papajkal
(Papajkal)
28 August 2008 14:36
#1
A virus got installed on my machine and nothing helps remove it. I managed to make logs; here they are:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:18: VIRUS ALERT!, on 2008-08-28
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CachemanXP\CachemanXP.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ldmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\przemek\Pulpit\sdstart.exe
C:\DOCUME~1\przemek\USTAWI~1\Temp\is-KKTLK.tmp\sdstart.tmp
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\Update.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O1 - Hosts: 85.255.117.186 www.openfunlinks.com
O1 - Hosts: 209.85.51.238 szukaj.wp.plwebsecuritypage.com
O1 - Hosts: 77.79.194.162 www.madziuniaz94.fotka.pl
O3 - Toolbar: Protection Bar - {CC18AE76-7E65-4258-A193-9EA0C52DA6B8} - (no file)
O3 - Toolbar: qalkfxor - {8BE3A45C-46D2-407E-8A70-878D0828634D} - C:\WINDOWS\qalkfxor.dll
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [KAVWks50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 5.0 for Windows Workstations\kav.exe" /minimize /chkas
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [ldmgr] C:\WINDOWS\system32\ldmgr.exe
O4 - HKLM…\Run: [e492f6ca] rundll32.exe "C:\WINDOWS\system32\shloycer.dll",b
O4 - HKLM…\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O4 - HKCU…\Policies\Explorer\Run: [Windows Security Tool] WinSecure.exe
O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: -
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip…{8E6B4EF0-498D-49BE-869F-AFAF94DE67F6}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: rqbmvpso - {34ADE82D-44ED-4459-8C55-891BFF2C50AA} - C:\WINDOWS\rqbmvpso.dll
O21 - SSODL: pdoskegl - {F4C42185-3CDF-4550-AE93-DE79B02BBC6E} - C:\WINDOWS\pdoskegl.dll
O22 - SharedTaskScheduler: clinker - {a4029063-4fe3-422c-ac72-12905c09642a} - (no file)
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Usługa Kaspersky Anti-Virus (kavsvc) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 5.0 for Windows Workstations\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7251 bytes
What should I do?
djarta
(djarta)
28 August 2008 14:55
#2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5&lid=2
O1 - Hosts: 85.255.117.186 www.openfunlinks.com
O1 - Hosts: 209.85.51.238 szukaj.wp.plwebsecuritypage.com
O1 - Hosts: 77.79.194.162 www.madziuniaz94.fotka.pl
O3 - Toolbar: Protection Bar - {CC18AE76-7E65-4258-A193-9EA0C52DA6B8
O3 - Toolbar: qalkfxor - {8BE3A45C-46D2-407E-8A70-878D0828634D} - C:\WINDOWS\qalkfxor.dll
O4 - HKLM…\Run: [ldmgr] C:\WINDOWS\system32\ldmgr.exe
O4 - HKLM…\Run: [e492f6ca] rundll32.exe "C:\WINDOWS\system32\shloycer.dll",b
O4 - HKCU…\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O4 - HKCU…\Policies\Explorer\Run: [Windows Security Tool] WinSecure.exe
O4 - Startup: -
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: rqbmvpso - {34ADE82D-44ED-4459-8C55-891BFF2C50AA} - C:\WINDOWS\rqbmvpso.dll
O21 - SSODL: pdoskegl - {F4C42185-3CDF-4550-AE93-DE79B02BBC6E} - C:\WINDOWS\pdoskegl.dll
O22 - SharedTaskScheduler: clinker - {a4029063-4fe3-422c-ac72-12905c09642a} - (no file)
Fix the above entries in HijackThis:
>>HijackThis>>Scan (Do a system scan only)>>check them>>Fix checked
Download SDFix
* Double-click SDFix.exe; the program will then extract itself to the system drive (by default C:\SDFix)
* Restart the computer and enter Safe Mode (press F8 before Windows boots)
* Go to the SDFix folder and double-click the file RunThis.bat
* Press Y; the removal process will begin.
* When the removal finishes, press any key. The computer will restart.
* After the restart SDFix will run again to finish the removal; when Finished appears in the program window, press any key to end the script and load the desktop icons.
* Post Report.txt, found in the SDFix folder.
Post a log from -----> ComboFix (further down the linked page).
================
K.
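The entries djarta picked out above can be recognised mechanically. The script below is an added example, not code from HijackThis, SDFix or anyone in this thread: it reads HijackThis-style lines and flags the patterns that made those entries stand out (a hosts-file mapping that points somewhere other than a local sink, a Toolbar/SSODL/SharedTaskScheduler entry with no backing file or with its DLL sitting directly in C:\WINDOWS, an autostart hidden under Policies\Explorer\Run or carrying a hex-looking value name, and DisableRegedit=1). The sample log is a handful of entries from the post above, retyped in HijackThis's usual `HKLM\..\Run` notation, plus one constructed benign hosts line; the allowlist of trusted start-page hosts is an assumption for the demo and would be set per machine.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code)."""
import re
from typing import List, Tuple
from urllib.parse import urlparse

Finding = Tuple[str, str, str]  # (HJT section, reason, offending line)

# Assumption for the demo: hosts this user's browser may legitimately start at.
TRUSTED_HOMEPAGE_HOSTS = {"szukaj.wp.pl", "www.google.pl", "www.google.com"}
# Hosts-file targets that sinkhole a name rather than redirect it.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

RE_SECTION = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
RE_HOSTS = re.compile(r"^Hosts: (\S+) (\S+)$")
RE_CLSID_ENTRY = re.compile(
    r"^(BHO|Toolbar|SSODL|SharedTaskScheduler): (.+?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
RE_RUN = re.compile(r"^(HK\S*?)\\Run: \[([^\]]+)\] (.*)$")
RE_URL = re.compile(r"(?:Start Page|Search Bar|Search Page|Default_Page_URL) = (\S+)")
# A DLL/EXE directly in the Windows directory, not in a subfolder such as system32.
RE_WINDIR_ROOT = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(?:dll|exe)$", re.I)
RE_HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.I)


def triage(log_text: str) -> List[Finding]:
    """Return one finding per line that matches a hijack pattern, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RE_SECTION.match(line)
        if not m:
            continue
        section, body = m.groups()

        if section in ("R0", "R1"):
            u = RE_URL.search(body)
            host = urlparse(u.group(1)).hostname if u else None
            if host and host not in TRUSTED_HOMEPAGE_HOSTS:
                findings.append((section, f"browser start/search page points at {host}", line))

        elif section == "O1":
            h = RE_HOSTS.match(body)
            if h and h.group(1) not in LOCAL_SINKS:
                findings.append((section, f"hosts file redirects {h.group(2)} to {h.group(1)}", line))

        elif section in ("O2", "O3", "O21", "O22"):
            c = RE_CLSID_ENTRY.match(body)
            if c and c.group(4) == "(no file)":
                findings.append((section, "shell extension registered but its file is gone", line))
            elif c and RE_WINDIR_ROOT.match(c.group(4)):
                findings.append((section, "shell extension loaded from the root of the Windows directory", line))

        elif section == "O4":
            r = RE_RUN.match(body)
            if r and "Policies\\Explorer" in r.group(1):
                findings.append((section, "autostart hidden under Policies\\Explorer\\Run", line))
            elif r and RE_HEX_NAME.match(r.group(2)):
                findings.append((section, "autostart with a hex-looking value name", line))

        elif section == "O7" and "DisableRegedit=1" in body:
            findings.append((section, "registry editor disabled by policy", line))
    return findings


# Entries from the log posted above, retyped in HijackThis's usual notation,
# plus one constructed benign hosts line (127.0.0.1 localhost).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm
O1 - Hosts: 85.255.117.186 www.openfunlinks.com
O1 - Hosts: 127.0.0.1 localhost
O3 - Toolbar: Protection Bar - {CC18AE76-7E65-4258-A193-9EA0C52DA6B8} - (no file)
O3 - Toolbar: qalkfxor - {8BE3A45C-46D2-407E-8A70-878D0828634D} - C:\WINDOWS\qalkfxor.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [e492f6ca] rundll32.exe "C:\WINDOWS\system32\shloycer.dll",b
O4 - HKCU\..\Policies\Explorer\Run: [Windows Security Tool] WinSecure.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: rqbmvpso - {34ADE82D-44ED-4459-8C55-891BFF2C50AA} - C:\WINDOWS\rqbmvpso.dll
O22 - SharedTaskScheduler: clinker - {a4029063-4fe3-422c-ac72-12905c09642a} - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The rules are keyed on location and naming, so they are deliberately narrow: nothing here would flag `ldmgr.exe` in system32, which the SDFix firewall export later in the thread shows with a `helpLD` description, so the output is a shortlist for a human reviewer, not a verdict.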
Gutek
(Gutek)
28 August 2008 19:46
#3
Change to the rules for pasting logs on the forum - viewtopic.php?f=16&t=253052
papajkal
(Papajkal)
28 August 2008 19:56
#4
I love you, you who helped. So far everything works as it used to; the administrator account is back (because this virus apparently took over my system admin and nothing could be done), but I'm pasting these codes as you asked:
First, the one from step no. 3
ComboFix 08-08-28.02 - przemek 2008-08-28 21:34:45.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.570 [GMT 2:00]
Running from: C:\Documents and Settings\przemek\Pulpit\ComboFix.exe
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED .
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\przemek\Dane aplikacji\macromedia\Flash Player\#SharedObjects\5UMAGJKY\bin.clearspring.com
C:\Documents and Settings\przemek\Dane aplikacji\macromedia\Flash Player\#SharedObjects\5UMAGJKY\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\przemek\Dane aplikacji\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\przemek\Dane aplikacji\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Program Files\MyGlobalSearch
C:\WINDOWS\system32\cocjjwdf.ini
C:\WINDOWS\system32\fdwjjcoc.dll
C:\WINDOWS\system32\ISuwDfhk.ini
C:\WINDOWS\system32\ISuwDfhk.ini2
C:\WINDOWS\system32\khfdBRLE.dll
C:\WINDOWS\system32\khfDwuSI.dll
C:\WINDOWS\system32\recyolhs.ini
C:\WINDOWS\system32\shloycer.dll
.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 )))))))))))))))))))))))))))))))
.
2008-08-28 17:24 . 2008-08-28 17:24
2008-08-28 17:22 . 2007-02-02 14:31
2008-08-28 17:22 . 2007-02-02 14:31
2008-08-28 17:22 . 2007-02-02 14:31
2008-08-28 17:22 . 2007-02-02 14:31
2008-08-28 17:22 . 2007-02-02 14:31
2008-08-28 17:22 . 2007-02-02 14:31
2008-08-28 17:22 . 2007-02-02 14:31
2008-08-28 17:22 . 2008-08-28 17:22
2008-08-28 17:11 . 2008-08-24 05:08
2008-08-28 16:18 . 2008-08-28 16:18
2008-08-28 16:14 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-08-28 16:14 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-08-28 16:14 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-08-28 16:14 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-08-28 16:13 . 2008-08-28 16:13
2008-08-28 16:13 . 2008-08-28 16:13
2008-08-28 15:51 . 2008-08-28 11:17 380,928 --a------ C:\WINDOWS\rodqgpvlkel.dll
2008-08-28 15:51 . 2008-08-28 11:17 233,472 --a------ C:\WINDOWS\pdoskegl.dll
2008-08-28 15:51 . 2008-08-28 11:17 188,416 --a------ C:\WINDOWS\rqbmvpso.dll
2008-08-28 15:51 . 2008-08-28 11:17 155,648 --a------ C:\WINDOWS\qalkfxor.dll
2008-08-28 15:51 . 2008-08-28 11:17 86,016 --a------ C:\WINDOWS\rvoelbxt.exe
2008-08-28 15:48 . 2008-08-28 15:48
2008-08-28 13:45 . 2008-08-28 13:45
2008-08-28 12:49 . 2008-08-28 12:49
2008-08-14 21:39 . 2008-08-14 21:39
2008-08-11 15:33 . 2008-08-11 15:33 1,927 --a------ C:\Documents and Settings\gfh.gp5
2008-08-09 19:18 . 2008-08-09 19:18 24,576 --ah----- C:\photothumb.db
2008-08-04 19:05 . 2008-08-04 19:05
2008-08-04 00:48 . 2008-08-04 00:41 263,888 --a------ C:\1.jpg
2008-08-04 00:48 . 2008-08-04 00:41 262,369 --a------ C:\4.jpg
2008-08-04 00:48 . 2008-08-04 00:41 262,112 --a------ C:\3.jpg
2008-08-04 00:48 . 2008-08-04 00:40 260,447 --a------ C:\2.jpg
2008-07-30 08:24 . 2008-07-30 08:24
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 19:00 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-22 13:56 --------- d-----w C:\Program Files\SEMC
2008-07-18 23:18 --------- d-----w C:\Program Files\JLC's Software
2008-07-18 23:18 --------- d-----w C:\Documents and Settings\przemek\Dane aplikacji\JLC's Software
2008-07-18 22:48 --------- d-----w C:\Program Files\ChrisTV Online
2008-07-13 10:54 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-12 14:25 --------- d-----w C:\Program Files\CachemanXP
2008-07-10 19:15 --------- d-----w C:\Program Files\Real Alternative
2008-07-08 23:39 --------- d-----w C:\Program Files\directx
2008-06-27 18:34 2,356 ----a-w C:\WINDOWS\system32\windfk.exe
2008-06-27 18:34 2,356 ----a-w C:\WINDOWS\system32\cmdld.exe
2008-01-18 14:41 1,024 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\1doc2pdf.dll
2008-02-03 16:46 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 15,360 2004-08-03 22:44:20 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-03 22:44:20 C:\WINDOWS\system32\ctfmon.exe
----a-w 155,648 2001-07-09 09:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe
----a-w 98,407 2006-07-12 17:18:40 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 5.0 for Windows Workstations\bak\kav.exe
----a-w 98,407 2007-04-08 04:05:16 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 5.0 for Windows Workstations\kav.exe
----a-w 24,576 2003-10-16 17:07:10 C:\Program Files\Neostrada TP\bak\CnxMon.exe
----a-w 20,480 2003-10-16 17:07:12 C:\Program Files\Neostrada TP\bak\Watch.exe
----a-w 53,248 2003-10-16 17:07:12 C:\Program Files\Neostrada TP\bak\TaskbarIcon.exe
----a-w 75,520 2006-12-15 01:23:28 C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E46A59BF-81A2-48B5-A88A-E262DDC9349E}]
2008-08-28 11:17 380928 --a------ C:\WINDOWS\rodqgpvlkel.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"KAVWks50"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 5.0 for Windows Workstations\kav.exe" [2007-04-08 06:05 98407]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-07-16 09:16 1166216]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]
"Picasa Media Detector"="C:\Documents and Settings\przemek\Moje dokumenty\Picasa2\PicasaMediaDetector.exe" [2007-09-28 03:17 443968]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-02 15:48:50 113664]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-02-02 15:57:25 962661]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rqbmvpso"= {1DEAFFF6-8D39-4A9D-8BCF-4EA7534B89F3} - C:\WINDOWS\rqbmvpso.dll [2008-08-28 11:17 188416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"Creative Live! Cam Manager"="C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ABBYY Community Agent"=C:\Program Files\ABBYY FineReader 5.0\CAgent.exe
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
"AVFX Engine"=C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
"RamSmash"="C:\Program Files\RamSmash\RamSmash.exe" /start
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"V0220Mon.exe"=C:\WINDOWS\V0220Mon.exe
"e492f6ca"=rundll32.exe "C:\WINDOWS\system32\shloycer.dll",b
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"D:\Program Files\BitComet\BitComet.exe"=
"D:\Program Files\Konnekt\konnekt.exe"=
"C:\totalcmd\TOTALCMD.EXE"=
"C:\Program Files\eMule\emule.exe"=
"C:\Program Files\Gadu-Gadu\gg.exe"=
"C:\Program Files\NAPI-PROJEKT\napisy.exe"=
"C:\WINDOWS\System32\LEXPPS.EXE"=
"C:\WINDOWS\System32\dpvsetup.exe"=
"C:\Program Files\Opera\Opera.exe"=
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"C:\WINDOWS\System32\hdfmig.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=
"C:\WINDOWS\system32\ldmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10106:TCP"= 10106:TCP:BitComet 10106 TCP
"10106:UDP"= 10106:UDP:BitComet 10106 UDP
"24693:TCP"= 24693:TCP:BitComet 24693 TCP
"24693:UDP"= 24693:UDP:BitComet 24693 UDP

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys [2006-07-05 13:46]
R1 klmc;Sterownik KLMC;C:\WINDOWS\system32\drivers\klmc.sys [2006-07-12 19:23]
R2 CachemanXPService;CachemanXP;C:\Program Files\CachemanXP\CachemanXP.exe [2008-04-30 19:54]
R3 st3bus28;st3bus28;C:\WINDOWS\system32\DRIVERS\st3bus28.sys [2002-12-28 12:16]
R3 st3mp28;st3mp28;C:\WINDOWS\system32\DRIVERS\st3mp28.sys [2002-12-28 12:16]
R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);C:\WINDOWS\system32\DRIVERS\zebrceb.sys [2006-02-01 10:01]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;D:\Program Files\EVEREST\kerneld.wnt [2005-08-18 00:00]
S3 V0220Dev;Live! Cam Video IM;C:\WINDOWS\system32\DRIVERS\V0220Dev.sys [2006-06-29 07:58]
S3 V0220Vfx;V0220VFX;C:\WINDOWS\system32\DRIVERS\V0220Vfx.sys [2006-06-08 10:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e7080e6-b574-11dc-a6f0-4d6564696130}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explore.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\wglufmdf.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.pl
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 21:45:55
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\D:\Program Files\EVEREST\kerneld.wnt"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 5.0 FOR WINDOWS WORKSTATIONS\KAVSVC.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\PCTSAUXS.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 5.0 FOR WINDOWS WORKSTATIONS\KLSWD.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\PCTSSVC.EXE
C:\PROGRAM FILES\ALCOHOL SOFT\ALCOHOL 120\STARWIND\STARWINDSERVICEAE.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-28 21:47:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-28 19:47:38
Pre-Run: 3,407,052,800 bajtów wolnych
Post-Run: 4,088,332,288 bajtów wolnych
200 --- E O F --- 2008-03-11 02:09:11

And now the one from step number two (the SDFix program):

SDFix: Version 1.219
Run by Administrator on 2008-08-28 at 17:26
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File
Restoring Windows Product ID To Remove Fake Virus Alert

Rebooting

Checking Files :

Trojan Files Found:
C:\WINDOWS\system32\ljJDUmMc.dll - Deleted
C:\WINDOWS\EWGE.EXE - Deleted
C:\Documents and Settings\przemek\Ulubione\Error Cleaner.url - Deleted
C:\Documents and Settings\przemek\Pulpit\Error Cleaner.url - Deleted
C:\Documents and Settings\przemek\Ulubione\Privacy Protector.url - Deleted
C:\Documents and Settings\przemek\Pulpit\Privacy Protector.url - Deleted
C:\Documents and Settings\przemek\Ulubione\SpywareMalware Protection.url - Deleted
C:\Documents and Settings\przemek\Pulpit\SpywareMalware Protection.url - Deleted
Folder C:\Documents and Settings\przemek\Dane aplikacji\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#w*w.redtube.com - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 17:33:36
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\Program Files\BitComet\BitComet.exe"="D:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"D:\Program Files\Konnekt\konnekt.exe"="D:\Program Files\Konnekt\konnekt.exe:*:Enabled:Konnekt - Core"
"C:\totalcmd\TOTALCMD.EXE"="C:\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Enabled:eMule"
"C:\Program Files\Gadu-Gadu\gg.exe"="C:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program glowny"
"E:\Gry\TDU\TestDriveUnlimited.exe"="E:\Gry\TDU\TestDriveUnlimited.exe:*:Enabled:Test Drive Unlimited"
"E:\Program Files\Kolekcja Klasyki\Hidden Dangerous 2\HD2.exe"="E:\Program Files\Kolekcja Klasyki\Hidden Dangerous 2\HD2.exe:*:Enabled:HD2"
"E:\Program Files\LucasArts\Star Wars Empire at War\GameData\fpupdate.exe"="E:\Program Files\LucasArts\Star Wars Empire at War\GameData\fpupdate.exe:*:Enabled:fpupdate"
"C:\Program Files\NAPI-PROJEKT\napisy.exe"="C:\Program Files\NAPI-PROJEKT\napisy.exe:*:Enabled:www.napiprojekt.pl"
"C:\WINDOWS\System32\LEXPPS.EXE"="C:\WINDOWS\System32\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"D:\Gry\Colin\DiRTDemo.exe"="D:\Gry\Colin\DiRTDemo.exe:*:Enabled:DiRT Demo Executable"
"D:\Gry\LOST_PLANET_TRIAL_DX9\LostPlanetDX9.exe"="D:\Gry\LOST_PLANET_TRIAL_DX9\LostPlanetDX9.exe:*:Enabled:LostPlanetDX9"
"C:\WINDOWS\System32\dpvsetup.exe"="C:\WINDOWS\System32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\System32\rundll32.exe"="C:\WINDOWS\System32\rundll32.exe:*:Enabled:Uruchamia plik DLL jako aplikację"
"C:\Program Files\Opera\Opera.exe"="C:\Program Files\Opera\Opera.exe:*:Enabled:Opera Internet Browser"
"E:\Program Files\Wolfenstein - Enemy Territory\ET.exe"="E:\Program Files\Wolfenstein - Enemy Territory\ET.exe:*:Enabled:ET"
"E:\Program Files\Wolfenstein - Enemy Territory\ETDED.exe"="E:\Program Files\Wolfenstein - Enemy Territory\ETDED.exe:*:Enabled:ETDED"
"C:\Program Files\BearShare\BearShare.exe"="C:\Program Files\BearShare\BearShare.exe:*:Enabled:BearShare"
"C:\Program Files\BitComet\BitComet.exe"="C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\Program Files\Soulseek\slsk.exe"="C:\Program Files\Soulseek\slsk.exe:*:Enabled:SoulSeek"
"E:\Jedi\GameData\jamp.exe"="E:\Jedi\GameData\jamp.exe:*:Enabled:Jedi Academy MultiPlayer"
"C:\Program Files\SopCast\adv\SopAdver.exe"="C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\Program Files\SopCast\SopCast.exe"="C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\WINDOWS\system32\wintime.exe"="C:\WINDOWS\system32\wintime.exe:*:Enabled:cmdLD"
"C:\WINDOWS\System32\hdfmig.exe"="C:\WINDOWS\System32\hdfmig.exe:*:Enabled:helpLD"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\WINDOWS\system32\ldmgr.exe"="C:\WINDOWS\system32\ldmgr.exe:*:Enabled:helpLD"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 9 Jun 2007 2,045 ...H. --- "C:\WINDOWS\system32\whlb32f.dll"
Sat 9 Sep 2006 2,045 ...H. --- "C:\WINDOWS\system32\whlb32g.dll"
Sun 3 Feb 2008 952 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 6 Oct 2007 5,903,928 A..H. --- "C:\Documents and Settings\przemek\Moje dokumenty\Picasa2\setup.exe"
Thu 6 Dec 2007 229,376 A.SH. --- "C:\Documents and Settings\przemek\Pulpit\Zdjęcia\przemki\SIVD4.tmp"
Wed 21 May 2008 348,160 A.SH. --- "C:\Documents and Settings\przemek\Pulpit\Zdjęcia\Łukowa 2008\SIV18.tmp"
Thu 25 Oct 2007 1,301 ...HR --- "C:\Documents and Settings\przemek\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"

Finished!

If I did something wrong with these codes (that change to how codes are pasted, or whatever), I'm sorry, but this is the first time I've come across something like this.
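One part of the SDFix report above that is worth reading rather than skimming is the firewall exception export. The script below is an added example, not SDFix's or the posters' code: it parses values in the `"<path>"="<path>:<scope>:<Enabled|Disabled>:<description>"` form that Windows XP SP2 stores under `...\FirewallPolicy\StandardProfile\AuthorizedApplications\List` and flags three things: a generic host process such as rundll32.exe let through the firewall, a binary inside the Windows directory whose description is plain text rather than the `@resource.dll,-id` reference that Windows' own exceptions carry, and one hand-written description shared by several executables. The sample export is seven lines taken from the report above. Hits are items to verify on disk, not verdicts: LEXPPS.EXE (Lexmark's print software, also visible as the LexBce service in the HijackThis log) is flagged for review alongside wintime.exe, hdfmig.exe and ldmgr.exe.

```python
"""Audit of Windows XP SP2 firewall exceptions from a registry text export.

Added example for this thread, not code from SDFix or the posters. Input lines
have the form SDFix printed above:
    "<path>"="<path>:<scope>:<Enabled|Disabled>:<description>"
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Binaries whose job is to run someone else's code; an exception for them is an
# exception for whatever they are told to load.
HOST_PROCESSES = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

RE_VALUE = re.compile(r'^"(?P<path>[^"]+)"="(?P<val>.*)"$')

Entry = Tuple[str, str, str, str]  # (path, scope, state, description)


def parse_entry(line: str) -> Optional[Entry]:
    """Split one AuthorizedApplications value; None for lines that are not one."""
    m = RE_VALUE.match(line.strip())
    if not m:
        return None
    path, val = m.group("path"), m.group("val")
    # The value repeats the path, so strip it by length rather than splitting on
    # ':' from the left (the drive letter and descriptions may contain colons).
    if not val.lower().startswith(path.lower() + ":"):
        return None
    parts = val[len(path) + 1:].split(":", 2)
    if len(parts) != 3:
        return None
    scope, state, desc = parts
    return path, scope, state, desc


def in_windows_dir(path: str) -> bool:
    p = path.lower()
    return p.startswith("%windir%") or "\\windows\\" in p


def audit_exceptions(export_text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for enabled exceptions that deserve a look."""
    findings: List[Tuple[str, str]] = []
    by_desc: Dict[str, List[str]] = defaultdict(list)
    for line in export_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        path, _scope, state, desc = entry
        if state.lower() != "enabled":
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        if name in HOST_PROCESSES:
            findings.append((path, "generic host process allowed through the firewall"))
        elif in_windows_dir(path) and not desc.startswith("@"):
            findings.append((path, f"Windows-directory binary with plain-text description {desc!r}; verify the file"))
        by_desc[desc].append(path)
    # Windows' own entries use '@resource.dll,-id' descriptions; a hand-written
    # description reused across several executables usually means one installer.
    for desc, paths in by_desc.items():
        if len(paths) > 1 and not desc.startswith("@"):
            for p in paths:
                others = ", ".join(q for q in paths if q != p)
                findings.append((p, f"description {desc!r} also used by {others}"))
    return findings


# Seven lines taken from the SDFix report in the post above.
SAMPLE_EXPORT = r"""
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Opera\Opera.exe"="C:\Program Files\Opera\Opera.exe:*:Enabled:Opera Internet Browser"
"C:\WINDOWS\System32\rundll32.exe"="C:\WINDOWS\System32\rundll32.exe:*:Enabled:Uruchamia plik DLL jako aplikację"
"C:\WINDOWS\system32\wintime.exe"="C:\WINDOWS\system32\wintime.exe:*:Enabled:cmdLD"
"C:\WINDOWS\System32\hdfmig.exe"="C:\WINDOWS\System32\hdfmig.exe:*:Enabled:helpLD"
"C:\WINDOWS\system32\ldmgr.exe"="C:\WINDOWS\system32\ldmgr.exe:*:Enabled:helpLD"
"C:\WINDOWS\System32\LEXPPS.EXE"="C:\WINDOWS\System32\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"""

if __name__ == "__main__":
    for path, reason in audit_exceptions(SAMPLE_EXPORT):
        print(f"{path}\n    {reason}")
```

The shared-description rule is what ties hdfmig.exe to ldmgr.exe here; on its own, a plain description on a system32 binary is only a prompt to check the file's signature and timestamp, since legitimate third-party installers (the Lexmark spooler in this log) put files there too.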
huber2t
(huber2t)
28 August 2008 20:04
#5
Download ComboFix, but do not run it
Open Notepad and paste into it:
File::
C:\WINDOWS\rodqgpvlkel.dll
C:\WINDOWS\pdoskegl.dll
C:\WINDOWS\rqbmvpso.dll
C:\WINDOWS\qalkfxor.dll
C:\WINDOWS\rvoelbxt.exe
Folder::
C:\FOUND.002
C:\FOUND.001
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E46A59BF-81A2-48B5-A88A-E262DDC9349E}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e7080e6-b574-11dc-a6f0-4d6564696130}]
File -> Save As -> CFScript.txt.
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like here->
Removal will begin and a log will be produced, which you post on the forum.
Post logs on http://wklej.eu or http://wklej.org and put only the link in your post
papajkal
(Papajkal)
28 August 2008 20:14
#6
OK, thanks. I did that; here's the code:
http://wklej.org/id/1595/
Did I paste it correctly?
huber2t
(huber2t)
28 August 2008 20:16
#7
Carry out the earlier instruction again
papajkal
(Papajkal)
28 August 2008 20:28
#8
I did that too; here's the code:
http://wklej.org/id/1600/
Gutek
(Gutek)
28 August 2008 20:41
#9
Please download and use Malwarebytes' Anti-Malware
Press Scan, select the drives to scan and wait; at the end press Remove Selected and OK
papajkal
(Papajkal)
28 August 2008 22:13
#10
I did it; here's the code:
http://wklej.org/id/1630/
And is that all?
papajkal
(Papajkal)
29 August 2008 16:46
#12
OK, once again many thanks to everyone who helped. Regards