Otoz mam problem z wirusem zwanym Brontok nie da rady tego dziada usunac w zaden sposob, z kolejnym startem systemu problem nadal wystepuje
Tutaj Logi
Combofix
- Kod: Zaznacz wszystko
ComboFix 09-03-22.01 - Administrator 2009-03-24 18:40:51.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.2047.1806 [GMT 1:00]
Uruchomiony z: C:\ComboFix.exe
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\inetinfo.exe
c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\lsass.exe
c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\services.exe
c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\winlogon.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\odbcasvc.exe
c:\windows\system32\Process.exe
c:\windows\system32\setup.ini
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ODBCASVC
-------\Service_odbcasvc
((((((((((((((((((((((((( Pliki utworzone od 2009-02-24 do 2009-03-24 )))))))))))))))))))))))))))))))
.
2009-03-24 18:03 . 2009-03-24 18:03 <DIR> d-------- C:\klwk
2009-03-24 18:03 . 2009-03-24 18:03 <DIR> d-------- C:\brontok-washer
2009-03-24 18:03 . 2009-03-24 18:02 1,249,226 --a------ C:\brontok-washer.zip
2009-03-24 18:03 . 2009-03-24 18:02 123,387 --a------ C:\klwk.zip
2009-03-24 15:48 . 2009-03-24 15:41 88,064 --a------ C:\brontgui.com
2009-03-23 14:38 . 2009-03-23 13:51 2,934,725 -ra------ C:\ComboFix.exe
2009-03-23 14:38 . 2009-03-23 13:57 1,661,611 --a------ C:\SmitfraudFix.exe
2009-03-23 14:26 . 2009-03-23 14:26 <DIR> d-------- c:\windows\ERUNT
2009-03-23 14:26 . 2009-03-23 14:26 580,096 --a------ c:\windows\system32\dllcache\user32.dll
2009-03-23 14:24 . 2009-03-23 14:31 <DIR> d-------- C:\SDFix
2009-03-23 14:24 . 2009-03-23 14:24 <DIR> d-------- c:\program files\Trend Micro
2009-03-22 14:05 . 2009-03-22 14:05 118 --a------ c:\windows\system32\MRT.INI
2009-03-20 17:10 . 2009-03-20 18:39 <DIR> d-------- c:\program files\Gra w ciemno
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 17:03 --------- d-----w c:\program files\Wru
2009-02-24 14:23 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Bluetooth
2009-02-20 13:22 --------- d-----w c:\program files\frag grim support
2009-02-20 13:21 --------- d-----w c:\program files\eMule
2009-02-20 13:15 --------- d-----w c:\program files\ESET
2009-02-20 13:15 --------- d-----w c:\program files\Alawar
2009-02-20 13:14 --------- d-----w c:\program files\Winamp
2009-02-20 12:56 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 12:56 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Malwarebytes
2009-02-19 16:04 --------- d-----w c:\program files\F1 Challange KRC 2007
2009-02-19 15:48 --------- d-----w c:\program files\EA GAMES
2009-02-18 00:44 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\NFS Underground
2009-02-11 09:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 09:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 14:11 --------- d-----w c:\program files\EACom
2009-02-10 14:10 --------- d-----w c:\program files\Electronic Arts
2007-12-28 11:46 32 ----a-w c:\documents and settings\All Users\Dane aplikacji\ezsid.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-12-07 21686568]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"List Regs"="c:\docume~1\USER\DANEAP~1\FRAGGR~1\enc bait.exe" [2009-02-20 630784]
"Gadu-Gadu"="d:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"OrangeDeamon"="c:\program files\Orange\Orange.exe" [2008-05-16 20336640]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 c:\windows\RTHDCPL.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-12-21 c:\windows\system32\advpack.dll]
c:\documents and settings\Administrator\Menu Start\Programy\Autostart\
Empty.pif [2006-07-26 42667]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R3 Stmatm;ATM/ADSL miniport;c:\windows\system32\drivers\stmatm.sys [2009-01-07 60533]
R3 TaurusUsb;ADSL Modem USB Service;c:\windows\system32\drivers\torususb.sys [2009-01-07 684672]
S3 RT2400;RT2400 Wireless Driver;c:\windows\system32\drivers\RT2400.sys [2007-12-28 62848]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a698e14-b64e-11dd-b55c-001d7d217003}]
\Shell\1\Command - m:\.\recycled\info.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3aee48d7-01b7-11de-b64a-001d7d217003}]
\Shell\1\Command - m:\.\recycled\info.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ff932c2-a0f5-11dc-95e0-806d6172696f}]
\Shell\AutoRun\command - G:\Run.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61e956de-a1be-11dc-907b-001d7d217003}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74d40e58-0660-11de-b657-001d7d217003}]
\Shell\1\Command - m:\.\recycled\info.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe
.
Zawartość folderu 'Zaplanowane zadania'
2009-03-24 c:\windows\Tasks\A1EF9961918415D1.job
- c:\docume~1\user\daneap~1\fraggr~1\Slow gram gpl.exe [2009-02-20 14:23]
.
- - - - USUNIĘTO PUSTE WPISY - - - -
HKLM-Run-NetPumper - c:\program files\NetPumper\NetPumperIEProxy.exe
HKLM-Run-BearShare - d:\program files\BearShare\BearShare.exe
.
------- Skan uzupełniający -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://edownload.grisoft.cz/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\USER\Dane aplikacji\Mozilla\Firefox\Profiles\9koyke7x.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPBOARDS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPBREAKOUT.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCARDS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPDARTS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPDOMINO.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMAHJONG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMAKAOV2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMARBLES.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPNAVY.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPPOKER.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSLOTS70.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSOCCER.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPWORDS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPWORDSSINGLE.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 18:44:21
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\documents and settings\USER\Ustawienia lokalne\Dane aplikacji\winlogon.exe
c:\documents and settings\USER\Ustawienia lokalne\Dane aplikacji\services.exe
c:\documents and settings\USER\Ustawienia lokalne\Dane aplikacji\lsass.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Czas ukończenia: 2009-03-24 18:45:39 - komputer został uruchomiony ponownie [USER]
ComboFix-quarantined-files.txt 2009-03-24 17:45:37
Przed: 71 939 260 416 bajtów wolnych
Po: 72,082,878,464 bajtów wolnych
187 --- E O F --- 2009-03-22 13:05:41
HijackThis
- Kod: Zaznacz wszystko
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:24:04, on 2009-03-24
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Orange\Orange.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [OrangeDeamon] C:\Program Files\Orange\Orange.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [List Regs] C:\DOCUME~1\USER\DANEAP~1\FRAGGR~1\enc bait.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Empty.pif = ?
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://edownload.grisoft.cz/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A94C0763-119F-4870-B79E-BFB60C7CEA33}: NameServer = 79.163.127.70 217.116.100.65
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
--
End of file - 5685 bytes
Z gory dziekuje za pomoc i licze na szybka odpowiedz.
