PROBLEM WITH security system warning


(A P Krzysztofik) #1

Every so often a window pops up saying (security system warning) or (protection control panel). From what I have read, the topic is a known one, so I am posting my log and would be very grateful for help [-o<

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:14:31, on 2008-04-13

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\lg_fwupdate\fwupdate.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\jgpslqbo.exe

C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Netia\Net\netianet.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Ares\Ares.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spele.nl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: vnbptxlf - {9620B51A-BAB2-4FF5-8BB7-45C2C5510777} - (no file)

O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun

O4 - HKLM..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM..\RunServices: [Office XP hack] c:\office_patch.exe hack

O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU..\Run: [bqohxumu] C:\WINDOWS\system32\jgpslqbo.exe

O4 - HKCU..\Run: [frgxfgoq] C:\WINDOWS\system32\tijsdohe.exe

O4 - HKCU..\Run: [fmcakwua] C:\WINDOWS\system32\shqlunwt.exe

O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open With JPEGCompress - res://C:\Program Files\JPEGCompress\owjc.dll/CONTEXT_HANDLE.HTM

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://slimak.onet.pl/_m/wirusy/ArcaOnline.cab

O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.0_03) -

O17 - HKLM\System\CCS\Services\Tcpip..{EF32C61C-4F98-4DB3-A433-7AAE379D2A6F}: NameServer = 213.241.79.37 83.238.255.76

O20 - Winlogon Notify: cbXQgecB - cbXQgecB.dll (file missing)

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - E:\PROGRAMY\ARES\chatServer.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--

End of file - 5299 bytes


(Laszjwrz) #2
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)

O3 - Toolbar: vnbptxlf - {9620B51A-BAB2-4FF5-8BB7-45C2C5510777} - (no file)

O20 - Winlogon Notify: cbXQgecB - cbXQgecB.dll (file missing)

Fix

C:\WINDOWS\system32\jgpslqbo.exe

C:\WINDOWS\system32\tijsdohe.exe

C:\WINDOWS\system32\shqlunwt.exe

I would scan these at http://virustotal.com/pl


(huber2t) #3

Fix in HijackThis.

Download ComboFix, but do not run it.

Paste into Notepad:

File::

C:\WINDOWS\system32\jgpslqbo.exe

C:\WINDOWS\system32\tijsdohe.exe

C:\WINDOWS\system32\shqlunwt.exe

File -> Save as -> CFScript.txt (it is easiest if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon).

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like this ->

[image: 02f8f1e3c410a4cc.gif]

The removal should start and a log will be produced; post that log on the forum.


(A P Krzysztofik) #4

ComboFix 08-04-12.5 - ADMIN 2008-04-13 19:06:55.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.267 [GMT 2:00]

Running from: E:\PROGRAMY\ComboFix.exe

Command switches used :: E:\PROGRAMY\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\WINDOWS\system32\jgpslqbo.exe

C:\WINDOWS\system32\shqlunwt.exe

C:\WINDOWS\system32\tijsdohe.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\jgpslqbo.exe

C:\WINDOWS\system32\shqlunwt.exe

C:\WINDOWS\system32\tijsdohe.exe

.

((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))

.

2008-04-13 08:58 . 2008-04-13 08:58

2008-04-11 16:18 . 2008-04-12 07:48

2008-04-11 02:34 . 2008-04-11 02:34

2008-04-11 02:20 . 2008-04-13 09:03

2008-04-11 02:20 . 2008-04-11 02:20

2008-04-11 02:20 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-04-11 02:20 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-04-11 02:20 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-04-11 02:20 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-04-10 16:37 . 2008-04-10 16:37 98,304 --a------ C:\WINDOWS\system32\dslaruhm.exe

2008-04-10 16:07 . 2008-04-10 16:07

2008-04-10 14:00 . 2008-04-10 14:00 3,648 --a------ C:\WINDOWS\system32\tqirwgnb.dll

2008-04-10 13:24 . 2008-04-10 16:14

2008-04-10 13:00 . 2008-04-10 13:36 774 ---hs---- C:\WINDOWS\system32\reeauhhd.ini

2008-04-10 12:55 . 2008-04-10 12:55 3,648 --a------ C:\WINDOWS\system32\odovmgik.dll

2008-04-09 02:53 . 2008-04-09 02:53

2008-04-09 01:31 . 2008-04-09 01:31

2008-04-08 23:51 . 2008-04-08 23:51 3,648 --a------ C:\WINDOWS\system32\xvhpunba.dll

2008-04-08 17:34 . 2008-04-08 17:34

2008-04-08 16:05 . 2008-04-08 16:05 153 --a------ C:\WINDOWS\wininit.ini

2008-04-08 15:36 . 2008-04-11 17:57

2008-04-08 15:20 . 2008-04-08 15:20

2008-04-06 21:21 . 2008-04-06 21:21

2008-04-03 18:40 . 2008-04-03 18:40 7,168 --ahs---- C:\WINDOWS\Thumbs.db

2008-03-31 20:07 . 2008-03-31 20:07

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-13 07:03 --------- d-----w C:\Program Files\FlashGet

2008-04-13 06:58 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-12 20:25 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP

2008-04-12 19:43 --------- d-----w C:\Program Files\lg_fwupdate

2008-04-10 14:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-04-09 15:02 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search Destroy

2008-03-28 14:02 --------- d-----w C:\Program Files\GoD

2008-03-10 18:12 --------- d-----w C:\Program Files\Gadu-Gadu

2008-03-02 10:45 --------- d-----w C:\Program Files\CyberLink DVD Solution

2008-03-02 10:45 --------- d-----w C:\Program Files\CyberLink

2008-01-17 10:19 720,896 ----a-w C:\WINDOWS\iun6002.exe

2007-05-25 19:44 19,552 ----a-w C:\Documents and Settings\ADMIN\Dane aplikacji\GDIPFONTCACHEV1.DAT

2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

"bqohxumu"="C:\WINDOWS\system32\jgpslqbo.exe" []

"frgxfgoq"="C:\WINDOWS\system32\tijsdohe.exe" []

"fmcakwua"="C:\WINDOWS\system32\shqlunwt.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2005-04-15 05:01 77824 C:\WINDOWS\SOUNDMAN.EXE]

"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-05 22:20 249856]

"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-03-23 12:06 888832]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 18:35 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

"Office XP hack"="c:\office_patch.exe" [2001-09-05 01:00 8878]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 15:44:06 29696]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXQgecB]

cbXQgecB.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"E:\PROGRAMY\ARES\Ares.exe"=

"C:\Program Files\Gadu-Gadu\gg.exe"=

"C:\Program Files\Ares\Ares.exe"=

"C:\Program Files\Mozilla Firefox\firefox.exe"=

"C:\Program Files\NAPI-PROJEKT\napisy.exe"=

"C:\Program Files\KONAMI\Pro Evolution Soccer 2008\PES2008.exe"=

"C:\Documents and Settings\ADMIN\Pulpit\PES2008.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8461:TCP"= 8461:TCP:GoD High Port

"8462:TCP"= 8462:TCP:GoD Low Port

R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v2.6.75a\ATI Tray Tools\atitray.sys [2005-10-14 12:53]

*Newly Created Service* - CATCHME

.

Contents of the 'Scheduled Tasks' folder

"2008-04-12 22:00:00 C:\WINDOWS\Tasks\At1.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 07:00:00 C:\WINDOWS\Tasks\At10.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 08:00:00 C:\WINDOWS\Tasks\At11.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 09:00:00 C:\WINDOWS\Tasks\At12.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 10:00:00 C:\WINDOWS\Tasks\At13.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 11:00:00 C:\WINDOWS\Tasks\At14.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 12:00:00 C:\WINDOWS\Tasks\At15.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 13:00:00 C:\WINDOWS\Tasks\At16.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 14:00:00 C:\WINDOWS\Tasks\At17.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 15:00:00 C:\WINDOWS\Tasks\At18.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 16:00:00 C:\WINDOWS\Tasks\At19.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-12 23:00:00 C:\WINDOWS\Tasks\At2.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 17:00:01 C:\WINDOWS\Tasks\At20.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-11 18:00:00 C:\WINDOWS\Tasks\At21.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-11 19:00:00 C:\WINDOWS\Tasks\At22.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-12 20:00:00 C:\WINDOWS\Tasks\At23.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-12 21:00:00 C:\WINDOWS\Tasks\At24.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-12 22:00:00 C:\WINDOWS\Tasks\At25.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-12 23:00:00 C:\WINDOWS\Tasks\At26.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 00:00:00 C:\WINDOWS\Tasks\At27.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 01:00:00 C:\WINDOWS\Tasks\At28.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 02:00:00 C:\WINDOWS\Tasks\At29.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 00:00:00 C:\WINDOWS\Tasks\At3.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 03:00:00 C:\WINDOWS\Tasks\At30.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 04:00:00 C:\WINDOWS\Tasks\At31.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 05:00:00 C:\WINDOWS\Tasks\At32.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 06:00:00 C:\WINDOWS\Tasks\At33.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 07:00:00 C:\WINDOWS\Tasks\At34.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 08:00:00 C:\WINDOWS\Tasks\At35.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 09:00:00 C:\WINDOWS\Tasks\At36.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 10:00:00 C:\WINDOWS\Tasks\At37.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 11:00:00 C:\WINDOWS\Tasks\At38.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 12:00:00 C:\WINDOWS\Tasks\At39.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 01:00:00 C:\WINDOWS\Tasks\At4.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 13:00:00 C:\WINDOWS\Tasks\At40.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 14:00:00 C:\WINDOWS\Tasks\At41.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 15:00:00 C:\WINDOWS\Tasks\At42.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 16:00:00 C:\WINDOWS\Tasks\At43.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 17:00:01 C:\WINDOWS\Tasks\At44.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-11 18:00:00 C:\WINDOWS\Tasks\At45.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-11 19:00:00 C:\WINDOWS\Tasks\At46.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-12 20:00:00 C:\WINDOWS\Tasks\At47.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-12 21:00:00 C:\WINDOWS\Tasks\At48.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 02:00:00 C:\WINDOWS\Tasks\At5.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 03:00:00 C:\WINDOWS\Tasks\At6.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 04:00:00 C:\WINDOWS\Tasks\At7.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 05:00:00 C:\WINDOWS\Tasks\At8.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 06:00:00 C:\WINDOWS\Tasks\At9.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

.

**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-13 19:08:25

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-13 19:08:59

ComboFix-quarantined-files.txt 2008-04-13 17:08:48

ComboFix2.txt 2008-04-13 07:58:53

ComboFix3.txt 2008-04-13 07:55:36

ComboFix4.txt 2008-04-13 07:44:37

ComboFix5.txt 2008-04-10 14:07:14

Pre-Run: 22,864,703,488 bajtów wolnych

Post-Run: 22,854,660,096 bajtów wolnych


(huber2t) #5

Download ComboFix, but do not run it.

Paste into Notepad:

File::

C:\WINDOWS\system32\tqirwgnb.dll

C:\WINDOWS\system32\reeauhhd.ini

C:\WINDOWS\system32\odovmgik.dll

C:\WINDOWS\system32\xvhpunba.dll


Folder::

C:\Documents and Settings\All Users\Dane aplikacji\retszmru


Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"bqohxumu"=-

"frgxfgoq"=-

"fmcakwua"=-

File -> Save as -> CFScript.txt (it is easiest if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon).

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like this ->

[image: 02f8f1e3c410a4cc.gif]

The removal should start and a log will be produced; post that log on the forum.

If everything goes well, after the restart manually delete the folder C:\Qoobox
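
Added example (an editor's addition, not part of this thread and not ComboFix's or HijackThis's own code): a Python triage script that applies, to log lines copied from the posts above, the same pattern the helpers applied by hand. It flags O4 Run entries whose value name and executable name are both random-looking 8-character strings that do not match each other (the jgpslqbo / tijsdohe / shqlunwt entries), collects the O3 / O20 / R3 entries that point at missing files, and parses the "Scheduled Tasks" section of the ComboFix log, grouping the At*.job tasks by the executable they launch: in the log above r5S6gc24.exe and winmds.exe are each started by 24 hourly tasks, a persistence mechanism none of the fixes in this thread touches. Finally it renders a CFScript.txt in the File:: / Registry:: layout used above. The 8-character heuristic and the task-count threshold are assumptions tuned to this particular log rather than general detection rules, and the sample input is constructed from lines in the posts.

```python
"""Triage helper for HijackThis / ComboFix logs (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the HijackThis log posted in this thread.
HIJACKTHIS_SAMPLE = r"""
O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [bqohxumu] C:\WINDOWS\system32\jgpslqbo.exe
O4 - HKCU..\Run: [frgxfgoq] C:\WINDOWS\system32\tijsdohe.exe
O4 - HKCU..\Run: [fmcakwua] C:\WINDOWS\system32\shqlunwt.exe
O3 - Toolbar: vnbptxlf - {9620B51A-BAB2-4FF5-8BB7-45C2C5510777} - (no file)
O20 - Winlogon Notify: cbXQgecB - cbXQgecB.dll (file missing)
"""

# Constructed sample input: a subset of the 'Scheduled Tasks' section of the ComboFix log above.
COMBOFIX_TASKS_SAMPLE = r"""
"2008-04-12 22:00:00 C:\WINDOWS\Tasks\At1.job"
  • C:\WINDOWS\system32\r5S6gc24.exe
"2008-04-12 23:00:00 C:\WINDOWS\Tasks\At2.job"
  • C:\WINDOWS\system32\r5S6gc24.exe
"2008-04-13 00:00:00 C:\WINDOWS\Tasks\At3.job"
  • C:\WINDOWS\system32\r5S6gc24.exe
"2008-04-12 22:00:00 C:\WINDOWS\Tasks\At25.job"
  • C:\WINDOWS\system32\winmds.exe
"2008-04-12 23:00:00 C:\WINDOWS\Tasks\At26.job"
  • C:\WINDOWS\system32\winmds.exe
"""

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\.\.\\Run: \[([^\]]+)\] (.*)$')
TASK_RE = re.compile(r'^"\S+ \S+ ([^"]+\.job)"$')
RANDOM8 = re.compile(r'^[A-Za-z0-9]{8}$')  # assumption: the generator seen in this log uses 8 chars

# Registry keys behind the HKLM/HKCU shorthand in HijackThis O4 lines.
RUN_KEYS = {
    'HKCU': r'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM': r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
}


def parse_o4(line):
    """Return (hive, value_name, executable_path) for an O4 Run line, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    hive, value, rest = m.groups()
    # The path is either quoted (possibly followed by arguments) or a single bare token.
    path = rest[1:rest.index('"', 1)] if rest.startswith('"') else rest.split()[0]
    return hive, value, path


def stem(path):
    """File name without directory and extension, e.g. '...\\jgpslqbo.exe' -> 'jgpslqbo'."""
    return path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]


def suspicious_autostart(hive, value, path):
    """Heuristic from this thread: random 8-char value name paired with a different random 8-char binary."""
    return bool(RANDOM8.match(value) and RANDOM8.match(stem(path))
                and value.lower() != stem(path).lower())


def missing_file_entries(log):
    """O3/O20/R3-style entries whose referenced file no longer exists."""
    return [ln.strip() for ln in log.splitlines()
            if ln.strip().endswith(('(no file)', '(file missing)'))]


def task_targets(log):
    """Map each executable to the At*.job tasks that launch it (ComboFix 'Scheduled Tasks' layout)."""
    targets, current = defaultdict(list), None
    for ln in log.splitlines():
        ln = ln.strip()
        m = TASK_RE.match(ln)
        if m:
            current = m.group(1)
        elif ln.startswith('•') and current:
            targets[ln.lstrip('• ')].append(current)
            current = None
    return dict(targets)


def flag_task_batteries(targets, threshold=2):
    """Executables launched by `threshold` or more separate At*.job tasks (threshold is an assumption)."""
    return {exe: jobs for exe, jobs in targets.items() if len(jobs) >= threshold}


def build_cfscript(files, run_values):
    """Render the CFScript.txt layout used in this thread: File:: block plus Registry:: deletions."""
    lines = ['File::'] + sorted(files)
    if run_values:
        by_hive = defaultdict(list)
        for hive, value in run_values:
            by_hive[hive].append(value)
        lines += ['', 'Registry::']
        for hive, values in by_hive.items():
            lines.append(f'[{RUN_KEYS[hive]}]')
            lines.extend(f'"{v}"=-' for v in values)   # "name"=- deletes the value
    return '\n'.join(lines) + '\n'


def triage(hjt_log, combofix_log):
    """Run all checks and return the findings together with a draft CFScript."""
    files, run_values = set(), []
    for ln in hjt_log.splitlines():
        parsed = parse_o4(ln.strip())
        if parsed and suspicious_autostart(*parsed):
            hive, value, path = parsed
            files.add(path)
            run_values.append((hive, value))
    batteries = flag_task_batteries(task_targets(combofix_log))
    files.update(batteries)           # the task targets are files too
    return {'missing': missing_file_entries(hjt_log), 'run_values': run_values,
            'task_batteries': batteries, 'cfscript': build_cfscript(files, run_values)}


if __name__ == '__main__':
    result = triage(HIJACKTHIS_SAMPLE, COMBOFIX_TASKS_SAMPLE)
    for exe, jobs in result['task_batteries'].items():
        print(f'{exe}: launched by {len(jobs)} scheduled tasks')
    print(result['cfscript'])
```

`triage()` only flags names and task counts, not behaviour, so its output is a starting point for review: legitimate software with short names will not trip the heuristic, and a loader with a longer or dictionary-word name would slip past it, which is why the thread's helpers also sent the binaries to VirusTotal before removing them.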


(A P Krzysztofik) #6

So far it is OK. Thanks a lot for the help, =D> you guys are great =D> and here is the log after everything:

ComboFix 08-04-12.5 - ADMIN 2008-04-13 19:43:37.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.166 [GMT 2:00]

Running from: E:\PROGRAMY\ComboFix.exe

Command switches used :: E:\PROGRAMY\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\WINDOWS\system32\odovmgik.dll

C:\WINDOWS\system32\reeauhhd.ini

C:\WINDOWS\system32\tqirwgnb.dll

C:\WINDOWS\system32\xvhpunba.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Dane aplikacji\retszmru

C:\Documents and Settings\All Users\Dane aplikacji\retszmru\nuvgjaby.exe

C:\WINDOWS\system32\odovmgik.dll

C:\WINDOWS\system32\reeauhhd.ini

C:\WINDOWS\system32\tqirwgnb.dll

C:\WINDOWS\system32\xvhpunba.dll

.

((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))

.

2008-04-13 08:58 . 2008-04-13 08:58

2008-04-11 16:18 . 2008-04-12 07:48

2008-04-11 02:34 . 2008-04-11 02:34

2008-04-11 02:20 . 2008-04-13 09:03

2008-04-11 02:20 . 2008-04-11 02:20

2008-04-11 02:20 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-04-11 02:20 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-04-11 02:20 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-04-11 02:20 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-04-10 16:37 . 2008-04-10 16:37 98,304 --a------ C:\WINDOWS\system32\dslaruhm.exe

2008-04-10 16:07 . 2008-04-10 16:07

2008-04-10 13:24 . 2008-04-10 16:14

2008-04-09 02:53 . 2008-04-09 02:53

2008-04-09 01:31 . 2008-04-09 01:31

2008-04-08 17:34 . 2008-04-08 17:34

2008-04-08 16:05 . 2008-04-08 16:05 153 --a------ C:\WINDOWS\wininit.ini

2008-04-08 15:36 . 2008-04-11 17:57

2008-04-08 15:20 . 2008-04-08 15:20

2008-04-03 18:40 . 2008-04-03 18:40 7,168 --ahs---- C:\WINDOWS\Thumbs.db

2008-03-31 20:07 . 2008-03-31 20:07

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-13 07:03 --------- d-----w C:\Program Files\FlashGet

2008-04-13 06:58 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-12 20:25 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP

2008-04-12 19:43 --------- d-----w C:\Program Files\lg_fwupdate

2008-04-10 14:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-04-09 15:02 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search Destroy

2008-03-28 14:02 --------- d-----w C:\Program Files\GoD

2008-03-10 18:12 --------- d-----w C:\Program Files\Gadu-Gadu

2008-03-02 10:45 --------- d-----w C:\Program Files\CyberLink DVD Solution

2008-03-02 10:45 --------- d-----w C:\Program Files\CyberLink

2008-01-17 10:19 720,896 ----a-w C:\WINDOWS\iun6002.exe

2007-05-25 19:44 19,552 ----a-w C:\Documents and Settings\ADMIN\Dane aplikacji\GDIPFONTCACHEV1.DAT

2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2005-04-15 05:01 77824 C:\WINDOWS\SOUNDMAN.EXE]

"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-05 22:20 249856]

"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-03-23 12:06 888832]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 18:35 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

"Office XP hack"="c:\office_patch.exe" [2001-09-05 01:00 8878]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 15:44:06 29696]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXQgecB]

cbXQgecB.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"E:\PROGRAMY\ARES\Ares.exe"=

"C:\Program Files\Gadu-Gadu\gg.exe"=

"C:\Program Files\Ares\Ares.exe"=

"C:\Program Files\Mozilla Firefox\firefox.exe"=

"C:\Program Files\NAPI-PROJEKT\napisy.exe"=

"C:\Program Files\KONAMI\Pro Evolution Soccer 2008\PES2008.exe"=

"C:\Documents and Settings\ADMIN\Pulpit\PES2008.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8461:TCP"= 8461:TCP:GoD High Port

"8462:TCP"= 8462:TCP:GoD Low Port

R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v2.6.75a\ATI Tray Tools\atitray.sys [2005-10-14 12:53]

*Newly Created Service* - CATCHME

.

Contents of the 'Scheduled Tasks' folder

"2008-04-12 22:00:00 C:\WINDOWS\Tasks\At1.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 07:00:00 C:\WINDOWS\Tasks\At10.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 08:00:00 C:\WINDOWS\Tasks\At11.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 09:00:00 C:\WINDOWS\Tasks\At12.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 10:00:00 C:\WINDOWS\Tasks\At13.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 11:00:00 C:\WINDOWS\Tasks\At14.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 12:00:00 C:\WINDOWS\Tasks\At15.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 13:00:00 C:\WINDOWS\Tasks\At16.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 14:00:00 C:\WINDOWS\Tasks\At17.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 15:00:00 C:\WINDOWS\Tasks\At18.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 16:00:00 C:\WINDOWS\Tasks\At19.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-12 23:00:00 C:\WINDOWS\Tasks\At2.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 17:00:01 C:\WINDOWS\Tasks\At20.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-11 18:00:00 C:\WINDOWS\Tasks\At21.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-11 19:00:00 C:\WINDOWS\Tasks\At22.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-12 20:00:00 C:\WINDOWS\Tasks\At23.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-12 21:00:00 C:\WINDOWS\Tasks\At24.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-12 22:00:00 C:\WINDOWS\Tasks\At25.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-12 23:00:00 C:\WINDOWS\Tasks\At26.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 00:00:00 C:\WINDOWS\Tasks\At27.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 01:00:00 C:\WINDOWS\Tasks\At28.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 02:00:00 C:\WINDOWS\Tasks\At29.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 00:00:00 C:\WINDOWS\Tasks\At3.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 03:00:00 C:\WINDOWS\Tasks\At30.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 04:00:00 C:\WINDOWS\Tasks\At31.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 05:00:00 C:\WINDOWS\Tasks\At32.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 06:00:00 C:\WINDOWS\Tasks\At33.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 07:00:00 C:\WINDOWS\Tasks\At34.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 08:00:00 C:\WINDOWS\Tasks\At35.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 09:00:00 C:\WINDOWS\Tasks\At36.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 10:00:00 C:\WINDOWS\Tasks\At37.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 11:00:00 C:\WINDOWS\Tasks\At38.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 12:00:00 C:\WINDOWS\Tasks\At39.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 01:00:00 C:\WINDOWS\Tasks\At4.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 13:00:00 C:\WINDOWS\Tasks\At40.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 14:00:00 C:\WINDOWS\Tasks\At41.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 15:00:00 C:\WINDOWS\Tasks\At42.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 16:00:00 C:\WINDOWS\Tasks\At43.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 17:00:01 C:\WINDOWS\Tasks\At44.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-11 18:00:00 C:\WINDOWS\Tasks\At45.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-11 19:00:00 C:\WINDOWS\Tasks\At46.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-12 20:00:00 C:\WINDOWS\Tasks\At47.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-12 21:00:00 C:\WINDOWS\Tasks\At48.job"

  • C:\WINDOWS\system32\winmds.exe

"2008-04-13 02:00:00 C:\WINDOWS\Tasks\At5.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 03:00:00 C:\WINDOWS\Tasks\At6.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 04:00:00 C:\WINDOWS\Tasks\At7.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 05:00:00 C:\WINDOWS\Tasks\At8.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

"2008-04-13 06:00:00 C:\WINDOWS\Tasks\At9.job"

  • C:\WINDOWS\system32\r5S6gc24.exe

.

**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-13 19:44:54

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-13 19:45:27

ComboFix-quarantined-files.txt 2008-04-13 17:45:16

ComboFix2.txt 2008-04-13 17:09:00

ComboFix3.txt 2008-04-13 07:58:53

ComboFix4.txt 2008-04-13 07:55:36

ComboFix5.txt 2008-04-13 07:44:37

Pre-Run: 22,858,141,696 bajtów wolnych

Post-Run: 22,848,688,128 bajtów wolnych


(Leon$) #7

Open Notepad and paste

Save as CFScript.txt (save it so that the CFScript.txt icon is next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri ... iemoes.gif

The removal should start.

Then post the ComboFix removal log.

:slight_smile:


(Gutek) #8

Change in the rules for posting logs on the forum - viewtopic.php?f=16&t=213350