For a few days I have had a problem with my computer: balloon notifications with information about viruses keep appearing in the bottom-right corner:
Spywere found
Trojan-Spy.win32@mx
Networm-i.Virus@fp
Malware threats
Warning
Web pages appear asking me to install an antivirus program, and advertisements appear as well. The computer freezes, and no antivirus can deal with the viruses.
This is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:00, on 2007-11-09
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\rundll32.exe
C:\DOCUME~1\AGATA\USTAWI~1\Temp\sheqipoi.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\cmxjbuny.dll
O4 - HKLM…\Run: [AVP] “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe”
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: FreshDownload - {6DE606F2-3C28-4F55-860B-CB181EA35A92} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://220.227.116.204/activex/AMC.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/AGATA/Pulpit/THE%20RASMUS_LOST_ZAGUBIENI_pliki/reynaldo0145ew7qu1.jpg
O24 - Desktop Component 1: (no name) - http://espanol.geocities.com/latinsoaps … lo/001.jpg
O24 - Desktop Component 2: (no name) - http://www.geocities.com/yadhiracarrill … rillo1.jpg
O24 - Desktop Component 3: (no name) - http://www.latin.cz/uvod/odkazy/foto_he … rro/45.jpg
O24 - Desktop Component 4: (no name) - http://www.latin.cz/uvod/odkazy/foto_he … rro/50.jpg
O24 - Desktop Component 5: (no name) - http://www.latin.cz/uvod/odkazy/foto_he … rro/28.jpg
–
End of file - 4296 bytes
And this is ComboFix:
ComboFix 07-11-08.1 - AGATA 2007-11-09 1:29:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.96 [GMT 1:00]
Running from: C:\Documents and Settings\AGATA\Pulpit\ComboFix.exe
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\AGATA\Pulpit\Live Safety Center.lnk
C:\Documents and Settings\AGATA\Pulpit\Online Security Guide.lnk
C:\Documents and Settings\AGATA\Ulubione\Online Security Guide.lnk
C:\Documents and Settings\All Users.WINDOWS\Menu Start\Live Safety Center.lnk
C:\Documents and Settings\All Users.WINDOWS\Menu Start\Online Security Guide.lnk
C:\WINDOWS\system32\cmxjbuny.dllbox
C:\WINDOWS\system32\jkklk.dll
.
---- Previous Run -------
.
C:\Documents and Settings\AGATA\Pulpit\Live Safety Center.lnk
C:\Documents and Settings\AGATA\Pulpit\Online Security Guide.lnk
C:\Documents and Settings\AGATA\Ulubione\Online Security Guide.lnk
C:\Documents and Settings\All Users.WINDOWS\Menu Start\Live Safety Center.lnk
C:\Documents and Settings\All Users.WINDOWS\Menu Start\Online Security Guide.lnk
C:\Program Files\Common Files\inetget
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\tclock\tclock_install.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\Program Files\WinAble
C:\Program Files\windows
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cmxjbuny.dllbox
C:\WINDOWS\system32\klkkj.bak1
C:\WINDOWS\system32\klkkj.bak2
C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\klkkj.ini2
C:\WINDOWS\system32\klkkj.tmp
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\m2
C:\WINDOWS\system32\o1
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\v4
C:\WINDOWS\Temp\84060345.exe
C:\WINDOWS\winshow.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.
