
Log z ComboFix'a
ComboFix 08-09-05.05 - Bogumił 2008-09-07 22:02:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.297 [GMT 2:00]
Running from: C:\Documents and Settings\Bogumił\Pulpit\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\DOCUME~1\BOGUMI~1\USTAWI~1\Temp\tru1.tmp
C:\f.bat
C:\kk3.bat
C:\ov.cmd
C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\History\search
C:\r1y1.bat
C:\rqq2v.bat
C:\rs.cmd
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\ckvo1.dll
C:\yssjnngm.cmd
D:\2.cmd
D:\Autorun.inf
D:\c9hehpa.bat
D:\f.bat
D:\kk3.bat
D:\ov.cmd
D:\r1y1.bat
D:\rqq2v.bat
D:\rs.cmd
D:\yssjnngm.cmd
C:\Documents and Settings\Bogumił\Cookies\bogumił@nuggad[1].txt . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.
2008-09-07 22:13 . 2008-09-07 22:13 4,614 --a------ C:\Documents and Settings\Bogumicatchme.zip
2008-09-07 18:38 . 2008-09-07 18:41 <DIR> d-------- C:\Program Files\BearShare
2008-09-07 18:38 . 2008-09-07 18:38 <DIR> d-------- C:\My Downloads
2008-09-07 18:21 . 2008-09-07 18:21 <DIR> d-------- C:\Program Files\PrevxCSI
2008-09-07 18:21 . 2008-09-07 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\PrevxCSI
2008-09-07 18:21 . 2008-09-07 18:21 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-09-07 17:54 . 2008-09-07 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Grisoft
2008-09-07 17:54 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-09-03 22:46 . 2008-09-03 22:46 92,213 -r-hs---- C:\ktnquo.exe
2008-09-02 22:40 . 2008-09-02 22:40 675,840 --a------ C:\WINDOWS\system32\ac3filter.ax
2008-09-02 22:40 . 2008-09-02 22:40 301,568 --a------ C:\WINDOWS\system32\l3codecp.acm
2008-09-02 22:38 . 2008-09-02 22:38 755,027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-09-02 22:38 . 2008-09-02 22:38 344,394 --a------ C:\WINDOWS\system32\xvid.ax
2008-09-02 22:38 . 2008-09-02 22:38 159,839 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-09-02 22:30 . 2008-09-02 22:30 <DIR> d-------- C:\Program Files\MarBit
2008-09-02 22:28 . 2008-09-02 22:29 <DIR> d-------- C:\WINDOWS\system32\quicktime
2008-09-02 22:28 . 2008-09-02 22:28 <DIR> d-------- C:\Program Files\DivX
2008-08-29 06:41 . 2008-08-29 06:41 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ashampoo
2008-08-26 22:14 . 2008-08-29 23:05 89,828 -r-hs---- C:\ph.com
2008-08-23 00:16 . 2008-08-23 00:14 91,127 -r-hs---- C:\n.com
2008-08-16 04:27 . 2008-08-16 04:27 484 --a------ C:\WINDOWS\eReg.dat
2008-08-16 01:36 . 2008-08-16 01:36 91,179 -r-hs---- C:\t1ypkh.exe
2008-08-16 01:19 . 2008-08-04 07:41 88,762 -rahs---- C:\knupkb.com
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 20:39 921,600 ----a-w C:\WINDOWS\system32\vorbisenc.dll
2008-09-02 20:39 9,216 ----a-w C:\WINDOWS\system32\cpuinf32.dll
2008-09-02 20:39 892,928 ----a-w C:\WINDOWS\system32\iconv.dll
2008-09-02 20:39 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-09-02 20:39 45,056 ----a-w C:\WINDOWS\system32\ogg.dll
2008-09-02 20:39 245,760 ----a-w C:\WINDOWS\system32\mplvpx.dll
2008-09-02 20:39 237,568 ----a-w C:\WINDOWS\system32\OggDS.dll
2008-09-02 20:39 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll
2008-09-02 20:39 1,415,680 ----a-w C:\WINDOWS\system32\WMV9VCM.dll
2008-09-02 20:37 --------- d-----w C:\Program Files\Real Alternative
2008-08-30 22:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-30 21:37 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-29 07:01 --------- d-----w C:\Program Files\Azureus
2008-08-16 02:29 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-07-23 23:14 --------- d-----w C:\Program Files\Sjboy Emulator
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-15 4112384]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2003-10-02 81920]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-03-23 888832]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-07-15 81920]
"nwiz"="nwiz.exe" [2004-07-15 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 01:44 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-07-15 11:42 81920 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"D:\\Programy\\Microsoft Office\\OFFICE12\\OUTLOOK.EXE"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
R0 pnpshark;pnpshark;C:\WINDOWS\system32\DRIVERS\pnpshark.sys [2003-10-02 119552]
R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-09-07 17408]
R0 st3shark;st3shark;C:\WINDOWS\system32\DRIVERS\st3shark.sys [2003-09-27 5504]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-09-07 618040]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15ec0bb3-4477-11dd-b3d6-c656198b8e29}]
\Shell\AutoRun\command - I:\knupkb.com
\Shell\explore\Command - I:\knupkb.com
\Shell\open\Command - I:\knupkb.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f5f10d0-5b21-11dd-b435-b3f24ebaa83e}]
\Shell\AutoRun\command - H:\ivcvknr.bat
\Shell\explore\Command - H:\ivcvknr.bat
\Shell\open\Command - H:\ivcvknr.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ce2b800-44b8-11dd-b3d8-000e50f28ad1}]
\Shell\AutoRun\command - I:\ktnquo.exe
\Shell\explore\Command - I:\ktnquo.exe
\Shell\open\Command - I:\ktnquo.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97e45f00-6c35-11dd-b463-000e50f28ad1}]
\Shell\AutoRun\command - I:\[u]0[/u].com
\Shell\explore\Command - I:\[u]0[/u].com
\Shell\open\Command - I:\[u]0[/u].com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b61d8a10-44b1-11dd-b3d7-a3ab7303a32e}]
\Shell\AutoRun\command - I:\83l3v.cmd
\Shell\explore\Command - I:\83l3v.cmd
\Shell\open\Command - I:\83l3v.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d22dc420-6aae-11dd-b458-000e50f28ad1}]
\Shell\AutoRun\command - I:\ph.com
\Shell\explore\Command - I:\ph.com
\Shell\open\Command - I:\ph.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e488b2b0-57cc-11dd-b423-df1e4702fb9d}]
\Shell\AutoRun\command - H:\oq.cmd
\Shell\explore\Command - H:\oq.cmd
\Shell\open\Command - H:\oq.cmd
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-amva - C:\WINDOWS\system32\amvo.exe
MSConfigStartUp-kamsoft - C:\WINDOWS\system32\ckvo.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.pl/ig?hl=pl
O8 -: E&ksportuj do programu Microsoft Excel - D:\Programy\MICROS~1\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 22:14:28
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-09-07 22:20:39 - machine was rebooted [Bogumi]
ComboFix-quarantined-files.txt 2008-09-07 20:20:12
Pre-Run: 687,706,112 bajtów wolnych
Post-Run: 731,467,776 bajtów wolnych
179
Log z HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:41:15, on 2008-09-07
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ig?hl=pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://D:\Programy\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Programy\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9F3F69C-2A9B-4ABD-9F9A-FD8F05E37ED7}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
--
End of file - 4438 bytes
z góry dzięki