368 ----a-w- d:\program files\mozilla firefox\components\jsd3250.dll
2009-04-25 13:42 . 2008-06-30 18:33 34944 ----a-w- d:\program files\mozilla firefox\components\myspell.dll
2009-04-25 13:42 . 2008-06-30 18:33 46712 ----a-w- d:\program files\mozilla firefox\components\spellchk.dll
2009-04-25 13:42 . 2008-06-30 18:33 172136 ----a-w- d:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-10-23_18.42.31 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2003-11-17 3022848]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"nwiz"="nwiz.exe" - d:\windows\system32\nwiz.exe [2003-11-17 753664]
"Cmaudio"="cmicnfg.cpl" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

d:\documents and settings\Skorupski\Menu Start\Programy\Autostart\
zavupd32.exe [2004-8-4 17408]

d:\documents and settings\All Users\Menu Start\Programy\Autostart\
Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk - d:\program files\SAGEM WiFi manager\WLANUTL.exe [2009-5-30 950272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
[BU]

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CnxDslTaskBar
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPLA!
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"d:\Program Files\BitComet\BitComet.exe"=
"d:\Program Files\Opera\opera.exe"=
"d:\Program Files\Sports Interactive\Football Manager 2008\fm.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22867:TCP"= 22867:TCP:BitComet 22867 TCP
"22867:UDP"= 22867:UDP:BitComet 22867 UDP

R1 aswSP;avast! Self Protection;d:\windows\system32\drivers\aswSP.sys [2008-06-30 78416]
R2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [2008-06-30 20560]
R3 SG762_XP;SAGEM 802.11g XG762 1211B Driver;d:\windows\system32\drivers\WlanBZXP.sys [2009-05-30 450560]
S3 CnxEtP;ZTE ZXDSL852 Adapter Filter Driver;d:\windows\system32\DRIVERS\CnxEtP.sys --> d:\windows\system32\DRIVERS\CnxEtP.sys [?]
S3 CnxEtU;ZTE ZXDSL852 Interface Device Driver;d:\windows\system32\DRIVERS\CnxEtU.sys --> d:\windows\system32\DRIVERS\CnxEtU.sys [?]
S3 CnxTgNW;ZTE ZXDSL852 WAN PPPoA Adapter Driver;d:\windows\system32\DRIVERS\CnxTgNW.sys --> d:\windows\system32\DRIVERS\CnxTgNW.sys [?]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);d:\windows\system32\drivers\k510bus.sys [2008-07-07 58288]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;d:\windows\system32\drivers\k510mdfl.sys [2008-07-07 8336]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;d:\windows\system32\drivers\k510mdm.sys [2008-07-07 94064]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);d:\windows\system32\drivers\k510mgmt.sys [2008-07-07 85408]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;d:\windows\system32\drivers\k510obex.sys [2008-07-07 83344]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\d:\windows\system32\ZDCndis5.SYS --> d:\windows\system32\ZDCndis5.SYS [?]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.neostrada.pl
uInternet Connection Wizard,ShellNext = iexplore
IE: &D&ownload &with BitComet - d:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&ksport do programu Microsoft Excel - d:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - d:\documents and settings\Skorupski\Dane aplikacji\Mozilla\Firefox\Profiles\qx0lf7d4.default\
FF - prefs.js: browser.startup.homepage - www.wrzuta.pl
FF - component: d:\documents and settings\Skorupski\Dane aplikacji\Mozilla\Firefox\Profiles\qx0lf7d4.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: d:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - USUNIĘTO PUSTE WPISY - - - -
HKLM-Run-restorer64_a - d:\windows\system32\restorer64_a.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 21:09
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
Czas ukończenia: 2009-10-23 21:12
ComboFix-quarantined-files.txt 2009-10-23 19:12

Przed: 11 424 825 344 bajtów wolnych
Po: 11 369 029 632 bajtów wolnych

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - D64980CCE0611CB1B4BF52387113AB0A