I kindly ask for help with this matter; I have seen that on your forum you know how to deal with this, and I am already close to desperation.
I googled a bit and clicked through the suggested little programs, but all to no avail.
Oh, and this is Vista 32-bit.
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:38:53, on 2007-11-14
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANOTIF.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\ASScrPro.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Windows\Explorer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {1118A60F-B1FB-4D02-AF46-D0C7EEA7834B} - C:\Windows\system32\ljjgd.dll
O4 - HKLM…\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM…\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM…\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM…\Run: [skytel] Skytel.exe
O4 - HKLM…\Run: [iAAnotif] “C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe”
O4 - HKLM…\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM…\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM…\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM…\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM…\Run: [ASUS Camera ScreenSaver] C:\Windows\ASScrProlog.exe
O4 - HKLM…\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE
O4 - HKLM…\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe”
O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM…\Run: [a46f99b1] rundll32.exe “C:\Windows\system32\ldfhwmkw.dll”,b
O4 - HKCU…\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”
O4 - HKUS\S-1-5-19…\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘USŁUGA LOKALNA’)
O4 - HKUS\S-1-5-19…\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘USŁUGA LOKALNA’)
O4 - HKUS\S-1-5-20…\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘USŁUGA SIECIOWA’)
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
--
End of file - 5493 bytes
and ComboFix:
ComboFix 07-11-08.1 - pawel 2007-11-14 14:38:46.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1250.1.1045.18.1227 [GMT 1:00]
Running from: C:\Users\pawel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GIY9NEU8\ComboFix[1].exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\p4p
C:\Program Files\p4p\Bookmark.ini
.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.
2007-11-14 14:35 51,200 --a------ C:\Windows\NirCmd.exe
2007-11-14 14:22
2007-11-14 08:36 0 --a------ C:\ntuser.dat
2007-11-13 18:36 127,168 ---hs---- C:\Windows\System32\dgjjl.bak1
2007-11-13 18:36 88,128 --a------ C:\Windows\System32\ldfhwmkw.dll
2007-11-13 16:26 319,072 --------- C:\Windows\System32\ljjgd.dll
2007-11-13 16:21 35,840 --a------ C:\Windows\System32\nnnopnk.dll.vir
2007-11-13 16:21 20,992 --a------ C:\Windows\System32\winxby32.dll
2007-11-10 17:58
2007-11-10 17:58
2007-11-10 17:57
2007-11-10 17:57
2007-11-09 22:53
2007-11-09 21:00
2007-11-04 17:05 29,272 --------- C:\Windows\System32\AdobePDF.dll
2007-11-04 16:14
2007-11-04 16:14
2007-11-03 09:51
2007-11-01 13:58
2007-10-28 20:44
2007-10-28 20:39
2007-10-28 11:09
2007-10-28 09:47
2007-10-28 09:47
2007-10-28 09:17
2007-10-28 08:52
2007-10-28 08:52
2007-10-28 08:52
2007-10-28 08:52
2007-10-28 07:38
2007-10-28 06:55 28,040 --a------ C:\Windows\System32\mdimon.dll
2007-10-28 06:53
2007-10-28 06:53
2007-10-28 06:51
2007-10-28 06:47
2007-10-28 06:44
2007-10-28 06:43
2007-10-28 06:43 3,596,288 --a------ C:\Windows\System32\qt-dx331.dll
2007-10-28 06:43 1,559,040 --a------ C:\Windows\System32\xvidcore.dll
2007-10-28 06:43 739,840 --a------ C:\Windows\System32\divx.dll
