Since yesterday I have had a problem with my computer. When opening web pages, something like this appears: Insecure Internet activity. Threat of virus attack. I have already scanned with various antivirus programs, but none of them can deal with it. I don't know what to do next, please help!
Download ComboFix viewtopic.php?f=16&t=36654, scan the system and post the log
then scan with HijackThis 2.02 and post the log
scanning order as I gave it
ComboFix 08-11-26.03 - Administrator 2009-03-21 15:58:20.1 - FAT32 x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.696 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Administrator\Pulpit\ComboFix.exe
* Utworzono nowy punkt przywracania
.
- TRYB ZREDUKOWANEJ FUNKCJONALNOŚCI -
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\myglobalsearch
c:\program files\myglobalsearch\bar\History\search
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((( Pliki utworzone od 2009-02-21 do 2009-03-21 )))))))))))))))))))))))))))))))
.
2009-03-21 13:11 . 2009-03-21 13:11 0 --------- c:\windows\PAVSHRB.INI
2009-03-21 11:04 . 2009-03-21 11:04
2009-03-21 10:24 . 2009-03-21 10:24
2009-03-21 10:23 . 2009-03-21 10:23
2009-03-20 23:57 . 2009-03-20 23:57
2009-03-20 12:38 . 2009-03-21 10:22 28,672 --a------ c:\program files\Common Files\file.exe
2009-03-20 12:37 . 2009-03-21 10:23 2,162,631 --a------ c:\program files\Common Files\InternetAntivirusPro.exe
2009-03-18 23:51 . 2005-03-05 22:32 25,600 --a------ c:\windows\system32\drivers\usbser.sys
2009-03-18 23:50 . 2009-03-18 23:50 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-03-18 23:50 . 2009-03-18 23:50 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2009-03-03 22:45 . 2009-03-03 22:45
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 15:48 --------- d-----w c:\program files\Liceum klasa 1 - Chemia podstawowa
2009-02-07 11:01 --------- d-----w c:\program files\Common Files\Borland Shared
2009-02-07 11:01 --------- d-----w c:\program files\Common Files\Athenasoft
2009-02-07 11:00 --------- d-----w c:\program files\Athenasoft
2009-02-01 17:44 --------- d-----w c:\program files\Konnekt
2009-02-01 17:44 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\stamina
2007-12-20 21:47 92,064 ----a-w c:\documents and settings\Administrator\mqdmmdm.sys
2007-12-20 21:47 9,232 ----a-w c:\documents and settings\Administrator\mqdmmdfl.sys
2007-12-20 21:47 79,328 ----a-w c:\documents and settings\Administrator\mqdmserd.sys
2007-12-20 21:47 66,656 ----a-w c:\documents and settings\Administrator\mqdmbus.sys
2007-12-20 21:47 6,208 ----a-w c:\documents and settings\Administrator\mqdmcmnt.sys
2007-12-20 21:47 5,936 ----a-w c:\documents and settings\Administrator\mqdmwhnt.sys
2007-12-20 21:47 4,048 ----a-w c:\documents and settings\Administrator\mqdmcr.sys
2007-12-20 21:47 25,600 ----a-w c:\documents and settings\Administrator\usbsermptxp.sys
2007-12-20 21:47 22,768 ----a-w c:\documents and settings\Administrator\usbsermpt.sys
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Konnekt"="c:\program files\Konnekt\konnekt.exe" [2005-05-24 503808]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2002-11-08 98304]
"WOOWATCH"="c:\progra~1\WANADOO\Watch.exe" [2002-12-09 20480]
"WOOTASKBARICON"="c:\progra~1\WANADOO\TaskbarIcon.exe" [2002-12-09 45056]
"avast!"="d:\avast\ashDisp.exe" [2008-11-26 81000]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"BearShare"="d:\program files\BearShare\BearShare.exe" [2006-08-01 3313664]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"iv"="c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Internet Explorer\iv.exe" [2009-03-20 60416]
c:\documents and settings\Administrator\Menu Start\Programy\Autostart\
Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
DSLMON.LNK - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-06-19 962661]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-19 11:39 35328 d:\winamp pl\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"d:\Gadu-Gadu\gg.exe"=
"d:\BearShare Applications\BearShare\BearShare.exe"=
"c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"d:\Program Files\BearShare\BearShare.exe"=
"c:\Program Files\Bonjour\mDNSResponder.exe"=
"c:\Program Files\Konnekt\konnekt.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
"c:\WINDOWS\System32\dpvsetup.exe"=
"c:\WINDOWS\System32\RUNDLL32.EXE"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-28 114768]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys []
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-06-28 20560]
R2 ITGrdEngine;Guard Service;c:\documents and settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\services.exe [2009-03-20 193024]
R2 Kmm4xNT;Kmm4xNT;c:\windows\system32\drivers\Kmm4xNT.sys [2009-02-07 95484]
R2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys []
S3 KMM4xUSB;KMM4xUSB Driver (kmm4xusb.sys);c:\windows\system32\Drivers\KMM4xUSB.sys [2009-02-07 40256]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);c:\windows\system32\DRIVERS\se46bus.sys [2007-12-23 61536]
S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;c:\windows\system32\DRIVERS\se46mdfl.sys [2007-12-23 9360]
S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;c:\windows\system32\DRIVERS\se46mdm.sys [2007-12-23 97088]
