Zawieszanie kompa

**Posty:** 11 · przez **.Infinity-** 02 Mar 2010, 22:25

Ciągłe zwieszanie się kompa i wywala mnie na taka stronę przez prawie cały czas http://secure.softta.com/

Kod: Zaznacz wszystko: GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-03-02 21:21:58 Windows 5.1.2600 Dodatek Service Pack 3 Running: gmer.exe; Driver: C:\DOCUME~1\Mateusz\USTAWI~1\Temp\axlirpod.sys ---- Kernel code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF692B000, 0x1C5D38, 0xE8000020] init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xEFB22A80] ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[1896] WS2_32.dll!connect + 21B 71A54C22 4 Bytes JMP 027517E0 c:\windows\system32\sshnas21.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1896] WS2_32.dll!send 71A54C27 2 Bytes [EB, F9] {JMP 0xfffffffffffffffb} .text C:\Program Files\Mozilla Firefox\firefox.exe[1896] WS2_32.dll!send + 89 71A54CB0 4 Bytes JMP 02751D40 c:\windows\system32\sshnas21.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1896] WS2_32.dll!WSARecv 71A54CB5 2 Bytes [EB, F9] {JMP 0xfffffffffffffffb} .text C:\Program Files\Mozilla Firefox\firefox.exe[1896] WS2_32.dll!WSACloseEvent + 182 71A5676A 4 Bytes JMP 02751930 c:\windows\system32\sshnas21.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1896] WS2_32.dll!recv 71A5676F 2 Bytes [EB, F9] {JMP 0xfffffffffffffffb} .text C:\Program Files\Mozilla Firefox\firefox.exe[1896] WS2_32.dll!recv + 186 71A568F5 4 Bytes JMP 02751A30 c:\windows\system32\sshnas21.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1896] WS2_32.dll!WSASend 71A568FA 2 Bytes [EB, F9] {JMP 0xfffffffffffffffb} .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1980] WS2_32.dll!connect + 21B 71A54C22 7 Bytes JMP 00FB17E0 c:\windows\system32\sshnas21.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1980] WS2_32.dll!send + 89 71A54CB0 7 Bytes JMP 00FB1D40 c:\windows\system32\sshnas21.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1980] WS2_32.dll!WSACloseEvent + 182 71A5676A 7 Bytes JMP 00FB1930 c:\windows\system32\sshnas21.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1980] WS2_32.dll!recv + 186 71A568F5 7 Bytes JMP 00FB1A30 c:\windows\system32\sshnas21.dll ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExA] [00418470] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExW] [004184E8] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] [0041867A] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!MessageBoxW] [00418686] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!ShowWindow] [00418560] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\wininet.dll [USER32.dll!SetWindowPos] [0041860E] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\wininet.dll [USER32.dll!ShowWindow] [00418560] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\wininet.dll [USER32.dll!CreateWindowExA] [00418470] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\CRYPT32.dll [USER32.dll!MessageBoxW] [00418686] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\CRYPT32.dll [USER32.dll!MessageBoxA] [00418686] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DialogBoxParamA] [0041867A] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DialogBoxParamW] [0041867A] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExA] [00418470] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExW] [004184E8] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxA] [00418686] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxW] [00418686] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxIndirectA] [00418674] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxIndirectW] [00418674] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowPos] [0041860E] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!ShowWindow] [00418560] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!CreateWindowExW] [004184E8] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!DialogBoxParamW] [0041867A] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!ShowWindow] [00418560] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!SetWindowPos] [0041860E] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!MessageBoxW] [00418686] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!MessageBoxA] [00418686] C:\WINDOWS\msa.exe IAT C:\WINDOWS\msa.exe[1632] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!MessageBoxIndirectW] [00418674] C:\WINDOWS\msa.exe ---- Devices - GMER 1.0.15 ---- Device \Driver\USB_RNDIS \Device\{6F918B05-D4F4-4B28-8E79-FB3FE215BA94} RNDISMP.SYS (Remote NDIS Miniport/Microsoft Corporation) ---- EOF - GMER 1.0.15 ----

Log z OTL

Kod: Zaznacz wszystko: http://www.wklej.org/id/289264/

**Posty:** 18165 · przez **wojtas** 02 Mar 2010, 22:42

Proszę zastosować się do zasad wstawiania logów i edytować swój post zgodnie z zasadami (brak loga z OTL , brak opisu problemu, zła nazwa tematu)

**Posty:** 11 · przez **.Infinity-** 03 Mar 2010, 18:45

Sprawdzi wreście ktoś tego loga.

**Posty:** 18165 · przez **wojtas** 03 Mar 2010, 19:51

.Infinity- napisał(a):Sprawdzi wreście ktoś tego loga.

spokojnie mamy też swoje prywatne życie...

pobierz i wypakuj na C

http://www.sendspace.com/file/dofhfl

Uruchom OTL i w oknie Custom Scans/Fixes wklej :

:OTL
FF - prefs.js..browser.search.defaultenginename: "BearShare Web Search"
FF - prefs.js..browser.search.order.1: "BearShare Web Search"
FF - prefs.js..browser.search.selectedEngine: "BearShare Web Search"
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.8
FF - prefs.js..keyword.URL: "http://search.bearshare.com/webResults.html?src=ffb&q="
O4 - HKCU..\Run: [TOY5KNQ8OC] C:\DOCUME~1\Mateusz\USTAWI~1\Temp\Nxl.exe File not found

:Files
C:\Program Files\BearShare Applications
C:\WINDOWS\msa.exe
C:\WINDOWS\system32\sshnas21.dll
C:\Documents and Settings\Mateusz\Dane aplikacji\Mozilla\Firefox\Profiles\08gl3cnk.default\searchplugins\BearShareWebSearch.xml
C:\Program Files\Mozilla Firefox\searchplugins\BearShareWebSearch.xml
C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
C:\Documents and Settings\Mateusz\Dane aplikacji\addon.dat
C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
C:\WINDOWS\PEV.exe
C:\WINDOWS\sed.exe
C:\WINDOWS\grep.exe
C:\WINDOWS\MBR.exe
C:\WINDOWS\zip.exe
C:\WINDOWS\System32\WS2_32.dll|C:WS2_32.dll /replace

:Services
SSHNAS

:Commands
[emptytemp]

Kliknij w Run Fix. I potwierdz reset kompa .

