PC is lagging and so is the internet


(S1wy2) #1

Hello, please check my log, and if something needs removing, please tell me how.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:45:07, on 2007-09-16

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\dllcache\mravsc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\dllcache\services.exe

C:\WINDOWS\system32\dllcache\ivchost.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\mikaserv.exe

E:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Winamp\winamp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\scrcons32.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\RunServices: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\scrcons32.exe

O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\scrcons32.exe

O4 - HKCU\..\RunServices: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\scrcons32.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-21-1993962763-562591055-725345543-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-1993962763-562591055-725345543-1003\..\Run: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\scrcons32.exe (User '?')

O4 - HKUS\S-1-5-21-1993962763-562591055-725345543-1003\..\RunServices: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\scrcons32.exe (User '?')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-18\..\RunServices: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\scrcons32.exe (User '?')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunServices: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\scrcons32.exe (User 'Default user')

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{B980AA98-4B38-4167-9AD8-50748DEAEB5E}: NameServer = 213.241.79.37 83.238.255.76

O23 - Service: Distributed Allocated Memory Unit - Unknown owner - C:\WINDOWS\system32\dllcache\mravsc32.exe

O23 - Service: mika_serv (mikaserv) - Unknown owner - C:\WINDOWS\mikaserv.exe

O23 - Service: Mims service (Mimserv) - Unknown owner - C:\WINDOWS\system32\dllcache\services.exe

O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


--

End of file - 4458 bytes

(Leon$) #2

In Safe Mode, with System Restore switched off, you delete the entries (with HijackThis) and the files marked in red manually from the disk.


(jessica) #3

@Leon$ - you gave the removal instructions rather carelessly: you did not list all the entries, and besides, when removing an "O23" it is not enough to fix it in HijackThis and delete the file; the service itself also has to be removed.

@swrs -
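A small triage script for HijackThis lines, added here as an example and not part of the thread: the sample lines are constructed from the kinds of entries quoted above, and the checks, field names and the `triage` function are assumptions of this example. It flags O23 services with no vendor string, RunServices autostarts and Winlogon Notify DLLs, and for O23 findings records the order jessica points out, where the service object is deleted and not only the file.

```python
import re
from typing import Dict, List

# Constructed sample input, not the thread's full log: HijackThis-style lines of the kinds
# quoted in this thread, with one benign O4 and one benign O23 entry kept for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\scrcons32.exe
O20 - Winlogon Notify: ssqqopm - C:\WINDOWS\SYSTEM32\ssqqopm.dll
O23 - Service: Distributed Allocated Memory Unit - Unknown owner - C:\WINDOWS\system32\dllcache\mravsc32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: NOTEPAD - Unknown owner - C:\WINDOWS\system\NOTEPAD.exe
"""

LINE_RE = re.compile(r"^(?P<code>O\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK.+?)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] ?(?P<cmd>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# The removal order jessica insists on: fixing the O23 line and deleting the file is not
# enough, the service object itself has to go (sc.exe is the stock XP tool for that).
O23_ACTION = "sc stop <svc>; sc delete <svc>; then delete the binary; re-scan"


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per HijackThis line that deserves a closer look."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list, or a section this script does not handle
        code, body = m["code"], m["body"]
        if code == "O23":
            s = O23_RE.match(body)
            if s and s["owner"] == "Unknown owner":
                why = "service with no vendor string"
                if "\\dllcache\\" in s["path"].lower():
                    why += "; binary staged in dllcache, where no service belongs"
                findings.append({"code": code, "item": s["name"], "path": s["path"],
                                 "why": why, "action": O23_ACTION})
        elif code == "O4":
            s = O4_RE.match(body)
            # RunServices is a Windows 9x key; nothing legitimate writes it on NT-based XP.
            if s and s["key"] == "RunServices":
                findings.append({"code": code, "item": s["label"], "path": s["cmd"],
                                 "why": "RunServices autostart on an NT system",
                                 "action": "fix the O4 line, then delete the file"})
        elif code == "O20":
            s = O20_RE.match(body)
            if s:  # a Notify DLL runs inside winlogon.exe at every logon
                findings.append({"code": code, "item": s["name"], "path": s["path"],
                                 "why": "DLL loaded into winlogon.exe",
                                 "action": "verify vendor/signature; remove Notify key and DLL"})
    return findings
```

Feed it a whole saved HijackThis log; lines it does not understand (process list, R0, O2, O17) are skipped, so it is a first pass for the reviewer, not a verdict.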


(S1wy2) #4

SDFix report

SDFix: Version 1.104


Run by Marcin on 2007-09-16 at 19:48


Microsoft Windows XP [Wersja 5.1.2600]


Running From: C:\SDFix


Safe Mode:

Checking Services: 


Name:

Distributed Allocated Memory Unit

Mimserv

mshexdefx

MSWindows


ImagePath:

"C:\WINDOWS\system32\dllcache\mravsc32.exe" 

"C:\WINDOWS\system32\dllcache\services.exe" 

"C:\WINDOWS\system32\dllcache\ivchost.exe" 

"C:\WINDOWS\System32\urdvxc.exe" /service


Distributed Allocated Memory Unit - Deleted

Mimserv - Deleted

mshexdefx - Deleted

MSWindows - Deleted




Restoring Windows Registry Values

Restoring Windows Default Hosts File


Rebooting...



Normal Mode:

Checking Files: 


Trojan Files Found:


C:\WINDOWS\system32\.exe - Deleted

C:\WINDOWS\SYSTEM32\HMM.EXE - Deleted

C:\WINDOWS\SYSTEM32\IT.EXE - Deleted

C:\WINDOWS\SYSTEM32\DLLCACHE\SERVICES.EXE - Deleted

C:\WINDOWS\system32\.exe - Deleted

C:\WINDOWS\system32\dllcache\ivchost.exe - Deleted

C:\WINDOWS\system32\dllcache\mravsc32.exe - Deleted

C:\WINDOWS\system32\i - Deleted

C:\WINDOWS\system32\urdvxc.exe - Deleted




Removing Temp Files...


ADS Check:


C:\WINDOWS

No streams found. 


C:\WINDOWS\system32

No streams found. 


C:\WINDOWS\system32\svchost.exe

No streams found.


C:\WINDOWS\system32\ntoskrnl.exe

No streams found.




                                 Final Check:


Remaining Services:

------------------





Authorized Application Key Export:


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\WINDOWS\\System32\\scrcons32.exe"="C:\\WINDOWS\\System32\\scrcons32.exe:*:Enabled:WMI Standard Event Consumer - Scripting"

"C:\\WINDOWS\\mikaserv.exe"="C:\\WINDOWS\\mikaserv.exe:*:Enabled:mikaserv for w32"


Remaining Files:

---------------


File Backups: - C:\SDFix\backups\backups.zip


Files with Hidden Attributes:



Finished!

Post merged: 16.09.2007 (Sun) 20:00

And one more thing: I get some error when I download and run KillBox :confused: and here is the log from ComboFix

http://wklej.org/id/ebba9b4b86

Post merged: 16.09.2007 (Sun) 20:13

After all this, the log from HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:16:45, on 2007-09-16

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\System32\mmdmm.exe

C:\WINDOWS\System32\spoolsvc.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

E:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system\NOTEPAD.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\system32\cmd.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\System32\ssqqopm.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [mmsass] mmdmm.exe

O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe

O4 - HKLM\..\RunServices: [mmsass] mmdmm.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-21-1993962763-562591055-725345543-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O8 - Extra context menu item: &Download all by WellGet - D:\DO ZACHOWANIA\CS\WellGet\nxall.htm

O8 - Extra context menu item: Download by &WellGet - D:\DO ZACHOWANIA\CS\WellGet\nxcatch.htm

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{B980AA98-4B38-4167-9AD8-50748DEAEB5E}: NameServer = 213.241.79.37 83.238.255.76

O20 - Winlogon Notify: ssqqopm - C:\WINDOWS\SYSTEM32\ssqqopm.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: NOTEPAD - Unknown owner - C:\WINDOWS\system\NOTEPAD.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


--

End of file - 4375 bytes

(jessica) #5

This infection is really gathering momentum on your machine! It keeps getting bigger!

Paste into Notepad:

File::

C:\WINDOWS\System32\mmdmm.exe

C:\WINDOWS\System32\spoolsvc.exe

C:\WINDOWS\system\NOTEPAD.exe

C:\WINDOWS\system32\ne1.exe

C:\WINDOWS\SYSTEM32\ssqqopm.dll

C:\WINDOWS\system32\it.exe

C:\WINDOWS\system32\dllcache\mravsc32.exe

C:\WINDOWS\system32\dllcache\services.exe

C:\WINDOWS\system32\re1.exe

C:\WINDOWS\system32\m2n1.exe 

C:\WINDOWS\Web\wcxnjhhj.exe

C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\zejthvxk.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\tlrrsvlj.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\btlekkxb.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\btlekkxb.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\btlekkxb.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\btlekkxb.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\nbbrcrbb.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\estewkrn.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\necxlsbh.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\hsxenjvk.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\hnshlbtv.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\ewznktww.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\ecrvhvjh.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\trvnbvzr.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\tehbbexs.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\selznkbn.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\qnkstrhn.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\kenjxzsk.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\hzenbhql.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\cszbbkjb.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\cjrhtnee.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\sljktqsl.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\lenvstcw.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\lbncltew.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server\vhzlshll.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server\heclkcje.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server\ejjtwclz.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server\brbjhjhb.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server\bbcrvske.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Common\xxrlrrck.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Common\slkweqkr.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Common\jjtkbtsb.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\rlkctexe.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\resrzjkr.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\kcqrjjel.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\jllrjejn.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\hlnbkbjt.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\cqlwbrtn.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common\vtxbneqq.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common\jzrjzkke.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common\jqnsbclx.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\rc\rjzhtwer.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\zeektjlr.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\tjsnlncx.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\NetDiag\stleqtrb.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\NetDiag\bnkrcrqq.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\errors\xnejeese.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\ErrMsg\nvsbqtlx.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\DVDUpgrd\kvzexhbs.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\zwjcbxql.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\jlskvkjt.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\hhktjkel.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\CompatCtr\tcjqbtst.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\CompatCtr\nrbhslcz.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\CompatCtr\eqlrejrl.exe 

C:\WINDOWS\PCHEALTH\HELPCTR\System\CompatCtr\brvhkxjh.exe 

C:\WINDOWS\Help\tsbjbtvn.exe 

C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Cnt\tjnbzhbh.exe 

C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\lllknblj.exe 

C:\WINDOWS\Help\jjlenkbt.exe 

C:\WINDOWS\Help\jbnshhqj.exe 

C:\WINDOWS\Help\hwexrtne.exe 

C:\WINDOWS\Help\bzehxvnz.exe

C:\WINDOWS\System32\scrcons32.exe


Driver::

NOTEPAD

"DISTRIBUTED_ALLOCATED_MEMORY_UNIT"

MIMSERV


Registry::

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] 

"WMI Standard Event Consumer - Scripting"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run] 

"WMI Standard Event Consumer - Scripting"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices] 

"mmsass"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"mmsass"=-

>>File>>Save as... >>> CFScript (it will be most convenient

if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt file onto the ComboFix.exe file

(that is, the CFScript.txt icon onto the ComboFix.exe icon)

– just like in this picture --> Click

(if the question "1 or 2" appears, type 1 and press ENTER.) The removal should start (and a log will be produced).

After the restart, manually delete the folder C: **** Qoobox.

Post the ComboFix log, because this removal is going to take a few more weeks; there were cases like this a few days ago, or rather weeks ago... they started around 20 August and finished around 12 September, and the removal went on several times a day the whole time. A hard infection to remove.

jessi


(S1wy2) #6

OK, thanks a lot for the advice and everything. If I install a fresh Windows, do a format and a new XP, will this problem still be there? Because I just did this format and the antivirus keeps saying there are viruses; that Windows was probably infected. Please reply.


(jessica) #7

Why format right away?

You should at least try to remove it.

jessi