RATUNKU Z AMVO!!!!

[szczawik]

prosze o pomoc w zneutralizowaniu tego robala.. dodam ze jst on na laptopie i mam tam ukrytą partycję z win XP,czy to coś zmienia?

[Czarodziejczarek]

Powiem ci tylko tyle przyjacielu daj log z combofix tak ci większość osób, które się na tym znają napisze.

https://www.instalki.pl/download/programy/windows/bezpieczenstwo/antyspyware/combofix/

Pomogą. Cierpliwości:)

A poza tym wylecz pendraiva itp...

Tylko dodam jeszcze jedno. Gdy ja robiłem log z combofixa wyłączyłem wszelkie programy antywirusowe i spywarowe bo mi nie chciał zrobić tego loga. Potem wszystko poszło ok.

Czekaj na PP3088 i HUBERTA2T oni się ZNAJĄ na tym jak mało kto!!!

[szczawik]

ok,dzięki wielkie zaraz jak tylko skończe format dysku zewnętrznego włącze combofixa i wyśle loga, 500gb troche sie formatuje:D

[szczawik]

oto mój log:

ComboFix 08-05-11.1 - gfgf 2008-05-12 23:36:35.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.144 [GMT 2:00]
Running from: C:\Documents and Settings\gfgf\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
D:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-12 22:44 . 2008-05-12 22:44 <DIR> d---s---- C:\Documents and Settings\gfgf\UserData
2008-05-12 22:43 . 2008-05-12 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-12 14:51 . 2008-05-12 20:47 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-12 14:46 . 2008-05-12 14:46 <DIR> d--hs---- C:\Recycled

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 11:32 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-12 11:31 --------- d-----w C:\Program Files\Ahead
2008-05-12 11:28 --------- d-----w C:\Program Files\Yahoo!
2008-05-12 11:24 --------- d-----w C:\Program Files\Launch Manager
2008-05-12 11:19 --------- d-----w C:\Program Files\WIDCOMM
2008-05-12 11:19 --------- d-----w C:\Documents and Settings\gfgf\Application Data\Symantec
2008-04-23 05:42 103,762 --sh--r C:\tym8a.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 12:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 12:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 12:17 118784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"LaunchApp"="Alaunch" []
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 15:02 53248]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 13:07 761946]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 11:15 45056]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45 2462208]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 15:50 69632]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 20:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 20:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 15:27 52848]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-03 07:59 218240]
"NAV CfgWiz"="C:\Program Files\Norton AntiVirus\CfgWiz.exe" [2005-09-30 13:33 120464]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 14:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 19:29 352256]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 12:54 3080704]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-07-20 22:15 593920]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 18:00 397312]
"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-09-23 13:08 61440]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 20:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-17 10:45:32 618557]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\tym8a.exe
\Shell\explore\Command - F:\tym8a.exe
\Shell\open\Command - F:\tym8a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\tym8a.exe
\Shell\explore\Command - G:\tym8a.exe
\Shell\open\Command - G:\tym8a.exe

*Newly Created Service* - INT15.SYS
.
Contents of the 'Scheduled Tasks' folder
"2006-09-06 22:06:08 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 23:39:22
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\DOCUME~1\gfgf\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-12 23:41:22 - machine was rebooted [gfgf]
ComboFix-quarantined-files.txt 2008-05-12 21:41:08

Pre-Run: 49,133,420,544 bytes free
Post-Run: 49,160,814,592 bytes free

138

[Czarodziejczarek]

Usunąłem wpis Przepraszam...

[huber2t]

Czrodziejek tak się nie robi, jeśli sie nie znasz to nie pomogaj bo podałes dobre wpisy i pliki,

Do wyleczenia pendrive z wirusów użyj Perlovga Removal Tool lub format
Nie odłączając pendriva wykonaj to:

Pobierz ComboFix, ale nie uruchamiaj
Wklej do notatnika:

Kod: Zaznacz wszystko

File::
C:\tym8a.exe
F:\tym8a.exe
G:\tym8a.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=-
"LaunchApp"=-
"NeroFilterCheck"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]


Plik zapisz jako CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)
Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu

Rozpocznie się usuwanie i powstanie log, daj ten log na forum.

