Złapałem wirusa Rootkit

abdulek · 12 Kwiecień 2008 13:14

Witam.Dziś rano wyskoczył mi komunikat-“Znaleziono oprogramowanie typu rootkit” i dalej:W systemie wykryto podejrzany, ukryty obiekt(rootkit).Może to oznaczac zarażenie szkodliwym oprogramowaniem.Zaleca się natychmiastowe usunięcie obiektu.

Plik:C:\WINDOWS\system32\HPZipm12.exe

Typ:Rootkit:ukryty proces

Poniżej mam do wyboru dwie opcje:usuń teraz,lub zignoruj.

Mój antywirus to Avast.Proszę o pomoc.Dodam że jestem amatorem i nie znam zagadnień związanych z komputerem.Z góry dziękuję.

Chillout · 12 Kwiecień 2008 13:18

wrzuć logi

abdulek · 12 Kwiecień 2008 13:27

Jak to zrobic?

system · 12 Kwiecień 2008 13:46

Tutaj masz opisane:

viewtopic.php?f=16&t=36654 - na początek daj logi z HijackThis. Zastosuj się również do zasady wklejania logów:

viewtopic.php?f=16&t=213350

To proces (a raczej sterownik) urządzenia HP. Też taki mam w procesach. Antywirus nie krzyczy ani oprogramowanie antyszpiegowskie. Avast często wszczyna fałszywe alarmy.

abdulek · 12 Kwiecień 2008 14:01

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:56:46, on 2008-04-12

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

D:\Instalki\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\SiteAdvisor\6253\SAService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Creative\Shared Files\CamTray.exe

D:\Instalki\NetMeter\NetMeter.exe

D:\Instalki\Nokia PC Suite 6\PCSuite.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Kalendarz XP\Kalendarz.exe

D:\Instalki\VolumeWatcher\SPUVolumeWatcher.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 DataModem HSDPA.exe

C:\Program Files\Internet Explorer\iexplore.exe

c:\program files\winamp toolbar\WinampTbServer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

D:\Instalki\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM…\Run: [skyTel] SkyTel.EXE

O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM…\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot

O4 - HKLM…\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”

O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM…\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU…\Run: [Creative WebCam Tray] “C:\Program Files\Creative\Shared Files\CamTray.exe”

O4 - HKCU…\Run: [D] D:\Instalki\NetMeter\NetMeter.exe

O4 - HKCU…\Run: [PC Suite Tray] “D:\Instalki\Nokia PC Suite 6\PCSuite.exe” -onlytray

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)

O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = D:\Instalki\VolumeWatcher\SPUVolumeWatcher.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe

O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ … /CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip…{BF485DD2-1CC5-4653-8883-222AC98B3CF7}: NameServer = 172.31.140.69 172.30.140.69

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Instalki\aawservice.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Instalki\Ares\chatServer.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Usługa SiteAdvisor (SiteAdvisor Service) - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

–

End of file - 8146 bytes

to są moje logi.Co teraz powinienem zrobic?

system · 12 Kwiecień 2008 14:03

Fix

abdulek · 12 Kwiecień 2008 14:08

O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE zaznaczam to i klikam na fix checked.Czy tak mam zrobic?

system · 12 Kwiecień 2008 14:33

Tak

Leon1 · 12 Kwiecień 2008 14:43

wpis

usuń HijackThisem >> Fix checked

Pobierz Combofix http://www.searchengines.pl/index.php?s … ntry395642 przeskanuj daj log

abdulek · 12 Kwiecień 2008 14:45

Zrobiłem tak jak napisałeś.Czyli już teraz jest wszystko w porządku?A co teraz zrobic z ostrzeżeniem od avasta?Poprostu zamknąc?

abdulek · 12 Kwiecień 2008 15:15

ComboFix 08-04-11.8 - Łukasz 2008-04-12 15:56:04.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.1436 [GMT 1:00]

Running from: D:\Instalki\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

.

((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))

.

