ComboFix 09-03-04.01 - Kasia27 2009-03-06 10:33:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.2047.1590 [GMT 1:00]
Uruchomiony z: h:\documents and settings\All Users\Pulpit\Downloads\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
* Utworzono nowy punkt przywracania
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
H:\abk.bat
H:\Autorun.inf
h:\documents and settings\All Users\Dane aplikacji\CrucialSoft Ltd
h:\documents and settings\Kasia27\Dane aplikacji\.#
h:\documents and settings\Kasia27\Dane aplikacji\Adobe\crc.dat
h:\documents and settings\Kasia27\Dane aplikacji\Adobe\Player.exe.bak
h:\windows\IE4 Error Log.txt
h:\windows\system32\kamsoft.exe
h:\windows\system32\msnav32.ax
h:\windows\system32\nmdfgds0.dll
h:\windows\system32\nmdfgds1.dll
h:\windows\system32\nmdfgds2.dll
h:\windows\system32\olhrwef.exe
h:\windows\system32\winpfz33.sys
h:\windows\system32\zxdnt3d.cfg
I:\abk.bat
I:\Autorun.inf
K:\abk.bat
K:\Autorun.inf
.
((((((((((((((((((((((((( Pliki utworzone od 2009-02-06 do 2009-03-06 )))))))))))))))))))))))))))))))
.
2009-03-06 08:53 . 2009-03-06 08:53 <DIR> d-------- h:\program files\Trend Micro
2009-03-04 10:41 . 2009-03-04 10:41 <DIR> d-------- h:\windows\Supermarket Mania
2009-03-04 10:41 . 2009-03-04 10:41 <DIR> d-------- h:\program files\Supermarket Mania
2009-03-03 11:42 . 2009-03-03 11:42 <DIR> d-------- h:\windows\Cooking Academy 2 World Cuisine
2009-03-03 11:42 . 2009-03-04 12:21 <DIR> d-------- h:\program files\Cooking Academy 2 World Cuisine
2009-03-03 11:16 . 2009-03-03 11:16 <DIR> d-------- h:\program files\Doggie Dash
2009-03-03 10:47 . 2009-02-27 19:59 107,008 -r-hs---- H:\gi2ky.exe
2009-03-02 14:04 . 2009-03-02 14:04 <DIR> d-------- h:\windows\Diner Dash
2009-03-02 13:02 . 2009-03-02 13:02 <DIR> d-------- h:\program files\Diner Dash Two
2009-03-02 12:47 . 2009-03-02 12:47 <DIR> d-------- h:\documents and settings\Kasia27\Dane aplikacji\skypePM
2009-03-02 12:47 . 2009-03-02 12:47 56 --ah----- h:\windows\system32\ezsidmv.dat
2009-03-02 12:46 . 2009-03-02 12:46 <DIR> dr------- h:\program files\Skype
2009-03-02 12:46 . 2009-03-02 12:46 <DIR> d-------- h:\program files\Common Files\Skype
2009-03-02 12:46 . 2009-03-02 12:46 <DIR> d-------- h:\documents and settings\All Users\Dane aplikacji\Skype
2009-03-01 19:50 . 2009-03-01 19:50 <DIR> d-------- h:\windows\Wedding Dash 2 - Rings Around the World
2009-03-01 13:26 . 2009-03-01 19:45 <DIR> d-------- h:\program files\Wedding Dash
2009-03-01 12:47 . 2009-03-01 13:01 <DIR> d-------- h:\program files\Forgotten Lands - First Colony
2009-03-01 11:45 . 2009-03-01 11:46 <DIR> d-------- h:\program files\Babysitting Mania
2009-03-01 11:06 . 2009-03-01 11:06 <DIR> d-------- h:\windows\Diner Dash Seasonal Snack Pack
2009-03-01 11:06 . 2009-03-01 12:46 <DIR> d-------- h:\program files\Diner Dash Seasonal Snack Pack
2009-03-01 10:38 . 2009-03-01 10:38 <DIR> d-------- h:\program files\Hometown Hero
2009-02-28 14:43 . 2009-02-28 14:43 <DIR> d-------- h:\program files\eMule
2009-02-28 13:18 . 2009-02-28 13:18 <DIR> d-------- h:\program files\Symantec
2009-02-28 13:18 . 2009-02-28 14:59 <DIR> d-------- h:\program files\Common Files\Symantec Shared
2009-02-28 13:18 . 2009-02-28 13:18 124,464 --a------ h:\windows\system32\drivers\SYMEVENT.SYS
2009-02-28 13:18 . 2009-02-28 13:18 60,808 --a------ h:\windows\system32\S32EVNT1.DLL