[szczawik]

oto log:

ComboFix 08-05-12.1 - gfgf 2008-05-13 8:07:44.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.155 [GMT 2:00]
Running from: C:\Documents and Settings\gfgf\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\gfgf\Desktop\CFScript.txt.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\tym8a.exe
F:\tym8a.exe
G:\tym8a.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\tym8a.exe
F:\tym8a.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-12 22:44 . 2008-05-12 22:44 <DIR> d---s---- C:\Documents and Settings\gfgf\UserData
2008-05-12 22:43 . 2008-05-12 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-12 14:51 . 2008-05-12 20:47 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-12 14:46 . 2008-05-12 14:46 <DIR> d--hs---- C:\Recycled

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 11:32 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-12 11:31 --------- d-----w C:\Program Files\Ahead
2008-05-12 11:28 --------- d-----w C:\Program Files\Yahoo!
2008-05-12 11:24 --------- d-----w C:\Program Files\Launch Manager
2008-05-12 11:19 --------- d-----w C:\Program Files\WIDCOMM
2008-05-12 11:19 --------- d-----w C:\Documents and Settings\gfgf\Application Data\Symantec
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 12:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 12:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 12:17 118784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 15:02 53248]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 13:07 761946]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 11:15 45056]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45 2462208]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 15:50 69632]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 20:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 20:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 15:27 52848]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-03 07:59 218240]
"NAV CfgWiz"="C:\Program Files\Norton AntiVirus\CfgWiz.exe" [2005-09-30 13:33 120464]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 14:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 19:29 352256]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 12:54 3080704]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-07-20 22:15 593920]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 18:00 397312]
"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-09-23 13:08 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 20:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-17 10:45:32 618557]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]

*Newly Created Service* - CATCHME
*Newly Created Service* - INT15.SYS
.
Contents of the 'Scheduled Tasks' folder
"2006-09-06 22:06:08 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 08:09:27
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-13 8:10:00
ComboFix2.txt 2008-05-12 21:41:24
ComboFix-quarantined-files.txt 2008-05-13 06:09:54

Pre-Run: 49,734,025,216 bytes free
Post-Run: 49,729,142,784 bytes free

106

[szczawik]

dołączam kolejny log jako że dyski kompa miałem oznaczone C i D a dysk zewnętrzny jako F więc zmieniłem adresy docelowe tak żeby poszukał ten syf na wszysttkich dyskach..

ComboFix 08-05-12.1 - gfgf 2008-05-13 8:14:20.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.155 [GMT 2:00]
Running from: C:\Documents and Settings\gfgf\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\gfgf\Desktop\CFScript.txt.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\tym8a.exe
D:\tym8a.exe
F:\tym8a.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\tym8a.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-12 22:44 . 2008-05-12 22:44 <DIR> d---s---- C:\Documents and Settings\gfgf\UserData
2008-05-12 22:43 . 2008-05-12 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-12 14:51 . 2008-05-12 20:47 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-12 14:46 . 2008-05-12 14:46 <DIR> d--hs---- C:\Recycled

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 11:32 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-12 11:31 --------- d-----w C:\Program Files\Ahead
2008-05-12 11:28 --------- d-----w C:\Program Files\Yahoo!
2008-05-12 11:24 --------- d-----w C:\Program Files\Launch Manager
2008-05-12 11:19 --------- d-----w C:\Program Files\WIDCOMM
2008-05-12 11:19 --------- d-----w C:\Documents and Settings\gfgf\Application Data\Symantec
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 12:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 12:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 12:17 118784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 15:02 53248]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 13:07 761946]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 11:15 45056]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45 2462208]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 15:50 69632]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 20:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 20:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 15:27 52848]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-03 07:59 218240]
"NAV CfgWiz"="C:\Program Files\Norton AntiVirus\CfgWiz.exe" [2005-09-30 13:33 120464]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 14:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 19:29 352256]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 12:54 3080704]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-07-20 22:15 593920]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 18:00 397312]
"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-09-23 13:08 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 20:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-17 10:45:32 618557]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]

*Newly Created Service* - CATCHME
*Newly Created Service* - INT15.SYS
.
Contents of the 'Scheduled Tasks' folder
"2006-09-06 22:06:08 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 08:15:48
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-13 8:16:20
ComboFix3.txt 2008-05-12 21:41:24
ComboFix-quarantined-files.txt 2008-05-13 06:16:14
ComboFix2.txt 2008-05-13 06:10:02

Pre-Run: 49,698,930,688 bytes free
Post-Run: 49,686,282,240 bytes free

106

[huber2t]

Log wyglada na czysty

Usuń ręcznie folder C: \Qoobox,usuń instalkę Combofix z dysku

Wyłącz przywracanie systemu na wszystkich dyskach. Instrukcja

Przeskanuj komputer tym (uruchom przez IE) http://www.kaspersky.pl/virusscanner.html Daj raport z niego na forum

Włącz przywracanie systemu.

