sprawdzenie loga-kłopot z wejściem na dyski

**Posty:** 38 · przez **renik** 16 Kwi 2008, 11:04

Miałam problem x19.com i amvo na moim kompie. za pomocą forum zostały one usunięte :lol:

ale niestety zawirusowałam jeszcze drugiego kompa. Proszę i tym razem o pomoc. Jestem na etapie

Zastosuj SDFix . Po pobraniu uruchom go a rozpakuje się do C:\SDFix. Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w awaryjnym uruchom plik RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zresetuje

wykonałam i umieszczam logi:
raport z sdfix

Kod: Zaznacz wszystko: [b]SDFix: Version 1.171 [/b] Run by Goska on 2008-03-24 at 12:20 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\SDFix [b]Checking Services [/b]: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting [b]Checking Files [/b]: Trojan Files Found: C:\autorun.inf - Deleted Removing Temp Files [b]ADS Check [/b]: [b]Final Check [/b]: catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-24 12:24:01 Windows 5.1.2600 Dodatek Service Pack 2 NTFS detected NTDLL code modification: ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 [b]Remaining Services [/b]: Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" [b]Remaining Files [/b]: File Backups: - C:\SDFix\backups\backups.zip [b]Files with Hidden Attributes [/b]: Sun 16 Mar 2008 101,295 ..SHR --- "C:\xp19.com" Sun 16 Mar 2008 101,295 ..SHR --- "C:\WINDOWS\system32\amvo.exe" Mon 24 Mar 2008 72,192 ..SHR --- "C:\WINDOWS\system32\amvo0.dll" Thu 17 Jan 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Wed 23 Jan 2008 194,560 ...H. --- "C:\Documents and Settings\Goska\Pulpit\~WRL0002.tmp" Thu 24 Jan 2008 228,352 ...H. --- "C:\Documents and Settings\Goska\Pulpit\~WRL0004.tmp" Mon 21 Jan 2008 183,808 ...H. --- "C:\Documents and Settings\Goska\Pulpit\~WRL0310.tmp" Sun 20 Jan 2008 108,544 ...H. --- "C:\Documents and Settings\Goska\Pulpit\~WRL0341.tmp" Sun 20 Jan 2008 121,856 ...H. --- "C:\Documents and Settings\Goska\Pulpit\~WRL0653.tmp" Sun 20 Jan 2008 124,416 ...H. --- "C:\Documents and Settings\Goska\Pulpit\~WRL1177.tmp" Sun 20 Jan 2008 110,080 ...H. --- "C:\Documents and Settings\Goska\Pulpit\~WRL1332.tmp" Sun 20 Jan 2008 118,272 ...H. --- "C:\Documents and Settings\Goska\Pulpit\~WRL1749.tmp" Sun 20 Jan 2008 155,648 ...H. --- "C:\Documents and Settings\Goska\Pulpit\~WRL1804.tmp" Thu 24 Jan 2008 204,288 ...H. --- "C:\Documents and Settings\Goska\Pulpit\~WRL1961.tmp" Sun 20 Jan 2008 134,656 ...H. --- "C:\Documents and Settings\Goska\Pulpit\~WRL1963.tmp" Sun 20 Jan 2008 157,184 ...H. --- "C:\Documents and Settings\Goska\Pulpit\~WRL2214.tmp" Sun 20 Jan 2008 152,576 ...H. --- "C:\Documents and Settings\Goska\Pulpit\~WRL2331.tmp" Sun 20 Jan 2008 118,272 ...H. --- "C:\Documents and Settings\Goska\Pulpit\~WRL2472.tmp" Sun 20 Jan 2008 110,080 ...H. --- "C:\Documents and Settings\Goska\Pulpit\~WRL2613.tmp" Sat 19 Jan 2008 89,600 ...H. --- "C:\Documents and Settings\Goska\Pulpit\~WRL3243.tmp" [b]Finished![/b]

