Virus: Suspicious object found


(Pawel Ciszmowski) #1

Please, can someone help me? I have a new computer and a new virus.

C:\WINDOWS\SYSTEM32\VBSDFE0.DLL


(Dom@) #2

Post your ComboFix logs: viewtopic.php?f=16&t=36654


(JesperKyd) #3

Install an antivirus, or use one of the online scanners.


(Pawel Ciszmowski) #4

ComboFix 08-12-20.05 - Ciszmek 2008-12-22 19:45:21.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.2046.1538 [GMT 1:00]

Uruchomiony z: c:\documents and settings\Ciszmek\Pulpit\ComboFix.exe

* Utworzono nowy punkt przywracania

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA!!

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

c:\windows\system32\gasretyw0.dll

.

((((((((((((((((((((((((( Pliki utworzone od 2008-11-22 do 2008-12-22 )))))))))))))))))))))))))))))))

.

2008-12-22 15:20 . 2008-12-22 19:25 85,504 -r-hs---- c:\windows\system32\vbsdfe0.dll

2008-12-22 14:53 . 2008-12-22 14:53

2008-12-22 14:03 . 2008-12-22 14:04

2008-12-22 14:03 . 2008-12-22 14:03

2008-12-22 12:34 . 2008-12-22 12:34 85,504 -r-hs---- c:\windows\system32\vbsdfe1.dll

2008-12-22 12:02 . 2001-10-26 20:28 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll

2008-12-22 12:01 . 2004-08-03 23:44 221,184 --a------ c:\windows\system32\wmpns.dll

2008-12-22 12:01 . 2008-12-22 12:01 749 -rah----- c:\windows\WindowsShell.Manifest

2008-12-22 12:01 . 2008-12-22 12:01 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest

2008-12-22 12:01 . 2008-12-22 12:01 749 -rah----- c:\windows\system32\sapi.cpl.manifest

2008-12-22 12:01 . 2008-12-22 12:01 749 -rah----- c:\windows\system32\nwc.cpl.manifest

2008-12-22 12:01 . 2008-12-22 12:01 749 -rah----- c:\windows\system32\ncpa.cpl.manifest

2008-12-22 12:01 . 2008-12-22 12:01 488 -rah----- c:\windows\system32\logonui.exe.manifest

2008-12-22 11:48 . 2008-11-13 16:20 203,540 --a------ c:\windows\system32\nvapps.nvb

2008-12-22 11:24 . 2008-12-22 11:24 84 --a------ c:\windows\system32\ikhcore.cfg

2008-12-21 23:51 . 2008-12-22 11:25

2008-12-21 23:34 . 2008-12-21 23:34 98,304 --a------ c:\windows\system32\CmdLineExt.dll

2008-12-21 23:09 . 2008-12-21 23:09 0 --a------ c:\windows\nsreg.dat

2008-12-21 22:29 . 2008-12-21 22:29

2008-12-21 22:29 . 2008-12-21 22:29 717,296 --a------ c:\windows\system32\drivers\sptd.sys

2008-12-21 22:27 . 2008-12-21 22:27

2008-12-21 22:27 . 2008-12-21 22:27

2008-12-21 22:25 . 2008-12-21 22:33

2008-12-21 22:25 . 2008-12-22 12:34 118,267 -r-hs---- c:\windows\system32\vamsoft.exe

2008-12-21 22:25 . 2008-12-09 05:44 107,045 -r-hs---- C:\m9ma.exe

2008-12-21 22:23 . 2008-12-22 16:00

2008-12-21 22:15 . 2008-12-21 22:16

2008-12-21 22:14 . 2008-12-21 22:14

2008-12-21 22:14 . 2008-12-21 22:14

2008-12-21 22:01 . 2008-12-21 22:01

2008-12-21 22:01 . 2008-12-21 22:01

2008-12-21 22:01 . 2004-07-20 17:24 1,568,768 --a------ c:\windows\system32\ImagX7.dll

2008-12-21 22:01 . 2004-07-20 17:24 476,320 --a------ c:\windows\system32\ImagXpr7.dll

