Live Safety Center i Online Security Guide

lokio · 15 Listopad 2007 19:22

witam, pomocy!

na pulpicie tworzą mi sie ikony: Live Safety Center i Online Security Guide

ciągle pojawia mi sie taki komunikat lub inne ale tego samego typu:

Security Alert:

Spywere found

Trojan-Spy.win32@mx

Networm-i.Virus@fp

Malware threats

Warning

Pojawiają się strony internetowe w IE

oto log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:18:37, on 2007-11-15

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

E:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

C:\WINDOWS\V0230Mon.exe

C:\WINDOWS\Fonts\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

E:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\rMa18yy\rMa18yy2328.exe

C:\WINDOWS\17PHolmes1188.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ffyzsgct.dll

O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [nwiz] nwiz.exe /install

O4 - HKLM…\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM…\Run: [Google Desktop Search] “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup

O4 - HKLM…\Run: [GrooveMonitor] “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”

O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [Lexmark X1100 Series] “C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe”

O4 - HKLM…\Run: [sony Ericsson PC Suite] “C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe” /startoptions

O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”

O4 - HKLM…\Run: [AVFX Engine] E:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

O4 - HKLM…\Run: [V0230Mon.exe] C:\WINDOWS\V0230Mon.exe

O4 - HKLM…\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe

O4 - HKLM…\Run: [58dd559a] rundll32.exe “C:\WINDOWS\system32\lhecbatg.dll”,b

O4 - HKLM…\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO

O4 - HKLM…\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [LClock] C:\Program Files\LClock\lclock.exe

O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

O4 - HKCU…\Run: [Creative Live! Cam Manager] E:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra ‘Tools’ menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll

O9 - Extra ‘Tools’ menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ … /CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip…{B65CAFD8-22D9-46FA-9E51-E078AD664A76}: NameServer = 194.204.159.1,194.204.152.34

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Google\Google Desktop Search\Plugins\gdSkype\skype4com.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe

–

End of file - 7341 bytes

Gutek · 15 Listopad 2007 19:45

Na początek

Pobierz program SDFix

lokio · 15 Listopad 2007 20:25

SDFix: Version 1.114

Run by Luk on 2007-11-15 at 21:08

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\SDFix

Safe Mode:

Checking Services:

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Rebooting…

Normal Mode:

Checking Files:

Trojan Files Found:

C:\X.DAT - Deleted

C:\Z.DAT - Deleted

C:\Documents and Settings\Luk\x.dat - Deleted

C:\Documents and Settings\Luk\z.dat - Deleted

C:\Documents and Settings\Luk\f.exe - Deleted

C:\n.bat - Deleted

C:\winlogon.exe - Deleted

C:\WINDOWS\Fonts\Crack.exe - Deleted

C:\WINDOWS\Fonts\svchost.exe - Deleted

C:\WINDOWS\mrofinu1188.exe - Deleted

Folder C:\WINDOWS\Fonts’ - Removed

Removing Temp Files…

ADS Check:

C:\WINDOWS

No streams found.

C:\WINDOWS\system32

No streams found.

C:\WINDOWS\system32\svchost.exe

No streams found.

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-15 21:18:09

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden services & system hive …

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

“s1”=dword:e46a328a

“s2”=dword:dd964871

“h0”=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

“h0”=dword:00000000

“ujdew”=hex:76,d6,25,55,40,1e,0e,79,1d,2b,a2,28,c2,b6,62,f3,27,84,f7,b1,7e,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

“p0”=“C:\Program Files\DAEMON Tools”

“h0”=dword:00000001

“khjeh”=hex:5a,21,6f,09,85,98,85,79,72,a6,bf,c1,c0,22,9b,42,9f,db,b4,00,d2,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

“a0”=hex:20,01,00,00,04,53,47,55,f5,a1,f1,0d,f4,87,04,b5,b8,e9,ed,b1,8a,…

“khjeh”=hex:d5,86,2a,07,a8,45,36,d9,58,2e,9f,ee,37,ce,af,d3,03,64,b9,e1,4b,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

“khjeh”=hex:f3,88,2b,28,bd,1c,7f,2d,8a,c5,30,84,e0,0f,22,15,bd,f8,90,87,80,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

“khjeh”=hex:7a,7e,e3,49,bb,1c,87,76,a6,48,5b,74,cb,9d,61,fa,a2,4e,38,36,df,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]