Następnie uruchamiasz OTL z opcją Run Scan. Pokazujesz nowy log OTL.txt oraz raport z czyszczenia komputera + log z GMERA

**Posty:** 11 · przez **.Infinity-** 03 Mar 2010, 20:37

Log z OTL

Kod: Zaznacz wszystko: http://www.wklej.org/id/289689/

Log z Gmer

Kod: Zaznacz wszystko: GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-03-03 19:35:44 Windows 5.1.2600 Dodatek Service Pack 3 Running: gmer.exe; Driver: C:\DOCUME~1\Mateusz\USTAWI~1\Temp\axlirpod.sys ---- System - GMER 1.0.15 ---- SSDT spvt.sys ZwCreateKey [0xF72940E0] SSDT spvt.sys ZwEnumerateKey [0xF72ACDA4] SSDT spvt.sys ZwEnumerateValueKey [0xF72AD132] SSDT spvt.sys ZwOpenKey [0xF72940C0] SSDT spvt.sys ZwQueryKey [0xF72AD20A] SSDT spvt.sys ZwQueryValueKey [0xF72AD08A] SSDT spvt.sys ZwSetValueKey [0xF72AD29C] INT 0x62 ? 86529BF8 INT 0x63 ? 8652CBF8 INT 0x73 ? 8652CBF8 INT 0xA4 ? 8602BBF8 ---- Kernel code sections - GMER 1.0.15 ---- ? spvt.sys Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF63A5000, 0x1C5D38, 0xE8000020] .text USBPORT.SYS!DllUnload F63848AC 5 Bytes JMP 8602B1D8 init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xECF4CA80] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7295042] spvt.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F729513E] spvt.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72950C0] spvt.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7295800] spvt.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72956D6] spvt.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72A4B90] spvt.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 865271F8 Device \FileSystem\Fastfat \FatCdrom 860DE500 Device \Driver\usbohci \Device\USBPDO-0 8608C500 Device \Driver\dmio \Device\DmControl\DmIoDaemon 865AC1F8 Device \Driver\dmio \Device\DmControl\DmConfig 865AC1F8 Device \Driver\dmio \Device\DmControl\DmPnP 865AC1F8 Device \Driver\dmio \Device\DmControl\DmInfo 865AC1F8 Device \Driver\usbehci \Device\USBPDO-1 8608B500 Device \Driver\USB_RNDIS \Device\{6F918B05-D4F4-4B28-8E79-FB3FE215BA94} RNDISMP.SYS (Remote NDIS Miniport/Microsoft Corporation) Device \Driver\Ftdisk \Device\HarddiskVolume1 8652A1F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 8652A1F8 Device \Driver\Cdrom \Device\CdRom0 8608A500 Device \Driver\atapi \Device\Ide\IdePort0 [F71E7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F71E7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 [F71E7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 86228500 Device \Driver\NetBT \Device\NetbiosSmb 86228500 Device \Driver\usbohci \Device\USBFDO-0 8608C500 Device \Driver\usbehci \Device\USBFDO-1 8608B500 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 862351F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 862351F8 Device \Driver\Ftdisk \Device\FtControl 8652A1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{6F918B05-D4F4-4B28-8E79-FB3FE215BA94} 86228500 Device \Driver\nvgts \Device\Scsi\nvgts2Port3Path0Target0Lun0 865281F8 Device \Driver\nvgts \Device\Scsi\nvgts1 865281F8 Device \Driver\nvgts \Device\Scsi\nvgts2 865281F8 Device \FileSystem\Fastfat \Fat 860DE500 Device \FileSystem\Cdfs \Cdfs 861B0500 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC9 0xE2 0xB6 0x67 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xEC 0x08 0xD2 0x5B ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC9 0xE2 0xB6 0x67 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xEC 0x08 0xD2 0x5B ... ---- EOF - GMER 1.0.15 ----

**Posty:** 18165 · przez **wojtas** 03 Mar 2010, 20:56

brak raportu z czyszczenia kompa pokaż w następnym poście

Pamiętaj o zasad wstawiania logów masz napędy emulujące :

DRV - [2010-03-03 02:00:54 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)

a w topicu o zasadach jest napisane że trzeba je skasować przed wygenerowaniem logu z Combofixa lub Gmera... (fałszuje wyniki)

poszukaj pliku na kompie spvt.sys
przeskanuj tu
http://virusscan.jotti.org/
http://www.virustotal.com/

i daj raporty ze skanow

1.Uruchom OTL z opcji CleanUp
2. wykonaj optymalizację windowsa
3.Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach). Po chwili włącz je powrotem]
4. zrób skan Malwarebytes Anti-Malware (zaktualizuj, usuń co znajdzie ) tu też raport pokaż

**Posty:** 11 · przez **.Infinity-** 03 Mar 2010, 21:11

spvt.sys tego pliku nie ma

**Posty:** 18165 · przez **wojtas** 03 Mar 2010, 22:02

wykonaj co możesz

Uruchom SystemLook , w oknie wklej:

:filefind
spvt.sys

i dajesz look

pokazujesz raport + wczesniejsze

**Posty:** 11 · przez **.Infinity-** 03 Mar 2010, 22:11

Kod: Zaznacz wszystko: SystemLook v1.0 by jpshortstuff (11.01.10) Log created at 21:10 on 03/03/2010 by Mateusz (Administrator - Elevation successful) ========== filefind ========== Searching for "spvt.sys" No files found. -=End Of File=-

Nie ma

**Posty:** 18165 · przez **wojtas** 03 Mar 2010, 22:30

no ok . wykonaj resztę zadań

**Posty:** 11 · przez **.Infinity-** 03 Mar 2010, 23:46

Log z Malwarebytes' Anti-Malware

Kod: Zaznacz wszystko: mbam-log-2010-03-03 (22-07-56).txt Typ skanowania: Pełne skanowanie (C:\|D:\|) Przeskanowane obiekty: 151602 Upłynęło: 16 minute(s), 59 second(s) Zainfekowane procesy w pamięci: 0 Zainfekowane moduły pamięci: 0 Zainfekowane klucze rejestru: 4 Zainfekowane wartości rejestru: 0 Zainfekowane pliki rejestru: 0 Zainfekowane foldery: 1 Zainfekowane pliki: 3 Zainfekowane procesy w pamięci: (Nie wykryto groźnych plików) Zainfekowane moduły pamięci: (Nie wykryto groźnych plików) Zainfekowane klucze rejestru: HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) -> No action taken. Zainfekowane wartości rejestru: (Nie wykryto groźnych plików) Zainfekowane pliki rejestru: (Nie wykryto groźnych plików) Zainfekowane foldery: C:\WINDOWS\system32\System32 (Trojan.Agent) -> No action taken. Zainfekowane pliki: C:\WINDOWS\system32\System32\wins32.exe (Backdoor.Bifrose) -> No action taken. C:\WINDOWS\system32\System32\klog.dat (Trojan.Agent) -> No action taken. C:\Documents and Settings\Mateusz\Dane aplikacji\addon.dat (Malware.Trace) -> No action taken.

Log z OTL

Kod: Zaznacz wszystko: http://www.wklej.org/id/289842/

Log z Gmer

Kod: Zaznacz wszystko: GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-03-03 22:43:09 Windows 5.1.2600 Dodatek Service Pack 3 Running: gmer.exe; Driver: C:\DOCUME~1\Mateusz\USTAWI~1\Temp\axlirpod.sys ---- System - GMER 1.0.15 ---- SSDT sppw.sys ZwCreateKey [0xF72940E0] SSDT sppw.sys ZwEnumerateKey [0xF72ACDA4] SSDT sppw.sys ZwEnumerateValueKey [0xF72AD132] SSDT sppw.sys ZwOpenKey [0xF72940C0] SSDT sppw.sys ZwQueryKey [0xF72AD20A] SSDT sppw.sys ZwQueryValueKey [0xF72AD08A] SSDT sppw.sys ZwSetValueKey [0xF72AD29C] INT 0x62 ? 86528BF8 INT 0x63 ? 8652BBF8 INT 0x73 ? 8652BBF8 INT 0xA4 ? 865ACBF8 ---- Kernel code sections - GMER 1.0.15 ---- ? rvtcm.sys Nie można odnaleźć określonego pliku. ! ? sppw.sys Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF594D000, 0x1C5D38, 0xE8000020] .text USBPORT.SYS!DllUnload F592C8AC 5 Bytes JMP 865AC1D8 init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xEF6D6A80] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7295042] sppw.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F729513E] sppw.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72950C0] sppw.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7295800] sppw.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72956D6] sppw.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72A4B90] sppw.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 865261F8 Device \FileSystem\Fastfat \FatCdrom 8627B500 Device \Driver\usbohci \Device\USBPDO-0 8628F500 Device \Driver\dmio \Device\DmControl\DmIoDaemon 865AD1F8 Device \Driver\dmio \Device\DmControl\DmConfig 865AD1F8 Device \Driver\dmio \Device\DmControl\DmPnP 865AD1F8 Device \Driver\dmio \Device\DmControl\DmInfo 865AD1F8 Device \Driver\usbehci \Device\USBPDO-1 863FF1F8 Device \Driver\USB_RNDIS \Device\{6F918B05-D4F4-4B28-8E79-FB3FE215BA94} RNDISMP.SYS (Remote NDIS Miniport/Microsoft Corporation) Device \Driver\Ftdisk \Device\HarddiskVolume1 865291F8 Device \Driver\Cdrom \Device\CdRom0 862C3500 Device \Driver\Ftdisk \Device\HarddiskVolume2 865291F8 Device \Driver\atapi \Device\Ide\IdePort0 [F71E7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F71E7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 [F71E7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 85F271F8 Device \Driver\NetBT \Device\NetbiosSmb 85F271F8 Device \Driver\usbohci \Device\USBFDO-0 8628F500 Device \Driver\usbehci \Device\USBFDO-1 863FF1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85F0C1F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 85F0C1F8 Device \Driver\Ftdisk \Device\FtControl 865291F8 Device \Driver\nvgts \Device\Scsi\nvgts2Port3Path0Target0Lun0 865271F8 Device \Driver\nvgts \Device\Scsi\nvgts1 865271F8 Device \Driver\nvgts \Device\Scsi\nvgts2 865271F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{6F918B05-D4F4-4B28-8E79-FB3FE215BA94} 85F271F8 Device \FileSystem\Fastfat \Fat 8627B500 AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device \FileSystem\Cdfs \Cdfs 86270500 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC9 0xE2 0xB6 0x67 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xEC 0x08 0xD2 0x5B ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC9 0xE2 0xB6 0x67 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xEC 0x08 0xD2 0x5B ... ---- EOF - GMER 1.0.15 ----

wszystko już zrobione a emulatory napędów są usunięte

**Posty:** 18165 · przez **wojtas** 04 Mar 2010, 00:13

Pobierz i uruchom narzędzie
The Avenger
Wklej do okienka programu

Files to delete:

