Wirus wincft.exe oraz dużo działających procesów

tomi798 · 15 Wrzesień 2011 15:01

Witam,otóż niedawno pożyczyłem sobie od znajomego netbooka i chciałem go trochę oczyścić ze zbędnych programów.Zainstalowałem avire,zeskanowałem i przeczyściłem cleanerem.Po jakimś czasie wykrywa mi tego właśnie wirusa wincft.exe ale nie można go usunąć.Drugą sprawą jest to że jest dość dużo działających procesów(w tej chwili 53)których nie znam.Proszę o pomoc w sprawie wirusa i możliwość wyłączenia zbędnych procesów.Tak jak napisałem jest to netbook,system windows xp SP3.

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2011-09-15 15:14:07

Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD16 rev.01.0

Running: 5omk9q4i.exe; Driver: C:\DOCUME~1\MONIA\USTAWI~1\Temp\pxldypod.sys



---- System - GMER 1.0.15 ----


SSDT A5B33A6E ZwCreateKey

SSDT A5B33A64 ZwCreateThread

SSDT A5B33A73 ZwDeleteKey

SSDT A5B33A7D ZwDeleteValueKey

SSDT A5B33A82 ZwLoadKey

SSDT A5B33A50 ZwOpenProcess

SSDT A5B33A55 ZwOpenThread

SSDT A5B33A8C ZwReplaceKey

SSDT A5B33A87 ZwRestoreKey

SSDT A5B33A78 ZwSetValueKey

SSDT A5B33A5F ZwTerminateProcess


---- User code sections - GMER 1.0.15 ----


.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A 

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B 

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9 

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A 

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B 

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9 

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3808] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]


---- User IAT/EAT - GMER 1.0.15 ----


IAT C:\Program Files\Google\Chrome\Application\chrome.exe[1976] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002C0010

IAT C:\Program Files\Google\Chrome\Application\chrome.exe[3808] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002C0010


---- Devices - GMER 1.0.15 ----


AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)


---- Registry - GMER 1.0.15 ----


Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001583bbb005                                                   

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001583bbb005 (not active ControlSet)                               


---- EOF - GMER 1.0.15 ----

Nie działa mi skanowanie OTL,proszę napisać jakim innym programem mam to zeskanować.

Leon1 · 15 Wrzesień 2011 15:08

http://www.instalki.pl/programy/downloa … sbFix.html

z opcji Deletion

potem skan Otl

tomi798 · 15 Wrzesień 2011 15:17

Zrobiłem tak ja kazałeś

usbfix

############################## | UsbFix 7.058 | [Deletion]


User: MONIA (Administrator) # MONIKA []

Updated 24/08/2011 by El Desaparecido

Started at 17:12:37 | 15/09/2011

Website: http://www.teamxscript.org

Submit your sample: http://www.teamxscript.org/Upload.php

Contact: contact@eldesaparecido.com


CPU: Intel(R) Atom(TM) CPU N450 @ 1.66GHz

CPU 2: Intel(R) Atom(TM) CPU N450 @ 1.66GHz

Microsoft Windows XP Home Edition (5.1.2600 32-Bit) # Dodatek Service Pack 3

Internet Explorer 8.0.6001.18702


Windows Firewall: Enabled

Antivirus: AntiVir Desktop 9.0.1.32 [(!) Disabled | Updated]