2008-12-21 22:01 . 2004-07-20 17:24 471,040 --a------ c:\windows\system32\ImagXRA7.dll

2008-12-21 22:01 . 2004-07-09 09:43 364,544 --a------ c:\windows\system32\TwnLib4.dll

2008-12-21 22:01 . 2004-07-20 17:24 262,144 --a------ c:\windows\system32\ImagXR7.dll

2008-12-21 22:01 . 2001-07-09 11:50 155,648 --a------ c:\windows\system32\NeroCheck.exe

2008-12-21 22:01 . 2000-06-26 11:45 106,496 --a------ c:\windows\system32\TwnLib20.dll

2008-12-21 22:01 . 2001-06-26 08:15 38,912 --a------ c:\windows\system32\picn20.dll

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-22 18:45 --------- d-----w c:\program files\Neostrada TP

2008-12-22 18:25 16,608 ----a-w c:\windows\gdrv.sys

2008-12-21 22:40 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2008-12-21 22:15 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-21 21:03 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab

2008-12-21 20:56 --------- d-----w c:\program files\AGEIA Technologies

2008-12-21 20:55 --------- d-----w c:\program files\Canon

2008-12-21 20:17 --------- d-----w c:\program files\Thomson

2008-12-21 20:16 --------- d-----w c:\program files\Java

2008-12-21 20:16 --------- d-----w c:\program files\Common Files\InstallShield

2008-12-21 20:12 --------- d-----w c:\program files\Kaspersky Lab

2008-12-21 20:10 --------- d-----w c:\program files\Realtek

2008-12-21 20:10 --------- d-----w c:\documents and settings\Ciszmek\Dane aplikacji\InstallShield

2008-12-21 20:08 315,392 ----a-w c:\windows\HideWin.exe

2008-12-21 20:06 --------- d-----w c:\program files\Intel

2008-12-21 20:05 --------- d-----w c:\program files\GIGABYTE

2008-12-21 20:01 --------- d-----w c:\program files\microsoft frontpage

2008-12-21 20:00 --------- d-----w c:\program files\Usługi online

2008-11-12 12:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE

2008-10-13 08:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]

[HKEY_CLASSES_ROOT\clsid{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]

[HKEY_CLASSES_ROOT\TypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]

"vamsoft"="c:\windows\system32\vamsoft.exe" [2008-12-22 118267]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GEST"="m‘|\ü" [X]

"WooCnxMon"="c:\progra~1\NEOSTR~1\CnxMon.exe" [2003-10-16 24576]

"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]

"WOOWATCH"="c:\progra~1\NEOSTR~1\Watch.exe" [2003-10-16 20480]

"WOOTASKBARICON"="c:\progra~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 53248]

"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]

"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 c:\windows\RTHDCPL.exe]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"c:\WINDOWS\system32\usmt\migwiz.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-22 111184]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-22 20560]

R2 GEST Service;GEST Service for program management.;"c:\program files\GIGABYTE\EnergySaver\GSvr.exe" [2008-12-21 80392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{50c75f99-cfa4-11dd-af69-000e50afedc8}]

\Shell\AutoRun\command - E:\iky.bat

\Shell\explore\Command - E:\iky.bat

\Shell\open\Command - E:\iky.bat

*Newly Created Service* - PROCEXP90

.

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://www.neostrada.pl

IE: Winamp Search - c:\documents and settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

IE: { - c:\program files\Messenger\msmsgs.exe

IE: {c:\program files\Messenger\msmsgs.exe - -

FF - ProfilePath - c:\documents and settings\Ciszmek\Dane aplikacji\Mozilla\Firefox\Profiles\hu2x4a0h.default\

FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava11.dll

FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava12.dll

FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava13.dll

FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava32.dll

FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJPI140_03.dll

FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPOJI610.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-22 19:45:55

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

.

Czas ukończenia: 2008-12-22 19:46:14

ComboFix-quarantined-files.txt 2008-12-22 18:46:07

Przed: 238 782 963 712 bajtów wolnych

Po: 239,067,811,840 bajtów wolnych