C:\WINDOWS\system32\System32\wins32.exe
C:\WINDOWS\system32\System32\klog.dat
C:\Documents and Settings\Mateusz\Dane aplikacji\addon.dat

Folders to delete:

C:\WINDOWS\system32\System32

Registry keys to delete:

HKEY_CURRENT_USER\SOFTWARE\XML
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle
HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW
HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC

Klikasz Execute,

wg. logu:

DRV - File not found [Kernel | Disabled | Stopped] -- -- (abp480n5)

mamy do czynienia z Sality :

http://www.searchengines.pl/Infekcje-plikow-wykonywalnych-exe-dll-scr-t122692.html

poczytaj zastosuj sie do rad (zrób skan Webem pokaż raport + wklejasz na forum raport: C:\avenger.txt oraz loga z combofixa

**Posty:** 11 · przez **.Infinity-** 04 Mar 2010, 01:00

Log z Combofix

Kod: Zaznacz wszystko: ComboFix 10-03-03.03 - Mateusz 2010-03-03 23:54:12.2.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.1022.756 [GMT 1:00] Uruchomiony z: c:\documents and settings\Mateusz\Pulpit\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Usunięto ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\gsindi16.dll c:\windows\system32\ieuinit.inf . ((((((((((((((((((((((((( Pliki utworzone od 2010-02-03 do 2010-03-03 ))))))))))))))))))))))))))))))) . 2010-03-03 20:48 . 2010-03-03 20:48 -------- d-----w- c:\documents and settings\Mateusz\Dane aplikacji\Malwarebytes 2010-03-03 20:48 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-03-03 20:48 . 2010-03-03 20:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-03-03 20:48 . 2010-03-03 20:48 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Malwarebytes 2010-03-03 20:48 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-03-03 19:20 . 2009-12-10 13:48 41504 ----a-w- c:\windows\system32\drivers\DKRtWrt.sys 2010-03-03 19:19 . 2010-03-03 19:19 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation 2010-03-03 19:19 . 2010-03-03 19:19 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Diskeeper Corporation 2010-03-03 19:19 . 2010-03-03 19:19 -------- d-----w- c:\program files\Windows Home Server 2010-03-03 19:19 . 2010-03-03 19:19 -------- d-----w- c:\program files\Diskeeper Corporation 2010-03-03 19:19 . 2010-03-03 19:19 -------- d-----w- c:\documents and settings\Mateusz\X86 2010-03-03 19:19 . 2010-03-03 19:19 -------- d-----w- c:\documents and settings\Mateusz\X64 2010-03-03 18:02 . 2008-04-14 20:51 82432 ----a-w- C:\ws2_32.dll 2010-03-03 01:40 . 2010-03-03 01:40 -------- d-----w- c:\documents and settings\Mateusz\Dane aplikacji\DAEMON Tools 2010-03-03 01:40 . 2010-03-03 01:40 -------- d-----w- c:\documents and settings\Mateusz\Dane aplikacji\DAEMON Tools Pro 2010-03-03 01:35 . 2010-03-03 01:35 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Tlen.pl 2010-03-03 01:00 . 2010-03-03 01:00 691696 ----a-w- c:\windows\system32\drivers\sptd.sys 2010-03-03 01:00 . 2010-03-03 01:08 -------- d-----w- c:\documents and settings\Mateusz\Dane aplikacji\DAEMON Tools Lite 2010-03-03 01:00 . 2010-03-03 01:00 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\DAEMON Tools Lite 2010-03-03 00:11 . 2010-03-03 00:11 -------- d-----w- c:\program files\SubEdit-Player 2010-03-02 23:59 . 2010-03-03 00:00 -------- d-----w- c:\program files\NAPI-PROJEKT 2010-03-02 22:46 . 2010-03-03 18:59 371776 ----a-w- c:\documents and settings\Mateusz\Dane aplikacji\id Software\quakelive\home\baseq3\cgamex86.dll 2010-03-02 22:44 . 2010-03-03 18:59 187456 ----a-w- c:\documents and settings\Mateusz\Dane aplikacji\id Software\quakelive\home\baseq3\uix86.dll 2010-03-02 22:43 . 2010-03-03 18:49 887856 ----a-w- c:\documents and settings\Mateusz\Dane aplikacji\id Software\quakelive\home\pb\pbcl.dll 2010-03-02 22:43 . 2010-03-03 18:49 57344 ----a-w- c:\documents and settings\Mateusz\Dane aplikacji\id Software\quakelive\home\pb\pbag.dll 2010-03-02 22:43 . 2010-03-03 18:49 2427968 ----a-w- c:\documents and settings\Mateusz\Dane aplikacji\id Software\quakelive\home\baseq3\quakelive.dll 2010-03-02 21:45 . 2010-03-02 21:45 -------- d-----w- c:\program files\iZotope 2010-03-02 21:11 . 2010-03-02 21:11 -------- d-----w- c:\documents and settings\Mateusz\Dane aplikacji\id Software 2010-03-02 21:11 . 2010-03-02 21:11 2373712 ----a-w- c:\windows\system32\pbsvc.exe 2010-03-02 15:51 . 2010-03-02 15:51 -------- d-----w- c:\documents and settings\Mateusz\Dane aplikacji\maxup 2010-03-01 21:56 . 2008-04-14 21:50 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll 2010-03-01 21:56 . 2008-04-14 20:52 89600 -c----w- c:\windows\system32\dllcache\msxml6r.dll 2010-03-01 21:53 . 2010-03-01 21:56 -------- d-----w- c:\windows\ServicePackFiles 2010-03-01 21:53 . 2008-04-14 21:51 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe 2010-03-01 21:40 . 2009-10-15 16:33 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll 2010-03-01 21:40 . 2009-10-15 16:33 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll 2010-02-28 15:21 . 