2009-02-28 13:18 . 2008-12-12 04:28 36,272 -ra------ h:\windows\system32\drivers\SymIM.sys
2009-02-28 13:18 . 2009-02-28 13:18 10,635 --a------ h:\windows\system32\drivers\SYMEVENT.CAT
2009-02-28 13:18 . 2009-02-28 13:18 806 --a------ h:\windows\system32\drivers\SYMEVENT.INF
2009-02-28 13:17 . 2009-02-28 22:39 <DIR> d-------- h:\windows\system32\drivers\NIS
2009-02-28 13:17 . 2009-02-28 13:17 <DIR> d-------- h:\program files\Windows Sidebar
2009-02-28 13:17 . 2009-02-28 13:17 <DIR> d-------- h:\program files\NortonInstaller
2009-02-28 13:17 . 2009-02-28 13:17 <DIR> d-------- h:\program files\Norton Internet Security
2009-02-28 12:13 . 2009-02-28 13:13 21 --a------ h:\windows\DFC.INI
2009-02-28 10:27 . 2009-02-28 10:27 <DIR> d-------- h:\documents and settings\All Users\Dane aplikacji\Symantec
2009-02-28 10:02 . 2009-02-28 10:02 <DIR> d-------- h:\documents and settings\All Users\Dane aplikacji\NortonInstaller
2009-02-28 10:02 . 2009-02-28 14:50 <DIR> d-------- h:\documents and settings\All Users\Dane aplikacji\Norton
2009-02-28 08:38 . 2009-02-28 08:38 <DIR> d-------- h:\documents and settings\LocalService\Pulpit
2009-02-28 08:33 . 2009-02-28 09:01 <DIR> d-------- h:\documents and settings\All Users\Dane aplikacji\Lavasoft
2009-02-28 08:33 . 2009-02-28 09:01 <DIR> d--h-c--- h:\documents and settings\All Users\Dane aplikacji\~0
2009-02-27 20:41 . 2009-02-27 20:41 <DIR> d-------- h:\program files\MSSOAP
2009-02-27 20:41 . 2009-02-27 20:41 775,168 --a------ h:\windows\isRS-000.tmp
2009-02-27 20:40 . 2009-02-14 12:08 1,553,784 --a------ h:\windows\WRSetup.dll
2009-02-27 17:04 . 2009-02-28 08:40 <DIR> d-------- h:\windows\Cooking Dash
2009-02-26 09:19 . 2009-02-26 09:18 103,663 -r-hs---- H:\wx8o0bt1.com
2009-02-24 12:22 . 2009-02-24 12:36 <DIR> d-------- h:\program files\uTorrent
2009-02-16 20:33 . 2009-02-16 20:33 <DIR> d-------- h:\documents and settings\Kasia27\Dane aplikacji\DAEMON Tools Pro
2009-02-16 20:33 . 2009-02-16 20:33 <DIR> d-------- h:\documents and settings\All Users\Dane aplikacji\DAEMON Tools Lite
2009-02-16 20:32 . 2009-02-22 14:16 <DIR> d-------- h:\program files\DAEMON Tools Lite
2009-02-16 20:32 . 2009-02-16 20:33 <DIR> d-------- h:\documents and settings\Kasia27\Dane aplikacji\DAEMON Tools Lite
2009-02-13 15:38 . 2009-02-13 15:38 <DIR> d-------- h:\documents and settings\All Users\Dane aplikacji\HoverBee Studios
2009-02-10 19:46 . 2009-02-28 10:06 90,112 --a------ h:\windows\unvise32.exe
2009-02-09 13:19 . 2009-02-09 13:25 <DIR> d-------- h:\documents and settings\All Users\Dane aplikacji\Mandragora
2009-02-06 20:08 . 2009-02-06 20:16 <DIR> d-------- h:\documents and settings\All Users\Dane aplikacji\FarmFrenzy-PizzaParty
2009-02-06 19:38 . 2009-02-06 19:38 <DIR> d-------- h:\documents and settings\Kasia27\Dane aplikacji\HSA
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 07:35 --------- d-----w h:\documents and settings\Kasia27\Dane aplikacji\uTorrent
2009-03-06 07:33 --------- d--h--w h:\program files\InstallShield Installation Information
2009-03-06 06:58 --------- d-----w h:\program files\Winamp
2009-03-03 16:37 --------- d---a-w h:\documents and settings\All Users\Dane aplikacji\TEMP
2009-03-03 15:08 --------- d-----w h:\documents and settings\Kasia27\Dane aplikacji\Skype
2009-03-01 11:08 --------- d-----w h:\documents and settings\All Users\Dane aplikacji\BigFishGamesCache
2009-02-28 09:06 9,715,200 ------r h:\windows\RTLCPL.exe
