Problem with removing the "Win spyware protect" virus


(Thawar) #1

Hi. Unfortunately I downloaded an unchecked file today and, as it turned out later, it was a virus, namely: every few minutes a page opens that redirects to an "antivirus" (here is the link it redirects to: http://www.system-defender.com/freeware ... id=37&p=01), next to the clock there is a "Virus Alert!" caption, and after restarting the computer the wallpaper was changed to something very similar to the previous "symptoms". In Start there are no items such as Programs, My Computer, Documents etc. In "My Computer" there is no access to the drive, and Task Manager has also been disabled... Yesterday I formatted the hard drive and unfortunately didn't have any antivirus on the computer... I quickly installed Avast, it detected the virus but... did nothing about it.

I'm asking for help, because I've run out of ideas how to fight this.

Here is my log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:06: VIRUS ALERT!, on 2008-07-16

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\wvremcon.exe

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\lg_fwupdate\fwupdate.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\ALCFDRTM.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

C:\PROGRA~1\NEOSTR~1\ComComp.exe

C:\PROGRA~1\NEOSTR~1\Watch.exe

C:\Documents and Settings\All Users\Dane aplikacji\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\BitComet\BitComet.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\C2D\USTAWI~1\Temp\Rar$EX00.187\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O3 - Toolbar: qndsfmao - {264BFEF2-1935-497C-9FD4-6EEF1FAA2764} - C:\WINDOWS\qndsfmao.dll

O4 - HKLM..\Run: [CnxDslTaskBar] "C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe" "ZTE Corporation\ZXDSL852"

O4 - HKLM..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM..\Run: [nwiz] nwiz.exe /install

O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"

O4 - HKLM..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM..\Run: [wvremcon] C:\WINDOWS\wvremcon.exe

O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"

O4 - HKLM..\Run: [38991291] rundll32.exe "C:\WINDOWS\system32\oifpjdqy.dll",b

O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

O4 - HKCU..\Run: [s9201] "C:\Documents and Settings\All Users\Dane aplikacji\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe" /autorun

O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)

O17 - HKLM\System\CCS\Services\Tcpip..{21783BC8-DB1F-4F8D-9DF9-7B971BAF3CB5}: NameServer = 194.204.159.1 217.98.63.164

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O21 - SSODL: evgratsm - {718328C9-E163-4FD8-9ABB-55774973E880} - C:\WINDOWS\evgratsm.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--

End of file - 7205 bytes


(Dmirecki) #2

FIX:

Download ComboFix, but don't run it.

Paste into Notepad:

File::

C:\WINDOWS\qndsfmao.dll

C:\WINDOWS\wvremcon.exe

C:\WINDOWS\system32\oifpjdqy.dll

C:\WINDOWS\evgratsm.dll


Folder::

C:\Documents and Settings\All Users\Dane aplikacji\SecuriSoft SARL\WinSpywareProtect

File -> Save as -> CFScript.txt

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, as shown here ->

88953CFScript-createdbyMiekiemoes.gif

Removal should start and a log will be produced; post that log on the forum + a new HijackThis log.

If everything goes well, after the restart manually delete the folder C:\Qoobox
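The entries the helper put into the CFScript above all share the same traits: an autostart value with a numeric name, a DLL or EXE with a random eight-letter name dropped straight into C:\WINDOWS or system32, an SSODL/Toolbar entry pointing at such a file, and a desktop component loading a local HTML page. The script below is an added example (not the helper's, HijackThis's or ComboFix's own code) that runs those heuristics over a constructed subset of the first HijackThis log and renders the hits in the File::/Folder:: layout of a CFScript.txt. The `\..\` in the O4 keys is how HijackThis prints them (the forum stripped the backslash above); the ROGUE_NAMES list, the "8 lowercase letters" rule and the choice to put the O24 page's directory under Folder:: are this example's assumptions, to be reviewed by a human before anything is deleted.

```python
import ntpath
import re
from typing import Dict, List

# Constructed subset of the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O3 - Toolbar: qndsfmao - {264BFEF2-1935-497C-9FD4-6EEF1FAA2764} - C:\WINDOWS\qndsfmao.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [wvremcon] C:\WINDOWS\wvremcon.exe
O4 - HKLM\..\Run: [38991291] rundll32.exe "C:\WINDOWS\system32\oifpjdqy.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Dane aplikacji\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe" /autorun
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: evgratsm - {718328C9-E163-4FD8-9ABB-55774973E880} - C:\WINDOWS\evgratsm.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# Rogue product names seen in this thread (assumption: extend with your own list).
ROGUE_NAMES = ("winspywareprotect", "securisoft")

ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n,]+?\.(?:exe|dll|htm))', re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")
WINDOWS_DIRS = (r"c:\windows", r"c:\windows\system32")


def random_looking(path: str) -> bool:
    """Crude heuristic: an 8-letter, all-lowercase basename sitting directly in the
    Windows or system32 directory, the naming every dropped component in the
    thread's log uses (qndsfmao, wvremcon, oifpjdqy, evgratsm)."""
    folder, name = ntpath.split(path)          # ntpath so this also runs on Linux
    stem = ntpath.splitext(name)[0]
    return (folder.lower() in WINDOWS_DIRS and len(stem) == 8
            and stem.isalpha() and stem.islower())


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious HijackThis line: kind, path, reason(s)."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        paths = PATH_RE.findall(body)
        path = paths[0] if paths else ""
        reasons = []
        if kind == "O7" and "DisableRegedit=1" in body:
            reasons.append("registry editor disabled by policy")
        if kind == "O24" and "file:///" in body.lower():
            reasons.append("desktop component points at a local HTML file")
        if kind == "O4":
            name = RUN_NAME_RE.search(body)
            if name and re.fullmatch(r"[a-z]?\d+", name.group(1)):
                reasons.append("numeric Run value name")
        if path:
            if any(r in path.lower() for r in ROGUE_NAMES):
                reasons.append("known rogue product path")
            if random_looking(path):
                reasons.append("random 8-letter name in Windows directory")
        if reasons:
            findings.append({"kind": kind, "path": path, "reason": "; ".join(reasons)})
    return findings


def build_cfscript(findings: List[Dict[str, str]]) -> str:
    """Render flagged paths in the CFScript.txt layout used in the thread:
    File:: for single dropped files, Folder:: for a rogue product's directory
    (assumption of this example: the O24 page's directory goes under Folder:: too)."""
    files: List[str] = []
    folders: List[str] = []
    for f in findings:
        path = f["path"]
        if not path:
            continue  # a policy finding (O7) has no file to remove
        if "known rogue product path" in f["reason"] or f["kind"] == "O24":
            folder = ntpath.dirname(path)
            if folder not in folders:
                folders.append(folder)
        elif path not in files:
            files.append(path)
    out = []
    if files:
        out += ["File::", *files]
    if folders:
        out += ["", "Folder::", *folders]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['kind']:4} {h['reason']:60} {h['path']}")
    print()
    print(build_cfscript(hits))
```

Run as-is it prints seven findings, then a CFScript whose File:: section holds the four dropped components the helper listed and whose Folder:: section holds the WinSpywareProtect directory plus C:\WINDOWS\privacy_danger. The avast and NVIDIA entries are not flagged, which is the point of keying on the file's location and naming rather than on its being an autostart.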


(Thawar) #3

Many thanks, so far everything is fine....

The first thing I'll do now is remove Avast... Which antivirus program is worth recommending?

Log1

ComboFix 08-07-15.4 - C2D 2008-07-16 19:37:33.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1588 [GMT 2:00]

Running from: C:\Documents and Settings\C2D\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\C2D\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\WINDOWS\evgratsm.dll

C:\WINDOWS\qndsfmao.dll

C:\WINDOWS\system32\oifpjdqy.dll

C:\WINDOWS\wvremcon.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Dane aplikacji\SecuriSoft SARL\WinSpywareProtect

C:\Documents and Settings\All Users\Dane aplikacji\SecuriSoft SARL\WinSpywareProtect\LOG\20080716184400140.log

C:\Documents and Settings\All Users\Dane aplikacji\SecuriSoft SARL\WinSpywareProtect\LOG\20080716193155671.log

C:\Documents and Settings\All Users\Dane aplikacji\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe

C:\Documents and Settings\C2D\Pulpit\Error Cleaner.url

C:\Documents and Settings\C2D\Ulubione\Error Cleaner.url

C:\Documents and Settings\C2D\Ulubione\Privacy Protector.url

C:\Documents and Settings\C2D\Ulubione\SpywareMalware Protection.url

C:\WINDOWS\eprt.exe

C:\WINDOWS\evgratsm.dll

C:\WINDOWS\privacy_danger

C:\WINDOWS\privacy_danger\images\capt.gif

C:\WINDOWS\privacy_danger\images\danger.jpg

C:\WINDOWS\privacy_danger\images\down.gif

C:\WINDOWS\privacy_danger\images\spacer.gif

C:\WINDOWS\privacy_danger\index.htm

C:\WINDOWS\system32\jkkJcAPh.dll

C:\WINDOWS\system32\knnqBJlm.ini

C:\WINDOWS\system32\knnqBJlm.ini2

C:\WINDOWS\system32\mlJBqnnk.dll

C:\WINDOWS\system32\oifpjdqy.dll

C:\WINDOWS\system32\wvUmjKCr.dll

C:\WINDOWS\system32\yqdjpfio.ini

C:\WINDOWS\wvremcon.exe

.

((((((((((((((((((((((((( Files Created from 2008-06-16 to 2008-07-16 )))))))))))))))))))))))))))))))

.

2008-07-16 18:20 . 2008-07-16 18:20

2008-07-16 18:09 . 2008-07-16 14:29 102,400 --a------ C:\WINDOWS\agpqlrfm.exe

2008-07-16 18:08 . 2008-07-16 19:37

2008-07-16 18:05 . 2008-07-16 18:05

2008-07-16 18:05 . 2008-07-16 18:05

2008-07-16 18:05 . 2004-10-25 20:02 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys

2008-07-16 18:05 . 1999-11-02 10:01 6,173 --a------ C:\WINDOWS\system32\drivers\Entech.vxd

2008-07-16 18:05 . 2004-06-22 15:44 5,632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys

2008-07-16 18:05 . 2001-11-19 19:05 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys

2008-07-16 18:04 . 2008-07-16 18:04 69 --a------ C:\WINDOWS\NeroDigital.ini

2008-07-16 15:18 . 2008-07-16 15:18 32 --a------ C:\WINDOWS\wowCP.ini

2008-07-16 14:56 . 2008-07-16 14:59

2008-07-16 14:56 . 2008-07-16 15:30 678 --a------ C:\WINDOWS\wincmd.ini

2008-07-16 14:56 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\UC.PIF

2008-07-16 14:56 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\RAR.PIF

2008-07-16 14:56 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\PKZIP.PIF

2008-07-16 14:56 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\PKUNZIP.PIF

2008-07-16 14:56 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\NOCLOSE.PIF

2008-07-16 14:56 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\LHA.PIF

2008-07-16 14:56 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\ARJ.PIF

2008-07-16 14:27 . 2008-07-16 14:27

2008-07-16 14:24 . 2008-07-16 14:24 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2008-07-16 13:09 . 2008-07-16 13:14

2008-07-16 13:09 . 2008-07-16 13:09

2008-07-16 12:51 . 2008-07-16 12:52

2008-07-16 09:41 . 2008-07-16 19:42

2008-07-16 09:41 . 2008-07-16 09:41

2008-07-16 09:41 . 1998-06-24 00:00 115,016 --------- C:\WINDOWS\system32\MSINET.OCX

2008-07-16 09:41 . 1998-07-22 00:00 102,912 --------- C:\WINDOWS\system32\Vb6stkit.dll

2008-07-16 09:41 . 1998-07-22 00:00 102,160 --------- C:\WINDOWS\system32\VB6KO.DLL

2008-07-16 09:41 . 2005-03-09 16:16 16,384 --a------ C:\WINDOWS\system32\lgfwunis.exe

2008-07-16 09:41 . 2008-07-16 19:42 259 --a------ C:\WINDOWS\lgfwup.ini

2008-07-16 09:40 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll

2008-07-16 09:40 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll

2008-07-16 09:40 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll

2008-07-16 09:40 . 2004-07-09 08:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll

2008-07-16 09:40 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll

2008-07-16 09:40 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe

2008-07-16 09:40 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll

2008-07-16 09:39 . 2008-07-16 09:39

2008-07-16 09:39 . 2008-07-16 09:40

2008-07-16 09:39 . 2008-07-16 09:40

2008-07-16 09:39 . 2006-11-02 08:55 2,973,696 --------- C:\WINDOWS\NuNinst.exe

2008-07-16 09:39 . 2005-07-08 16:17 99,584 --------- C:\WINDOWS\system32\drivers\InCDfs.sys

2008-07-16 09:39 . 2006-11-02 08:55 59,042 --------- C:\WINDOWS\NuNinst.cfg

2008-07-16 09:39 . 2005-07-08 16:17 29,696 --------- C:\WINDOWS\system32\drivers\InCDpass.sys

2008-07-16 09:39 . 2006-11-02 08:55 28,672 --------- C:\WINDOWS\system32\drivers\InCDrm.sys

2008-07-16 09:39 . 2005-07-08 16:17 8,704 --------- C:\WINDOWS\system32\drivers\InCDrec.sys

2008-07-16 09:38 . 2008-07-16 09:39

2008-07-16 09:38 . 2008-07-16 09:38

2008-07-16 09:38 . 2008-07-16 09:38

2008-07-16 09:38 . 2004-10-01 15:00 40,960 --a------ C:\Program Files\Uninstall_CDS.exe

2008-07-15 19:07 . 2008-07-15 19:07

2008-07-15 18:06 . 2003-08-15 18:31 353,024 -ra------ C:\WINDOWS\system32\drivers\Cap7134.sys

2008-07-15 17:16 . 2008-07-15 17:16

2008-07-15 17:16 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll

2008-07-15 17:15 . 2008-07-15 17:15

2008-07-15 17:09 . 2008-07-15 17:09

2008-07-15 17:09 . 2008-07-15 17:16

2008-07-15 17:08 . 2008-07-15 17:08

2008-07-15 15:17 . 2008-07-15 15:42

2008-07-15 09:43 . 2008-07-16 14:27

2008-07-14 17:28 . 2008-07-14 17:28

2008-07-14 17:27 . 2006-02-04 03:50 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd

2008-07-14 17:27 . 2006-02-04 03:50 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys

2008-07-14 17:22 . 2008-07-14 17:22

2008-07-14 17:19 . 2008-07-14 17:19

2008-07-14 15:24 . 2008-07-14 15:24 0 -ra------ C:\logwmemory.bin

2008-07-14 15:23 . 2008-07-14 15:23

2008-07-14 15:23 . 2008-07-14 15:23

2008-07-14 12:18 . 2008-07-14 12:19

2008-07-14 09:27 . 2008-07-14 09:27 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll

2008-07-14 08:50 . 2008-07-14 08:50

2008-07-14 08:50 . 2008-07-14 08:50

2008-07-14 08:50 . 2008-07-14 08:50

2008-07-14 08:50 . 2001-12-10 17:42 204,800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll

2008-07-14 08:50 . 2001-12-10 17:42 200,704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll

2008-07-14 08:50 . 2001-12-10 17:42 192,512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll

2008-07-14 08:50 . 2001-12-10 17:42 192,512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll

2008-07-14 08:50 . 2001-12-10 17:42 188,416 --a------ C:\WINDOWS\system32\IVIresizePX.dll

2008-07-14 08:50 . 2001-12-10 17:42 20,480 --a------ C:\WINDOWS\system32\IVIresize.dll

2008-07-14 08:46 . 2005-01-11 06:56 78,336 --a------ C:\WINDOWS\system32\SilSupp.cpl

2008-07-14 08:46 . 2005-01-19 11:30 67,200 -ra------ C:\WINDOWS\system32\drivers\SI3132.sys

2008-07-14 08:46 . 2004-11-01 08:21 10,368 -ra------ C:\WINDOWS\system32\drivers\SiWinAcc.sys

2008-07-14 08:44 . 2006-06-17 14:36 83,968 -ra------ C:\WINDOWS\system32\drivers\Rtenicxp.sys

2008-07-14 08:43 . 2005-06-21 16:47 6,016 --------- C:\WINDOWS\system32\drivers\ALLOW-IO.SYS

2008-07-14 08:31 . 2008-07-14 09:16

2008-07-14 08:31 . 2008-07-16 19:35

2008-07-14 08:31 . 2008-07-14 08:31 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll

2008-07-14 08:13 . 2008-07-16 18:10

2008-07-14 08:06 . 2008-07-14 08:06

2008-07-14 08:06 . 2008-07-14 08:06 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav

2008-07-14 08:06 . 2008-07-14 08:06 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav

2008-07-14 08:06 . 2008-07-14 08:06 73,728 --a------ C:\WINDOWS\ALCFDRTM.EXE

2008-07-14 08:04 . 2007-11-14 15:18 553 --a------ C:\WINDOWS\USetup.iss

2008-07-14 08:02 . 2008-07-14 08:02

2008-07-14 08:02 . 2008-07-16 18:05

2008-07-14 08:00 . 2008-07-14 08:00

2008-07-14 08:00 . 2008-07-14 08:01

2008-07-14 08:00 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys

2008-07-13 22:16 . 2008-07-13 22:16

2008-07-13 22:16 . 2008-07-13 22:16

2008-07-13 22:15 . 2008-07-13 22:15

2008-07-13 22:14 . 2008-07-13 22:14

2008-07-13 22:14 . 2008-05-16 11:48 446,464 --a------ C:\WINDOWS\system32\NVUNINST.EXE

2008-07-13 22:14 . 2008-05-16 14:01 446,464 --a------ C:\WINDOWS\system32\nvudisp.exe

2008-07-13 22:14 . 2008-07-16 19:42 186,500 --a------ C:\WINDOWS\system32\nvapps.xml

2008-07-13 22:14 . 2008-05-16 14:01 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu

2008-07-13 22:13 . 2008-07-14 08:47

2008-07-13 22:13 . 2008-07-13 22:13

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-16 17:36 --------- d-----w C:\Program Files\Neostrada TP

2008-07-14 06:02 315,392 ----a-w C:\WINDOWS\HideWin.exe

2008-07-13 19:53 --------- d-----w C:\Program Files\ZTE Corporation

2008-07-13 19:48 --------- d-----w C:\Program Files\microsoft frontpage

2008-07-13 19:46 --------- d-----w C:\Program Files\Usługi online

2008-05-16 12:01 6,557,408 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]

"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 12:29 220544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CnxDslTaskBar"="C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe" [2005-07-21 20:52 278528]

"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2005-07-21 08:33 20480]

"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2005-07-21 08:33 53248]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]

"WinDVR SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2004-09-08 20:51 106496]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]

"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]

"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-11-02 08:55 1397760]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2005-04-12 10:11 229376]

"nwiz"="nwiz.exe" [2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe]

"RTHDCPL"="RTHDCPL.EXE" [2008-03-26 16:14 16859136 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Documents and Settings\C2D\Pulpit`\Repair.exe"=

"C:\Program Files\BitComet\BitComet.exe"=

"C:\Soldat\Soldat.exe"=

"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=

"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"=

"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12226:TCP"= 12226:TCP:BitComet 12226 TCP

"12226:UDP"= 12226:UDP:BitComet 12226 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-12 18:36]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-12 18:38]

R3 Cap7134;%Cap7134.DeviceDescProt%;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-08-15 18:31]

R3 CnxEtP;ZTE ZXDSL852 Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2005-05-20 18:27]

R3 CnxEtU;ZTE ZXDSL852 Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2005-05-20 18:27]

R3 CnxTgNW;ZTE ZXDSL852 WAN PPPoA Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgNW.sys [2005-05-20 18:28]

R3 PhTvTune;WDM TVTuner;C:\WINDOWS\system32\DRIVERS\PhTvTune.sys [2003-08-15 18:33]

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{264BFEF2-1935-497C-9FD4-6EEF1FAA2764} - C:\WINDOWS\qndsfmao.dll

HKCU-Run-s9201 - C:\Documents and Settings\All Users\Dane aplikacji\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe

HKLM-Run-wvremcon - C:\WINDOWS\wvremcon.exe

HKLM-Run-38991291 - C:\WINDOWS\system32\oifpjdqy.dll

SSODL-evgratsm-{718328C9-E163-4FD8-9ABB-55774973E880} - C:\WINDOWS\evgratsm.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-16 19:42:24

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\ComboFix\temp00

scan completed successfully

hidden files: 1

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\ALCFDRTM.EXE

C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

C:\PROGRA~1\NEOSTR~1\ComComp.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

.

**************************************************************************

.

Completion time: 2008-07-16 19:44:41 - machine was rebooted

ComboFix-quarantined-files.txt 2008-07-16 17:43:44

Pre-Run: 199,928,463,360 bajtów wolnych

Post-Run: 199,914,180,608 bajtów wolnych

246 --- E O F --- 2008-07-15 07:43:24

Log2

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:47, on 2008-07-16

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\lg_fwupdate\fwupdate.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\WINDOWS\ALCFDRTM.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

C:\PROGRA~1\NEOSTR~1\ComComp.exe

C:\PROGRA~1\NEOSTR~1\Watch.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\BitComet\BitComet.exe

C:\Program Files\BitComet\tools\UPNP.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\C2D\USTAWI~1\Temp\Rar$EX00.578\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O4 - HKLM..\Run: [CnxDslTaskBar] "C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe" "ZTE Corporation\ZXDSL852"

O4 - HKLM..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM..\Run: [nwiz] nwiz.exe /install

O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"

O4 - HKLM..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Download with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: Download all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: Download all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Eksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)

O17 - HKLM\System\CCS\Services\Tcpip..{21783BC8-DB1F-4F8D-9DF9-7B971BAF3CB5}: NameServer = 194.204.159.1 217.98.63.164

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--

End of file - 6860 bytes


(Dmirecki) #4

Download ComboFix, but don't run it.

Paste into Notepad:

File::

C:\WINDOWS\agpqlrfm.exe

File -> Save as -> CFScript.txt

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, as shown here ->

88953CFScript-createdbyMiekiemoes.gif

Removal should start and a log will be produced; post that log on the forum + a new HijackThis log.

If everything goes well, after the restart manually delete the folder C:\Qoobox