2010-02-28 15:21 -------- d-s---w- c:\documents and settings\Mateusz\UserData 2010-02-28 15:21 . 2010-02-28 15:21 -------- d-----w- c:\documents and settings\NetworkService\Dane aplikacji\Xfire 2010-02-28 01:28 . 2010-02-28 01:29 -------- d-----w- c:\documents and settings\Mateusz\Ustawienia lokalne\Dane aplikacji\Adobe 2010-02-28 01:22 . 2010-02-28 01:22 -------- d-----w- c:\program files\Common Files\Adobe 2010-02-27 23:57 . 2010-02-27 23:57 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe 2010-02-27 23:36 . 2010-02-27 23:36 1078 ----a-r- c:\documents and settings\Mateusz\Dane aplikacji\Microsoft\Installer\{0F9196C6-58B4-445B-B56E-B1200FECC151}\_4ae13d6c.exe 2010-02-27 23:36 . 2010-02-27 23:36 1078 ----a-r- c:\documents and settings\Mateusz\Dane aplikacji\Microsoft\Installer\{0F9196C6-58B4-445B-B56E-B1200FECC151}\_2cd672ae.exe 2010-02-27 23:36 . 2010-02-27 23:36 1078 ----a-r- c:\documents and settings\Mateusz\Dane aplikacji\Microsoft\Installer\{0F9196C6-58B4-445B-B56E-B1200FECC151}\_294823.exe 2010-02-27 23:36 . 2010-02-27 23:36 1078 ----a-r- c:\documents and settings\Mateusz\Dane aplikacji\Microsoft\Installer\{0F9196C6-58B4-445B-B56E-B1200FECC151}\_18be6784.exe 2010-02-27 23:36 . 2010-02-27 23:42 -------- d-----w- c:\program files\Microsoft Bootvis 2010-02-27 03:16 . 2008-04-14 21:51 221184 ----a-w- c:\windows\system32\wmpns.dll 2010-02-27 03:16 . 2010-02-27 03:16 -------- d-----w- c:\windows\system32\drivers\UMDF 2010-02-27 00:32 . 2010-02-27 00:32 -------- d-----w- c:\documents and settings\Mateusz\ErrorLogs 2010-02-26 14:15 . 2010-02-26 14:15 -------- d-----w- c:\windows\system32\AGEIA 2010-02-26 14:15 . 2010-02-26 14:15 -------- d-----w- c:\program files\AGEIA Technologies 2010-02-26 14:14 . 2010-02-28 01:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2010-02-26 11:21 . 2009-05-04 08:46 2835656 -c----w- c:\documents and settings\All Users\Dane aplikacji\~0\speedupmypc2009.exe 2010-02-26 11:21 . 2010-02-27 01:49 -------- dc-h--w- c:\documents and settings\All Users\Dane aplikacji\~0 2010-02-26 00:30 . 2010-02-26 00:30 -------- d-----w- c:\documents and settings\Mateusz\.jpi_cache 2010-02-25 20:59 . 2010-03-02 23:35 -------- d-----w- c:\program files\Odkurzacz 2010-02-25 20:46 . 2010-02-25 20:54 -------- d-----w- c:\program files\Enigma Software Group 2010-02-25 13:51 . 2010-02-25 13:51 3532 ----a-w- C:\drmHeader.bin 2010-02-24 19:14 . 2010-02-24 19:14 -------- d-----w- c:\documents and settings\Mateusz\Ustawienia lokalne\Dane aplikacji\Identities 2010-02-24 19:11 . 2010-02-24 19:11 -------- d-----w- c:\documents and settings\Mateusz\Ustawienia lokalne\Dane aplikacji\Help 2010-02-24 19:06 . 2003-10-16 17:07 32768 ----a-w- c:\windows\system32\WooDial2000.dll 2010-02-24 19:05 . 2010-02-24 19:05 -------- d-----w- c:\program files\Java Web Start 2010-02-24 19:05 . 2010-02-24 19:05 -------- d-----w- c:\program files\Java 2010-02-24 19:05 . 2002-11-01 19:15 41068 ------w- c:\windows\system32\ActPanel.dll 2010-02-24 19:05 . 2010-02-24 19:14 -------- d-----w- c:\program files\Neostrada TP 2010-02-24 19:04 . 2010-02-24 19:04 -------- d-sh--w- c:\windows\ftpcache 2010-02-24 19:03 . 2004-08-12 03:40 28672 ----a-r- c:\windows\system32\adinst32.dll 2010-02-24 17:44 . 2010-02-24 17:44 3584 ----a-r- c:\documents and settings\Mateusz\Dane aplikacji\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe 2010-02-24 17:44 . 2010-02-24 17:44 -------- d-----w- c:\program files\Windows Installer Clean Up 2010-02-24 17:44 . 2010-02-24 17:44 -------- d-----w- c:\program files\MSECACHE 2010-02-24 17:28 . 2006-06-29 12:07 14048 ------w- c:\windows\system32\spmsg2.dll 2010-02-24 17:28 . 2010-03-01 21:55 -------- d-----w- c:\windows\system32\pl-PL 2010-02-24 17:27 . 2010-02-24 17:27 158528 ----a-w- c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat 2010-02-24 17:26 . 2010-02-24 17:26 -------- d-----w- c:\windows\system32\XPSViewer 2010-02-24 17:26 . 2010-02-24 17:26 -------- d-----w- c:\program files\Reference Assemblies 2010-02-24 17:26 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll 2010-02-24 17:26 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll 2010-02-24 17:26 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll 2010-02-24 17:26 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll 2010-02-24 17:26 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll 2010-02-24 17:26 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll 2010-02-24 17:26 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll 2010-02-24 17:26 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe 2010-02-24 17:26 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe 2010-02-24 17:05 . 2010-02-24 17:05 -------- d-----r- C:\AHCache 2010-02-24 16:39 . 2010-02-26 11:21 -------- d-----w- c:\program files\Uniblue 2010-02-24 16:34 . 2010-02-24 16:34 -------- d-----w- c:\program files\Trend Micro 2010-02-23 00:23 . 2010-03-03 00:01 -------- d-----w- c:\documents and settings\Mateusz\Dane aplikacji\DivX 2010-02-23 00:23 . 