
Win32:Onlinegames-CAZ [Trj]

Hello. I have a problem with the Win32:Onlinegames-CAZ virus. Removing it doesn't help, and neither does quarantine. So I'm pasting the logs from ComboFix and HijackThis. Please help - we don't know what to do. Thanks in advance for the help.


ComboFix 08-02-11.2 - admin 2008-02-11 14:52:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.794 [GMT 1:00]
Running from: E:\instalki\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
C:\Autorun.inf
C:\Documents and Settings\admin\Dane aplikacji\ShoppingReport
C:\Documents and Settings\admin\Dane aplikacji\ShoppingReport\cs\Config.xml
C:\Documents and Settings\admin\Dane aplikacji\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\admin\Dane aplikacji\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\admin\Dane aplikacji\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\admin\Dane aplikacji\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\admin\Dane aplikacji\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\admin\Dane aplikacji\ShoppingReport\cs\res2\WhiteList.dbs
C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
C:\Program Files\ShoppingReport\Uninst.exe
C:\WINDOWS\system32\amvo.exe
D:\Autorun.inf
E:\Autorun.inf
C:\Program Files\ShoppingReport

.
((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-02-10 19:54 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-10 19:54 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-10 19:54 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-10 19:54 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-10 19:54 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-10 19:54 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-10 19:53 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-10 19:53 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-10 08:23 . 2008-02-10 07:43 105,168 -r-hs---- C:\d6fagcs8.cmd
2008-02-05 18:37 . 2008-02-05 18:36 103,673 -r-hs---- C:\188qsm.bat
2008-02-03 10:25 . 2008-02-04 16:36 103,367 -r-hs---- C:\2ifetri.cmd
2008-02-02 23:13 . 2008-02-02 23:13 104,644 -r-hs---- C:\i.cmd
2008-01-30 14:34 . 2008-02-01 15:46 103,574 -r-hs---- C:\h.cmd
2008-01-26 16:27 . 2008-01-14 23:59 105,698 -r-hs---- C:\d.com
2008-01-26 16:27 . 2008-01-28 14:12 105,293 -r-hs---- C:\xo8wr9.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 21:13 --------- d-----w C:\Documents and Settings\admin\Dane aplikacji\Skype
2008-02-10 19:38 --------- d-----w C:\Documents and Settings\admin\Dane aplikacji\skypePM
2008-02-10 18:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-10 18:10 --------- d-----w C:\Documents and Settings\admin\Dane aplikacji\Azureus
2008-02-08 19:18 --------- d-----w C:\Program Files\Lavasoft
2008-02-08 19:18 --------- d-----w C:\Documents and Settings\admin\Dane aplikacji\Lavasoft
2008-01-19 20:01 --------- d-----w C:\Program Files\Java
2008-01-19 19:55 --------- d-----w C:\Documents and Settings\admin\Dane aplikacji\gretl
2008-01-19 17:07 --------- d-----w C:\Program Files\Azureus
2008-01-05 22:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 22:00 --------- d-----w C:\Program Files\Vimicro
2008-01-05 22:00 --------- d-----w C:\Documents and Settings\admin\Dane aplikacji\InstallShield
2007-12-28 17:46 --------- d-----w C:\Program Files\Sony Ericsson
2007-12-26 12:59 --------- d-----w C:\Program Files\Share_Accelerator_MM
2007-12-23 11:23 --------- d-----w C:\Program Files\Apple Software Update
2007-12-23 11:23 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2007-12-16 07:57 --------- d-----w C:\Program Files\Web Hottest Videos Personal Player
2007-12-16 07:50 --------- d-----w C:\Documents and Settings\admin\Dane aplikacji\FrostWire
2007-12-04 17:35 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2007-04-29 20:14 59,110 ----a-w C:\WINDOWS\Fonts\friday13.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2007-11-10 06:41 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-11-10 06:41 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{40D1C3A7-4FFB-4443-B3A0-A64B2DF7FC3B}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
{4596013B-6C31-408B-A266-DEAE5C086DC2}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
" {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} " = C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2007-11-10 06:41 267592]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" CTFMON.EXE " = " C:\WINDOWS\system32\ctfmon.exe " [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" RemoteControl " = " C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe " [2003-10-31 19:42 32768]
" WinampAgent " = " D:\Programy\Winamp\winampa.exe " [2006-01-30 20:13 35328]
" HPDJ Taskbar Utility " = " C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe " [2004-06-21 21:35 172032]
" NeroFilterCheck " = " C:\WINDOWS\system32\NeroCheck.exe " [2001-07-09 10:50 155648]
" Sony Ericsson PC Suite " = " C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe " [2005-10-26 16:17 159744]
" HP Component Manager " = " C:\Program Files\HP\hpcoretech\hpcmpmgr.exe " [2004-05-12 15:18 241664]
" avast! " = " C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe " [2007-12-04 14:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
" CTFMON.EXE " = " C:\WINDOWS\system32\CTFMON.EXE " [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]
HP Image Zone - szybkie uruchamianie.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
C:\WINDOWS\system32\amvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath323Domino]
--a------ 2007-01-09 12:56 49152 C:\WINDOWS\Domino.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Simcast]
C:\Program Files\Simcast Media\Simcast\SimcastAlerts.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SimcastUpdate]
--a------ 2006-10-02 19:34 86536 C:\Program Files\Simcast Media\Simcast\SimcastUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
" SoundMan " =SOUNDMAN.EXE
" PinnacleDriverCheck " =C:\WINDOWS\system32\PSDrvCheck.exe
" MSConfig " =C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
" BigDogPath323VMSnap " =C:\WINDOWS\VMSnap23.exe

R3 vmfilter323;323 filter service, Normal;C:\WINDOWS\system32\drivers\vmfilter323.sys [2006-08-08 11:25]
R3 ZSMC326;Vimicro USB2.0 PC Camera(VC0323);C:\WINDOWS\system32\Drivers\usbvm323.sys [2007-04-03 16:22]
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 ComFiltr;Panda Anti-Dialer;C:\WINDOWS\system32\DRIVERS\COMFiltr.sys []
S3 KTalk;KTalk;C:\DOCUME~1\admin\USTAWI~1\Temp\ktalk.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44b3d733-cbef-11dc-86b9-000a4818bbc8}]
\Shell\AutoRun\command - G:\h.cmd
\Shell\explore\Command - G:\h.cmd
\Shell\open\Command - G:\h.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6aab4358-3946-11dc-8352-000a4818bbc8}]
\Shell\AutoRun\command - H:\h.cmd
\Shell\explore\Command - H:\h.cmd
\Shell\open\Command - H:\h.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c016c7e-ed88-11da-bd16-000a4818bbc8}]
\Shell\AutoRun\command - xo8wr9.exe
\Shell\explore\Command - xo8wr9.exe
\Shell\open\Command - xo8wr9.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9452c2f5-bf49-11db-8126-000a4818bbc8}]
\Shell\AutoRun\command - G:\2ifetri.cmd
\Shell\explore\Command - G:\2ifetri.cmd
\Shell\open\Command - G:\2ifetri.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1dd7954-bcf4-11db-811d-000a4818bbc8}]
\Shell\AutoRun\command - G:\ylr.exe
\Shell\explore\Command - G:\ylr.exe
\Shell\open\Command - G:\ylr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f539d836-6ec5-11dc-844e-000a4818bbc8}]
\Shell\AutoRun\command - G:\2ifetri.cmd
\Shell\explore\Command - G:\2ifetri.cmd
\Shell\open\Command - G:\2ifetri.cmd

*Newly Created Service* - HTTPFILTER
.
Contents of the 'Scheduled Tasks' folder
" 2008-02-03 11:19:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 14:58:39
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2008-02-11 15:01:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-11 14:01:00
.
2008-01-09 07:05:48 --- E O F ---

