POMOCY! nie moge usunąć ANTIVIRUS XP 2008 - podaje loga

mr.prezes666 · 5 Sierpień 2008 20:54

Witam,

trochę nie wypada być nowym i od razu z problemem :oops:

Załapałem wirusa?? ANTIVIRUS XP 2008 i żadnym sposobem jak do tej pory nie mogę go wyplenić

Próbowałem kierować się wskazówek na innych postach i usunąć chwasta, lecz bezskutecznie :!:

Proszę o pomoc i wskazówki

Podaje log z HijackThis:

:o

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:46:04, on 2008-08-05

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\System32\PAStiSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

C:\Documents and Settings\All Users\Dane aplikacji\ipajadmr\elubkvgx.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\mrmjkxsv.exe

C:\WINDOWS\system32\mnihebyj.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\rhc1e8j0eae3\rhc1e8j0eae3.exe

C:\WINDOWS\system32\pphc5e8j0eae3.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\mnihebyj.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\msntb.dll

O3 - Toolbar: Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM…\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [lphc5e8j0eae3] C:\WINDOWS\system32\lphc5e8j0eae3.exe

O4 - HKLM…\Run: [sMrhc1e8j0eae3] C:\Program Files\rhc1e8j0eae3\rhc1e8j0eae3.exe

O4 - HKCU…\Run: [actstrproc] C:\WINDOWS\system32\mnihebyj.exe

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM…\Policies\Explorer\Run: [iZws0nOkF4] C:\Documents and Settings\All Users\Dane aplikacji\ipajadmr\elubkvgx.exe

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)

O8 - Extra context menu item: MSN Search - res://C:\Program Files\MSN Toolbar Suite\msntb.dll/search.htm

O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\en-ww\msntabres.dll.mui/229?9c654e89597640308ff3e7ea5560729f

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\en-ww\msntabres.dll.mui/230?9c654e89597640308ff3e7ea5560729f

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 6496058125

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O21 - SSODL: MonWin - {31734C8A-D408-73CF-4445-0B8E5B11881E} - C:\Program Files\glhphed\MonWin.dll

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

O23 - Service: WEP/WPA-PMK key recovery service (WZCOOK) - Unknown owner - C:\Documents and Settings\Jan Jaworski\Pulpit\aircrack-ng-0.9.2-win\bin\wzcook.exe (file missing)

–

End of file - 8649 bytes

:!: :!: :!: :!: :!: Z góry dziękuję :!: :!: :!: :!: :!:

mr.prezes666 · 5 Sierpień 2008 21:21

Dodaje jeszcze log z COMBOFIX

ComboFix 08-07-27.2 - 2008-08-05 22:08:33.8 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.575 [GMT 1:00]

Running from: C:\Documents and Settings\Jan Jaworski\Pulpit\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Jan Jaworski\Dane aplikacji\rhc1e8j0eae3

C:\Program Files\rhc1e8j0eae3

C:\WINDOWS\system32\blphc5e8j0eae3.scr

C:\WINDOWS\system32\lphc5e8j0eae3.exe

C:\WINDOWS\system32\phc5e8j0eae3.bmp

C:\WINDOWS\system32\pphc5e8j0eae3.exe

.

((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))

.

2008-08-05 22:12 . 2008-08-05 22:12 133,120 --a------ C:\WINDOWS\system32\lphc5e8j0eae3.exe

2008-08-05 22:12 . 2008-08-05 22:12 90,838 --a------ C:\WINDOWS\system32\phc5e8j0eae3.bmp

2008-08-05 22:12 . 2008-08-05 22:12 77,824 --a------ C:\WINDOWS\system32\xglojwrq.exe

2008-08-05 22:12 . 2008-08-05 22:12 60,928 --a------ C:\WINDOWS\system32\blphc5e8j0eae3.scr

2008-08-05 21:38 . 2008-08-05 21:38 94,208 --a------ C:\WINDOWS\system32\30.tmp

2008-08-05 21:27 . 2008-08-05 21:27 77,824 --a------ C:\WINDOWS\system32\mnihebyj.exe

2008-08-05 21:11 . 2008-08-05 21:11 77,824 --a------ C:\WINDOWS\system32\gjezovqh.exe

2008-08-05 19:57 . 2008-08-05 19:57 77,824 --a------ C:\WINDOWS\system32\abqnepol.exe

2008-08-05 19:01 . 2008-08-05 19:01

2008-08-05 19:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-08-05 19:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-08-05 18:59 . 2008-08-05 18:59 77,824 --a------ C:\WINDOWS\system32\ifshsbij.exe

2008-08-05 07:17 . 2008-08-05 07:17

2008-08-05 07:16 . 2008-08-05 07:16 86,016 --a------ C:\WINDOWS\system32\chqnmhmz.exe

2008-08-04 18:30 . 2008-08-04 18:30

2008-08-04 18:04 . 2008-08-04 18:04 114,176 --a------ C:\WINDOWS\system32\lalalune.exe

2008-08-04 18:04 . 2008-08-04 18:04 81,920 --a------ C:\WINDOWS\system32\zuhebmxk.exe

2008-08-04 17:28 . 2008-08-04 17:28

2008-08-04 17:28 . 2008-08-04 17:28 90,112 --a------ C:\WINDOWS\system32\ulavgdal.exe

2008-08-03 16:51 . 2008-08-03 16:52

2008-07-28 00:46 . 2008-07-28 00:46

2008-07-27 14:12 . 2006-09-27 16:09

2008-07-27 14:12 . 2008-08-05 22:09

2008-07-27 14:12 . 2006-09-27 16:09

2008-07-27 14:12 . 2006-08-25 10:18

2008-07-27 14:12 . 2006-09-27 16:09

2008-07-27 14:12 . 2008-07-27 14:12

2008-07-27 13:38 . 2008-07-27 13:38

2008-07-27 13:38 . 2008-07-27 13:38 49,152 --a------ C:\WINDOWS~DF88CF.tmp

2008-07-26 20:13 . 2008-07-26 20:23 4,632,580 --a------ C:\Program Files\setuppol.exe

2008-07-26 19:53 . 2008-07-26 22:50

2008-07-25 20:03 . 2008-07-25 20:03

2008-07-25 18:22 . 2008-07-25 18:22 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX

2008-07-24 18:24 . 2008-07-24 19:37

2008-07-24 18:06 . 2008-07-24 18:06

2008-07-24 17:59 . 2008-07-25 20:48

2008-07-06 22:55 . 2008-07-06 22:55

2008-07-06 22:48 . 2008-07-06 22:48

2008-07-06 22:44 . 2008-07-06 22:44

2008-07-06 22:12 . 2008-07-06 22:16

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-05 21:12 --------- d-----w C:\Program Files\rhc1e8j0eae3

2008-08-05 07:54 --------- d-----w C:\Documents and Settings\Jan Jaworski\Dane aplikacji\uTorrent

2008-08-04 21:51 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Symantec

2008-08-04 17:06 --------- d-----w C:\Documents and Settings\Jan Jaworski\Dane aplikacji\Skype

2008-08-04 16:41 --------- d-----w C:\Documents and Settings\Jan Jaworski\Dane aplikacji\skypePM

2008-07-26 20:21 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-07-26 20:19 --------- d-----w C:\Program Files\Symantec

2008-07-25 19:48 --------- d–h--w C:\Program Files\InstallShield Installation Information

2008-07-25 17:32 --------- d—a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP

2008-07-25 15:57 --------- d-----w C:\Program Files\Google

2008-06-30 16:25 8,213,400 ----a-w C:\Program Files\Firefox Setup 3.0.exe

2008-06-27 17:47 --------- d-----w C:\Program Files\Common Files\Skype

2008-06-25 22:18 --------- d-----w C:\Documents and Settings\Jan Jaworski\Dane aplikacji\XnView

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-17 16:32 --------- d-----w C:\Program Files\Eidos

2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-05-14 22:20 701,237 ----a-w C:\Program Files\budzik104.exe

2008-04-19 17:56 2,228,534 ----a-w C:\Program Files\audacity-win-1.2.6.exe

2008-04-13 14:24 25,802,312 ----a-w C:\Program Files\wmp11-windowsxp-x86-PL-PL.exe

2008-04-10 20:47 1,495,112 ----a-w C:\Program Files\install_flash_player.exe

2008-03-09 18:06 3,061,518 ----a-w C:\Program Files\Setup_MagicISO.exe

2008-02-14 19:23 18,067,416 ----a-w C:\Program Files\setupUK.exe

2008-02-14 15:29 219,952 ----a-w C:\Program Files\utorrent.exe

2008-01-27 20:10 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2007-09-30 11:21 5,979,191 ----a-w C:\Program Files\realalt160.exe

2007-09-29 16:22 6,221,304 ----a-w C:\Program Files\winamp535_full_emusic-7plus.exe

2007-09-29 16:04 61,647,736 ----a-w C:\Program Files\directx_aug2007_redist.exe

2007-06-24 00:45 4,213,173 ----a-w C:\Program Files\ffdshow_rev1183_20070519_clsid.exe

2007-06-23 18:18 6,448,349 ----a-w C:\Program Files\realalt152.exe

2007-06-10 21:48 2,090,016 ----a-w C:\Program Files\aresregular209_installer.exe

2007-06-01 17:46 4,109,584 ----a-w C:\Program Files\gg77.exe

2007-05-25 20:37 2,248,200 ----a-w C:\Program Files\SopCast.zip

2007-05-25 20:10 1,925,464 ----a-w C:\Program Files\NeoDownloaderLiteSetup.exe

2007-05-25 19:04 11,832,700 ----a-w C:\Program Files\XnView-win-full.zip

2007-05-12 21:00 11,694,924 ----a-w C:\Program Files\QLoaderFull.exe

2007-04-18 19:37 21,734,668 ----a-w C:\Program Files\nero6009.exe

2007-04-13 20:02 750,527 ----a-w C:\Program Files\screamer038.exe

2006-10-15 19:27 1,441,018 ----a-w C:\Program Files\ALLPlayer.exe

2006-09-01 17:18 1,039,438 ----a-w C:\Program Files\wrar351pl.exe

.

((((((((((((((((((((((((((((( snapshot@2008-07-27_20.37.14.78 )))))))))))))))))))))))))))))))))))))))))

.

2008-08-05 21:11:11 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1fc.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“actstrproc”=“C:\WINDOWS\system32\mnihebyj.exe” [2008-08-05 21:27 77824]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 12:00 15360]

“actsmartchk”=“C:\WINDOWS\system32\xglojwrq.exe” [2008-08-05 22:12 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-05-01 12:04 7557120]

“lphc5e8j0eae3”=“C:\WINDOWS\system32\lphc5e8j0eae3.exe” [2008-08-05 22:12 133120]

“SMrhc1e8j0eae3”=“C:\Program Files\rhc1e8j0eae3\rhc1e8j0eae3.exe” [2008-08-05 12:43 9467904]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

“IZws0nOkF4”=“C:\Documents and Settings\All Users\Dane aplikacji\ipajadmr\elubkvgx.exe” [2008-08-04 17:28 57344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

“NoDispBackgroundPage”= 1 (0x1)

“NoDispScrSavPage”= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

“{56F9679E-7826-4C84-81F3-532071A8BCC5}”= “C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll” [2006-03-13 12:11 233472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

“MonWin”= {31734C8A-D408-73CF-4445-0B8E5B11881E} - C:\Program Files\glhphed\MonWin.dll [2008-08-05 07:17 122880]

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Bluetooth Manager.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Bluetooth Manager.lnk

backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Windows Desktop Search.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Windows Desktop Search.lnk

backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^Jan Jaworski^Menu Start^Programy^Autostart^Szybkie uruchamianie programu Microsoft Office OneNote 2003.lnk]

path=C:\Documents and Settings\Jan Jaworski\Menu Start\Programy\Autostart\Szybkie uruchamianie programu Microsoft Office OneNote 2003.lnk

backup=C:\WINDOWS\pss\Szybkie uruchamianie programu Microsoft Office OneNote 2003.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\actadmsrv]

–a------ 2008-08-05 21:11 77824 C:\WINDOWS\system32\gjezovqh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdmApi]

–a------ 2008-08-05 18:59 77824 C:\WINDOWS\system32\ifshsbij.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]

–a------ 2007-05-04 01:32 961024 C:\Program Files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

–a------ 2004-08-04 12:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

–a------ 2005-10-06 05:20 122940 C:\WINDOWS\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EnMnt]

–a------ 2008-08-05 19:57 77824 C:\WINDOWS\system32\abqnepol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

–a------ 2007-05-10 15:36 2111176 C:\Program Files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]

–a------ 2005-11-28 10:41 602182 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]

–a------ 2005-12-05 11:37 667718 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc5e8j0eae3]

–a------ 2008-08-05 22:12 133120 C:\WINDOWS\system32\lphc5e8j0eae3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msgsh]

–a------ 2008-08-04 17:28 90112 C:\WINDOWS\system32\ulavgdal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

–a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

–a------ 2006-05-01 12:04 7557120 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRotateSysTray]

–a------ 2006-05-01 12:04 49152 C:\WINDOWS\system32\nvsysrot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\procchkwin]

–a------ 2008-08-04 18:04 81920 C:\WINDOWS\system32\zuhebmxk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra------ 2008-05-30 15:54 21718312 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhc1e8j0eae3]

–a------ 2008-08-05 12:43 9467904 C:\Program Files\rhc1e8j0eae3\rhc1e8j0eae3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

–a------ 2006-03-02 15:02 761948 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]

–a------ 2006-01-05 14:02 352256 C:\Program Files\Toshiba\TOSHIBA Applet\THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]

–a------ 2005-04-12 12:04 65536 C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]

–a------ 2006-02-02 12:11 73728 C:\Program Files\Toshiba\Tvs\TvsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinStrUtil]

–a------ 2008-08-05 07:16 86016 C:\WINDOWS\system32\chqnmhmz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

–a------ 2005-10-15 14:29 88203 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

–a------ 2006-05-01 12:04 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

–a------ 2005-12-09 23:49 15691264 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDispVol]

–a------ 2005-09-16 14:44 73728 C:\WINDOWS\system32\TDispVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]

–a------ 2005-08-04 14:16 266240 C:\WINDOWS\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

“DisableMonitoring”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“C:\Program Files\utorrent.exe”=

“C:\Program Files\Gadu-Gadu\gg.exe”=

“C:\CS1.6 pod-Bot\hl.exe”=

“C:\Program Files\Toshiba\ConfigFree\CFXFER.exe”=

“%windir%\Network Diagnostic\xpnetdiag.exe”=

“C:\Program Files\Ares\Ares.exe”=

“C:\Program Files\Skype\Phone\Skype.exe”=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

“1700:TCP”= 1700:TCP:MioNet Remote Drive Access

“1641:TCP”= 1641:TCP:MioNet Remote Drive Verification

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 15:35]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 15:37]

S3 ATE_PROCMON;ATE_PROCMON;C:\Program Files\Anti Trojan Elite\ATEPMon.sys []

S3 nenum13E;nenum13E;C:\DOCUME~1\JANJAW~1\USTAWI~1\Temp\nenum13E.sys []

S3 SPC610NC;Philips SPC500NC Webcam;C:\WINDOWS\system32\DRIVERS\SPC610NC.SYS []

S3 WZCOOK;WEP/WPA-PMK key recovery service;C:\Documents and Settings\Jan Jaworski\Pulpit\aircrack-ng-0.9.2-win\bin\wzcook.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{538fafde-2d88-11dc-b0e6-00a0d164c1dc}]

\Shell\AutoRun\command - F:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{f323e479-5050-11dc-b140-00a0d164c1dc}]

\Shell\AutoRun\command - F:\USBNB.exe

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.google.pl/

R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s

O8 -: &MSN Search - C:\Program Files\MSN Toolbar Suite\msntb.dll/search.htm

O8 -: E&ksport do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 -: Open in new background tab - C:\Program Files\MSN Toolbar Suite\en-ww\msntabres.dll.mui/229?9c654e89597640308ff3e7ea5560729f

O8 -: Open in new foreground tab - C:\Program Files\MSN Toolbar Suite\en-ww\msntabres.dll.mui/230?9c654e89597640308ff3e7ea5560729f

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-05 22:12:10

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

C:\Documents and Settings\Jan Jaworski\Dane aplikacji\rhc1e8j0eae3

C:\Documents and Settings\Jan Jaworski\Dane aplikacji\rhc1e8j0eae3\Quarantine

C:\Documents and Settings\Jan Jaworski\Dane aplikacji\rhc1e8j0eae3\Quarantine\Autorun

C:\Documents and Settings\Jan Jaworski\Dane aplikacji\rhc1e8j0eae3\Quarantine\Autorun\HKCU

C:\Documents and Settings\Jan Jaworski\Dane aplikacji\rhc1e8j0eae3\Quarantine\Autorun\HKCU\RunOnce

C:\Documents and Settings\Jan Jaworski\Dane aplikacji\rhc1e8j0eae3\Quarantine\Autorun\HKLM

C:\Documents and Settings\Jan Jaworski\Dane aplikacji\rhc1e8j0eae3\Quarantine\Autorun\HKLM\RunOnce

C:\Documents and Settings\Jan Jaworski\Dane aplikacji\rhc1e8j0eae3\Quarantine\Autorun\StartMenuAllUsers

C:\Documents and Settings\Jan Jaworski\Dane aplikacji\rhc1e8j0eae3\Quarantine\Autorun\StartMenuCurrentUser

C:\Documents and Settings\Jan Jaworski\Dane aplikacji\rhc1e8j0eae3\Quarantine\BrowserObjects

C:\Documents and Settings\Jan Jaworski\Dane aplikacji\rhc1e8j0eae3\Quarantine\Packages

C:\WINDOWS\system32\lphc5e8j0eae3.exe 133120 bytes executable

C:\WINDOWS\system32\phc5e8j0eae3.bmp 90838 bytes

C:\WINDOWS\system32\xglojwrq.exe 77824 bytes executable

C:\WINDOWS\system32\pphc5e8j0eae3.exe 94208 bytes executable

scan completed successfully

hidden files: 15

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe

C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\PAStiSvc.exe

C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\pphc5e8j0eae3.exe

.

**************************************************************************

.

Completion time: 2008-08-05 22:17:33 - machine was rebooted

ComboFix-quarantined-files.txt 2008-08-05 21:17:30

ComboFix2.txt 2008-08-05 20:30:35

ComboFix3.txt 2008-08-05 17:50:51

ComboFix4.txt 2008-08-05 17:38:45

ComboFix5.txt 2008-08-05 21:08:22

Pre-Run: 61,801,938,944 bajtów wolnych

Post-Run: 61,777,403,904 bajt˘w wolnych

297 — E O F — 2008-07-24 10:21:03

huber2t · 6 Sierpień 2008 03:58

fix w hijakthis

Pobierz ComboFix, ale nie uruchamiaj

Otwórz notatnik i wklej do niego:

File::

C:\WINDOWS\system32\lphc5e8j0eae3.exe

C:\WINDOWS\system32\phc5e8j0eae3.bmp

C:\WINDOWS\system32\xglojwrq.exe

C:\WINDOWS\system32\blphc5e8j0eae3.scr

C:\WINDOWS\system32\30.tmp

C:\WINDOWS\system32\mnihebyj.exe

C:\WINDOWS\system32\gjezovqh.exe

C:\WINDOWS\system32\abqnepol.exe

C:\WINDOWS\system32\ifshsbij.exe

C:\WINDOWS\system32\chqnmhmz.exe

C:\WINDOWS\system32\lalalune.exe

C:\WINDOWS\system32\zuhebmxk.exe

C:\WINDOWS\system32\ulavgdal.exe

C:\WINDOWS\msdownld.tmp

C:\WINDOWS\~DF88CF.tmp


Folder::

C:\Documents and Settings\All Users\Dane aplikacji\ipajadmr

C:\Program Files\rhc1e8j0eae3

C:\Program Files\glhphed


Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"actstrproc"=-

"ctfmon.exe"=-

"actsmartchk"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"lphc5e8j0eae3"=-

"SMrhc1e8j0eae3"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

"IZws0nOkF4"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"MonWin"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhc1e8j0eae3]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinStrUtil]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{538fafde-2d88-11dc-b0e6-00a0d164c1dc}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f323e479-5050-11dc-b140-00a0d164c1dc}]


Driver::

nenum13E

WZCOOK

Plik -> zapisz jako -> CFScript.txt.

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu ->

Rozpocznie się usuwanie i powstanie log, który dasz na forum.

Logi dajesz na http://wklejto.pl lub na http://wklej.org a w poście dajesz tylko link

mr.prezes666 · 6 Sierpień 2008 17:02

Witam ponownie!!

Wielkie dzięki za odpowiedź :!:

Zrobiłem jak kazałeś a logi podaję poniżej:

Hijack This:

http://wklejto.pl/7438

Combofix:

http://wklejto.pl/7437

Proszę o sprawdzenie, czy już wszystko gra

Gutek · 6 Sierpień 2008 21:58

Wklej do Notatnika:

File::

C:\WINDOWS\system32\vatutmzc.exe

C:\WINDOWS\system32\buvyrqno.exe


Driver::

ATE_PROCMON

SPC610NC


Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc5e8j0eae3]

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo oraz skan http://www.kaspersky.pl/virusscanner.html

mr.prezes666 · 6 Sierpień 2008 23:09

Dzięki serdeczne!

Zrobiłem jak mówiłeś…

Dla pewności dołączam loga z Combofix:

http://wklejto.pl/7459

Jeszcze raz dzięki i mam nadzieję, że już po wszystkim

huber2t · 7 Sierpień 2008 04:48

Log wyglada na czysty

usuń ręcznie folder C: \Qoobox , usuń instalkę Combofix z dysku.

Przeczyść komputer Ccleanerem

Wykonaj optymalizację autostartu

Wyłącz i włącz przywracanie systemu na wszystkich dyskach. Instrukcja

Przeskanuj obszar mojego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum

lub

Dr.WEB CureIt!