“khjeh”=hex:64,a3,fc,d1,14,9e,09,a3,1d,a0,4b,54,9a,08,85,90,33,2b,d4,7f,5c,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]

“khjeh”=hex:b2,aa,d3,af,84,1b,14,8c,ce,43,7f,3b,5f,1f,7b,3c,a8,a9,36,e2,0a,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

“h0”=dword:00000000

“ujdew”=hex:76,d6,25,55,40,1e,0e,79,1d,2b,a2,28,c2,b6,62,f3,27,84,f7,b1,7e,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

“p0”=“C:\Program Files\DAEMON Tools”

“h0”=dword:00000001

“khjeh”=hex:5a,21,6f,09,85,98,85,79,72,a6,bf,c1,c0,22,9b,42,9f,db,b4,00,d2,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

“a0”=hex:20,01,00,00,04,53,47,55,f5,a1,f1,0d,f4,87,04,b5,b8,e9,ed,b1,8a,…

“khjeh”=hex:d5,86,2a,07,a8,45,36,d9,58,2e,9f,ee,37,ce,af,d3,03,64,b9,e1,4b,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

“khjeh”=hex:f3,88,2b,28,bd,1c,7f,2d,8a,c5,30,84,e0,0f,22,15,bd,f8,90,87,80,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

“khjeh”=hex:7a,7e,e3,49,bb,1c,87,76,a6,48,5b,74,cb,9d,61,fa,a2,4e,38,36,df,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]

“khjeh”=hex:64,a3,fc,d1,14,9e,09,a3,1d,a0,4b,54,9a,08,85,90,33,2b,d4,7f,5c,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]

“khjeh”=hex:b2,aa,d3,af,84,1b,14,8c,ce,43,7f,3b,5f,1f,7b,3c,a8,a9,36,e2,0a,…

scanning hidden registry entries …

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]

“Order”=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,…

scanning hidden files …

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 4 Aug 2004 60,928 A.SH. — “C:\Program Files\Outlook Express\msimn.exe”

Tue 16 Oct 2007 5,903,928 A…H. — “C:\Program Files\Picasa2\setup.exe”

Wed 4 Aug 2004 4,639 A.SH. — “C:\Program Files\Windows Media Player\mplayer2.exe”

Wed 4 Aug 2004 73,728 A.SH. — “C:\Program Files\Windows Media Player\wmplayer.exe”

Thu 15 Nov 2007 20,810 …SH. — “C:\WINDOWS\system32\ffyzsgct.dllbox”

Sun 29 Apr 2007 4,348 …SH. — “C:\Documents and Settings\All Users\DRM\DRMv1.bak”

Mon 22 Jul 2002 418,816 …HR — “C:\WINDOWS\system32\Tools\All.exe”

Fri 19 Jul 2002 390,144 …HR — “C:\WINDOWS\system32\Tools\Change.exe”

Fri 19 Jul 2002 574,464 …HR — “C:\WINDOWS\system32\Tools\CheckPath.exe”

Tue 20 Aug 2002 430,592 …HR — “C:\WINDOWS\system32\Tools\Counter.exe”

Tue 23 Jul 2002 390,656 …HR — “C:\WINDOWS\system32\Tools\DelFolders.exe”

Fri 22 Nov 2002 399,872 …HR — “C:\WINDOWS\system32\Tools\DirectSetup.exe”

Fri 19 Jul 2002 388,096 …HR — “C:\WINDOWS\system32\Tools\RegClean.exe”

Fri 19 Jul 2002 388,608 …HR — “C:\WINDOWS\system32\Tools\Regexe.exe”

Mon 2 Dec 2002 431,616 …HR — “C:\WINDOWS\system32\Tools\Restart.exe”

Fri 19 Jul 2002 388,096 …HR — “C:\WINDOWS\system32\Tools\RunRegexe.exe”

Thu 15 Nov 2007 4,286 A…H. — “C:\Documents and Settings\Luk\Ustawienia lokalne\Temp\ico3.tmp”

Thu 15 Nov 2007 4,286 A…H. — “C:\Documents and Settings\Luk\Ustawienia lokalne\Temp\ico4.tmp”

Thu 15 Nov 2007 4,286 A…H. — “C:\Documents and Settings\Luk\Ustawienia lokalne\Temp\ico5.tmp”

Thu 15 Nov 2007 4,286 A…H. — “C:\Documents and Settings\Luk\Ustawienia lokalne\Temp\ico6.tmp”

