Problem z programem gratyfikant - trojany

Oprogramowanie komputerowe Problemy z oprogramowaniem
#1

ComboFix 08-07-23.4 - STACJA 2008-07-24 12:36:56.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.84 [GMT 2:00]

Running from: C:\Documents and Settings\STACJA\Pulpit\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

C:\Program Files\Common Files\vcclient

C:\Program Files\Common Files\vcclient\ClientUpdater.bat

C:\Program Files\Common Files\vcclient\ICSharpCode.SharpZipLib.dll

C:\Program Files\Common Files\vcclient\VCClient.exe.config

C:\Program Files\Common Files\vcclient\VCUpdate.exe

C:\Program Files\Common Files\vcclient\VCUpdate.exe.config

C:\Program Files\Common Files\vcclient\Version.txt

C:\Program Files\winupdates

C:\Program Files\winupdates\a.zip

C:\WINDOWS.0\desktop.html

C:\WINDOWS.0\hosts

C:\WINDOWS.0\secure32.html

C:\WINDOWS.0\system32\bszip.dll

C:\WINDOWS.0\system32\ckvo.exe

C:\WINDOWS.0\system32\ckvo0.dll

C:\WINDOWS.0\system32\cmd.com

C:\WINDOWS.0\system32\guard.tmp

C:\WINDOWS.0\system32\netstat.com

C:\WINDOWS.0\system32\ping.com

C:\WINDOWS.0\system32\regedit.com

C:\WINDOWS.0\system32\svcp.csv

C:\WINDOWS.0\system32\taskkill.com

C:\WINDOWS.0\system32\tasklist.com

C:\WINDOWS.0\system32\tracert.com

C:\WINDOWS.0\system32\winsub.xml

C:\WINDOWS.0\system32\zlbw.dll

.

((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))

.

2008-07-24 12:30 . 2008-07-24 12:30

2008-07-24 12:30 . 2008-07-24 12:30

2008-07-24 12:30 . 2008-07-24 12:30 17,408 --a------ C:\WINDOWS.0\system32\drivers\pxark.sys

2008-07-24 06:58 . 2008-07-24 06:57 117,946 -r-hs---- C:\g2pfnid.com

2008-07-23 08:13 . 2008-07-24 06:57 77,312 -r-hs---- C:\WINDOWS.0\system32\ckvo1.dll

2008-07-07 12:20 . 2008-07-07 12:20 10,257 --a------ C:\SP__DZIELCZE_GOSPODASTWO_ROLNE_W_BRUSACH_ZUS_2008-06.kdu

2008-07-01 10:00 . 2008-07-24 10:25

2008-06-27 08:11 . 2008-07-16 09:03

2008-06-27 08:11 . 2008-06-27 08:11 56 --ah----- C:\WINDOWS.0\system32\ezsidmv.dat

2008-06-27 08:09 . 2008-07-24 10:25

2008-06-26 12:55 . 2008-06-26 12:55

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-24 10:42 262,144 —ha-w C:\Documents and Settings\NetworkService.ZARZąDZANIE NT\NTUSER.DAT

2008-07-24 10:42 262,144 —ha-w C:\Documents and Settings\NetworkService.ZARZąDZANIE NT\NTUSER.DAT

2008-07-24 10:42 262,144 —ha-w C:\Documents and Settings\LocalService.ZARZąDZANIE NT\NTUSER.DAT

2008-07-24 10:42 262,144 —ha-w C:\Documents and Settings\LocalService.ZARZąDZANIE NT\NTUSER.DAT

2008-07-24 10:19 --------- d-----w C:\Documents and Settings\STACJA\Dane aplikacji\InsERT GT

2008-07-24 08:22 --------- d-----w C:\Program Files\Gadu-Gadu

2008-07-24 05:37 --------- d-----w C:\Program Files\WeatherCast

2008-07-18 07:30 --------- d-----w C:\Documents and Settings\STACJA\Dane aplikacji\AdobeUM

2008-07-15 13:05 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.0\Dane aplikacji\InsERT

2008-06-20 17:42 246,784 ----a-w C:\WINDOWS.0\system32\mswsock.dll

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS.0\system32\drivers\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS.0\system32\drivers\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS.0\system32\drivers\tcpip6.sys

2008-06-14 18:01 273,024 ------w C:\WINDOWS.0\system32\drivers\bthport.sys

2008-06-04 12:25 --------- d-----w C:\Program Files\Windows Media Connect 2

2008-05-31 19:09 55,104 ----a-r C:\WINDOWS.0\system32\w95scm.DLL

2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS.0\system32\quartz.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS.0\system32\ctfmon.exe” [2004-08-04 09:44 15360]

“WeatherCast”=“C:\Program Files\WeatherCast\Weather.exe” [2004-02-19 12:17 132096]

“Orb”=“C:\Program Files\Winamp Remote\bin\OrbTray.exe” [2007-12-18 03:02 471040]

“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 18:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2003-12-12 11:31 335872]

“AdaptecDirectCD”=“C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe” [2003-03-26 11:15 684032]

“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2008-05-16 01:19 79224]

“Samsung PanelMgr”=“C:\WINDOWS.0\Samsung\PanelMgr\ssmmgr.exe” [2006-08-16 05:10 503808]

“WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2007-12-20 17:16 37376]

“SoundMan”=“SOUNDMAN.EXE” [2003-12-18 08:00 64512 C:\WINDOWS.0\SOUNDMAN.EXE]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS.0\System32\CTFMON.EXE” [2004-08-04 09:44 15360]

