Antywirus XP 2008

kajko · 6 Sierpień 2008 17:51

Witam.Po uruchomieniu co chwila włacza sie Antywirus XP 2008 i nie jestem w stanie go usunąć. Pulpit jest cały niebieski z napisem: WarninG Spyware detected on your computer!

baltek222 · 6 Sierpień 2008 17:59

Może te tematy okażą się pomocne:

http://forum.dobreprogramy.pl/viewtopic.php?t=260312

http://forum.dobreprogramy.pl/viewtopic.php?f=2&t=228918&start=0&st=0&sk=t&sd=a

kajko · 6 Sierpień 2008 18:02

Logfile of HijackThis v1.99.1

Scan saved at 20:00:48, on 2008-08-06

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

F:\Programy\Ewido Anti-Spyware\bebechy\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\lphcvjbj0eaap.exe

C:\Program Files\rhcrjbj0eaap\rhcrjbj0eaap.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

F:\Programy\Ewido Anti-Spyware\bebechy\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\WINDOWS\system32\nvsvc32.exe

F:\Programy\Alkohol 120%\bebechy\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Program Files\Mozilla Firefox\firefox.exe

F:\Programy do usuwania wirusów Hijackers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idg.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idg.pl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.idg.pl

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [nwiz] nwiz.exe /install

O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM…\Run: [shStatEXE] “C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE” /STANDALONE

O4 - HKLM…\Run: [McAfeeUpdaterUI] “C:\Program Files\McAfee\Common Framework\UdaterUI.exe” /StartedFromRunKey

O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM…\Run: [HP Software Update] “C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe”

O4 - HKLM…\Run: [HP Component Manager] “C:\Program Files\HP\hpcoretech\hpcmpmgr.exe”

O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM…\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”

O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “F:\Programy\Adobe Reader\bebechy\Reader\Reader_sl.exe”

O4 - HKLM…\Run: [CloneCDTray] “C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe” /s

O4 - HKLM…\Run: [systemProtect2] “F:\Programy\Strażnik Ucznia\bebechy\Strażnik Ucznia\syslock.exe”

O4 - HKLM…\Run: [!AVG Anti-Spyware] “F:\Programy\Ewido Anti-Spyware\bebechy\AVG Anti-Spyware 7.5\avgas.exe” /minimized

O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM…\Run: [lphcvjbj0eaap] C:\WINDOWS\system32\lphcvjbj0eaap.exe

O4 - HKLM…\Run: [sMrhcrjbj0eaap] C:\Program Files\rhcrjbj0eaap\rhcrjbj0eaap.exe

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [AlcoholAutomount] “F:\Programy\Alkohol 120%\bebechy\Alcohol 120\axcmd.exe” /automount

O4 - Global Startup: BlueSoleil.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows … 5093820936

O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDow … rtScan.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Programy\Ewido Anti-Spyware\bebechy\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - F:\Programy\Alkohol 120%\bebechy\Alcohol 120\StarWind\StarWindServiceAE.exe

kajko · 6 Sierpień 2008 18:11

Proszę o sprawdzenie loga i instrukcje

djarta · 6 Sierpień 2008 18:16

Te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked

Pobierz ComboFix,ale nie uruchamiaj.

Wklej do Notatnika :

File::

C:\WINDOWS\system32\lphcvjbj0eaap.exe

C:\Program Files\rhcrjbj0eaap\rhcrjbj0eaap.exe

>>Plik>>Zapisz jako… >>> CFScript

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe

–>

Ma się rozpocząć usuwanie. (i powstanie log).Daj ten log.

Jeśli pójdzie dobrze, to: Po restarcie usuń ręcznie folder C:** Qoobox.**

kajko · 6 Sierpień 2008 18:31

Dzięki ale czy mógłbyś napisać dokładniej z tym ComboFix bo nie do końca rozumiem

djarta · 6 Sierpień 2008 18:35

Dokładnie,powoli rób wszystko opisałem.

kajko · 6 Sierpień 2008 18:40

ComboFix 08-08-05.05 - Waldi 2008-08-06 20:35:38.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.442 [GMT 2:00]

Running from: F:\Pliki z Menadżera\ComboFix.exe

Command switches used :: C:\Documents and Settings\Waldi\Pulpit\CFScript.txt

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::

C:\Program Files\rhcrjbj0eaap\rhcrjbj0eaap.exe

C:\WINDOWS\system32\lphcvjbj0eaap.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Menu Start\Programy\Antivirus XP 2008

C:\Documents and Settings\All Users\Menu Start\Programy\Antivirus XP 2008\Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Menu Start\Programy\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Menu Start\Programy\Antivirus XP 2008\License Agreement.lnk

C:\Documents and Settings\All Users\Menu Start\Programy\Antivirus XP 2008\Register Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Menu Start\Programy\Antivirus XP 2008\Uninstall.lnk

C:\Documents and Settings\All Users\Pulpit\Antivirus XP 2008.lnk

C:\Documents and Settings\Waldi\Dane aplikacji\rhcrjbj0eaap

C:\Program Files\Microsoft Security Adviser

C:\Program Files\Microsoft Security Adviser\mssadv_sp.log

C:\Program Files\myglobalsearch

C:\Program Files\myglobalsearch\bar\History\search

C:\Program Files\rhcrjbj0eaap

C:\Program Files\rhcrjbj0eaap\rhcrjbj0eaap.exe

C:\WINDOWS\system32\blphcvjbj0eaap.scr

C:\WINDOWS\system32\lphcvjbj0eaap.exe

C:\WINDOWS\system32\phcvjbj0eaap.bmp

.