2007-10-28 06:43 282,624 --a------ C:\Windows\System32\xvidvfw.dll
2007-10-28 06:43 217,088 --a------ C:\Windows\System32\yv12vfw.dll
2007-10-28 06:43 164,352 --a------ C:\Windows\System32\unrar.dll
2007-10-28 06:43 81,920 --a------ C:\Windows\System32\dpl100.dll
2007-10-28 06:43 7,680 --a------ C:\Windows\System32\ff_vfw.dll
2007-10-28 06:35
2007-10-28 06:33
2007-10-28 06:33
2007-10-28 06:33 545 --a------ C:\Windows\UC.PIF
2007-10-28 06:33 545 --a------ C:\Windows\RAR.PIF
2007-10-28 06:33 545 --a------ C:\Windows\PKZIP.PIF
2007-10-28 06:33 545 --a------ C:\Windows\PKUNZIP.PIF
2007-10-28 06:33 545 --a------ C:\Windows\NOCLOSE.PIF
2007-10-28 06:33 545 --a------ C:\Windows\LHA.PIF
2007-10-28 06:33 545 --a------ C:\Windows\ARJ.PIF
2007-10-28 05:56
2007-10-28 05:55
2007-10-28 05:52 45,056 --a------ C:\Windows\System32\acovcnt.exe
2007-10-28 05:45
2007-10-28 05:45
2007-10-28 05:45
2007-10-28 05:44
2007-10-28 05:44
2007-10-28 05:39
2007-10-28 05:38
2007-10-28 05:30 10 --a------ C:\RECOVERY.DAT
2007-10-28 05:29 29,752 --a------ C:\Windows\System32\drivers\AsDsm.sys
2007-10-28 05:28 1,060,424 --a------ C:\Windows\System32\WdfCoInstaller01000.dll
2007-10-28 05:28 196,608 --a------ C:\Windows\System32\SynCtrl.dll
2007-10-28 05:28 182,456 --a------ C:\Windows\System32\drivers\SynTP.sys
2007-10-28 05:28 163,840 --a------ C:\Windows\System32\SynCOM.dll
2007-10-28 05:28 143,360 --a------ C:\Windows\System32\SynTPAPI.dll
2007-10-28 05:28 110,592 --a------ C:\Windows\System32\SynTPCo4.dll
2007-10-28 05:28 48,000 --a------ C:\Windows\System32\drivers\jraid.sys
2007-10-28 05:28 6,912 --a------ C:\Windows\System32\drivers\JGOGO.sys
2007-10-28 05:27
2007-10-28 05:27
2007-10-28 05:27
2007-10-28 05:27
2007-10-28 05:27
2007-10-28 05:27 982,272 --a------ C:\Windows\System32\drivers\smserial.sys
2007-10-28 05:27 196,608 --a------ C:\Windows\System32\sm56co6a.dll
2007-10-28 05:26
2007-10-28 05:26
2007-10-28 05:26 2,384,897 --a------ C:\Windows\snuninst.exe
2007-10-28 05:26 2,222,080 --a------ C:\Windows\System32\drivers\NETw4v32.sys
2007-10-28 05:26 1,743,232 --a------ C:\Windows\System32\drivers\snp2uvc.sys
2007-10-28 05:26 1,048,576 -rah----- C:\F3Sr.BIN
2007-10-28 05:26 46,592 --a------ C:\Windows\System32\drivers\l160x86.sys
2007-10-28 05:26 28,160 --a------ C:\Windows\System32\drivers\sncduvc.sys
2007-10-28 05:26 7,680 --a------ C:\Windows\System32\drivers\ATKACPI.sys
2007-10-28 05:26 5,632 --a------ C:\Windows\System32\drivers\kbfiltr.sys
2007-10-28 05:24
2007-10-28 05:20
2007-10-28 05:20
2007-10-28 05:20 319,984 --a------ C:\Windows\System32\DifxApi.dll
2007-10-28 05:20 126,976 --a------ C:\Windows\System32\imsmudlg.exe
2007-10-28 05:18
2007-10-28 05:16
2007-10-28 05:13 90,112 --a------ C:\Windows\System32\snymsico.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-28 05:02 0 ----a-w C:\Windows\system32\drivers\1043_ASUSTeK_F3Sr.alu
2007-10-28 04:47 606,848 ----a-w C:\Windows\flashax.exe
2007-10-28 04:47 503,808 ----a-w C:\Windows\Asus_Camera_ScreenSaver.scr
2007-10-28 04:47 4,814,371 ----a-w C:\Windows\ASUS Camera ScreenSaver.exe
2007-10-28 04:47 37,232 ----a-w C:\Windows\ASScrProlog.exe
2007-10-28 04:47 33,136 ----a-w C:\Windows\ASScrPro.exe
2007-10-28 04:47 274,800 ----a-w C:\Windows\ASUS Camera ScreenSaver Uninstaller.exe
2007-10-28 04:47 12,288 ----a-w C:\Windows\impborl.dll
2007-10-28 04:38 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2007-10-28 04:10 319,456 ----a-w C:\Windows\DIFxAPI.dll
2007-10-28 04:10 315,392 ----a-w C:\Windows\HideWin.exe
2007-10-27 22:04 174 --sha-w C:\Program Files\desktop.ini