C:\Documents and Settings\All Users.WINDOWS.0\Menu Start\Programy\Autostart\

Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-10-06 01:00:00 111376]

Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 16:23:32 74308]

Uruchamianie pakietu Office.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-10-06 01:00:00 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

–a------ 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

“AntiVirusDisableNotify”=dword:00000001

“AntiVirusOverride”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

“DisableMonitoring”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“C:\Program Files\Winamp Remote\bin\Orb.exe”=

“C:\Program Files\Winamp Remote\bin\OrbTray.exe”=

“C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe”=

R0 pxark;pxark;C:\WINDOWS.0\system32\drivers\pxark.sys [2008-07-24 12:30]

R1 aswSP;avast! Self Protection;C:\WINDOWS.0\system32\drivers\aswSP.sys [2008-05-16 01:20]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS.0\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]

R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-07-24 12:30]

R2 MSSQL$INSERTGT;MSSQL$INSERTGT;C:\Program Files\Microsoft SQL Server\MSSQL$INSERTGT\Binn\sqlservr.exe [2002-12-17 16:26]

R2 SVKP;SVKP;C:\WINDOWS.0\system32\SVKP.sys [2005-09-19 09:39]

R3 usbscan;Sterownik skanera USB;C:\WINDOWS.0\system32\DRIVERS\usbscan.sys [2004-08-04 07:58]

S3 MTK;Media Technology Kernel Driver;C:\WINDOWS.0\system32\Drivers\mtk.sys []

S3 SQLAgent$INSERTGT;SQLAgent$INSERTGT;C:\Program Files\Microsoft SQL Server\MSSQL$INSERTGT\Binn\sqlagent.EXE [2002-12-17 16:23]

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS.0\system32\DRIVERS\USBSTOR.SYS [2004-08-04 09:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{35e44e00-997c-11da-90fd-4d6564696130}]

\Shell\AutoRun\command - C:\WINDOWS.0\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe

\Shell\Open(0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{91d8bcfa-f8a8-11db-92cd-4d6564696130}]

\Shell\AutoRun\command - EXPLORER.EXE

\Shell\explore\Command - EXPLORER.EXE

\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{a39fcbcb-3b7c-11dd-942f-000feac705da}]

\Shell\AutoRun\command - 1nkbd8h.bat

\Shell\explore\Command - 1nkbd8h.bat

\Shell\open\Command - 1nkbd8h.bat

.

        • ORPHANS REMOVED - - - -

HKCU-Run-kamsoft - C:\WINDOWS.0\system32\ckvo.exe

HKLM-Run-BearShare - C:\BearShare\BearShare.exe

MSConfigStartUp-aupd - C:\WINDOWS.0\system32\sywsvcs.exe

MSConfigStartUp-BearShare - C:\BearShare\BearShare.exe

MSConfigStartUp-CU1 - C:\Program Files\Common Files\VCClient\VCClient.exe

MSConfigStartUp-CU2 - C:\Program Files\Common Files\VCClient\VCMain.exe

MSConfigStartUp-drsmartloadb - c:\drsmartloadb.exe

MSConfigStartUp-PayTime - C:\WINDOWS.0\system32\paytime.exe

MSConfigStartUp-Services - C:\WINDOWS.0\system32\17.tmp

MSConfigStartUp-Windows installer - C:\winstall.exe

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.onet.pl/

R0 -: HKLM-Main,Local Page = c:\secure32.html

R0 -: HKLM-Main,Start Page = c:\secure32.html

R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore

O8 -: Winamp Toolbar Search - C:\Documents and Settings\All Users.WINDOWS.0\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O17 -: HKLM\CCS\Interface{01F0EC93-1E7F-4C49-8CA0-1DA730982406}: NameServer = 194.204.159.1,194.204.152.34

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS.0\Java\classes\dajava.cab

C:\WINDOWS.0\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS.0\Java\classes\xmldso.cab

C:\WINDOWS.0\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A41} - hxxps://www.pekaobiznes24.pl/components … XPEKAO.cab

C:\WINDOWS.0\Downloaded Program Files\SignActivXPEKAO.ocx

O16 -: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} - hxxp://www.bph.pl/static/demo/demo_seza … ActivX.cab

C:\WINDOWS.0\Downloaded Program Files\SignActivX.ocx

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-24 12:43:45

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

**************************************************************************

.

Completion time: 2008-07-24 12:52:53 - machine was rebooted

ComboFix-quarantined-files.txt 2008-07-24 10:52:42

Pre-Run: 66,262,102,016 bajtów wolnych

Post-Run: 66,695,610,368 bajt˘w wolnych

182 — E O F — 2008-07-09 12:01:15

#2

Pobierz ComboFix, ale nie uruchamiaj

Otwórz notatnik i wklej do niego:

File::

C:\g2pfnid.com


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35e44e00-997c-11da-90fd-4d6564696130}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91d8bcfa-f8a8-11db-92cd-4d6564696130}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a39fcbcb-3b7c-11dd-942f-000feac705da}]

Plik -> zapisz jako -> CFScript.txt.

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu ->

02f8f1e3c410a4cc.gif

Rozpocznie się usuwanie i powstanie log, który dasz na forum.

Logi dajesz na http://wklejto.pl lub na http://wklej.org a w poście dajesz tylko link

#3

gdzie jest ten link mam go spisać z paska u góry??

#4

Tak mas ztak zrobić