Problem z heur.win32

**Posty:** 1 · przez **The_Crow** 21 Kwi 2009, 12:02

Kaspersky Internet Security 09 przestał działać, odinstalowałem go i teraz nie chce się zainstalować, w MKS online wykrywa mi Heur.Win32. Załączam txt z combofixa

ComboFix 09-04-21.A1 - User 2009-04-21 11:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.3327.2834 [GMT 2:00]
Uruchomiony z: c:\documents and settings\User\Pulpit\ComboFix.exe
* Utworzono nowy punkt przywracania
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\ej10fkdo.bat
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\olhrwef.exe
D:\Autorun.inf
D:\ej10fkdo.bat
E:\Autorun.inf
E:\ej10fkdo.bat

.
((((((((((((((((((((((((( Pliki utworzone od 2009-03-21 do 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-04-20 14:27 . 2009-04-21 09:11 -------- d-----w c:\program files\SkanerOnline
2009-04-17 14:28 . 2007-10-11 06:19 45056 ----a-w c:\windows\Sim AQUARIUM 2.scr
2009-04-17 14:28 . 2009-04-21 08:35 -------- d-----w c:\program files\Sim AQUARIUM 2

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 09:50 . 2008-11-03 11:15 26622 ----a-w C:\lxcf.log
2009-04-20 14:52 . 2008-10-31 15:13 376864 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-20 14:52 . 2008-10-31 15:13 3416 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-20 14:52 . 2008-10-31 15:13 1516064 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-20 14:52 . 2008-10-31 15:13 15020 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-20 14:52 . 2009-04-20 14:40 11382 ----a-w C:\mksbasel.cpp.log
2009-04-20 07:15 . 2008-11-03 13:32 -------- d-----w c:\documents and settings\User\Dane aplikacji\Lasersoft Imaging
2009-04-15 13:46 . 2008-04-15 12:00 74230 ----a-w c:\windows\system32\perfc015.dat
2009-04-15 13:46 . 2008-04-15 12:00 448004 ----a-w c:\windows\system32\perfh015.dat
2009-04-15 09:40 . 2008-11-03 15:15 -------- d-----w c:\program files\Nowe Gadu-Gadu
2009-04-03 07:20 . 2008-11-03 10:41 -------- d-----w c:\program files\Lx_cats
2009-04-01 07:40 . 2009-02-24 14:43 -------- d-----w c:\program files\Java
2009-03-31 14:40 . 2008-11-03 10:06 -------- d-----w c:\documents and settings\User\Dane aplikacji\OpenOffice.org2
2009-03-16 14:22 . 2008-10-31 14:42 16752 ----a-w c:\documents and settings\User\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-03-09 03:19 . 2009-02-24 14:43 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2008-04-15 12:00 285696 ----a-w c:\windows\system32\pdh.dll
2009-03-03 14:34 . 2009-03-03 14:34 1663 ----a-w C:\photodex-presenter-install.log
2009-03-03 14:34 . 2009-03-03 14:34 -------- d-----w c:\documents and settings\User\Dane aplikacji\Netscape
2009-03-03 14:33 . 2009-03-03 14:33 -------- d-----w c:\documents and settings\User\Dane aplikacji\Photodex
2009-03-03 00:10 . 2008-04-15 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 08:16 . 2009-01-26 11:46 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-24 13:17 . 2009-02-24 13:17 -------- d-----w c:\program files\DIFX
2009-02-20 17:13 . 2008-04-15 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 14:07 . 2008-04-15 12:00 1847040 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:26 . 2008-04-14 21:59 2025472 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:26 . 2008-04-15 12:00 2146816 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:25 . 2008-04-15 12:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:53 . 2008-04-15 12:00 731136 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:53 . 2008-04-15 12:00 686592 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:53 . 2008-04-15 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:53 . 2008-04-15 12:00 722944 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:39 . 2008-04-15 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:58 . 2008-04-15 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-11-19 15:19 . 2008-11-19 15:19 24 --sha-w c:\windows\S12DEBCCC.tmp
.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-01-24 2289664]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-17 13529088]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-17 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-06-13 16871936]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-17 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

c:\documents and settings\User\Menu Start\Programy\Autostart\
MutiKeyboard Driver.lnk - c:\program files\MultiKeyboard Driver\KbdDrv.exe [2008-11-3 366080]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Action Express (OpticPro ST64+).lnk - c:\program files\Plustek\OpticPro ST64+\Am32Plus.exe [2008-11-3 143360]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R3 AVPsys;AVPsys;c:\windows\system32\drivers\cdaudio.sys [2001-08-17 18688]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
S3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1e51x86.sys [2008-06-25 36864]
S3 Usbfilt;Usbfilt;c:\windows\SYSTEM32\DRIVERS\usbfilt.sys [2004-02-01 26166]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0825b42f-aca7-11dd-b30c-0022157c8ad1}]
\Shell\AutoRun\command - L:\xk2n.bat
\Shell\explore\Command - L:\xk2n.bat
\Shell\open\Command - L:\xk2n.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b383feb-1d18-11de-b380-0022157c8ad1}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a6b5435-2d7b-11de-b39d-0022157c8ad1}]
\Shell\AutoRun\command - L:\ej10fkdo.bat
\Shell\open\Command - L:\ej10fkdo.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61b0930f-f429-11dd-b35f-0022157c8ad1}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explore.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79d07c9a-d0f8-11dd-b339-0022157c8ad1}]
\Shell\AutoRun\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\lin32.exe
\Shell\open\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\lin32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a14ee62-f74c-11dd-b360-0022157c8ad1}]
\Shell\AutoRun\command - p1y2.cmd
\Shell\explore\Command - p1y2.cmd
\Shell\open\Command - p1y2.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aee3a7c6-c1e3-11dd-b329-0022157c8ad1}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe

.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
uInternet Connection Wizard,ShellNext = iexplore
DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
FF - ProfilePath - c:\documents and settings\User\Dane aplikacji\Mozilla\Firefox\Profiles\lct89cjy.default\
FF - prefs.js: browser.startup.homepage - www.google.pl
FF - plugin: c:\documents and settings\User\Dane aplikacji\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCARDS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMAHJONG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPWORDS.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 11:52
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'explorer.exe'(1416)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
.
**************************************************************************
.
Czas ukończenia: 2009-04-21 11:52 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-04-21 09:52

Przed: 21 116 133 376 bajtów wolnych
Po: 21 958 414 336 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

172 --- E O F --- 2009-04-15 13:21

**Posty:** 18165 · przez **wojtas** 21 Kwi 2009, 12:10

obejmij logi w tagi code.