2009-11-14 00:49 120056 ------w- c:\windows\system32\pxcpyi64.exe 2010-02-23 00:23 . 2009-11-14 00:49 118520 ------w- c:\windows\system32\pxinsi64.exe 2010-02-23 00:22 . 2010-02-23 00:22 -------- d-----w- c:\program files\Common Files\DivX Shared 2010-02-22 09:33 . 2010-02-22 09:33 -------- d-----w- c:\documents and settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Google 2010-02-22 09:28 . 2010-02-25 18:04 -------- d-----w- c:\documents and settings\Mateusz\Ustawienia lokalne\Dane aplikacji\Temp 2010-02-22 09:28 . 2010-02-22 09:28 -------- d-----w- c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\Google 2010-02-21 16:49 . 2010-02-21 16:49 -------- d--h--w- c:\windows\system32\GroupPolicy 2010-02-20 23:51 . 2009-11-25 10:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2010-02-20 23:36 . 2008-03-21 12:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll 2010-02-20 23:35 . 2010-03-03 19:20 -------- dc----w- c:\windows\system32\DRVSTORE 2010-02-20 23:35 . 2008-09-24 11:45 22368 ----a-w- c:\windows\system32\drivers\ggsemc.sys 2010-02-20 23:35 . 2008-09-24 11:45 1107296 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll 2010-02-20 23:35 . 2008-09-24 11:45 10976 ----a-w- c:\windows\system32\drivers\ggflt.sys 2010-02-20 23:35 . 2010-02-20 23:35 -------- d-----w- c:\program files\Sony Ericsson 2010-02-20 10:09 . 2010-02-21 16:54 249856 ------w- c:\windows\Setup1.exe 2010-02-20 10:09 . 2010-02-21 16:54 73216 ----a-w- c:\windows\ST6UNST.EXE 2010-02-20 01:07 . 2010-03-02 22:44 -------- d-----w- c:\documents and settings\Mateusz\Ustawienia lokalne\Dane aplikacji\PunkBuster 2010-02-19 22:10 . 2010-02-25 21:10 -------- d-----w- c:\windows\Downloaded Installations 2010-02-19 21:51 . 2008-03-05 15:03 479752 ----a-w- c:\windows\system32\XAudio2_0.dll 2010-02-19 21:51 . 2008-03-05 15:03 238088 ----a-w- c:\windows\system32\xactengine3_0.dll 2010-02-19 21:51 . 2008-03-05 15:00 25608 ----a-w- c:\windows\system32\X3DAudio1_3.dll 2010-02-19 21:51 . 2008-03-05 14:56 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll 2010-02-19 21:51 . 2008-02-05 22:07 462864 ----a-w- c:\windows\system32\d3dx10_37.dll 2010-02-19 21:51 . 2007-10-22 02:39 267272 ----a-w- c:\windows\system32\xactengine2_10.dll 2010-02-19 21:51 . 2007-10-12 14:14 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll 2010-02-19 21:51 . 2007-10-02 08:56 444776 ----a-w- c:\windows\system32\d3dx10_36.dll 2010-02-19 21:51 . 2007-10-22 02:37 17928 ----a-w- c:\windows\system32\X3DAudio1_2.dll 2010-02-19 21:51 . 2007-07-19 23:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll 2010-02-19 21:51 . 2007-07-19 17:14 444776 ----a-w- c:\windows\system32\d3dx10_35.dll 2010-02-19 21:51 . 2007-07-19 17:14 1358192 ----a-w- c:\windows\system32\D3DCompiler_35.dll 2010-02-19 21:51 . 2007-06-20 19:46 266088 ----a-w- c:\windows\system32\xactengine2_8.dll 2010-02-19 19:58 . 2010-02-19 20:23 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy 2010-02-19 19:46 . 2010-02-19 19:46 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Ashampoo 2010-02-19 18:01 . 2010-03-03 18:50 138504 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys 2010-02-19 18:01 . 2010-02-19 18:01 138056 ----a-w- c:\documents and settings\Mateusz\Dane aplikacji\PnkBstrK.sys 2010-02-19 18:00 . 2010-03-03 18:50 214488 ----a-w- c:\windows\system32\PnkBstrB.exe 2010-02-19 18:00 . 2010-03-02 21:11 75064 ----a-w- c:\windows\system32\PnkBstrA.exe . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-03-03 20:19 . 2010-02-18 21:11 67616 ----a-w- c:\documents and settings\Mateusz\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT 2010-03-03 17:03 . 2010-02-18 21:52 -------- d-----w- c:\documents and settings\Mateusz\Dane aplikacji\uTorrent 2010-03-03 05:28 . 2010-02-18 20:29 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-03-02 23:44 . 2010-02-18 20:35 -------- d-----w- c:\program files\Xfire 2010-03-02 21:45 . 2010-02-18 20:27 -------- d-----w- c:\program files\Winamp 2010-03-02 21:38 . 2010-02-18 20:27 -------- d-----w- c:\documents and settings\Mateusz\Dane aplikacji\Winamp 2010-03-02 15:51 . 2001-10-26 18:15 84916 ----a-w- c:\windows\system32\perfc015.dat 2010-03-02 15:51 . 2001-10-26 18:15 493632 ----a-w- c:\windows\system32\perfh015.dat 2010-02-28 15:33 . 2010-02-18 20:35 -------- d-----w- c:\documents and settings\Mateusz\Dane aplikacji\Xfire 2010-02-26 13:54 . 2010-02-18 21:55 -------- d-----w- c:\program files\uTorrent 2010-02-25 20:49 . 2010-02-18 20:37 -------- d-----w- c:\program files\SEC 2010-02-20 23:36 . 2010-02-20 23:36 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf 2010-02-20 23:36 . 2010-02-20 23:36 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf 2010-02-18 21:11 . 2010-02-18 21:11 -------- d-----w- c:\documents and settings\Mateusz\Dane aplikacji\ATI 2010-02-18 21:11 . 2010-02-18 21:11 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\ATI 2010-02-18 21:09 . 