2009-02-28 09:06 86,016 ----a-w h:\windows\unvise32qt.exe
2009-02-28 09:06 86,016 ------r h:\windows\SoundMan.exe
2009-02-28 09:06 720,896 ----a-w h:\windows\iun6002ev.exe
2009-02-28 09:06 69,632 ------r h:\windows\Alcmtr.exe
2009-02-28 09:06 315,392 ----a-w h:\windows\HideWin.exe
2009-02-28 09:06 306,688 ----a-w h:\windows\IsUninst.exe
2009-02-28 09:06 299,008 ----a-w h:\windows\uninst.exe
2009-02-28 09:06 2,808,832 ------r h:\windows\alcwzrd.exe
2009-02-28 09:06 2,165,760 ------r h:\windows\MicCal.exe
2009-02-28 09:06 1,826,816 ------r h:\windows\SkyTel.exe
2009-02-28 09:06 1,191,936 ------r h:\windows\RtlUpd.exe
2009-02-24 12:01 --------- d-----w h:\program files\PowerISO
2009-02-16 19:33 --------- d-----w h:\documents and settings\Kasia27\Dane aplikacji\DAEMON Tools
2009-02-06 17:08 --------- d-----w h:\documents and settings\All Users\Dane aplikacji\PlayFirst
2009-02-06 14:07 --------- d-----w h:\documents and settings\All Users\Dane aplikacji\AlawarWrapper
2009-01-31 17:27 --------- d-----w h:\documents and settings\Kasia27\Dane aplikacji\Island
2009-01-31 09:34 --------- d-----w h:\documents and settings\Kasia27\Dane aplikacji\ViquaSoft
2009-01-30 12:39 --------- d--h--w h:\program files\Zero G Registry
2009-01-27 16:38 --------- d-----w h:\documents and settings\All Users\Dane aplikacji\blg
2009-01-26 21:52 --------- d-----w h:\documents and settings\All Users\Dane aplikacji\ipla
2009-01-24 14:25 --------- d-----w h:\documents and settings\Kasia27\Dane aplikacji\Valusoft
2009-01-24 14:25 --------- d-----w h:\documents and settings\All Users\Dane aplikacji\Valusoft
2009-01-24 11:22 --------- d-----w h:\documents and settings\All Users\Dane aplikacji\Enkord
2009-01-24 07:24 --------- d-----w h:\documents and settings\All Users\Dane aplikacji\iWin
2009-01-24 06:57 --------- d-----w h:\documents and settings\All Users\Dane aplikacji\SugarGames
2009-01-21 14:40 --------- d-----w h:\documents and settings\All Users\Dane aplikacji\Fugazo
2009-01-21 14:19 --------- d-----w h:\program files\bfgclient
2009-01-15 10:27 --------- d-----w h:\program files\Ares
2009-01-11 14:49 --------- d-----w h:\program files\Common Files\DirectX
2009-01-10 07:47 --------- d-----w h:\documents and settings\All Users\Dane aplikacji\DivoGames
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2008-01-08 8523776]
"NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2008-01-08 81920]
"SecurDisc"="h:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"GrooveMonitor"="h:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"SunJavaUpdateSched"="h:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"ISUSPM Startup"="h:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2009-02-28 249856]
"Adobe Reader Speed Launcher"="h:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="h:\program files\QuickTime\qttask.exe" [2009-02-28 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
h:\documents and settings\Kasia27\Menu Start\Programy\Autostart\
Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk - h:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-05-15 14:55 1057328 h:\program files\Nero\Nero 7\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 h:\program files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2009-02-28 10:06 1626112 h:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"h:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"h:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"h:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"h:\\Documents and Settings\\Kasia27\\Moje dokumenty\\Gadu-Gadu\\gg.exe"=
