Problem with Bestsellerantivirus + logs from ComboFix and hijack


(Mocherek) #1

I have a problem with all these silly trojans etc... that is, with the pop-up windows in the bottom right corner. Please check the logs and HELP me remove this. Thanks in advance.

Logfile of Browser Hijack Recover(BHR) v2.2

http://www.browser-hijack.com/

Log created on 2007-11-11 11-55-12

Microsoft Windows XP Professional Dodatek Service Pack. 1 (Build 2600)

Internet Explorer v6.0.2800.1106 Update Versions: ;SP1;

[Process Manager] - [Process]

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\wdfmgr.exe

C:\WINDOWS\Mixer.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe

D:\Office\Office12\GrooveMonitor.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Browser Hijack Recover\bhr.exe

[IE Options] - [Normal]

R0 - HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/windows/ie_intl/en/start/

R0 - HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,Window Title =

[IE Options] - [IE Menu]

[IE Options] - [Internet Options]

[IE Options] - [IE Search Hooks]

[IE Add-Ons] - [Toolbars]

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\iqcemqzy.dll

[IE Add-Ons] - [Explorer Bars]

[IE Add-Ons] - [Context Menu]

[IE Add-Ons] - [BHOs]

O2 - BHO: (No Name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Office\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (No Name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - C:\WINDOWS\system32\xxyyyvv.dll

O2 - BHO: (No Name) - {9687DEBF-D9BF-4693-BB99-888CF1B05392} - C:\WINDOWS\System32\awvvu.dll

O2 - BHO: (No Name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\iqcemqzy.dll

O2 - BHO: {7739e2b9-4c37-ed09-97a4-f1b1e8460e9c} - {c9e0648e-1b1f-4a79-90de-73c49b2e9377} - C:\WINDOWS\System32\nwxweeww.dll

[IE Add-Ons] - [Tools Menu]

O9 - Extra "Tool" Menu Item: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

[IE Add-Ons] - [Tools Button]

O9 - Extra "Tool" Menu Item: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

[System Options]

[StartUp]

ComboFix 07-11-08.1 - tm 2007-11-11 11:57:30.5 - FAT32 x86

Running from: C:\Documents and Settings\tm\Pulpit\ComboFix.exe

.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Menu Start\Live Safety Center.lnk

C:\Documents and Settings\All Users\Menu Start\Online Security Guide.lnk

C:\Documents and Settings\tm\Pulpit\Live Safety Center.lnk

C:\Documents and Settings\tm\Pulpit\Online Security Guide.lnk

C:\Documents and Settings\tm\Ulubione\Online Security Guide.lnk

C:\WINDOWS\System32\awvvu.dll

C:\WINDOWS\system32\csrs.exe

C:\WINDOWS\system32\iqcemqzy.dllbox

C:\WINDOWS\system32\uvvwa.bak1

C:\WINDOWS\system32\uvvwa.ini

C:\WINDOWS\system32\xxyyyvv.dll

.

---- Previous Run -------

.

C:\Documents and Settings\All Users\Menu Start\Live Safety Center.lnk

C:\Documents and Settings\All Users\Menu Start\Online Security Guide.lnk

C:\Documents and Settings\tm\Pulpit\Live Safety Center.lnk

C:\Documents and Settings\tm\Pulpit\Online Security Guide.lnk

C:\Documents and Settings\tm\Ulubione\Online Security Guide.lnk

C:\WINDOWS\system32\iqcemqzy.dllbox

C:\WINDOWS\system32\isass.exe

C:\WINDOWS\system32\uvvwa.bak2

C:\WINDOWS\system32\uvvwa.ini

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\LEGACY_FMTR

((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))

.