Thu 15 Nov 2007 4,286 A…H. — “C:\Documents and Settings\Luk\Ustawienia lokalne\Temp\ico7.tmp”

Wed 14 Nov 2007 0 A…H. — “C:\WINDOWS\SoftwareDistribution\Download\1738c621b33e51e95e7a1d6339d42049\BIT5.tmp”

Fri 10 Mar 2006 176,640 A…H. — “C:\Documents and Settings\Luk\Pulpit\PM\WWPP\5276 Biskupice\5276 PRZEPOMPOWNIA —CIEKŕW~WRL1362.tmp”

Mon 4 Jun 2007 188,416 A…H. — “C:\Documents and Settings\Luk\Pulpit\PM\WWPP\5276 Biskupice\5276 RAFLATAC~WRL2862.tmp”

Fri 10 Mar 2006 176,640 A…H. — “C:\Documents and Settings\Luk\Pulpit\PM\WWPP\5276 Biskupice\5276 zasilanie szafy telekomunikacyjnej~WRL1362.tmp”

Mon 5 Feb 2007 262,144 A…H. — “C:\Documents and Settings\Luk\Pulpit\PM\WWPP\5276 Biskupice\wp 5276 Dialog, Centertel~WRL1748.tmp”

Thu 2 Mar 2006 190,464 A…H. — “C:\Documents and Settings\Luk\Pulpit\PM\WWPP\5276 Biskupice\5276 LG INNOTEK\zasilanie zakadu - etap I~WRL3000.tmp”

Wed 14 Dec 2005 179,712 A…H. — “C:\Documents and Settings\Luk\Pulpit\PM\WWPP\5276 Biskupice\5276 LG INNOTEK\zasilanie zakadu - etap I~WRL3230.tmp”

Fri 30 Dec 2005 199,168 A…H. — “C:\Documents and Settings\Luk\Pulpit\PM\WWPP\5276 Biskupice\5276 LUCKY SMT\plac budowy~WRL1614.tmp”

Thu 2 Mar 2006 190,464 A…H. — “C:\Documents and Settings\Luk\Pulpit\PM\WWPP\5276 Biskupice\5276 LUCKY SMT\zasilanie zakadu - etap I~WRL3000.tmp”

Wed 14 Dec 2005 179,712 A…H. — “C:\Documents and Settings\Luk\Pulpit\PM\WWPP\5276 Biskupice\5276 LUCKY SMT\zasilanie zakadu - etap I~WRL3230.tmp”

Finished!

Gutek · 15 Listopad 2007 22:18

Daj log z ComboFix

Uwaga: Jak wklejasz loga to obejmuj go znacznikiem (tagiem) CODE lub QUOTE

Pozdrawiam Gutek2222

Użyj ATF-Cleaner i oczyść TEMP - http://www.atribune.org/ccount/click.php?id=1

lokio · 15 Listopad 2007 22:35

Użyłem ATF - bez zmian oto log:

ComboFix 07-11-08.1 - Luk 2007-11-15 23:23:53.6 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.558 [GMT 1:00] Running from: C:\Documents and Settings\Luk\Pulpit\ComboFix.exe . Unable to gain System Privileges ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Menu Start\Live Safety Center.lnk C:\Documents and Settings\All Users\Menu Start\Online Security Guide.lnk C:\Documents and Settings\Luk\Pulpit\Live Safety Center.lnk C:\Documents and Settings\Luk\Pulpit\Online Security Guide.lnk C:\Documents and Settings\Luk\Ulubione\Online Security Guide.lnk C:\WINDOWS\system32\dccdd.ini C:\WINDOWS\system32\dccdd.ini2 C:\WINDOWS\system32\ddccd.dll C:\WINDOWS\system32\ffyzsgct.dllbox . ((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 ))))))))))))))))))))))))))))))) . 2007-11-15 21:07 2007-11-15 20:54 36,352 --a------ C:\WINDOWS\system32\urqnkhg.dll 2007-11-15 20:40 36,352 --a------ C:\WINDOWS\system32\opnmjkl.dll 2007-11-15 20:18 2007-11-15 19:58 36,352 --a------ C:\WINDOWS\system32\jkkklmj.dll 2007-11-15 19:40 36,352 --a------ C:\WINDOWS\system32\tuvvurr.dll 2007-11-15 19:05 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-11-15 18:43 2007-11-15 18:18 2007-11-15 17:29 2007-11-15 17:29 2007-11-15 17:28 85,056 --a------ C:\WINDOWS\system32\lhecbatg.dll 2007-11-15 17:25 89,088 --a------ C:\WINDOWS\system32\atl71.dll 2007-11-15 17:17 145,984 --a------ C:\WINDOWS\system32\xilsvupw.dll 2007-11-15 17:17 145,984 --a------ C:\WINDOWS\system32\ffyzsgct.dll 2007-11-15 17:17 36,352 --a------ C:\WINDOWS\system32\pmnoopn.dll 2007-11-14 21:50 36,352 --a------ C:\WINDOWS\system32\pmnkhgg.dll 2007-11-14 21:49 2007-11-14 21:49 2007-11-14 21:49 2007-11-14 21:49 225,294 --a------ C:\Temp\o729R138.exe 2007-11-14 09:16 8,488,960 -----c— C:\WINDOWS\system32\dllcache\shell32.dll 2007-11-13 23:28 2007-11-13 23:28 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe 2007-11-13 23:28 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe 2007-11-13 23:28 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys 2007-11-13 23:28 22,328 --a------ C:\Documents and Settings\Luk\Dane aplikacji\PnkBstrK.sys 2007-11-13 23:18 2007-11-13 23:15 2007-11-13 19:44 2007-11-13 18:27 2007-11-13 08:28 36,352 --a------ C:\WINDOWS\system32\efccyvu.dll 2007-11-12 18:05 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll 2007-11-12 18:01 36,352 --a------ C:\WINDOWS\system32\wvurstr.dll 2007-11-12 18:00 2007-11-12 17:56 2007-11-12 17:36 2007-11-10 22:58 2007-11-10 22:58 2007-11-10 22:58 2007-11-09 22:58 2007-11-09 18:11 2007-11-08 16:19 2007-11-08 16:19 2007-11-06 17:17 2007-11-04 18:49 2007-11-04 18:48 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys 2007-11-02 21:48 2007-11-02 21:48 2007-11-02 21:48 2007-11-02 19:14 40,733 --a------ C:\WINDOWS\system32\rightonadz-uninst.exe 2007-11-01 09:21 2007-10-30 20:36 2007-10-30 20:36 2007-10-30 17:31 75,776 --a------ C:\WINDOWS\system32\gzmrotate.dll 2007-10-29 22:09 2007-10-29 20:41 2007-10-27 12:51 2007-10-27 12:51 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll 2007-10-27 12:51 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll 2007-10-27 10:34 2007-10-26 23:29 2007-10-26 23:16 2007-10-26 23:01 2007-10-26 23:01 2007-10-23 17:42 2007-10-21 08:56 2007-10-21 08:56 2007-10-21 08:52 2007-10-21 08:52 2007-10-19 17:51 2007-10-19 17:49 2007-10-19 16:41 2007-10-19 16:37 2007-10-19 16:36 2007-10-19 16:36 2007-10-19 16:34 2007-10-19 16:32 2007-10-18 22:15 2007-10-16 21:03 2007-10-16 21:01 2007-10-16 21:00 2007-10-15 20:14 582,656 -----c— C:\WINDOWS\system32\dllcache\rpcrt4.dll 2007-10-15 20:09 2007-10-15 20:07 2,374,472 -----c— C:\WINDOWS\system32\dllcache\wmvcore.dll 2007-10-15 19:02 2007-10-15 18:17 2007-10-15 18:15 2007-10-15 17:06 2007-10-15 16:50 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe 2007-10-15 16:50 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr 2007-10-15 16:50 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2007-10-15 16:50 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2007-10-15 16:50 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2007-10-15 16:50 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2007-10-15 16:50 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2007-10-15 16:48 2007-10-15 16:47 2007-10-15 16:47 2007-10-15 16:47 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-14 11:14 --------- d-----w C:\Documents and Settings\Luk\Dane aplikacji.purple 2007-11-13 22:28 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-11-09 20:38 --------- d-----w C:\Program Files\Wiedźmin 2007-11-04 17:42 --------- d-----w C:\Program Files\Mplayer 2007-11-02 20:48 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-11-01 08:33 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys 2007-10-31 13:34 --------- d-----w C:\Program Files\EA GAMES 2007-10-26 22:16 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2007-10-25 14:46 --------- d-----w C:\Program Files\UBISOFT 2007-10-16 19:42 --------- d-----w C:\Program Files\Picasa2 2007-10-15 20:43 --------- d-----w C:\Program