2010-02-18 21:09 -------- d-----w- c:\program files\A4Tech 2010-02-18 21:08 . 2010-02-18 21:08 -------- d-----w- c:\program files\Analog Devices 2010-02-18 20:55 . 2010-02-18 20:26 -------- d-----w- c:\program files\Common Files\InstallShield 2010-02-18 20:44 . 2010-02-18 20:44 0 ----a-w- c:\windows\nsreg.dat 2010-02-18 20:42 . 2010-02-18 20:42 0 ----a-w- c:\windows\ativpsrm.bin 2010-02-18 20:35 . 2010-02-18 20:34 -------- d-----w- c:\program files\ATI Technologies 2010-02-18 20:29 . 2010-02-18 20:29 -------- d-----w- c:\program files\AMD 2010-02-18 20:20 . 2010-02-18 20:20 -------- d-----w- c:\program files\microsoft frontpage 2010-02-18 20:19 . 2010-02-18 20:19 -------- d-----w- c:\program files\Usługi online 2010-02-18 20:17 . 2010-02-18 20:17 21856 ----a-w- c:\windows\system32\emptyregdb.dat 2010-02-11 03:16 . 2010-02-11 03:16 41872 ----a-w- c:\windows\system32\xfcodec.dll 2010-02-04 09:01 . 2010-02-19 21:57 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll 2010-02-04 09:01 . 2010-02-19 21:57 528216 ----a-w- c:\windows\system32\XAudio2_6.dll 2010-02-04 09:01 . 2010-02-19 21:57 238936 ----a-w- c:\windows\system32\xactengine3_6.dll 2010-02-04 09:01 . 2010-02-19 21:57 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696] "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2009-12-11 14:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2009-12-22 00:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGEIA PhysX SysTray] 2007-07-22 16:39 345640 ----a-w- c:\program files\AGEIA Technologies\bin\TrayIcon.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Tlen.pl\\tlen.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "d:\\Moje graty\\gry\\Saints Row 2\\SR2_pc.exe"= "c:\\Documents and Settings\\Mateusz\\Moje dokumenty\\Downloads\\Worms 4\\Worms 4\\Worms 4.exe"= "d:\\Steam\\steamapps\\supermasterek\\day of defeat\\hl.exe"= "d:\\Steam\\steamapps\\supermasterek\\condition zero\\hl.exe"= "d:\\Steam\\steamapps\\supermasterek\\counter-strike\\hl.exe"= "d:\\Moje graty\\gry\\pes\\PES2008.exe"= "d:\\Moje graty\\gry\\CALL\\CoJBiBGame_x86.exe"= "c:\\Program Files\\Xfire\\Xfire.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [2010-03-03 41504] S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2010-03-03 691696] S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-02-21 10976] . . ------- Skan uzupełniający ------- . uInternet Connection Wizard,ShellNext = hxxp://search.bearshare.com/ IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Mateusz\Dane aplikacji\Mozilla\Firefox\Profiles\08gl3cnk.default\ FF - prefs.js: browser.search.selectedEngine - FF - prefs.js: browser.startup.homepage - www.google.com\\ FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll FF - plugin: c:\documents and settings\Mateusz\Dane aplikacji\Mozilla\Firefox\Profiles\08gl3cnk.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll FF - plugin: c:\documents and settings\Mateusz\Dane aplikacji\Mozilla\plugins\np-mswmp.dll FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava11.dll FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava12.dll FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava13.dll FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava32.dll FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJPI140_03.dll FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPOJI610.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava11.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava12.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava13.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava32.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJPI140_03.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOJI610.dll . - - - - USUNIĘTO PUSTE WPISY - - - - ActiveSetup-{2F818E95-AD98-C66D-87E1-0ABB2C090850} - c:\windows\system32\System32\wins32.exe AddRemove-DivX Plus DirectShow Filters - c:\program files\DivX\DivXDSFiltersUninstall.exe AddRemove-{7585478E9D9B42108671C12F8714CEFE} - c:\program files\DivX\DivXConverterUninstall.exe AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - c:\program files\DivX\DivXPlayerUninstall.exe AddRemove-{B13A7C41581B411290FBC0395694E2A9} - c:\program files\DivX\DivXConverterUninstall.exe AddRemove-{B7050CBDB2504B34BC2A9CA0A692CC29} - c:\program files\DivX\DivXWebPlayerUninstall.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-03-03 23:56 Windows 5.1.2600 Dodatek Service Pack 3 NTFS skanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... skanowanie ukrytych plików ... skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** . --------------------- Pliki DLL ładowane pod uruchomionymi procesami --------------------- - - - - - - - > 'winlogon.exe'(660) c:\windows\system32\Ati2evxx.dll . Czas ukończenia: 2010-03-03 23:57:28 ComboFix-quarantined-files.txt 2010-03-03 22:57 Przed: 6 175 817 728 bajtów wolnych Po: 6 146 768 896 bajtów wolnych - - End Of File - - A557D99B311BA3118189F29210E79C58