2007-11-09 01:32 173,540 --a------ C:\WINDOWS\system32\ddaby.dll
2007-11-09 01:13 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 00:51
2007-11-09 00:24 86,080 --a------ C:\WINDOWS\system32\ovxsbksa.dll
2007-11-09 00:21 80,448 --a------ C:\WINDOWS\system32\jnpapdrc.dll
2007-11-09 00:19 71,232 --a------ C:\WINDOWS\system32\jnlhnaoy.exe
2007-11-09 00:13 71,232 --a------ C:\WINDOWS\system32\yidvamll.exe
2007-11-09 00:10 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-09 00:10 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-09 00:10 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-09 00:10 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-08 23:52 86,080 --a------ C:\WINDOWS\system32\uwdatfnk.dll
2007-11-08 23:49 80,448 --a------ C:\WINDOWS\system32\aytlgnvs.dll
2007-11-08 23:47 71,232 --a------ C:\WINDOWS\system32\cpjkqbwx.exe
2007-11-08 23:40 80,448 --a------ C:\WINDOWS\system32\ahiwypnn.dll
2007-11-08 23:32 71,232 --a------ C:\WINDOWS\system32\sdxyrheu.exe
2007-11-08 21:19 80,448 --a------ C:\WINDOWS\system32\gdnehyxi.dll
2007-11-08 21:13 86,080 --a------ C:\WINDOWS\system32\atynheae.dll
2007-11-08 21:11 71,232 --a------ C:\WINDOWS\system32\xetiegxi.exe
2007-11-08 20:14 80,448 --a------ C:\WINDOWS\system32\admkeijp.dll
2007-11-08 20:08 71,232 --a------ C:\WINDOWS\system32\grxkudhb.exe
2007-11-08 19:55
2007-11-08 19:20
2007-11-08 19:08 80,448 --a------ C:\WINDOWS\system32\ofdmgabj.dll
2007-11-08 19:05 71,232 --a------ C:\WINDOWS\system32\jmsbmirh.exe
2007-11-08 16:04 80,448 --a------ C:\WINDOWS\system32\okipmocc.dll
2007-11-08 15:55 71,232 --a------ C:\WINDOWS\system32\wksyoxuq.exe
2007-11-08 14:06 80,448 --a------ C:\WINDOWS\system32\hwbtktba.dll
2007-11-08 14:05 71,232 --a------ C:\WINDOWS\system32\fqqpdrjp.exe
2007-11-08 13:38 80,448 --a------ C:\WINDOWS\system32\ntqhtbdf.dll
2007-11-08 13:38 71,232 --a------ C:\WINDOWS\system32\bodntixg.exe
2007-11-08 12:38 80,448 --a------ C:\WINDOWS\system32\tioxmsto.dll
2007-11-08 12:38 71,232 --a------ C:\WINDOWS\system32\olcdoemf.exe
2007-11-08 12:35 80,448 --a------ C:\WINDOWS\system32\uqtydrib.dll
2007-11-08 12:34 86,080 --------- C:\WINDOWS\system32\fejcnxha.dll
2007-11-08 12:32 71,232 --a------ C:\WINDOWS\system32\muqdaoyl.exe
2007-11-08 12:19 80,448 --a------ C:\WINDOWS\system32\kmbscged.dll
2007-11-08 12:17 71,232 --a------ C:\WINDOWS\system32\tytqgauq.exe
2007-11-08 11:50 80,448 --a------ C:\WINDOWS\system32\pyfbcvqk.dll
2007-11-08 11:48 71,232 --a------ C:\WINDOWS\system32\mtvnpfqh.exe
2007-11-08 11:41
2007-11-08 10:07 86,080 --------- C:\WINDOWS\system32\xbgtgqai.dll
2007-11-08 10:01 80,448 --a------ C:\WINDOWS\system32\qwkufhxb.dll
2007-11-08 09:59 71,232 --a------ C:\WINDOWS\system32\foyobqnd.exe
2007-11-08 09:54 86,080 --------- C:\WINDOWS\system32\mojoyyop.dll
2007-11-08 09:51 80,448 --a------ C:\WINDOWS\system32\itexryhm.dll
2007-11-08 09:46 71,232 --a------ C:\WINDOWS\system32\oqvxpexk.exe
2007-11-07 17:19 79,936 --a------ C:\WINDOWS\system32\kbhywjiy.dll
2007-11-07 17:13 86,080 --a------ C:\WINDOWS\system32\bryprrwl.dll
2007-11-07 17:10 71,232 --a------ C:\WINDOWS\system32\sodlqhbs.exe
2007-11-07 11:37 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-11-07 11:37 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-11-07 11:36
2007-11-07 11:36
2007-11-07 11:36 5,702,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-07 11:36 40,992 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-07 11:27
2007-11-07 09:30
2007-11-06 20:52 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-11-06 19:01 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-06 17:17 81,472 --a------ C:\WINDOWS\system32\mvtritem.dll
2007-11-06 17:09 145,984 --a------ C:\WINDOWS\system32\cmxjbuny.dll