((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))

.

2008-08-06 19:35 . 2008-08-06 19:35 0 --a------ C:\WINDOWS\system32\3.tmp

2008-08-06 18:00 . 2008-08-06 18:00 18,432 --a------ C:\0xf9.exe

2008-07-24 22:38 . 2008-07-24 22:38 51,600 --a------ C:\WINDOWS\system32\RadLightMPCUninstall.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-06 15:23 --------- d-----w C:\Documents and Settings\Waldi\Dane aplikacji\uTorrent

2008-07-15 07:52 --------- d-----w C:\Documents and Settings\Waldi\Dane aplikacji\Programer

2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-05-17 17:56 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE

2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll

2008-04-20 17:41 17,952 ----a-w C:\Documents and Settings\Waldi\Dane aplikacji\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 09:44 15360]

“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 18:24 1694208]

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-11-14 12:54 2131392]

“AlcoholAutomount”=“F:\Programy\Alkohol 120%\bebechy\Alcohol 120\axcmd.exe” [2007-07-02 12:29 220544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2007-12-05 02:41 8523776]

“ShStatEXE”=“C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE” [2006-11-30 09:50 112216]

“McAfeeUpdaterUI”=“C:\Program Files\McAfee\Common Framework\UdaterUI.exe” [2006-11-17 14:39 136768]

“NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2006-01-12 17:40 155648]

“HP Software Update”=“C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe” [2003-06-25 12:24 49152]

“HP Component Manager”=“C:\Program Files\HP\hpcoretech\hpcmpmgr.exe” [2003-10-23 20:51 233472]

“HPDJ Taskbar Utility”=“C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe” [2003-07-28 15:43 188416]

“DeviceDiscovery”=“C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe” [2003-05-21 19:37 229437]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe” [2008-02-22 05:25 144784]

“Adobe Reader Speed Launcher”=“F:\Programy\Adobe Reader\bebechy\Reader\Reader_sl.exe” [2007-05-11 14:06 40048]

“CloneCDTray”=“C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe” [2006-09-28 21:21 57344]

“!AVG Anti-Spyware”=“F:\Programy\Ewido Anti-Spyware\bebechy\AVG Anti-Spyware 7.5\avgas.exe” [2008-04-06 19:38 6731312]

“NvMediaCenter”=“C:\WINDOWS\system32\NvMcTray.dll” [2007-12-05 02:41 81920]

“nwiz”=“nwiz.exe” [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]

“SoundMan”=“SOUNDMAN.EXE” [2005-06-20 15:42 77824 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2004-08-04 09:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2008-03-25 21:57:21 1183744]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“C:\Program Files\McAfee\Common Framework\FrameworkService.exe”=

“%windir%\Network Diagnostic\xpnetdiag.exe”=

“C:\Program Files\Gadu-Gadu\gg.exe”=

“C:\Program Files\Bonjour\mDNSResponder.exe”=

“C:\Program Files\uTorrent\uTorrent.exe”=

“F:\Programy\BearShare\bebechy\BearShare.exe”=

“C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe”=

“C:\Program Files\Skype\Phone\Skype.exe”=

“F:\Programy\eMule\bebechy\eMule\emule.exe”=

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP90

.

- - - ORPHANS REMOVED - - - -

HKLM-Run-SystemProtect2 - F:\Programy\Strażnik Ucznia\bebechy\Strażnik Ucznia\syslock.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-06 20:37:45

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-08-06 20:38:48

ComboFix-quarantined-files.txt 2008-08-06 18:38:24

Pre-Run: 22,609,256,448 bajtów wolnych

Post-Run: 23,944,421,376 bajtów wolnych

112 — E O F — 2008-07-10 17:41:16

kajko · 6 Sierpień 2008 18:43

Wkleiłem loga z ComboFix i wywaliłem folder C:Qoobox. Co dalej ??? z góry dziękuję

kajko · 6 Sierpień 2008 18:57

Co dalej log z ComboFix wklejony

Leon1 · 6 Sierpień 2008 18:58

Otwórz notatnik i wklej

zapisz jako CFScript.txt (zapisz by ikonka CFScript.txt była obok ikonki ComboFix.exe) >> Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe

http://img.wklej.org/images/88953CFScri … iemoes.gif

Powinno rozpocząć się usuwanie

Potem log z usuwania Combofix

kajko · 6 Sierpień 2008 19:13

ComboFix 08-08-05.05 - Waldi 2008-08-06 21:09:55.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.557 [GMT 2:00]

Running from: F:\Pliki z Menadżera\ComboFix.exe

Command switches used :: F:\Pliki z Menadżera\CFScript.txt

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::

C:\0xf9.exe

C:\WINDOWS\system32\3.tmp