2007-10-27 21:59 --------- d-----w C:\Program Files\Windows Mail
2007-10-27 21:59 --------- d-----w C:\Program Files\Windows Defender
2007-10-27 21:59 --------- d-----w C:\Program Files\Windows Calendar
2007-10-27 21:48 8,192 ----a-w C:\Windows\System32\riched32.dll
2007-10-27 21:48 77,824 ----a-w C:\Windows\System32\rascfg.dll
2007-10-27 21:48 70,144 ----a-w C:\Windows\system32\drivers\pacer.sys
2007-10-27 21:48 694,784 ----a-w C:\Windows\System32\localspl.dll
2007-10-27 21:48 619,008 ----a-w C:\Windows\system32\drivers\dxgkrnl.sys
2007-10-27 21:48 61,952 ----a-w C:\Windows\system32\drivers\wanarp.sys
2007-10-27 21:48 52,736 ----a-w C:\Windows\System32\rasdiag.dll
2007-10-27 21:48 48,640 ----a-w C:\Windows\system32\drivers\ndproxy.sys
2007-10-27 21:48 384,000 ----a-w C:\Windows\System32\netcfgx.dll
2007-10-27 21:48 36,864 ----a-w C:\Windows\System32\cdd.dll
2007-10-27 21:48 33,280 ----a-w C:\Windows\System32\traffic.dll
2007-10-27 21:48 32,768 ----a-w C:\Windows\System32\rasmxs.dll
2007-10-27 21:48 286,208 ----a-w C:\Windows\System32\ipnathlp.dll
2007-10-27 21:48 22,016 ----a-w C:\Windows\System32\rasser.dll
2007-10-27 21:48 20,480 ----a-w C:\Windows\system32\drivers\ndistapi.sys
2007-10-27 21:48 15,360 ----a-w C:\Windows\System32\pacerprf.dll
2007-10-27 21:48 134,656 ----a-w C:\Windows\System32\dps.dll
2007-10-27 21:48 13,824 ----a-w C:\Windows\System32\wshqos.dll
2007-10-27 21:48 13,824 ----a-w C:\Windows\System32\icsunattend.exe
2007-10-27 21:37 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2007-10-27 21:37 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2007-10-27 21:37 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2007-10-27 21:37 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2007-10-27 21:35 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-10-27 21:35 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-10-27 21:35 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-10-27 21:33 57,856 ----a-w C:\Windows\System32\SLUINotify.dll
2007-10-27 21:33 566,784 ----a-w C:\Windows\System32\SLCommDlg.dll
2007-10-27 21:33 39,936 ----a-w C:\Windows\System32\slcinst.dll
2007-10-27 21:33 351,232 ----a-w C:\Windows\System32\SLUI.exe
2007-10-27 21:33 33,280 ----a-w C:\Windows\System32\slwmi.dll
2007-10-27 21:33 268,288 ----a-w C:\Windows\System32\mcbuilder.exe
2007-10-27 21:33 223,232 ----a-w C:\Windows\System32\SLC.dll
2007-10-27 21:33 2,605,568 ----a-w C:\Windows\System32\SLsvc.exe
2007-10-27 21:33 186,368 ----a-w C:\Windows\System32\SLLUA.exe
2007-10-27 21:33 1,335,296 ----a-w C:\Windows\System32\msxml6.dll
2007-10-27 21:32 88,576 ----a-w C:\Windows\System32\avifil32.dll
2007-10-27 21:32 82,944 ----a-w C:\Windows\System32\mciavi32.dll
2007-10-27 21:32 8,138,240 ----a-w C:\Windows\System32\ssBranded.scr
2007-10-27 21:32 712,192 ----a-w C:\Windows\System32\WindowsCodecs.dll
2007-10-27 21:32 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-10-27 21:32 69,632 ----a-w C:\Windows\System32\sendmail.dll
2007-10-27 21:32 65,024 ----a-w C:\Windows\System32\avicap32.dll
2007-10-27 21:32 61,440 ----a-w C:\Windows\System32\ntprint.exe
2007-10-27 21:32 31,232 ----a-w C:\Windows\System32\msvidc32.dll
2007-10-27 21:32 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-10-27 21:32 3,470,008 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-10-27 21:32 269,824 ----a-w C:\Windows\System32\schannel.dll
2007-10-27 21:32 220,160 ----a-w C:\Windows\System32\ntprint.dll
2007-10-27 21:32 123,904 ----a-w C:\Windows\System32\msvfw32.dll