2007-11-11 11:48

2007-11-11 11:24 79,936 --a------ C:\WINDOWS\system32\nwxweeww.dll

2007-11-11 11:22 2,432 --a------ C:\WINDOWS\system32\unpr.sys

2007-11-10 21:01 58,368 --a------ C:\WINDOWS\NirCmd.exe

2007-11-10 19:40 85,056 --a------ C:\WINDOWS\system32\ujbmavfd.dll

2007-11-10 19:40 81,472 --a------ C:\WINDOWS\system32\kcvydqwb.dll

2007-11-10 19:33

2007-11-09 16:09 77,888 --a------ C:\WINDOWS\system32\ewemciqj.dll

2007-11-09 16:06 88,128 --a------ C:\WINDOWS\system32\sdukhqef.dll

2007-11-08 16:55

2007-11-08 15:26

2007-11-08 14:05 86,080 --a------ C:\WINDOWS\system32\pmlodujc.dll

2007-11-08 14:05 80,448 --a------ C:\WINDOWS\system32\hqqpodka.dll

2007-11-07 15:21 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll

2007-11-07 15:21 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll

2007-11-07 14:09 79,936 --a------ C:\WINDOWS\system32\oyqpildv.dll

2007-11-07 14:04 145,984 --a------ C:\WINDOWS\system32\yojqobmp.dll

2007-11-07 14:04 145,984 --a------ C:\WINDOWS\system32\iqcemqzy.dll

2007-11-04 15:43

2007-10-29 10:15

2007-10-29 09:39 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys

2007-10-29 09:39 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys

2007-10-28 09:10

2007-10-27 23:02

2007-10-26 18:25

2007-10-25 21:01 3,580 --a------ C:\WINDOWS\system32\d3d9caps.dat

2007-10-25 16:34

2007-10-24 15:12

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-05 20:20 --------- d-----w C:\Program Files\Anti-Blaxx

2007-10-01 21:59 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-10-01 21:59 --------- d--h--r C:\Documents and Settings\tm\Dane aplikacji\SecuROM

2007-10-01 08:15 310 ----a-w C:\Documents and Settings\tm\Dane aplikacji\regdatels.dat

2007-09-30 21:50 --------- d-----w C:\Program Files\Lomsel Shutdown

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

2007-11-07 14:04 145984 --a------ C:\WINDOWS\system32\iqcemqzy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c9e0648e-1b1f-4a79-90de-73c49b2e9377}]

2007-11-11 11:24 79936 --a------ C:\WINDOWS\System32\nwxweeww.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\iqcemqzy.dll [2007-11-07 14:04 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoBandCustomize"=0 (0x0)

"NoToolbarCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoBandCustomize"=0 (0x0)

"NoToolbarCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iqcemqzy]

iqcemqzy.dll 2007-11-07 14:04 145984 C:\WINDOWS\system32\iqcemqzy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzlo32]

winzlo32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Notification Packages"=

"Authentication Packages"= msv1_0 C:\WINDOWS\System32\awvvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\844d82c5]

rundll32.exe "C:\WINDOWS\System32\pmlodujc.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

"C:\Program Files\Gadu-Gadu\gg.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

"D:\Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]

C:\WINDOWS\System32\LXSUPMON.EXE RUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]

"C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

C:\Program Files\Winamp\winampa.exe

.

Contents of the 'Scheduled Tasks' folder

"2007-11-10 11:45:02 C:\WINDOWS\Tasks\Lomsel01102007_091625.job"

  • C:\Program Files\Lomsel Shutdown\Shutdown.exe

.

**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-11 12:05:03

Windows 5.1.2600 Dodatek Service Pack. 1 FAT NTAPI

detected NTDLL code modification:

ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-11-11 12:06:04 - machine was rebooted

.

--- E O F ---


(Gutek) #2

Note: when you paste a log, wrap it in a CODE or QUOTE tag.

Regards, Gutek2222

Paste into Notepad:

>>File>>Save as... >>> CFScript (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)

– just like in this picture --> (attached image: CFScript-createdbyMiekiemoes.gif)

(if the question " 1 or 2" appears, type 1 and press ENTER). The removal should begin (and a log will be created).

After the restart, manually delete the folder C:\Qoobox.

After that, a new log from ComboFix.


(Mocherek) #3

I did what you recommended, and after rebooting the computer a window popped up asking me to choose a user; after typing in the password, either for the user or for admin, the password did not work, and I had to install Windows again just to be able to turn the computer on at all. For now the bestsell..... is gone; I will send the ComboFix log in a moment.

Post merged: 11.11.2007 (Sun) 17:31


(Gutek) #4

scan the file at http://virusscan.jotti.org/ and paste the result