"h:\\Program Files\\eMule\\emule.exe"=
"h:\\Program Files\\Ares\\Ares.exe"=
"h:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;h:\windows\system32\drivers\NIS\1002000.007\BHDrvx86.sys [2009-02-28 255536]
R1 ccHP;Symantec Hash Provider;h:\windows\system32\drivers\NIS\1002000.007\cchpx86.sys [2009-02-28 362544]
R1 IDSxpx86;IDSxpx86;h:\documents and settings\All Users\Dane aplikacji\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090303.001\IDSxpx86.sys [2009-03-05 276344]
R2 acedrv11;acedrv11;h:\windows\system32\drivers\ACEDRV11.sys [2008-01-23 501560]
R2 Norton Internet Security;Norton Internet Security;h:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2009-02-28 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;h:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-01 101936]
S2 .norton2009Reset;Norton 2009 Reset;h:\documents and settings\All Users\Dane aplikacji\Norton\Norton2009Reset.exe [2009-02-28 281625]
S3 MEMSWEEP2;MEMSWEEP2;\??\h:\windows\system32\5.tmp --> h:\windows\system32\5.tmp [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\launcher.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - M:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51715600-d9ab-11dd-8a4a-000b2b12fc77}]
\Shell\AutoRun\command - M:\gi2ky.exe
\Shell\open\Command - M:\gi2ky.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1b83d82-3ecc-11dd-878e-000b2b12fc77}]
\Shell\AutoRun\command - J:\autorun.exe
.
Zawartość folderu 'Zaplanowane zadania'
2009-03-02 h:\windows\Tasks\Ad-Aware Update (Weekly).job
- h:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
2009-02-21 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - USUNIĘTO PUSTE WPISY - - - -
BHO-{BF9FF225-EB72-40E6-9F99-0196590FF0B7} - h:\windows\system32\bthser.dll
HKCU-Run-cdoosoft - h:\windows\system32\olhrwef.exe
HKLM-Run-{00-00-00-03-DW} - h:\windows\system32\rpwnw64k.exe
HKLM-Run-{20-00-09-9C-DW} - h:\windows\system32\rpwnw64k.exe
Notify-WgaLogon - (no file)
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://google.pl/
IE: E&ksportuj do programu Microsoft Excel - h:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - h:\program files\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll
DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-06 10:35:56
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Norton Internet Security]
"ImagePath"="\"h:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"h:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\h:\windows\system32\5.tmp"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
[HKEY_USERS\S-1-5-21-1214440339-1844237615-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
h:\windows\system32\rundll32.exe
h:\program files\Nero\Nero 7\InCD\InCDsrv.exe
h:\program files\Java\jre6\bin\jqs.exe
h:\windows\system32\nvsvc32.exe
h:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Czas ukończenia: 2009-03-06 10:38:05 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-03-06 09:38:02
Przed: 25 893 736 448 bajtów wolnych
Po: 26,466,574,336 bajtów wolnych
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
h:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
252 --- E O F --- 2009-02-25 05:43:03