Files\Firefox 2007-10-15 16:58 --------- d-----w C:\Program Files\Winamp 2007-10-15 16:42 --------- d-----w C:\Program Files\Google 2007-10-11 16:04 --------- d-----w C:\Program Files\Lexmark X1100 Series 2007-10-08 16:22 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help 2007-08-21 06:26 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2003-01-06 14:11 950,191 ----a-w C:\Program Files\wrar310pl.exe . ((((((((((((((((((((((((((((( snapshot@2007-11-15_20.54.13.73 ))))))))))))))))))))))))))))))))))))))))) . + 2007-11-13 22:40:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE + 2007-11-15 20:07:56 8,388,608 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT + 2007-11-15 20:07:56 593,920 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat + 2007-11-13 22:40:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE + 2007-11-15 20:07:43 8,388,608 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT + 2007-11-15 20:07:44 593,920 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat - 2007-11-15 19:52:33 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_610.dat + 2007-11-15 22:30:34 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_610.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{01CD0B31-9154-45F2-9414-F5D64B74EAF6}] 2007-11-12 18:01 36352 --a------ C:\WINDOWS\system32\wvurstr.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{51374ED6-9381-4EDF-8365-6E03849869F4}] C:\Program Files\NetMeeting\mesogihatC:\WINDOWS\system32\x24\jumper83122.exe.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{8C414B59-10BE-41BC-8F8B-E56508453D5E}] [HKEY_LOCAL_MACHINE~\Browser Helper Objects{A95B2816-1D7E-4561-A202-68C0DE02353A}] 2007-11-15 17:17 145984 --a------ C:\WINDOWS\system32\ffyzsgct.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{e1cf8c6a-e9b6-48e5-9b12-eb8ab312bebf}] C:\WINDOWS\system32\mollswue.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{F2622E21-70DB-4B89-8DE0-C23E159A6D0C}] C:\WINDOWS\system32\sstqq.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{F8445C3E-2943-4F7C-9238-86F3488C3570}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] “{11A69AE4-FBED-4832-A2BF-45AF82825583}”= C:\WINDOWS\system32\ffyzsgct.dll [2007-11-15 17:17 145984] [HKEY_CLASSES_ROOT\CLSID{11A69AE4-FBED-4832-A2BF-45AF82825583}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SoundMan”=“SOUNDMAN.EXE” [2005-10-24 07:45 C:\WINDOWS\SOUNDMAN.EXE] “NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-02-13 14:05] “nwiz”=“nwiz.exe” [2006-02-13 14:05 C:\WINDOWS\system32\nwiz.exe] “NvMediaCenter”=“NvMCTray.dll” [2006-02-13 14:05 C:\WINDOWS\system32\nvmctray.dll] “Google Desktop Search”=“C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” [2007-10-16 15:38] “GrooveMonitor”=“C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe” [2006-10-26 23:47] “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 09:50] “Lexmark X1100 Series”=“C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe” [2003-08-19 16:09] “NWEReboot”="" [] “Sony Ericsson PC Suite”=“C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe” [2005-10-26 15:17] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-09-06 11:06] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 00:11] “AVFX Engine”=“E:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe” [2006-08-16 00:12] “V0230Mon.exe”=“C:\WINDOWS\V0230Mon.exe” [2006-09-06 18:01] “58dd559a”=“C:\WINDOWS\system32\lhecbatg.dll” [2007-11-15 17:28] “Anti Trojan Elite”=“C:\Program Files\Anti Trojan Elite\TJEnder.exe” [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 01:44] “LClock”=“C:\Program Files\LClock\lclock.exe” [] “Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-09-13 12:31] “Creative Live! Cam Manager”=“E:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe” [2006-09-06 08:42] [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “Picasa Media Detector”=C:\Program Files\Picasa2\PicasaMediaDetector.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{01CD0B31-9154-45F2-9414-F5D64B74EAF6}”= C:\WINDOWS\system32\wvurstr.dll [2007-11-12 18:01 36352] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ffyzsgct] ffyzsgct.dll 2007-11-15 17:17 145984 C:\WINDOWS\system32\ffyzsgct.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvurstr] wvurstr.dll 2007-11-12 18:01 36352 C:\WINDOWS\system32\wvurstr.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] “AppInit_DLLs”=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] “Authentication Packages”= msv1_0 C:\WINDOWS\system32\ddccd.dll R3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys R3 V0230Vfx;V0230Vfx;C:\WINDOWS\system32\DRIVERS\V0230Vfx.sys R3 V0230VID;Live! Cam Video IM Pro;C:\WINDOWS\system32\DRIVERS\V0230VID.sys S3 ATE_PROCMON;ATE_PROCMON;??\C:\Program Files\Anti Trojan Elite\ATEPMon.sys S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-15 23:31:14 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-15 23:33:33 - machine was rebooted C:\ComboFix2.txt … 2007-11-15 20:55 C:\ComboFix3.txt … 2007-11-15 20:41 . — E O F —