combofix

Kod: Zaznacz wszystko: ComboFix 08-04-13.3 - Goska 2008-04-14 17:13:48.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1539 [GMT 2:00] Running from: C:\Documents and Settings\Goska\Pulpit\ComboFix.exe [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Autorun.inf C:\WINDOWS\system32\amvo.exe C:\WINDOWS\system32\amvo0.dll C:\WINDOWS\system32\drivers\npf.sys C:\WINDOWS\system32\packet.dll C:\WINDOWS\system32\pthreadVC.dll C:\WINDOWS\system32\wanpacket.dll C:\WINDOWS\system32\wpcap.dll D:\Autorun.inf E:\Autorun.inf F:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_NPF -------\NPF ((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 ))))))))))))))))))))))))))))))) . 2008-03-30 20:09 . 2008-03-23 16:19 69 --a------ C:\WINDOWS\NeroDigital.ini 2008-03-24 13:18 . 2008-03-24 13:18 <DIR> d-------- C:\WINDOWS\ERUNT 2008-03-24 13:05 . 2008-03-24 13:25 <DIR> d-------- C:\SDFix 2008-03-24 12:59 . 2008-03-24 12:59 1,419,174 --a------ C:\SDFix.exe 2008-03-23 19:54 . 2008-04-14 17:10 13,880 --a------ C:\WINDOWS\system32\drivers\COMFiltr.sys 2008-03-23 14:30 . 2008-03-23 14:30 <DIR> d-------- C:\Program Files\directx 2008-03-23 14:30 . 2008-03-23 14:36 <DIR> d-------- C:\Program Files\Common Files\3DO Shared 2008-03-23 14:30 . 2008-03-23 14:30 <DIR> d-------- C:\Program Files\3DO 2008-03-23 14:30 . 1998-10-29 17:45 306,688 --a------ C:\WINDOWS\IsUninst.exe 2008-03-20 00:42 . 2008-03-16 21:12 101,295 -r-hs---- C:\xp19.com 2008-03-15 12:09 . 2008-03-15 12:09 <DIR> d-------- C:\Program Files\Nero 2008-03-15 12:09 . 2008-03-15 12:10 <DIR> d-------- C:\Program Files\Common Files\Ahead 2008-03-15 12:09 . 2008-03-15 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Nero . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-04-14 15:12 212,768 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck 2008-04-14 15:12 212,768 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT 2008-04-14 15:12 1,244 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck 2008-04-14 15:12 1,244 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG 2008-04-14 14:26 144 ----a-w C:\WINDOWS\system32\drivers\wnmsav.dat 2008-04-01 14:17 --------- d-----w C:\Documents and Settings\Goska\Dane aplikacji\U3 2008-03-23 12:37 28,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2008-03-15 10:16 --------- d-----w C:\Documents and Settings\Goska\Dane aplikacji\Ahead 2008-03-15 10:06 --------- d-----w C:\Program Files\Ahead 2008-02-26 15:20 --------- d-----w C:\Documents and Settings\Goska\Dane aplikacji\Ethereal 2008-02-26 14:27 --------- d-----w C:\Program Files\WinPcap . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360] "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:55 1667584] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-18 23:29 141848] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-18 23:29 166424] "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-18 23:29 137752] "Resume copy"="copyfstq.exe" [2007-11-29 18:54 73728 C:\WINDOWS\copyfstq.exe] "WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [ ] "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-14 13:03 161328] "InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-03-02 09:33 1055792] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr] avldr.dll 2007-02-15 21:02 50736 C:\WINDOWS\system32\avldr.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-05-11 10:33] R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 10:33] R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-05-11 10:33] R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 12:39] R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-05-11 10:33] R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2007-05-23 16:40] R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 10:33] R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 10:33] R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys [2007-06-08 09:44] R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-07-12 14:49] R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-04-24 16:43] R3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys [] S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys [] S3 EverestDriver;Lavalys EVEREST Kernel Driver;I:\Dix\kerneld.wnt [] S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C] \Shell\AutoRun\command - C:\xp19.com \Shell\explore\Command - C:\xp19.com \Shell\open\Command - C:\xp19.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \Shell\AutoRun\command - D:\xp19.com \Shell\explore\Command - D:\xp19.com \Shell\open\Command - D:\xp19.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E] \Shell\AutoRun\command - E:\xp19.com \Shell\explore\Command - E:\xp19.com \Shell\open\Command - E:\xp19.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F] \Shell\AutoRun\command - F:\xp19.com \Shell\explore\Command - F:\xp19.com \Shell\open\Command - F:\xp19.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d81c83e-a002-11dc-a4e0-001cbf2da95a}] \Shell\AutoRun\command - H:\start.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62271b5e-bdd4-11dc-a50e-001cbf2da95a}] \Shell\AutoRun\command - H:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9c361ed-9ea5-11dc-a4da-001cbf2da95a}] \Shell\AutoRun\command - H:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b90ffd90-9f4b-11dc-a4dd-001cbf2da95a}] \Shell\AutoRun\command - I:\USBNB.exe . ************************************************************************** catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-14 17:16:53 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver] "ImagePath"="\??\I:\Dix\kerneld.wnt" . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrlS.exe C:\Program Files\Panda Security\Panda Internet Security 2008\PAVFNSVR.EXE C:\Program Files\Common Files\Panda Software\PavShld\PavPrSrv.exe C:\Program Files\Panda Security\Panda Internet Security 2008\PAVSRV51.EXE C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe C:\Program Files\Panda Security\Panda Internet Security 2008\FIREWALL\PSHost.exe C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe C:\Program Files\Panda Security\Panda Internet Security 2008\apvxdwin.exe C:\Program Files\Panda Security\Panda Internet Security 2008\SrvLoad.exe C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe C:\Program Files\Panda Security\Panda Internet Security 2008\psimreal.exe C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe . ************************************************************************** . Completion time: 2008-04-14 17:18:08 - machine was rebooted [Goska] ComboFix-quarantined-files.txt 2008-04-14 15:18:00 Pre-Run: 11,536,334,848 bajtów wolnych Post-Run: 11,483,729,920 bajt˘w wolnych