Log z The Avenger

Kod: Zaznacz wszystko: ////////////////////////////////////////// Avenger Pre-Processor log ////////////////////////////////////////// Platform: Windows XP (build 2600, Dodatek Service Pack 3) Wed Mar 03 23:40:00 2010 23:37:44: Error: Invalid registry syntax in command: "HKEY_CURRENT_USER\SOFTWARE\XML" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry key deletion mode) 23:37:47: Error: Invalid registry syntax in command: "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry key deletion mode) 23:37:48: Error: Invalid registry syntax in command: "HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry key deletion mode) 23:37:50: Error: Invalid registry syntax in command: "HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry key deletion mode) ////////////////////////////////////////// Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! Error: could not open file "C:\WINDOWS\system32\System32\wins32.exe" Deletion of file "C:\WINDOWS\system32\System32\wins32.exe" failed! Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist Error: could not open file "C:\WINDOWS\system32\System32\klog.dat" Deletion of file "C:\WINDOWS\system32\System32\klog.dat" failed! Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist Error: file "C:\Documents and Settings\Mateusz\Dane aplikacji\addon.dat" not found! Deletion of file "C:\Documents and Settings\Mateusz\Dane aplikacji\addon.dat" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: folder "C:\WINDOWS\system32\System32" not found! Deletion of folder "C:\WINDOWS\system32\System32" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Completed script processing. ******************* Finished! Terminate.

**Posty:** 18165 · przez **wojtas** 04 Mar 2010, 19:15

pamiętaj że przed użyciem Combofixa należy skasować emulatory napędów

zasady wstawiania logów

zrób skan malwarebytes usuń co znajdzie i pokaż skan z DR Weba

**Posty:** 11 · przez **.Infinity-** 04 Mar 2010, 20:41

mówiłem ci już że usunąłem emulatory napędów

**Posty:** 18165 · przez **wojtas** 04 Mar 2010, 22:40

no to wykonaj resztę . bo dzisiaj mamy 4.03 a log z Combo jest z 3.03. pamietaj o MBAM i webie

**Posty:** 11 · przez **.Infinity-** 05 Mar 2010, 02:54

Kod: Zaznacz wszystko: Malwarebytes' Anti-Malware 1.44 Wersja bazy definicji: 3825 Windows 5.1.2600 Dodatek Service Pack 3 Internet Explorer 6.0.2900.5512 2010-03-05 00:30:18 mbam-log-2010-03-05 (00-30-18).txt Typ skanowania: Pełne skanowanie (C:\|D:\|) Przeskanowane obiekty: 154991 Upłynęło: 25 minute(s), 52 second(s) Zainfekowane procesy w pamięci: 1 Zainfekowane moduły pamięci: 1 Zainfekowane klucze rejestru: 5 Zainfekowane wartości rejestru: 1 Zainfekowane pliki rejestru: 0 Zainfekowane foldery: 0 Zainfekowane pliki: 11 Zainfekowane procesy w pamięci: C:\WINDOWS\msb.exe (Trojan.Agent) -> Unloaded process successfully. Zainfekowane moduły pamięci: c:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot. Zainfekowane klucze rejestru: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) -> Quarantined and deleted successfully. Zainfekowane wartości rejestru: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toy5knq8oc (Trojan.FakeAlert) -> Quarantined and deleted successfully. Zainfekowane pliki rejestru: (Nie wykryto groźnych plików) Zainfekowane foldery: (Nie wykryto groźnych plików) Zainfekowane pliki: c:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot. C:\System Volume Information\_restore{4CE2BE52-AF56-444A-AB3D-A8BC5A1AF9FC}\RP3\A0000234.exe (Trojan.Fraudpack) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{4CE2BE52-AF56-444A-AB3D-A8BC5A1AF9FC}\RP4\A0000269.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{4CE2BE52-AF56-444A-AB3D-A8BC5A1AF9FC}\RP4\A0000272.dll (Trojan.Downloader) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{4CE2BE52-AF56-444A-AB3D-A8BC5A1AF9FC}\RP4\A0000273.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{4CE2BE52-AF56-444A-AB3D-A8BC5A1AF9FC}\RP4\A0000276.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{4CE2BE52-AF56-444A-AB3D-A8BC5A1AF9FC}\RP4\A0000277.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\msb.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Dr.Web nie wykrył wirusów

**Posty:** 18165 · przez **wojtas** 05 Mar 2010, 11:33

jak sytuacja z kompem ?

**Posty:** 11 · przez **.Infinity-** 05 Mar 2010, 20:27

Mniej się wiesza ale się wiesza

**Posty:** 18165 · przez **wojtas** 05 Mar 2010, 20:31

to jeszcze raz na koniec, zestaw nowego logu z Combofixa , Gmera , i OTL