Gutek · 16 Listopad 2007 06:25

Wklej do Notatnika:

File:: C:\WINDOWS\system32\urqnkhg.dll C:\WINDOWS\system32\opnmjkl.dll C:\WINDOWS\system32\jkkklmj.dll C:\WINDOWS\system32\tuvvurr.dll C:\WINDOWS\system32\ffyzsgct.dll C:\WINDOWS\system32\pmnoopn.dll C:\WINDOWS\system32\pmnkhgg.dll C:\Temp\o729R138.exe C:\WINDOWS\system32\efccyvu.dll C:\WINDOWS\system32\wvurstr.dll C:\WINDOWS\system32\gzmrotate.dll C:\WINDOWS\system32\mollswue.dll C:\WINDOWS\system32\sstqq.dll C:\WINDOWS\system32\ddccd.dll Folder:: C:\WINDOWS\system32\rMa18yy C:\Temp\abW9 C:\Program Files\NetMeeting Registry:: [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{01CD0B31-9154-45F2-9414-F5D64B74EAF6}] [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{51374ED6-9381-4EDF-8365-6E03849869F4}] [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{8C414B59-10BE-41BC-8F8B-E56508453D5E}] [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{A95B2816-1D7E-4561-A202-68C0DE02353A}] [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{e1cf8c6a-e9b6-48e5-9b12-eb8ab312bebf}] [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{F2622E21-70DB-4B89-8DE0-C23E159A6D0C}] [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{F8445C3E-2943-4F7C-9238-86F3488C3570}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] “{11A69AE4-FBED-4832-A2BF-45AF82825583}”=- [-HKEY_CLASSES_ROOT\CLSID{11A69AE4-FBED-4832-A2BF-45AF82825583}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “58dd559a”=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{01CD0B31-9154-45F2-9414-F5D64B74EAF6}”=- [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ffyzsgct] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvurstr]

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo, ale jeszcze przed nowym logiem:

Wklej do Notatnika:

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"Authentication Packages"=-

"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\

  00

Z menu Notatnika Plik Zapisz jako Ustaw rozszerzenie na “Wszystkie pliki” Zapisz jako FIX.REG uruchom ten plik (dwuklik).

lokio · 16 Listopad 2007 17:59

Zrobiłem tak i te ikonki zniknęły, potem “przejechałem” jeszcze programem Spyware Doctor 5.1 i znalazł i usunął 2 trojany. Dzięki za pomoc! :o

Gutek · 28 Listopad 2007 17:09

Wklej do Notatnika:

File:: C:\WINDOWS\system32\bplwegan.dll C:\WINDOWS\system32\crehcjid.dll C:\WINDOWS\system32\ssqrpml.dll C:\WINDOWS\system32\tcpip_patcher.sys C:\WINDOWS\system32\vtutu.dll C:\WINDOWS\system32\pmnlm.dll C:\WINDOWS\system32\rhnwmkyc.dll C:\WINDOWS\system32\leulhmxt.dll C:\WINDOWS\system32\hcssyyhj.exe C:\WINDOWS\system32\lppnqcma.dll Registry:: [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{4A54500A-65FE-4F4A-B860-20EAE2F577F9}] [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{A95B2816-1D7E-4561-A202-68C0DE02353A}] [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{e6a024af-0b48-46e4-b22a-c2707df2a8b3}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] “{11A69AE4-FBED-4832-A2BF-45AF82825583}”=- [-HKEY_CLASSES_ROOT\clsid{11a69ae4-fbed-4832-a2bf-45af82825583}] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] “{4A54500A-65FE-4F4A-B860-20EAE2F577F9}”=- [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crehcjid] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lppnqcma] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrpml] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo