Computer cleaner - constant attempts to install itself

(Arturbanaszkiewicz) #1

Hello! I have the problem described in the subject. The cleaner's page keeps opening on its own. I don't let it install, but how do I block that page? Could you please check the logs from HijackThis and ComboFix (maybe the cleaner is already installed after all)?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:17:19, on 2008-07-04

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16681)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Launch Manager\HotkeyApp.exe

C:\Program Files\Synaptics\SynTP\SynTPStart.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Internet Explorer\ieuser.exe

C:\Windows\explorer.exe

C:\Windows\system32\conime.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O4 - HKLM…\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM…\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM…\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM…\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM…\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM…\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"

O4 - HKLM…\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe

O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM…\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM…\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM…\Run: [recinfo91] c:\RecInfo\RecInfo.exe

O4 - HKLM…\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe

O4 - HKLM…\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe

O4 - HKLM…\Run: [Wbutton] C:\Program Files\Launch Manager\WButton.exe

O4 - HKCU…\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU…\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU…\Run: [MSServer] rundll32.exe C:\Users\admin\AppData\Local\Temp\tuvUMcax.dll,#1

O4 - HKCU…\Run: [MSSMSGS] rundll32.exe winouw32.rom,LNiRun

O4 - HKCU…\Run: [cmds] rundll32.exe C:\Users\admin\AppData\Local\Temp\ljJBtqQh.dll,c

O4 - HKCU…\Run: [3a1bbb3a] rundll32.exe "C:\Users\admin\AppData\Local\Temp\efbcibcr.dll",b

O4 - HKUS\S-1-5-19…\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19…\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20…\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'USŁUGA SIECIOWA')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

O13 - Gopher Prefix:

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe

O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe

End of file - 6592 bytes

And now ComboFix

ComboFix 08-07-04.1 - admin 2008-07-04 21:27:49.1 - NTFSx86

Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1250.1.1045.18.223 [GMT 2:00]

Running from: D:\instalki\ochrona komputera\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Windows\system32\x64

.

((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))

.

2008-07-04 21:16 . 2008-07-04 21:16

2008-07-01 15:14 . 2008-07-01 15:14

2008-06-29 15:25 . 2008-06-29 15:26

2008-06-29 13:01 . 2008-06-29 13:01

2008-06-29 13:01 . 2008-06-29 13:01

2008-06-28 14:49 . 2008-06-28 14:49

2008-06-26 09:17 . 2008-06-26 09:17 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys

2008-06-26 09:17 . 2008-06-26 09:17 194,560 --a------ C:\Windows\System32\WebClnt.dll

2008-06-26 09:17 . 2008-06-26 09:17 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys

2008-06-26 09:17 . 2008-06-26 09:17 41,984 --a------ C:\Windows\System32\drivers\monitor.sys

2008-06-26 09:14 . 2008-06-26 09:14 1,585,664 --a------ C:\Windows\System32\setupapi.dll

2008-06-26 09:12 . 2008-06-26 09:12 2,027,008 --a------ C:\Windows\System32\win32k.sys

2008-06-26 09:12 . 2008-06-26 09:12 223,232 --a------ C:\Windows\System32\WMASF.DLL

2008-06-26 09:12 . 2008-06-26 09:12 9,728 --a------ C:\Windows\System32\LAPRXY.DLL

2008-06-26 09:12 . 2008-06-26 09:12 2,048 --a------ C:\Windows\System32\asferror.dll

2008-06-26 09:11 . 2008-06-26 09:11 296,448 --a------ C:\Windows\System32\gdi32.dll

2008-06-26 09:11 . 2008-06-26 09:11 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys

2008-06-26 09:11 . 2008-06-26 09:11 14,848 --a------ C:\Windows\System32\wshrm.dll

2008-06-26 09:11 . 2008-06-26 09:11 11,776 --a------ C:\Windows\System32\sbunattend.exe

2008-06-26 09:10 . 2008-06-26 09:10 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll

2008-06-26 09:10 . 2008-06-26 09:10 1,686,528 --a------ C:\Windows\System32\gameux.dll

2008-06-26 09:09 . 2008-06-26 09:09 1,327,104 --a------ C:\Windows\System32\quartz.dll

2008-06-26 09:09 . 2008-06-26 09:09 130,048 --a------ C:\Windows\System32\drivers\srv2.sys

2008-06-26 09:09 . 2008-06-26 09:09 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys

2008-06-26 09:09 . 2008-06-26 09:09 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys

2008-06-26 09:09 . 2008-06-26 09:09 83,968 --a------ C:\Windows\System32\dnsrslvr.dll

2008-06-26 09:09 . 2008-06-26 09:09 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys

2008-06-26 09:09 . 2008-06-26 09:09 24,576 --a------ C:\Windows\System32\dnscacheugc.exe

2008-06-26 09:07 . 2008-06-26 09:07 826,368 --a------ C:\Windows\System32\wininet.dll

2008-06-26 09:05 . 2008-06-26 09:05 2,048 --a------ C:\Windows\System32\tzres.dll

2008-06-24 07:33 . 2008-06-24 07:33 1,712,984 --a------ C:\Windows\System32\wuaueng.dll

2008-06-24 07:33 . 2008-06-24 07:33 1,524,224 --a------ C:\Windows\System32\wucltux.dll

2008-06-24 07:33 . 2008-06-24 07:33 549,720 --a------ C:\Windows\System32\wuapi.dll

2008-06-24 07:33 . 2008-06-24 07:33 163,000 --a------ C:\Windows\System32\wuwebv.dll

2008-06-24 07:33 . 2008-06-24 07:33 80,896 --a------ C:\Windows\System32\wudriver.dll

2008-06-24 07:33 . 2008-06-24 07:33 53,080 --a------ C:\Windows\System32\wuauclt.exe

2008-06-24 07:33 . 2008-06-24 07:33 43,352 --a------ C:\Windows\System32\wups2.dll

2008-06-24 07:33 . 2008-06-24 07:33 33,624 --a------ C:\Windows\System32\wups.dll

2008-06-24 07:33 . 2008-06-24 07:33 31,232 --a------ C:\Windows\System32\wuapp.exe

2008-06-24 00:54 . 2008-06-24 00:54

2008-06-24 00:50 . 2008-06-24 00:50

2008-06-24 00:47 . 2008-06-24 00:52

2008-06-24 00:47 . 2008-06-24 00:47

2008-06-23 21:57 . 2005-11-10 12:54 402,944 --a------ C:\Windows\System32\drivers\BLKWGU.sys

2008-06-23 21:48 . 2008-06-23 21:48

2008-06-23 21:47 . 2008-06-23 21:47

2008-06-23 21:40 . 2008-06-23 21:40

2008-06-23 21:40 . 2008-07-02 16:32

2008-06-23 21:39 . 2008-06-23 21:40

2008-06-23 21:39 . 2008-06-23 21:42

2008-06-23 21:39 . 2008-06-26 16:55

2008-06-23 21:39 . 2008-06-23 21:40

2008-06-23 21:39 . 2008-06-23 21:40

2008-06-23 21:39 . 2008-06-23 21:40

2008-06-23 21:39 . 2008-06-29 13:01

2008-06-23 21:39 . 2008-06-23 21:40

2008-06-23 21:39 . 2008-06-24 00:47

2008-06-23 21:35 . 2008-06-23 21:35

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-26 07:22 --------- d-----w C:\Program Files\Windows Sidebar

2008-06-26 07:22 --------- d-----w C:\Program Files\Windows Mail

2008-06-26 07:13 944,184 ----a-w C:\Windows\System32\winload.exe

2008-06-26 07:10 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-06-26 07:10 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll

2008-06-26 07:10 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll

2008-06-26 07:10 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll

2008-06-26 07:10 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll

2008-06-26 07:07 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2008-06-26 07:06 56,320 ----a-w C:\Windows\System32\iesetup.dll

2008-06-26 07:06 26,624 ----a-w C:\Windows\System32\ieUnatt.exe

2008-06-23 22:35 --------- d-----w C:\Program Files\Norton Internet Security

2008-06-23 22:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-06-23 22:32 --------- d-----w C:\ProgramData\Symantec

2008-06-23 22:31 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF

2008-06-23 22:31 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS

2008-06-23 22:31 10,671 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT

2008-06-23 22:31 --------- d-----w C:\Program Files\Symantec

2008-06-23 19:50 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-06-23 19:35 --------- d-sh--w C:\ProgramData\Ulubione

2008-06-23 19:35 --------- d-sh--w C:\ProgramData\Szablony

2008-06-23 19:35 --------- d-sh--w C:\ProgramData\Pulpit

2008-06-23 19:35 --------- d-sh--w C:\ProgramData\Menu Start

2008-06-23 19:35 --------- d-sh--w C:\ProgramData\Dokumenty

2008-06-23 19:35 --------- d-sh--w C:\ProgramData\Dane aplikacji

2007-12-13 15:22 174 --sha-w C:\Program Files\desktop.ini

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-06-26 09:11 1232896]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]

"cmds"="C:\Users\admin\AppData\Local\Temp\ljJBtqQh.dll" [2008-06-29 15:05 284672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-06-06 11:52 142104]

"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-06-06 11:52 154392]

"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-06-06 11:52 138008]

"HotkeyApp"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2007-07-26 15:56 192512]

"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-08-17 14:40 102400]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-02-26 21:46 153136]

"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-25 01:08 107112]

"osCheck"="c:\Program Files\Norton Internet Security\osCheck.exe" [2006-10-27 02:18 22696]

"recinfo91"="c:\RecInfo\RecInfo.exe" [2007-06-06 13:33 2768896]

"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 11:06 4669440 C:\Windows\RtHDVCpl.exe]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 03:48:00 40048]

Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 02:01:00 734872]

Belkin Wireless USB Utility.lnk - C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 11:23:10 1404928]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UacDisableNotify"=dword:00000001

"InternetSettingsDisableNotify"=dword:00000001

"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]

"EnableFirewall"= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]

"EnableFirewall"= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]

"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]

"EnableFirewall"= 0 (0x0)

"DisabledInterfaces"= {FE69FB1E-3177-4F30-AA93-F6C4388936B0}

R1 Hotkey;Hotkey;C:\Windows\system32\drivers\Hotkey.sys [2003-04-28 12:27]

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080623.001\IDSvix86.sys [2008-06-03 17:55]

R2 TestHandler;Fujitsu Siemens Computers Diagnostic Testhandler;C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe [2006-12-08 11:52]

R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-05-31 10:51]

R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2006-10-24 15:40]

R3 WisLMSvc;WisLMSvc;"C:\Program Files\Launch Manager\WisLMSvc.exe" [2006-11-17 21:45]

S4 nvrd32;NVIDIA nForce RAID Driver;C:\Windows\system32\drivers\nvrd32.sys [2007-07-02 17:37]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{cb14cdfe-45f4-11dd-a3bd-0016d38cc182}]

\shell\AutoRun\command - op.bat

\shell\explore\Command - op.bat

\shell\open\Command - op.bat

*Newly Created Service* - CATCHME

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

"2008-06-23 22:35:26 C:\Windows\Tasks\Norton Internet Security - Uruchom pełne skanowanie systemu - admin.job"

- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-MSSMSGS - winouw32.rom

HKLM-Run-CtrlVol - C:\Program Files\Launch Manager\CtrlVol.exe

HKLM-Run-LaunchAp - C:\Program Files\Launch Manager\LaunchAp.exe

HKLM-Run-Wbutton - C:\Program Files\Launch Manager\WButton.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-04 21:31:50

Windows 6.0.6000 NTFS

scanning hidden processes …

scanning hidden autostart entries …

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CtrlVol = C:\Program Files\Launch Manager\CtrlVol.exe

LaunchAp = C:\Program Files\Launch Manager\LaunchAp.exe

Wbutton = C:\Program Files\Launch Manager\WButton.exe

scanning hidden files …

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe

-> C:\Users\admin\AppData\Local\Temp\ljJBtqQh.dll

.

Completion time: 2008-07-04 21:34:09

ComboFix-quarantined-files.txt 2008-07-04 19:33:01

Pre-Run: 48,052,731,904 bajtów wolnych

Post-Run: 47,974,313,984 bajtów wolnych

188 --- E O F --- 2008-06-26 09:38:22
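As an added example (not part of this thread and not code from HijackThis or ComboFix), a small Python triage script that applies the checks a log reviewer performs on output like the logs above: Run entries that launch rundll32.exe with a module from a Temp folder or with a non-library extension, machine-looking value names, and Security Center or firewall settings reported as switched off. The sample lines are constructed to mirror the shape of the entries above, and the flag names are the script's own.

```python
import re

# Constructed sample lines, modelled on the shape of the HijackThis O4 entries in the post above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\admin\AppData\Local\Temp\tuvUMcax.dll,#1
O4 - HKCU\..\Run: [MSSMSGS] rundll32.exe winouw32.rom,LNiRun
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\admin\AppData\Local\Temp\ljJBtqQh.dll,c
O4 - HKCU\..\Run: [3a1bbb3a] rundll32.exe "C:\Users\admin\AppData\Local\Temp\efbcibcr.dll",b
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
"""
# Constructed sample, modelled on the ComboFix "Reg Loading Points" section above.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"""
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
LOADABLE = ('.dll', '.cpl', '.ocx', '.ax')   # what rundll32 is normally handed

def triage_o4(text):
    """Return [(value_name, [flags])] for O4 Run entries that deserve a closer look."""
    out = []
    for m in filter(None, map(O4_RE.match, text.splitlines())):
        name, cmd = m.group('name'), m.group('cmd').strip()
        flags = []
        # "rundll32.exe <module>,<export>": the module, not rundll32, is the real payload
        if cmd.lower().startswith('rundll32.exe '):
            module = cmd[len('rundll32.exe '):].rsplit(',', 1)[0].strip().strip('"')
            if re.search(r'\\temp\\', module, re.I):
                flags.append('temp_dll')          # code persisting from a Temp folder
            if not module.lower().endswith(LOADABLE):
                flags.append('odd_extension')     # e.g. a ".rom" handed to rundll32
        if re.fullmatch(r'[0-9a-f]{8}', name):
            flags.append('random_name')           # machine-generated value name
        if flags:
            out.append((name, flags))
    return out

def weakened_defenses(text):
    """Return [(key, value_name)] for Security Center notifications switched off or a
    firewall profile disabled; review prompts, not verdicts (a suite may do this itself)."""
    out, key = [], ''
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"\s*=\s*(.*)$', line)
        if not m:
            continue
        vname, value = m.groups()
        disabled = vname.endswith(('DisableNotify', 'DisableMonitoring')) and value == 'dword:00000001'
        if disabled or (vname == 'EnableFirewall' and value.startswith('0')):
            out.append((key, vname))
    return out
```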

(Gutek) #2

Change to the rules for pasting logs on the forum - viewtopic.php?f=16&t=253052

Paste into Notepad:

Folder::

C:\Users\admin\AppData\Local\Temp


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

>>File>>Save as... >>> CFScript (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)

- just like in this picture -> 88953CFScript-createdbyMiekiemoes.gif

(if the question "1 or 2" appears, type 1 and press ENTER). The removal should then start (and a log will be produced).

After the restart, manually delete the folder C:\Qoobox.

After that, a new ComboFix log and a scan at http://www.kaspersky.pl/virusscanner.html

In Safe Mode use http://www.brothersoft.com/prt-(perlovga-removal-tool)-60877.html