**Posty:** 18165 · przez **wojtas** 16 Kwi 2008, 13:10

Otworz notatnik i wklej w nim to:

File::
C:\xp19.com

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

Plik >>> zapisz jako CFScript.txt .Plik przeciągnij i upuść na ikonę ComboFixa (tak jak tu ) . odczekaj az wygeneruje sie nowy log i go daj na forum

**Posty:** 38 · przez **renik** 16 Kwi 2008, 15:56

wykonałam zamieszczam log:

Kod: Zaznacz wszystko: ComboFix 08-04-13.3 - Goska 2008-04-16 15:49:47.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1552 [GMT 2:00] Running from: C:\Documents and Settings\Goska\Pulpit\ComboFix.exe Command switches used :: C:\Documents and Settings\Goska\Pulpit\CFScript.txt * Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] FILE :: C:\xp19.com . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\xp19.com . ((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 ))))))))))))))))))))))))))))))) . 2008-04-14 17:22 . 2008-04-14 17:30 <DIR> d-------- C:\Program Files\SkanerOnline 2008-03-30 20:09 . 2008-03-23 16:19 69 --a------ C:\WINDOWS\NeroDigital.ini 2008-03-24 13:18 . 2008-03-24 13:18 <DIR> d-------- C:\WINDOWS\ERUNT 2008-03-24 13:05 . 2008-03-24 13:25 <DIR> d-------- C:\SDFix 2008-03-24 12:59 . 2008-03-24 12:59 1,419,174 --a------ C:\SDFix.exe 2008-03-23 19:54 . 2008-04-16 13:44 13,880 --a------ C:\WINDOWS\system32\drivers\COMFiltr.sys 2008-03-23 14:30 . 2008-03-23 14:30 <DIR> d-------- C:\Program Files\directx 2008-03-23 14:30 . 2008-03-23 14:36 <DIR> d-------- C:\Program Files\Common Files\3DO Shared 2008-03-23 14:30 . 2008-03-23 14:30 <DIR> d-------- C:\Program Files\3DO 2008-03-23 14:30 . 1998-10-29 17:45 306,688 --a------ C:\WINDOWS\IsUninst.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-04-16 13:48 212,768 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck 2008-04-16 13:48 212,768 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT 2008-04-16 13:48 1,244 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck 2008-04-16 13:48 1,244 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG 2008-04-14 14:26 144 ----a-w C:\WINDOWS\system32\drivers\wnmsav.dat 2008-04-01 14:17 --------- d-----w C:\Documents and Settings\Goska\Dane aplikacji\U3 2008-03-23 12:37 28,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2008-03-15 10:16 --------- d-----w C:\Documents and Settings\Goska\Dane aplikacji\Ahead 2008-03-15 10:10 --------- d-----w C:\Program Files\Common Files\Ahead 2008-03-15 10:09 --------- d-----w C:\Program Files\Nero 2008-03-15 10:09 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Nero 2008-03-15 10:06 --------- d-----w C:\Program Files\Ahead 2008-02-26 15:20 --------- d-----w C:\Documents and Settings\Goska\Dane aplikacji\Ethereal 2008-02-26 14:27 --------- d-----w C:\Program Files\WinPcap . ((((((((((((((((((((((((((((( snapshot@2008-04-16_10.55.59.60 ))))))))))))))))))))))))))))))))))))))))) . - 2008-04-16 08:50:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-04-16 11:31:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat - 2008-04-16 08:55:01 40,326 ----a-w C:\WINDOWS\system32\perfc009.dat + 2008-04-16 11:36:09 40,326 ----a-w C:\WINDOWS\system32\perfc009.dat - 2008-04-16 08:55:01 49,910 ----a-w C:\WINDOWS\system32\perfc015.dat + 2008-04-16 11:36:09 49,910 ----a-w C:\WINDOWS\system32\perfc015.dat - 2008-04-16 08:55:01 311,938 ----a-w C:\WINDOWS\system32\perfh009.dat + 2008-04-16 11:36:09 311,938 ----a-w C:\WINDOWS\system32\perfh009.dat - 2008-04-16 08:55:02 356,068 ----a-w C:\WINDOWS\system32\perfh015.dat + 2008-04-16 11:36:09 356,068 ----a-w C:\WINDOWS\system32\perfh015.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360] "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:55 1667584] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-18 23:29 141848] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-18 23:29 166424] "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-18 23:29 137752] "Resume copy"="copyfstq.exe" [2007-11-29 18:54 73728 C:\WINDOWS\copyfstq.exe] "WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [ ] "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-14 13:03 161328] "InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-03-02 09:33 1055792] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr] avldr.dll 2007-02-15 21:02 50736 C:\WINDOWS\system32\avldr.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-05-11 10:33] R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 10:33] R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-05-11 10:33] R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 12:39] R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-05-11 10:33] R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2007-05-23 16:40] R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 10:33] R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 10:33] R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys [2007-06-08 09:44] R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-07-12 14:49] R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys [] R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-04-24 16:43] R3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys [] R3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys [] S3 EverestDriver;Lavalys EVEREST Kernel Driver;I:\Dix\kerneld.wnt [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d81c83e-a002-11dc-a4e0-001cbf2da95a}] \Shell\AutoRun\command - H:\start.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62271b5e-bdd4-11dc-a50e-001cbf2da95a}] \Shell\AutoRun\command - H:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9c361ed-9ea5-11dc-a4da-001cbf2da95a}] \Shell\AutoRun\command - H:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b90ffd90-9f4b-11dc-a4dd-001cbf2da95a}] \Shell\AutoRun\command - I:\USBNB.exe . ************************************************************************** catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-16 15:50:53 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EverestDriver] "ImagePath"="\??\I:\Dix\kerneld.wnt" . Completion time: 2008-04-16 15:51:11 ComboFix-quarantined-files.txt 2008-04-16 13:51:08 ComboFix2.txt 2008-04-16 08:56:09 ComboFix3.txt 2008-04-14 15:18:10 Pre-Run: 11,455,451,136 bajtów wolnych Post-Run: 11,447,386,112 bajtów wolnych