2007-11-06 17:08 145,984 --a------ C:\WINDOWS\system32\eloaljmj.dll
2007-11-06 16:56
2007-11-06 16:56
2007-11-06 16:56
2007-11-06 16:56 36,352 --a------ C:\WINDOWS\system32\gebxwvw.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 00:36 79,484 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-09 00:36 4,820 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-09 00:36 1,572,864 —ha-w C:\Documents and Settings\NetworkService.ZARZąDZANIE NT\NTUSER.DAT
2007-11-09 00:36 1,572,864 —ha-w C:\Documents and Settings\NetworkService.ZARZąDZANIE NT\NTUSER.DAT
2007-11-09 00:36 1,572,864 —ha-w C:\Documents and Settings\LocalService.ZARZąDZANIE NT\NTUSER.DAT
2007-11-09 00:36 1,572,864 —ha-w C:\Documents and Settings\LocalService.ZARZąDZANIE NT\NTUSER.DAT
2007-11-09 00:20 --------- d-----w C:\Program Files\TClock
2007-11-08 11:35 --------- d-----w C:\Program Files\Axis Communications
2007-11-08 11:31 --------- d-----w C:\Program Files\BitComet
2007-11-07 17:32 --------- d-----w C:\Program Files\Java
2007-11-07 17:28 --------- d-----w C:\Program Files\Winamp
2007-11-07 17:27 --------- d-----w C:\Program Files\Apple Software Update
2007-11-07 17:27 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\Apple Computer
2007-11-06 20:37 --------- d—a-w C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\TEMP
2007-09-10 22:20 --------- d-----w C:\Program Files\Yahoo!
2007-09-10 22:20 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\Yahoo!
2007-07-21 13:43 20,392 -c–a-w C:\Documents and Settings\AGATA\Dane aplikacji\GDIPFONTCACHEV1.DAT
2006-11-02 17:39:23 88 -csh–r C:\WINDOWS\system32\9380E06095.sys
2006-11-02 17:39:31 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{031656A7-6BEE-403F-B672-B197A9EE6A39}]
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{03DD2B24-8B6C-4103-8F97-EF55E34AB86A}]
C:\Program Files\NetMeeting\hokelovuC:\WINDOWS\System32\v4\caws83122.exe.dll
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-06 16:56 36352 --a------ C:\WINDOWS\System32\gebxwvw.dll
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{74ef5d06-98fe-40e9-8ee7-dd6b058d0f29}]
2007-11-09 00:21 80448 --a------ C:\WINDOWS\System32\jnpapdrc.dll
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-06 17:09 145984 --a------ C:\WINDOWS\system32\cmxjbuny.dll
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{ba6d83bf-2ac3-4585-9522-f0ae8e28c290}]
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{D3BF1D55-496D-49BF-BB4D-B1708ABDC2FA}]
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{E6E57497-1CB7-4E92-8437-DCE47B7D5754}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
“{11A69AE4-FBED-4832-A2BF-45AF82825583}”= C:\WINDOWS\system32\cmxjbuny.dll [2007-11-06 17:09 145984]
[HKEY_CLASSES_ROOT\CLSID{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
“{11A69AE4-FBED-4832-A2BF-45AF82825583}”= C:\WINDOWS\system32\cmxjbuny.dll [2007-11-06 17:09 145984]
[HKEY_CLASSES_ROOT\CLSID{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“WMC_AutoUpdate”="" []
“AVP”=“C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe” [2007-06-28 12:51]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{634BBAB7-3F60-4426-944F-A62B9007F67F}”= C:\WINDOWS\System32\gebxwvw.dll [2007-11-06 16:56 36352]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cmxjbuny]
cmxjbuny.dll 2007-11-06 17:09 145984 C:\WINDOWS\system32\cmxjbuny.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxwvw]
gebxwvw.dll 2007-11-06 16:56 36352 C:\WINDOWS\system32\gebxwvw.dll
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\System32\DRIVERS\klim5.sys
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 01:38:22
Windows 5.1.2600 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-09 1:41:05 - machine was rebooted
.
— E O F —
I would be very grateful for help.