2007-10-27 21:32 120,320 ----a-w C:\Windows\System32\dhcpcsvc6.dll
2007-10-27 21:32 12,800 ----a-w C:\Windows\System32\msrle32.dll
2007-10-27 21:32 10,240 ----a-w C:\Windows\System32\dhcpcmonitor.dll
2007-10-27 21:32 1,984,512 ----a-w C:\Windows\System32\authui.dll
2007-08-24 17:08 1,275,392 ----a-w C:\Windows\System32\msxml4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{3B57AE55-1399-4AB2-924D-A852D57ECE92}]
2007-11-13 16:26 319072 --------- C:\Windows\system32\ljjgd.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Windows Defender”=“C:\Program Files\Windows Defender\MSASCui.exe” [2007-10-27 22:44]
“StartCCC”=“C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” [2006-11-10 20:35]
“RtHDVCpl”=“RtHDVCpl.exe” [2007-07-06 04:06 C:\Windows\RtHDVCpl.exe]
“Skytel”=“Skytel.exe” [2007-06-15 09:45 C:\Windows\SkyTel.exe]
“IAAnotif”=“C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe” [2007-02-12 12:37]
“SMSERIAL”=“C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe” [2006-11-24 18:31]
“JMB36X IDE Setup”=“C:\Windows\RaidTool\xInsIDE.exe” [2007-03-20 07:36]
“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2007-03-02 22:24]
“ATKMEDIA”=“C:\Program Files\ASUS\ATK Media\DMEDIA.EXE” [2006-11-02 16:27]
“ASUS Camera ScreenSaver”=“C:\Windows\ASScrProlog.exe” [2007-10-28 05:47]
“ASUS Screen Saver Protector”=“C:\Windows\ASScrPro.exe” [2007-10-28 05:47]
“nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-10-27 21:50]
“WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2007-10-10 06:28]
“NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2007-03-01 15:57]
“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-10-10 19:51]
“a46f99b1”=“C:\Windows\system32\ldfhwmkw.dll” [2007-11-13 18:36]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Sidebar”=“C:\Program Files\Windows Sidebar\sidebar.exe” [2006-11-02 13:35]
“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2007-06-27 19:03]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“EnableLUA”=0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
“Authentication Packages”= msv1_0 C:\Windows\system32\ljjgd.dll
R0 AsDsm;AsDsm;C:\Windows\system32\drivers\AsDsm.sys
R2 ADSMService;ADSM Service;C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
R2 ASLDRService;ASLDR Service;C:\Program Files\ATK Hotkey\ASLDRSrv.exe
R2 ASMMAP;ASMMAP;??\C:\Program Files\ATKGFNEX\ASMMAP.sys
R2 ATKGFNEXSrv;ATKGFNEX Service;C:\Program Files\ATKGFNEX\GFNEXSrv.exe
R2 ghaio;ghaio;??\C:\Program Files\ASUS\NB Probe\SPM\ghaio.sys
R2 GtFlashSwitch;GtFlashSwitch;“C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe”
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\l160x86.sys
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys
R3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;C:\Windows\system32\DRIVERS\Gtm51Irp.sys
R3 GTPTSER;GT PT SER;C:\Windows\system32\DRIVERS\gtptser.sys
R3 GTUQBUS;GT UQ BUS;C:\Windows\system32\DRIVERS\gtuqbus.sys
R3 NETw4v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw4v32.sys
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\Windows\system32\DRIVERS\snp2uvc.sys
S3 NETw3v32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw3v32.sys
S3 nvlddmkm;nvlddmkm;C:\Windows\system32\DRIVERS\nvlddmkm.sys
S3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys
S3 TBS;Usługi podstawowe modułu TPM;C:\Windows\System32\svchost.exe -k LocalService
S3 TPM;TPM;C:\Windows\system32\drivers\tpm.sys
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 15:08:10
Windows 6.0.6000 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-14 15:11:34
.
--- E O F ---