RAM -> 1013 Mb 

C:\ (%systemdrive%) -> Fixed drive # 134 Gb (95 Mb free - 71%) [ACER] # NTFS

D:\ -> Fixed drive # 4 Gb (3 Mb free - 66%) [] # FAT32


################## | Files # Infected Folders |


Deleted ! C:\Recycler\S-1-5-21-439199626-1318987518-222395546-1006


################## | Registry |



################## | Mountpoints2 |



################## | Listing |


[22/06/2011 - 23:52:32 | D] C:\40568603fa275c134d

[21/06/2011 - 18:08:50 | D] C:\6d225614f1584dec40bf19a0d319

[31/12/2010 - 07:30:20 | D] C:\ACER

[15/08/2010 - 23:49:38 | N | 0] C:\AUTOEXEC.BAT

[16/08/2010 - 02:11:38 | D] C:\Book

[14/09/2011 - 20:51:19 | N | 211] C:\boot.ini

[15/04/2008 - 14:00:00 | N | 4952] C:\Bootfont.bin

[14/09/2011 - 22:41:17 | D] C:\Config.Msi

[15/08/2010 - 23:49:38 | N | 0] C:\CONFIG.SYS

[02/01/2011 - 13:16:37 | D] C:\DirectX_Eradicator

[30/12/2010 - 22:56:37 | D] C:\Documents and Settings

[17/08/2011 - 21:33:44 | D] C:\i386

[16/08/2010 - 01:12:45 | D] C:\Intel

[15/08/2010 - 23:49:38 | N | 0] C:\IO.SYS

[15/08/2010 - 23:49:38 | N | 0] C:\MSDOS.SYS

[16/08/2010 - 01:27:11 | RHD] C:\MSOCache

[15/04/2008 - 14:00:00 | N | 47564] C:\NTDETECT.COM

[15/04/2008 - 14:00:00 | N | 251152] C:\ntldr

[31/12/2010 - 07:30:19 | D] C:\OEM

[15/09/2011 - 13:51:35 | ASH | 1598029824] C:\pagefile.sys

[14/09/2011 - 22:41:16 | D] C:\Program Files

[15/09/2011 - 17:12:55 | SHD] C:\RECYCLER

[16/08/2010 - 01:22:49 | N | 2211] C:\RHDSetup.log

[30/12/2010 - 22:56:16 | SHD] C:\System Volume Information

[15/09/2011 - 17:12:55 | D] C:\UsbFix

[15/09/2011 - 17:12:56 | A | 914] C:\UsbFix.txt

[02/01/2011 - 14:17:00 | D] C:\VALUEADD

[14/09/2011 - 22:41:04 | D] C:\WINDOWS

[13/08/2010 - 10:33:06 | N | 234881707] D:\var.img

[13/08/2010 - 10:32:58 | N | 153093047] D:\q2l.img

[26/03/2010 - 09:14:46 | N | 1048576000] D:\firefox.img

[30/12/2010 - 21:57:36 | SHD] D:\System Volume Information

[31/12/2010 - 06:26:52 | D] D:\android

[01/01/2011 - 16:55:52 | SHD] D:\Recycled


################## | Vaccin |


C:\Autorun.inf -> Vaccine created by UsbFix (TeamXscript)

D:\Autorun.inf -> Vaccine created by UsbFix (TeamXscript)


################## | Upload |


Please send the file: C:\UsbFix_Upload_Me_MONIKA.zip

http://www.teamxscript.org/Upload.php

Thank you for your contribution.


################## | E.O.F |

Zaraz wkleje otl jeżeli pójdzie

Leon1 · 15 Wrzesień 2011 15:25

log wklej na http://www.wklej.org/

według zasad zasady-wklejania-logow-forum-tytulowania-tematow-t253052.html

tomi798 · 15 Wrzesień 2011 15:28

otl

http://wklej.org/id/594423/

extras

http://wklej.org/id/594424/

Leon1 · 15 Wrzesień 2011 15:42

OTL w oknie Custom Scans-Fixes (własne opcje skanowania/skrypt)wklej następujący skrypt:

:OTL FF - prefs.js…browser.search.defaultengine: “Ask.com” FF - prefs.js…browser.search.defaultenginename: “Ask.com” FF - prefs.js…browser.search.order.1: “Ask.com” FF - prefs.js…extensions.enabledItems: toolbar@ask.com:3.11.0.15286 FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\{6E19037A-12E3-4295-8915-ED48BC341614}: C:\Program Files\RelevantKnowledge [2011-09-14 19:35:31 | 000,000,000 | —D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\{3C5F0F00-683D-4847-89C8-E7AF64FD1CFB}: C:\Program Files\RelevantKnowledge [2011-09-14 19:35:31 | 000,000,000 | —D | M] FF - prefs.js…extensions.enabledItems: {6E19037A-12E3-4295-8915-ED48BC341614}:1.3.329.2 [2011-06-01 19:13:45 | 000,002,574 | ---- | M] () – C:\Documents and Settings\MONIA\Dane aplikacji\Mozilla\Firefox\Profiles\2yfwhlei.default\searchplugins\askcom.xml O3: - HKU\S-1-5-21-439199626-1318987518-222395546-1006…\Toolbar\WebBrowser - No CLSID value found. O3 - HKU\S-1-5-21-439199626-1318987518-222395546-1006…\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. O3: - HKU\S-1-5-21-439199626-1318987518-222395546-1006…\Toolbar\WebBrowser - No CLSID value found. O3 - HKU\S-1-5-21-439199626-1318987518-222395546-1006…\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found. O4 - HKLM…\Run: [s6000Mnt] Rundll32.exe S6000Rmv.dll ,WinMainRmv /StartStillMnt File not found O4 - HKLM…\Run: [WinDefender] C:\WINDOWS\Wincft.exe () O4 - HKLM…\RunOnce: [] File not found O8 - Extra context menu item: Funkcja Google Sidewiki - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found O20 - Winlogon\Notify\RelevantKnowledge: DllName - (C:\Program Files\RelevantKnowledge\rlls.dll) - File not found [2011-09-14 18:41:37 | 000,000,000 | —D | C] – C:\Documents and Settings\All Users\Menu Start\Programy\RelevantKnowledge [2011-09-14 22:17:19 | 000,577,536 | ---- | M] () – C:\WINDOWS\Wincft.exe @Alternate Data Stream - 231 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:6BE50C2B @Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:5D7E5A8F @Alternate Data Stream - 149 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:CDFF58FE @Alternate Data Stream - 149 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:93EB7685 @Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:4D066AD2 @Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:E36F5B57 @Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:1A60DE96 @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:E1F04E8D @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:0B9176C0 @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:E3C56885 @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:798A3728 :Reg [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] “c:\program files\relevantknowledge\rlvknlg.exe”=- :Commands [CLEARALLRESTOREPOINTS] [emptytemp]