Problem with Virtumode and Virtumode.sci


(system) #1

Hi, I have the following problem with Virtumode and Virtumode.sci. Spybot found it and I could not remove it; I also scanned with Ashampoo antivirus and it could not be removed either. In general this junk slows down my machine and opens websites on its own.

I am attaching a HijackThis log; I hope you can help me remove it somehow. PS: (I tried deleting the files and registry entries manually.)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:53:42, on 2008-12-06

Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 SP3 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe

F:\Gadu-Gadu\gg\gg.exe

C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Internet Download Manager\IEMonitor.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program Files\Vidalia Bundle\Tor\tor.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\foobar2000\foobar2000.exe

C:\Program Files\Last.fm\LastFM.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

c:\program files\common files\installshield\updateservice\isuspm.exe

C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource= ... =CT1098640

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsmx.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)

O1 - Hosts: 64.91.255.87 http://www.dcsresearch.com

O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE

O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

O4 - HKLM..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe"

O4 - HKLM..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Security Suite Pro\feedback.exe" /dump:os_startup

O4 - HKLM..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM..\Run: [OutpostMonitor] "C:\Program Files\Agnitum\Outpost Security Suite Pro\op_mon.exe" /tray /noservice

O4 - HKCU..\Run: [Gadu-Gadu] "F:\Gadu-Gadu\gg\gg.exe" /tray

O4 - HKCU..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

O4 - HKCU..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"

O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKCU..\Run: [Total CMA Pack] C:\Program Files\Total CMA Pack\Total CMA Pack.exe

O4 - HKUS\S-1-5-19..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User '?')

O4 - HKUS\S-1-5-19..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')

O4 - HKUS\S-1-5-20..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User '?')

O4 - HKUS\S-1-5-21-299502267-152049171-1417001333-1001..\Run: [Gadu-Gadu] "F:\Gadu-Gadu\gg\gg.exe" /tray (User '?')

O4 - HKUS\S-1-5-21-299502267-152049171-1417001333-1001..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot (User '?')

O4 - HKUS\S-1-5-21-299502267-152049171-1417001333-1001..\Run: [Total CMA Pack] C:\Program Files\Total CMA Pack\Total CMA Pack.exe (User '?')

O4 - HKUS\S-1-5-18..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User '?')

O4 - HKUS.DEFAULT..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O4 - S-1-5-21-299502267-152049171-1417001333-1001 Startup: Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User '?')

O4 - Startup: Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ashampoo AntiVirus Service.lnk = C:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe

O8 - Extra context menu item: Ściągnij przez IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O8 - Extra context menu item: Ściągnij wszystkie linki przez IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Ściągnij zawartość wideo FLV przez IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL

O20 - AppInit_DLLs: iiyozx.dll dcdndg.dll nmnngj.dll qagjif.dll

O23 - Service: Usługa bramy warstwy aplikacji (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avGuard Service (avGuard) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--

End of file - 9548 bytes


(Olixxx94) #2

Fix it in HijackThis. Post a ComboFix log.


(system) #3

ComboFix 08-12-05.06 - User 2008-12-06 16:34:22.1 - NTFSx86

Uruchomiony z: c:\documents and settings\User\Moje dokumenty\Downloads\Programs\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\User\Dane aplikacji.#

c:\windows\dcstds3.dll

c:\windows\system\oeminfo.ini

c:\windows\system32\cfillnmp.ini

c:\windows\system32\cfillnmp.ini2

c:\windows\system32\fpexxycy.ini

c:\windows\system32\movpwfws.dll

c:\windows\system32\pmnllifc.dll

c:\windows\system32\pqjaqy.dll

c:\windows\system32\qagjif.dll

c:\windows\system32\snjvuvup.dll

c:\windows\system32\ssqOICRh.dll

c:\windows\system32\tgmlgamo.dll

c:\windows\system32\tuvULCvu.dll

c:\windows\system32\ulvqwebx.dll

c:\windows\system32\ycyxxepf.dll

c:\windows\system32\zthjpr.dll

c:\windows\Tasks\dxazyhdp.job

c:\windows\Tasks\tfloqfeg.job

.

((((((((((((((((((((((((( Pliki utworzone od 2008-11-06 do 2008-12-06 )))))))))))))))))))))))))))))))

.

2009-11-27 14:20 . 2008-09-12 11:44 206,256 --a------ c:\windows\system32\idmmbc.dll

2008-12-06 16:38 . 2008-12-06 16:38

2008-12-06 16:38 . 2008-12-06 16:38

2008-12-06 16:38 . 2008-12-06 16:38

2008-12-06 16:29 . 2008-12-06 16:30

2008-12-06 07:39 . 2008-12-06 16:38 0 --a------ C:\log.tmp

2008-12-05 12:46 . 2008-12-05 12:46

2008-12-05 10:13 . 2008-12-05 10:13 42 --a------ c:\windows\system32\RegistryEasy.lie

2008-12-05 10:12 . 2008-12-05 11:12

2008-12-04 18:31 . 2008-12-06 00:27 27,801,632 --ahs---- c:\windows\system32\drivers\fidbox.dat

2008-12-04 18:31 . 2008-12-06 00:27 328,964 --ahs---- c:\windows\system32\drivers\fidbox.idx

2008-12-04 17:59 . 2008-12-04 17:59

2008-12-04 14:56 . 2008-12-04 14:56

2008-12-04 14:55 . 2008-12-04 14:55

2008-12-02 13:44 . 2008-04-14 20:50 21,504 --a------ c:\windows\system32\hidserv.dll

2008-12-02 13:44 . 2008-04-14 19:50 14,720 --a------ c:\windows\system32\drivers\kbdhid.sys

2008-12-02 13:40 . 2008-12-02 13:40

2008-12-02 13:40 . 2008-12-02 13:40

2008-12-02 13:09 . 2008-12-02 13:09 749 -rah----- c:\windows\WindowsShell.Manifest

2008-12-02 13:09 . 2008-12-02 13:09 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest

2008-12-02 13:09 . 2008-12-02 13:09 749 -rah----- c:\windows\system32\sapi.cpl.manifest

2008-12-02 13:09 . 2008-12-02 13:09 749 -rah----- c:\windows\system32\nwc.cpl.manifest

2008-12-02 13:09 . 2008-12-02 13:09 749 -rah----- c:\windows\system32\ncpa.cpl.manifest

2008-12-02 13:09 . 2008-12-02 13:09 488 -rah----- c:\windows\system32\logonui.exe.manifest

2008-12-02 12:49 . 2008-06-16 02:28 35,328 --a------ c:\windows\system32\irclass.dll

2008-12-02 12:49 . 2008-06-16 02:28 24,661 --a------ c:\windows\system32\spxcoins.dll

2008-12-01 11:50 . 2008-12-01 11:50

2008-12-01 11:49 . 2008-12-01 11:49 123 --a------ c:\windows\Winchat.ini

2008-12-01 11:45 . 2008-12-04 14:05 258 --a------ c:\windows\wininit.ini

2008-12-01 09:36 . 2008-12-05 11:08

2008-11-30 15:57 . 2008-11-30 16:04

2008-11-30 13:59 . 2008-11-30 14:35

2008-11-30 10:31 . 2008-11-30 10:31

2008-11-30 10:29 . 2008-11-30 10:38 519 --a------ C:\hpfr3420.xml

2008-11-30 10:28 . 2003-04-07 07:21 233,528 -ra------ c:\windows\system32\HPZidr12.dll

2008-11-30 10:28 . 2003-04-07 07:21 167,936 -ra------ c:\windows\system32\HPZipr12.dll

2008-11-30 10:28 . 2003-04-07 07:21 94,208 -ra------ c:\windows\system32\HPZipt12.dll

2008-11-30 10:28 . 2003-04-07 07:21 65,795 -ra------ c:\windows\system32\HPZipm12.exe

2008-11-30 10:28 . 2003-04-07 07:21 61,699 -ra------ c:\windows\system32\HPZinw12.exe

2008-11-30 10:28 . 2003-04-07 07:21 57,344 -ra------ c:\windows\system32\HPZisn12.dll

2008-11-30 10:28 . 2003-04-07 07:21 51,024 -ra------ c:\windows\system32\drivers\hpzid412.sys

2008-11-30 10:28 . 2003-04-07 07:21 16,080 -ra------ c:\windows\system32\drivers\HPZipr12.sys

2008-11-30 10:26 . 2008-04-13 22:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys

2008-11-30 10:26 . 2003-04-07 07:21 21,456 -ra------ c:\windows\system32\drivers\HPZius12.sys

2008-11-30 10:26 . 2008-04-13 22:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys

2008-11-29 15:06 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll

2008-11-29 14:44 . 2008-11-29 14:44

2008-11-29 14:44 . 2008-11-29 14:44

2008-11-29 14:42 . 2008-11-29 14:42

2008-11-29 04:40 . 2008-11-29 04:40

2008-11-29 04:10 . 2008-11-29 04:10 82,380 --a------ c:\windows\system32\drivers\AFS2K.SYS

2008-11-29 04:07 . 2008-11-29 04:07

2008-11-29 04:04 . 2008-11-29 04:10

2008-11-29 04:01 . 2008-11-29 04:11 20,458 --a------ c:\windows\hpoins01.dat

2008-11-29 04:01 . 2003-04-07 07:31 16,622 --------- c:\windows\hpomdl01.dat

2008-11-28 22:50 . 2008-11-28 22:50

2008-11-28 22:50 . 2008-03-12 15:38 9,344 --a------ c:\windows\system32\drivers\AshAvScan.sys

2008-11-28 14:30 . 2008-12-01 09:07

2008-11-28 14:14 . 2008-11-28 14:14

2008-11-28 13:54 . 2008-11-30 14:59

2008-11-28 09:29 . 2008-11-28 09:29

2008-11-28 09:13 . 2008-11-28 09:13

2008-11-28 09:12 . 2008-11-29 14:43

2008-11-28 09:10 . 2008-11-29 15:07

2008-11-28 09:09 . 2008-11-28 09:09

2008-11-28 05:27 . 2008-12-06 07:38

2008-11-27 06:39 . 2008-11-27 06:39

2008-11-25 05:58 . 2008-11-26 02:13

2008-11-25 05:58 . 2008-11-25 06:35

2008-11-25 05:58 . 2008-12-06 16:36

2008-11-22 17:20 . 2008-11-22 17:20

2008-11-22 17:11 . 2008-11-22 17:11

2008-11-22 17:09 . 2008-11-22 17:09

2008-11-22 17:09 . 2008-11-22 17:09

2008-11-21 13:43 . 2008-11-21 13:43

2008-11-21 13:43 . 2008-11-21 13:43

2008-11-21 13:42 . 2008-12-01 08:56

2008-11-21 13:42 . 2008-11-21 13:43

2008-11-21 04:01 . 2008-11-21 04:01

2008-11-21 02:24 . 2008-11-21 02:24 1,193 --a------ c:\windows\bestplayer.ini

2008-11-21 02:24 . 2008-11-21 02:24 187 --a------ c:\windows\bestplayer.bbt

2008-11-21 02:24 . 2008-11-21 02:24 91 --a------ c:\windows\bestplayer.bpp

2008-11-20 17:52 . 2008-11-20 18:18 709 --a------ c:\windows\CoD.INI

2008-11-20 17:49 . 2008-11-20 17:49

2008-11-20 17:49 . 2008-11-20 17:49

2008-11-20 17:49 . 1998-10-29 15:45 306,688 --a------ c:\windows\IsUninst.exe

2008-11-20 17:22 . 2008-11-20 17:49

2008-11-20 04:35 . 2008-11-20 04:35

2008-11-20 04:35 . 2008-11-20 04:35

2008-11-20 04:35 . 2008-11-20 04:35

2008-11-20 04:35 . 2008-11-20 04:35

2008-11-20 03:18 . 2008-12-06 16:37

2008-11-20 03:16 . 2008-11-20 03:16

2008-11-20 03:16 . 2008-12-06 07:43

2008-11-19 22:12 . 2008-11-28 14:01

2008-11-19 00:00 . 2008-12-03 13:32 49 --a------ c:\windows\NeroDigital.ini

2008-11-18 21:48 . 2008-11-18 21:58 664 --a------ c:\windows\system32\d3d9caps.dat

2008-11-18 21:26 . 2008-11-18 21:26

2008-11-18 21:11 . 2008-11-18 21:11 0 --a------ c:\windows\ativpsrm.bin

2008-11-18 18:54 . 2008-11-18 18:54

2008-11-18 18:54 . 2008-11-18 18:54

2008-11-18 18:54 . 2008-11-18 18:54

2008-11-18 18:50 . 2008-11-18 18:50 716,272 --a------ c:\windows\system32\drivers\sptd.sys

2008-11-18 15:12 . 2008-11-18 15:12

2008-11-18 15:00 . 2008-11-18 15:00

2008-11-18 14:57 . 2008-11-18 14:57

2008-11-18 14:57 . 2008-11-18 14:57

2008-11-18 14:57 . 2001-07-06 14:41 569,344 --a------ c:\windows\system32\imagr5.dll

2008-11-18 14:57 . 2001-07-06 12:44 544,768 --a------ c:\windows\system32\imagx5.dll

2008-11-18 14:57 . 2001-07-06 18:24 283,920 --a------ c:\windows\system32\ImagXpr5.dll

2008-11-18 14:57 . 2001-07-09 11:50 155,648 --a------ c:\windows\system32\NeroCheck.exe

2008-11-18 14:57 . 2000-06-26 11:45 106,496 --a------ c:\windows\system32\TwnLib20.dll

2008-11-18 14:57 . 2001-06-26 08:15 38,912 --a------ c:\windows\system32\picn20.dll

2008-11-18 13:10 . 2008-12-02 13:11

2008-11-17 23:42 . 2008-11-17 23:45 266 --a------ c:\windows\WINCMD.INI

2008-11-17 21:35 . 2008-11-17 22:50

2008-11-17 21:33 . 2008-11-17 21:33

2008-11-17 21:26 . 2004-07-19 16:19 285,696 --a------ c:\windows\system32\kstvtune.ax

2008-11-17 21:26 . 2004-07-09 04:26 226,304 --a------ c:\windows\system32\kswdmcap.ax

2008-11-17 21:26 . 2004-07-09 04:26 83,968 --a------ c:\windows\system32\drivers\nabtsfec.sys

2008-11-17 21:26 . 2004-07-09 04:26 52,096 --a------ c:\windows\system32\drivers\msdv.sys

2008-11-17 21:26 . 2004-07-09 04:26 39,424 --a------ c:\windows\system32\ksxbar.ax

2008-11-17 21:26 . 2004-07-09 04:26 18,688 --a------ c:\windows\system32\drivers\wstcodec.sys

2008-11-17 21:26 . 2004-07-09 04:26 16,384 --a------ c:\windows\system32\drivers\ccdecode.sys

2008-11-17 21:26 . 2002-12-12 00:14 5,504 --a------ c:\windows\system32\drivers\mstee.sys

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-04 19:52 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy

2008-12-02 11:59 --------- d-----w c:\program files\Windows Media Connect 2

2008-11-28 13:01 --------- d-----w c:\program files\NAPI-PROJEKT

2008-11-28 13:01 --------- d-----w c:\program files\Last.fm

2008-11-28 04:16 --------- d-----w c:\program files\Kaspersky Lab

2008-11-22 16:11 --------- d-----w c:\program files\Common Files\InstallShield

2008-11-22 03:30 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-11-18 18:56 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-18 12:18 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files

2008-11-14 14:21 --------- d-----w c:\program files\D-Tools

2008-11-14 14:19 --------- d-----w c:\program files\DivX

2008-11-14 13:58 --------- d-----w c:\program files\Terayon

2008-11-14 13:56 --------- d-----w c:\program files\Creative

2008-11-14 13:55 --------- d-----w c:\documents and settings\User\Dane aplikacji\Creative

2008-11-14 13:49 --------- d-----w c:\program files\Common Files\Softwin

2008-11-14 13:46 --------- d-----w c:\program files\VideoLAN

2008-11-14 13:46 --------- d-----w c:\program files\SubEdit-Player

2008-11-14 13:46 --------- d-----w c:\program files\Real Alternative

2008-11-14 13:46 --------- d-----w c:\documents and settings\User\Dane aplikacji\vlc

2008-11-14 13:46 --------- d-----w c:\documents and settings\User\Dane aplikacji\Media Player Classic

2008-11-14 13:45 --------- d-----w c:\program files\Media Player Classic

2008-11-14 13:35 --------- d-----w c:\program files\Usługi online

2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\drivers\ati2mtag.sys

2008-10-29 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll

2008-06-16 01:28 999,936 ----a-w c:\windows\inf\syssbck.dll

.

------- Sigcheck -------

2007-07-10 18:06 642560 ce594e18fe0d0af804f1f3694921ce62 c:\windows\system32\user32.dll

2008-06-16 02:28 361344 030dc4d48cc2b894fee2f390d8e66ad5 c:\windows\system32\drivers\tcpip.sys

2008-06-16 02:28 549888 335813eacd16e84f3047a3326f6e5473 c:\windows\system32\winlogon.exe

2008-07-07 22:43 2074240 0dbf1939df18ac8f8c1e4bd63d7d4b0f c:\windows\system32\ntkrnlpa.exe

2008-07-06 22:44 2197376 37d5daaeda594b9bee00c82f185cc549 c:\windows\system32\ntoskrnl.exe

2008-06-27 04:36 1424896 4ec7ed41d95d18b3cd1a2bd9dfefb591 c:\windows\explorer.exe

2008-06-16 02:28 112128 37ed43f3dec4400586554d61c3129478 c:\windows\system32\wuauclt.exe

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gadu-Gadu"="f:\gadu-gadu\gg\gg.exe" [2007-11-14 2131392]

"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]

"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2008-09-03 4013511]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-11-24 2745776]

"Total CMA Pack"="c:\program files\Total CMA Pack\Total CMA Pack.exe" [2008-08-19 42401]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]

"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-24 344064]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]

"ASM"="c:\program files\AOL\Active Security Monitor\ASMonitor.exe" [2006-06-06 2341888]

"CTHelper"="CTHELPER.EXE" [2003-10-06 c:\windows\system32\CTHELPER.EXE]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

"nltide_3"="advpack.dll" [2008-06-16 c:\windows\system32\advpack.dll]

c:\documents and settings\User\Menu Start\Programy\Autostart\

Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]

Ashampoo AntiVirus Service.lnk - c:\program files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe [2008-11-28 669008]

hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 147456]

hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 28672]

Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

[HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\Network Diagnostic\xpnetdiag.exe"=

"%windir%\system32\sessmgr.exe"=

"c:\Program Files\uTorrent\uTorrent.exe"=

"f:\Gadu-Gadu\GG\GG.EXE"=

"d:\utorrent.exe"=

"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=

"c:\Program Files\Microsoft Office\Office12\GROOVE.EXE"=

"c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=

NETSVCS REQUIRES REPAIRS - current entries shown

6to4

AppMgmt

AudioSrv

Browser

CryptSvc

DMServer

DHCP

EventSystem

HidServ

Ias

Iprip

Irmon

LanmanServer

LanmanWorkstation

Netman

Nla

Ntmssvc

NWCWorkstation

Nwsapagent

Rasauto

Rasman

Remoteaccess

Schedule

Seclogon

SENS

Sharedaccess

SRService

Tapisrv

TrkWks

W32Time

WZCSVC

Wmi

WmdmPmSp

winmgmt

xmlprov

napagent

hkmsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b4386dd-b256-11dd-943a-806d6172696f}]

\Shell\AutoRun\command - j:\programs\nu2menu\nu2menu.exe

*Newly Created Service* - HELPSVC

.

Zawartość folderu 'Zaplanowane zadania'

2008-11-30 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1228037316.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

.

- - - - USUNIĘTO PUSTE WPISY - - - -

URLSearchHooks-{ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)

BHO-{150C0BA4-C4EB-48B0-AECD-41FA75554F9D} - (no file)

BHO-{1BD410FF-B93A-44D3-BA75-DDDE70C1D722} - (no file)

BHO-{26EE2A33-AAA8-4614-B67B-A26F6815DEA0} - (no file)

BHO-{2916996F-B167-4943-B175-096D8B3F7A0A} - (no file)

BHO-{294D9F46-EE1A-47F2-9043-8DA7F765F66E} - c:\windows\system32\pmnllifc.dll

BHO-{33C00E76-9E62-46B1-8137-3DA064B14057} - (no file)

BHO-{5F7E0883-141A-4EF5-8C69-4F5953B0BB25} - (no file)

BHO-{601BADE8-CF34-49EA-BB94-BF39138974B6} - (no file)

BHO-{667E8798-ADD4-48E4-B56C-A5F16D8394E8} - (no file)

BHO-{73D61539-297B-4E01-8A56-FF9061B8872C} - (no file)

BHO-{7680684E-975C-4340-A429-49C29DE82E18} - (no file)

BHO-{7E7008D0-581A-4409-A4EF-66B1BE6D4BA4} - (no file)

BHO-{8875BF4F-913E-456D-B50B-66D2F2FE0E5A} - (no file)

BHO-{8929DFB1-C922-4B88-8D5F-4396AA4EE59B} - (no file)

BHO-{8D6FED33-E82B-46B7-9FD8-4375B9344EA8} - (no file)

BHO-{906846f5-fbee-47c4-af1c-94ffe7d3efbb} - c:\windows\system32\qagjif.dll

BHO-{91463db9-9a64-4329-8b5d-ebf4b3779da3} - (no file)

BHO-{93605fdd-f2ac-4cb1-be74-54fc724ce3b8} - (no file)

BHO-{a33fa132-deca-4819-b661-294a8e676f77} - (no file)

BHO-{AF209DB6-29BB-4F8B-84E8-2056EA999610} - c:\windows\system32\tuvULCvu.dll

BHO-{BBF54107-2AFA-486D-9C58-EBF44C6A0483} - (no file)

BHO-{C80F327B-7205-4328-B3DB-1BDD7E9C5B13} - (no file)

BHO-{D0316BA8-1659-4033-AF2A-4C42D0A6B4C9} - (no file)

BHO-{D0692152-4A96-4391-9DDA-9C7A2B643587} - (no file)

BHO-{E4A6E463-BD55-42C5-B01F-E9382E9F8ECB} - (no file)

BHO-{E5D2D611-224A-40FA-A586-808A7913810E} - (no file)

BHO-{ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)

WebBrowser-{ECDEE021-0D17-467F-A1FF-C7A115230949} - (no file)

HKLM-Run-OutpostFeedBack - c:\program files\Agnitum\Outpost Security Suite Pro\feedback.exe

HKLM-Run-avgnt - c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

HKLM-Run-OutpostMonitor - c:\program files\Agnitum\Outpost Security Suite Pro\op_mon.exe

ShellExecuteHooks- - (no file)

ShellExecuteHooks-{AF209DB6-29BB-4F8B-84E8-2056EA999610} - c:\windows\system32\tuvULCvu.dll

SSODL-- - (no file)

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://search.conduit.com?SearchSource= ... =CT1098640

uInternet Connection Wizard,ShellNext = hxxp://windowsmx.pl/

IE: &Winamp Search

IE: Download with IDM

IE: Ściągnij przez IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: Ściągnij wszystkie linki przez IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Ściągnij zawartość wideo FLV przez IDM - c:\program files\Internet Download Manager\IEGetVL.htm

FireFox -: Profile - c:\documents and settings\User\Dane aplikacji\Mozilla\Firefox\Profiles\kjy2ov5m.default\

FF -: plugin - c:\program files\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll

FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-06 16:38:45

Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - > 'winlogon.exe'(900)

c:\windows\system32\sfc_os.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\cscui.dll

- - - > 'lsass.exe'(956)

c:\windows\system32\scecli.dll

.

------------------------ Pozostałe uruchomione procesy ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2sgag.exe

c:\program files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe

c:\windows\system32\CTSVCCDA.EXE

c:\windows\system32\mnmsrvc.exe

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

c:\combofix\pv.cfexe

.

**************************************************************************

.

Czas ukończenia: 2008-12-06 16:39:49 - komputer został uruchomiony ponownie

ComboFix-quarantined-files.txt 2008-12-06 15:39:47

Przed: 1 263 165 440 bajtów wolnych

Po: 1,197,928,448 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

386


(huber2t) #4

Download ComboFix, but do not run it.

Paste the following into Notepad:

File::


Folder::

C:\32788R22FWJFW


Registry::

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b4386dd-b256-11dd-943a-806d6172696f}]

File -> Save As -> CFScript.txt.

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like here ->

cfscript10uc2.gif

The removal will start and a log will be produced, which you then post on the forum.

Post the logs on http://wklej.eu or http://wklej.org and put only the link in your post.


(system) #5

I did as instructed. Spybot no longer detects this nasty thing, but there was a problem with the system booting, so I reinstalled it and I think everything runs fine now. I am adding the log from after this procedure:

http://wklej.eu/index.php?id=8375bc97c1


(huber2t) #6

Start >> Run >> cmd

sc stop ute4odky

sc delete ute4odky

press Enter after each line

Manually delete the C:\Qoobox folder and delete the ComboFix installer from the disk.

Clean the computer with CCleaner.

Optimize the startup entries.

Turn System Restore off and back on for all drives. Instructions

Scan the whole computer with http://www.kaspersky.pl/virusscanner.html and post its report on the forum

or

Dr.WEB CureIt!


(system) #7

Thanks for the help. ComboFix removed the infected files. I scanned with Spybot and CCleaner and it is back in order; I reinstalled the system and everything runs normally now. Many thanks for the help.

There is only one small leftover in the registry that I noticed:

Virtumonde.sci: [sBI $DDBC0B5E] Program pomocniczy przeglądarki (Klucz rejestru, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF209DB6-29BB-4F8B-84E8-2056EA999610}

edit

Please do not post one post after another. That is what the "edit" function is for.

(adpawl)
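As an added example, not part of this thread, here is a defender-side triage script for the log types exchanged above: it parses the HijackThis log from post #1 (flagging the AppInit_DLLs, hosts-file and dangling "(no file)" entries a responder looks at first), cross-checks the AppInit DLL names against the files ComboFix reported removed in post #3, and checks whether the BHO key Spybot still reported in post #7 belonged to a DLL ComboFix had already deleted, which is what makes it a harmless orphaned registration. All sample lines are excerpts constructed from this thread's own logs; the function names are mine.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpts of the two logs quoted in this thread (HijackThis in post #1,
# ComboFix in post #3). Only the lines that matter for the triage are reproduced.
HJT_SAMPLE = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://search.conduit.com?SearchSource=
R3 - URLSearchHook: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
O1 - Hosts: 64.91.255.87 http://www.dcsresearch.com
O4 - HKLM..\\Run: [ATIPTA] "C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
O20 - AppInit_DLLs: iiyozx.dll dcdndg.dll nmnngj.dll qagjif.dll
O23 - Service: ALG - Unknown owner - C:\\WINDOWS\\System32\\alg.exe (file missing)
"""

COMBOFIX_SAMPLE = """\
c:\\windows\\system32\\qagjif.dll
c:\\windows\\system32\\tuvULCvu.dll
c:\\windows\\Tasks\\dxazyhdp.job
BHO-{906846f5-fbee-47c4-af1c-94ffe7d3efbb} - c:\\windows\\system32\\qagjif.dll
BHO-{AF209DB6-29BB-4F8B-84E8-2056EA999610} - c:\\windows\\system32\\tuvULCvu.dll
ShellExecuteHooks-{AF209DB6-29BB-4F8B-84E8-2056EA999610} - c:\\windows\\system32\\tuvULCvu.dll
"""

# The leftover Spybot reported in post #7: a BHO registry key with no DLL behind it any more.
SPYBOT_LEFTOVER_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
    r"\Browser Helper Objects\{AF209DB6-29BB-4F8B-84E8-2056EA999610}"
)

HJT_LINE = re.compile(r"^([RO]\d+) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    reason: str    # why the entry was flagged
    detail: str    # the DLL name, hosts entry or full line


def parse_hjt(text: str) -> list[tuple[str, str]]:
    """Split a HijackThis log into (section, body) pairs, e.g. ('O20', 'AppInit_DLLs: ...')."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage_hjt(text: str) -> list[Finding]:
    """Flag the entry types a responder looks at first in a Vundo-style infection."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL listed here is loaded into every process that loads user32.dll,
            # which is why a non-empty AppInit_DLLs value is always worth a look.
            for dll in body.split(":", 1)[1].split():
                findings.append(Finding(section, "AppInit_DLLs injection", dll))
        elif section == "O1":
            # A hosts-file entry silently redirects a hostname to a fixed address.
            findings.append(Finding(section, "hosts file override", body.split(":", 1)[1].strip()))
        elif "(no file)" in body or "(file missing)" in body:
            # Dangling registration: the component is gone but its key remains.
            findings.append(Finding(section, "dangling reference", body))
    return findings


def removed_paths(combofix_text: str) -> set[str]:
    """Lower-cased file paths that the ComboFix 'removed' section lists on their own line."""
    return {line.strip().lower() for line in combofix_text.splitlines()
            if line.strip().lower().startswith("c:\\")}


def match_appinit_to_removed(findings: list[Finding], combofix_text: str) -> dict[str, str]:
    """Map each flagged AppInit DLL name to the ComboFix-deleted path with that file name, if any."""
    by_name = {p.rsplit("\\", 1)[-1]: p for p in removed_paths(combofix_text)}
    return {f.detail: by_name[f.detail.lower()]
            for f in findings
            if f.reason == "AppInit_DLLs injection" and f.detail.lower() in by_name}


def clsid_dll_removed(combofix_text: str, registry_key: str) -> bool:
    """True if the CLSID of a leftover BHO key appears in ComboFix's deleted-BHO lines."""
    m = CLSID.search(registry_key)
    if not m:
        return False
    clsid = m.group(0).lower()
    return any(clsid in line.lower() and line.lower().startswith("bho-")
               for line in combofix_text.splitlines())


if __name__ == "__main__":
    found = triage_hjt(HJT_SAMPLE)
    for f in found:
        print(f"{f.section:4} {f.reason:24} {f.detail}")
    print("AppInit DLLs confirmed deleted by ComboFix:", match_appinit_to_removed(found, COMBOFIX_SAMPLE))
    print("Spybot leftover key points at a DLL ComboFix deleted:", clsid_dll_removed(COMBOFIX_SAMPLE, SPYBOT_LEFTOVER_KEY))
```

Running it shows that only one of the four AppInit DLL names (qagjif.dll) appears in the constructed removed-files excerpt, so the other three would still need a file-system check, and that the key Spybot reported in post #7 matches the BHO whose DLL ComboFix deleted.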