**Posty:** 18165 · przez **wojtas** 16 Kwi 2008, 16:03

Czysto, wykonaj:

1. Ściągnij OTMoveIt i go włacz i odpal go z opcji CleanUp

2. wykonaj optymalizację windowsa
3.sciagnij ATF_Cleaner
zaznacz
Windows Temp
All users Temp
Temporary internet files
Recycle Bin
i wcisnij EMPTY SELECTED
4.Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach). Po chwili włącz je powrotem

**Posty:** 38 · przez **renik** 16 Kwi 2008, 16:25

wykonałam

dziękuję za pomoc, bo sama to mogłabym tylko jeszcze pogorszyć <lol>

[ Dodano: Dzisiaj o 10:59 ]
wracam ponownie do mego problemu. wszystko było w porządku, ale do czasu.Mianowicie. po włożeniu pendriwe znowu pojawiło się info o tym ze jest xp19.com. Sformatowalam pendriwa. chce sie upewnic czy ten wirus nie przeniósł się ponownie na mój komputer. prosze o poradę, przesyłam raport z hijackthis:

Kod: Zaznacz wszystko: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:57:17, on 2008-04-23 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Nero\Nero 7\InCD\InCD.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe C:\Program Files\Panda Security\Panda Internet Security 2008\ApvxdWin.exe C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\internet explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Program Files\Panda Security\Panda Internet Security 2008\avciman.exe C:\Program Files\Panda Security\Panda Internet Security 2008\psimreal.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://mks.com.pl O15 - Trusted Zone: http://www.gogle.pl O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{B580A02F-0011-4932-868A-E64D2EF2FA9F}: NameServer = 192.168.1.1,194.204.152.34 O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe -- End of file - 6673 bytes

sprawdzenie loga-kłopot z wejściem na dyski

sprawdzenie loga-kłopot z wejściem na dyski

Kto jest na forum