2008-04-09 13:00 . 2008-04-09 13:00 98,927 --a------ C:\WINDOWS\hpqins16.dat

2008-04-03 01:10 . 2008-03-29 18:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys

2008-04-03 01:10 . 2008-03-29 18:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys

2008-03-24 21:56 . 2008-03-24 21:56

2008-03-13 15:35 . 2008-03-13 15:35

2008-03-13 15:19 . 2008-03-13 15:19

2008-03-13 14:17 . 2008-03-13 14:17

2008-03-13 14:16 . 2008-03-13 14:16

2008-03-13 14:16 . 2008-03-13 14:17

2008-03-13 14:16 . 2008-03-13 14:16

2008-03-13 14:05 . 2008-03-13 14:22

2008-03-13 14:05 . 2008-01-08 21:00 799,424 -ra------ C:\WINDOWS\system32\tmp30A.tmp

2008-03-13 14:05 . 2008-01-08 21:00 799,424 -ra------ C:\WINDOWS\system32\tmp309.tmp

2008-03-13 13:57 . 2008-03-13 13:57

2008-03-13 13:47 . 2007-03-12 17:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll

2008-03-13 13:46 . 2008-03-13 13:46

2008-03-13 13:46 . 2005-05-26 16:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll

2008-03-13 02:34 . 2008-03-13 02:34

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-12 14:53 --------- d-----w C:\Documents and Settings\Łukasz\Dane aplikacji\Skype

2008-04-12 11:03 --------- d-----w C:\Program Files\Kalendarz XP

2008-04-12 10:54 --------- d-----w C:\Documents and Settings\Łukasz\Dane aplikacji\skypePM

2008-04-12 01:51 3,145,728 ----a-w C:\Documents and Settings\Łukasz\ntuser.dat

2008-04-10 11:38 --------- d-----w C:\Documents and Settings\Łukasz\Dane aplikacji\SiteAdvisor

2008-03-29 17:45 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe

2008-03-29 17:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2008-03-29 17:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2008-03-29 17:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2008-03-29 17:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2008-03-29 17:23 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr

2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-18 10:28 --------- d-----w C:\Program Files\Java

2008-03-13 14:35 --------- d-----w C:\Documents and Settings\Łukasz\Dane aplikacji\Command Conquer 3 Tiberium Wars

2008-03-13 13:17 --------- d–h--r C:\Documents and Settings\Łukasz\Dane aplikacji\SecuROM

2008-03-13 13:05 418,480 ----a-w C:\WINDOWS\system32\wrap_oal.dll

2008-03-13 13:05 115,432 ----a-w C:\WINDOWS\system32\OpenAL32.dll

2008-03-13 12:55 --------- d–h--w C:\Program Files\InstallShield Installation Information

2008-03-13 01:34 --------- d-----w C:\Documents and Settings\Łukasz\Dane aplikacji\InterTrust

2008-03-09 18:40 --------- d-----w C:\Program Files\THQ

2008-03-02 19:12 --------- d-----w C:\Program Files\Blitzkrieg 2

2008-03-02 15:38 --------- d-----w C:\Program Files\SkanerOnline

2008-02-26 13:18 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2008-02-25 17:15 --------- d-----w C:\Documents and Settings\Łukasz\Dane aplikacji\Image Zone Express

2008-02-23 01:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-17 16:17 --------- d-----w C:\Program Files\Lavalys

2008-02-16 09:05 662,016 ----a-w C:\WINDOWS\system32\wininet.dll

2007-12-31 18:28 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]

2007-12-13 17:49 1185120 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

“{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}”= “C:\Program Files\Winamp Toolbar\winamptb.dll” [2007-12-13 17:49 1185120]

[HKEY_CLASSES_ROOT\clsid{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]

[HKEY_CLASSES_ROOT\TypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

“{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}”= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-12-13 17:49 1185120]

[HKEY_CLASSES_ROOT\clsid{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]

[HKEY_CLASSES_ROOT\TypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2006-03-02 13:00 15360]

“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-12-12 15:20 21686568]

“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2008-04-06 15:37 68856]

“Creative WebCam Tray”=“C:\Program Files\Creative\Shared Files\CamTray.exe” [2005-10-27 11:00 299008]

“D:\Instalki\NetMeter\NetMeter.exe”=“D:\Instalki\NetMeter\NetMeter.exe” [2007-08-11 15:50 331264]

“PC Suite Tray”=“D:\Instalki\Nokia PC Suite 6\PCSuite.exe” [2007-12-10 10:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“RTHDCPL”=“RTHDCPL.EXE” [2006-08-14 07:00 16050176 C:\WINDOWS\RTHDCPL.exe]