S3 se46mgmt;Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\se46mgmt.sys [2007-12-23 88624]
S3 se46nd5;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\DRIVERS\se46nd5.sys [2008-01-01 18704]
S3 se46obex;Sony Ericsson Device 070 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\se46obex.sys [2007-12-23 86432]
S3 se46unic;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\DRIVERS\se46unic.sys [2008-01-01 90800]
S3 se59bus;Sony Ericsson Device 089 driver (WDM);c:\windows\system32\DRIVERS\se59bus.sys [2007-12-22 61536]
S3 se59mdfl;Sony Ericsson Device 089 USB WMC Modem Filter;c:\windows\system32\DRIVERS\se59mdfl.sys [2007-12-22 9360]
S3 se59mdm;Sony Ericsson Device 089 USB WMC Modem Driver;c:\windows\system32\DRIVERS\se59mdm.sys [2007-12-22 97088]
S3 se59mgmt;Sony Ericsson Device 089 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\se59mgmt.sys [2007-12-22 88624]
S3 se59nd5;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (NDIS);c:\windows\system32\DRIVERS\se59nd5.sys [2007-12-22 18704]
S3 se59obex;Sony Ericsson Device 089 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\se59obex.sys [2007-12-22 86432]
S3 se59unic;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (WDM);c:\windows\system32\DRIVERS\se59unic.sys [2007-12-22 90800]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c581d084-4472-11dd-9baa-4d6564696130}]
\Shell\AutoRun\command - g:\.system\S-1-6-21-2434476501-1644491937-600003330-1213\Autorun.exe
\Shell\open\command - g:\.system\S-1-6-21-2434476501-1644491937-600003330-1213\Autorun.exe
*Newly Created Service* - CATCHME
*Newly Created Service* - PAVPROC
*Newly Created Service* - PAVPRSRV
*Newly Created Service* - SHLDDRV
.
- - - - USUNIĘTO PUSTE WPISY - - - -
HKCU-Run-AQQ - d:\wapster\AQQ\AQQ.exe
HKLM-Run-adiras - adiras.exe
Notify-WgaLogon - (no file)
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.neostrada.pl
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: {0145CF41-B793-4CEF-AFD8-829B09625BC4} = 194.204.159.1 217.98.63.164
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\windows\Downloaded Program Files\OggX.ocx - O16 -: {1E53EA77-34F2-474E-9046-B2B0C86F1821}
hxxp://www.eska.pl/streamplayers/OggX.ocx
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 15:58:50
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
skanowanie ukrytych procesów …
skanowanie ukrytych wpisów autostartu …
skanowanie ukrytych plików …
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
Czas ukończenia: 2009-03-21 15:59:46
ComboFix-quarantined-files.txt 2009-03-21 14:59:44
Przed: 58 986 823 680 bajtów wolnych
Po: 63,986,434,048 bajtów wolnych
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
-- Added 21.03.2009 (Sat) 16:03 --
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:01:41, on 2009-03-21
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\avast\aswUpdSv.exe
D:\avast\ashServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\WANADOO\TaskbarIcon.exe
D:\avast\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\services.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
D:\avast\ashMaiSv.exe
D:\avast\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Documents and Settings\Administrator\Pulpit\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\WANADOO\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\WANADOO\TaskbarIcon.exe
O4 - HKLM\..\Run: [avast!] D:\avast\ashDisp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearShare] "D:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Konnekt] "C:\Program Files\Konnekt\konnekt.exe" /autostart
O4 - HKCU\..\Policies\Explorer\Run: [iv] "C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Internet Explorer\iv.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: DSLMON.LNK = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {1E53EA77-34F2-474E-9046-B2B0C86F1821} (OggX Control) - http://www.eska.pl/streamplayers/OggX.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{0145CF41-B793-4CEF-AFD8-829B09625BC4}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{0145CF41-B793-4CEF-AFD8-829B09625BC4}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\avast\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Guard Service (ITGrdEngine) - Unknown owner - C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\services.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
–
End of file - 6068 bytes
Manually delete the folder C:\Qoobox and delete the ComboFix installer from the disk. That one is ancient anyway.
Disinfect the pendrive or memory card http://www.softpedia.com/get/Security/S … Tool.shtml
Flash Disinfector http://www.searchengines.pl/index.php?s … ntry369724
or format it
Download ComboFix http://www.searchengines.pl/index.php?s … ntry395642 but do not run it
While downloading and scanning with ComboFix, please disable all firewalls and antivirus programs
Open Notepad and paste
save it as CFScript.txt (save it so that the CFScript.txt icon is next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon
The removal should begin
Then post the ComboFix removal log
Thank you very much for the help!
Post the removal log from ComboFix
waiting