[szczawik]

oto raport kasperskiego:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
13 maj 2008 15:11:11
System operacyjny: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner wersja: 5.0.98.0
Ostatnia aktualizacja Kaspersky Anti-Virus13/05/2008
Liczba wpisów w bazie danych Kaspersky Anti-Virus768145
-------------------------------------------------------------------------------

Ustawienia skanowania:
Skanowanie przy użyciu następujących baz danych: rozszerzone
Skanuj archiwa: tak
Skanuj pocztowe bazy danych: tak

Obszar skanowania - Mój komputer:
C:\
D:\
E:\
F:\

Statystyki skanowania:
Liczba skanowanych obiektów: 36953
Liczba wykrytych wirusów: 0
Liczba zainfekowanych obiektów: 0
Liczba podejrzanych obiektów: 0
Czas trwania skanowania: 00:24:35

Nazwa zainfekowanego obiektu / Nazwa wirusa / Ostatnie działanie
C:\WINDOWS\system32\config\system.LOG Object is locked pominięty
C:\WINDOWS\system32\config\software.LOG Object is locked pominięty
C:\WINDOWS\system32\config\default.LOG Object is locked pominięty
C:\WINDOWS\system32\config\SECURITY Object is locked pominięty
C:\WINDOWS\system32\config\SAM Object is locked pominięty
C:\WINDOWS\system32\config\SAM.LOG Object is locked pominięty
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked pominięty
C:\WINDOWS\system32\config\Media Ce.evt Object is locked pominięty
C:\WINDOWS\system32\config\SYSTEM Object is locked pominięty
C:\WINDOWS\system32\config\SOFTWARE Object is locked pominięty
C:\WINDOWS\system32\config\DEFAULT Object is locked pominięty
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked pominięty
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked pominięty
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked pominięty
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked pominięty
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked pominięty
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked pominięty
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked pominięty
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked pominięty
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked pominięty
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked pominięty
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked pominięty
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked pominięty
C:\WINDOWS\system32\h323log.txt Object is locked pominięty
C:\WINDOWS\Debug\PASSWD.LOG Object is locked pominięty
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked pominięty
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B8912961-B014-4580-9E97-D77EA715F48E}.crmlog Object is locked pominięty
C:\WINDOWS\WindowsUpdate.log Object is locked pominięty
C:\WINDOWS\SchedLgU.Txt Object is locked pominięty
C:\WINDOWS\Sti_Trace.log Object is locked pominięty
C:\WINDOWS\wiaservc.log Object is locked pominięty
C:\WINDOWS\wiadebug.log Object is locked pominięty
C:\WINDOWS\ModemLog_HDAUDIO Soft Data Fax Modem with SmartCP.txt Object is locked pominięty
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked pominięty
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked pominięty
C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked pominięty
C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked pominięty
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked pominięty
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked pominięty
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked pominięty
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked pominięty
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked pominięty
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked pominięty
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked pominięty
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked pominięty
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked pominięty
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked pominięty
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked pominięty
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked pominięty
C:\Documents and Settings\gfgf\NTUSER.DAT Object is locked pominięty
C:\Documents and Settings\gfgf\ntuser.dat.LOG Object is locked pominięty
C:\Documents and Settings\gfgf\Local Settings\History\History.IE5\index.dat Object is locked pominięty
C:\Documents and Settings\gfgf\Local Settings\History\History.IE5\MSHist012008051320080514\index.dat Object is locked pominięty
C:\Documents and Settings\gfgf\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked pominięty
C:\Documents and Settings\gfgf\Local Settings\Application Data\ApplicationHistory\ePower_DMC.exe.3ca0acde.ini.inuse Object is locked pominięty
C:\Documents and Settings\gfgf\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty
C:\Documents and Settings\gfgf\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked pominięty
C:\Documents and Settings\gfgf\Cookies\index.dat Object is locked pominięty
C:\Documents and Settings\gfgf\Application Data\Symantec\PendingAlertsQueue.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked pominięty
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked pominięty
C:\Program Files\Norton AntiVirus\Savrt\0514NAV~.TMP Object is locked pominięty
C:\Program Files\Norton AntiVirus\Savrt\0459NAV~.TMP Object is locked pominięty
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked pominięty
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked pominięty
C:\Program Files\Norton AntiVirus\AVError.log Object is locked pominięty
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty

Proces skanowania został zakończony.

[huber2t]

Tak jak widzisz w raporcie nic nie widać

Powinno byc ok

[szczawik]

dzięki wielkie!jesteś wielki!!