“SkyTel”=“SkyTel.EXE” [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]

“JMB36X Configure”=“C:\WINDOWS\system32\JMRaidTool.exe” [2006-04-06 14:00 385024]

“StartCCC”=“C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” [2006-11-10 12:35 90112]

“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2008-03-29 18:37 79224]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe” [2008-02-22 05:25 144784]

“HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2006-02-19 02:41 49152]

“SiteAdvisor”=“C:\Program Files\SiteAdvisor\6253\SiteAdv.exe” [2007-12-04 22:03 36640]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2006-03-02 13:00 15360]

“Nokia.PCSync”=“D:\Instalki\Nokia PC Suite 6\PcSync2.exe” [2007-11-07 17:35 1294336]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]

Kalendarz XP.lnk - C:\Program Files\Kalendarz XP\Kalendarz.exe [2007-12-28 23:20:21 882176]

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe”=

“C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe”=

“C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe”=

“C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe”=

“C:\Program Files\HP\Digital Imaging\bin\hposid01.exe”=

“C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe”=

“C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe”=

“C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe”=

“C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe”=

“C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe”=

“C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe”=

“C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe”=

“C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe”=

“C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe”=

“C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 DataModem HSDPA.exe”=

“C:\Program Files\Gadu-Gadu\gg.exe”=

“D:\Instalki\Ares\Ares.exe”=

“C:\Program Files\Creative\eMule\emule.exe”=

“D:\gry\Splinter Cell Pandora Tomorrow\pandora.exe”=

“C:\Program Files\Eidos\Conflict Denied Ops\ConflictDeniedOps.exe”=

“C:\Program Files\Skype\Phone\Skype.exe”=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 18:31]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]

R3 V0260VID;Live! Cam Vista IM;C:\WINDOWS\system32\DRIVERS\V0260Vid.sys [2006-11-03 23:45]

S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt [2005-08-18 00:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{031a254a-b586-11dc-8718-00155860d008}]

\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{031a254b-b586-11dc-8718-00155860d008}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe

\Shell\Open(0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{7b3cfa62-b592-11dc-8719-00155860d007}]

\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{c8517f66-b594-11dc-871a-b6d71aca7e00}]

\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{c8517f68-b594-11dc-871a-b6d71aca7e00}]

\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{db2f231f-b589-11dc-9a05-806d6172696f}]

\Shell\AutoRun\command - F:\Launch.exe

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-12 15:57:28

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“D:\Instalki\NetMeter\NetMeter.exe”=“D:\Instalki\NetMeter\NetMeter.exe”

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EverestDriver]

“ImagePath”="??\C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe

C:\Program Files\SiteAdvisor\6253\saHook.dll

.

Completion time: 2008-04-12 15:57:44

ComboFix-quarantined-files.txt 2008-04-12 14:57:39

Pre-Run: 72,332,132,352 bajtów wolnych

Post-Run: 72,330,649,600 bajtów wolnych

.

2008-04-12 01:51:05 — E O F —

Pobrałem Combofix i przeskanowałem.Czy to o te logi chodziło?Jeszcze nic nie robiłem z wpisemO8 - Extra context menu item: Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

Co powinienem teraz zrobic?

Leon1 · 12 Kwiecień 2008 15:27

Wyłącz przywracanie systemu na wszystkich dyskach.http://support.microsoft.com/kb/310405/pl

Wylecz pendriva lub kartę pamięci http://www.softpedia.com/get/Security/S … Tool.shtml lub format

Otwórz notatnik i wklej

zapisz jako CFScript.txt (zapisz by ikonka CFScript.txt była obok ikonki ComboFix.exe) >> Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe

http://img.wklej.org/images/88953CFScri … iemoes.gif

Powinno rozpocząć się usuwanie

Potem log z usuwania Combofix

zrób optymalizacje uruchamiania http://cybertrash.netarteria.pl/cyber/index.php/topic,378.0.html

usuń ręcznie folder C: \Qoobox usuń instalkę Combofix z dysku.

przeskanuj tym http://www.kaspersky.pl/virusscanner.html pokaż raport

włącz przywracanie systemu