Problem z wirusem Win32.Adware.Virtumonde

Dla specjalistów Bezpieczeństwo
#1

NOD wykrył mi wczoraj wirusa i nie mogę go usunąć. Komputer się tnie, internet nie działa. Jestem na skraju wyczerpania nerwowego ;p

Korzystam z drugiego starego kompa i szukam pomocy na stronach. Jednak nie bardzo znam się ta tych wszystkich sprawach z oprogramowaniem itp.

Skanowałam komputer milionem programów i NIC. Dodam że korzystam z Windows Vista.

Czytałam coś o jakichś logach no i coś tam stworzyłam:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:48:31, on 2008-08-17

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Windows\ehome\ehtray.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\Users\TADEUS~1\AppData\Local\Temp\Rar$EX00.273\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= … &pf=laptop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= … &pf=laptop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= … &pf=laptop

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll

O1 - Hosts: ::1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {9AAA5AFE-38DE-40FF-A8C6-7FB2D35DDB8E} - C:\Windows\system32\cbXrPIbX.dll

O2 - BHO: (no name) - {AC84733C-0BF8-4C91-BEAD-CB227F0CF48A} - C:\Users\Tadeusz Karwowski\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R3TUDRZ4\3077htsbdjyf[1].dll

O2 - BHO: (no name) - {B5B7A84B-9E63-4B7E-8DE3-5EEDE7B248D2} - C:\Windows\system32\jftlqpsd.dll

O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O4 - HKLM…\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM…\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM…\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM…\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM…\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM…\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM…\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM…\Run: [QPService] “C:\Program Files\HP\QuickPlay\QPService.exe”

O4 - HKLM…\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM…\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

O4 - HKLM…\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM…\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

O4 - HKLM…\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

O4 - HKLM…\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM…\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

O4 - HKLM…\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

O4 - HKLM…\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe”

O4 - HKLM…\Run: [egui] “C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe” /hide /waitservice

O4 - HKLM…\Run: [MSServer] rundll32.exe C:\Windows\system32\efcDSLdb.dll,#1

O4 - HKLM…\Run: [47f27340] rundll32.exe “C:\Windows\system32\yrebenwo.dll”,b

O4 - HKLM…\Run: [bM44c140dc] Rundll32.exe “C:\Windows\system32\tvxofuip.dll”,s

O4 - HKCU…\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU…\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19…\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘LOCAL SERVICE’)

O4 - HKUS\S-1-5-19…\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘LOCAL SERVICE’)

O4 - HKUS\S-1-5-20…\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘NETWORK SERVICE’)

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll

O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O13 - Gopher Prefix:

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resourc … den-us.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game09.zylom.com/activex/zylomgamesplayer.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe

O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

End of file - 10394 bytes

Ponadto przy uruchamianiu komputera pojawia się :

[.ShellClassInfo]

LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

Pomocy

#2

fix w hijackthis

Pobierz ComboFix, ale nie uruchamiaj

Otwórz notatnik i wklej do niego:

File::

C:\Windows\system32\cbXrPIbX.dll

C:\Users\Tadeusz Karwowski\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R3TUDRZ4\3077htsbdjyf1.dll

C:\Windows\system32\jftlqpsd.dll

C:\Windows\system32\efcDSLdb.dll

C:\Windows\system32\yrebenwo.dll

C:\Windows\system32\tvxofuip.dll

Plik -> zapisz jako -> CFScript.txt.

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu->

cfscript10uc2.gif

Rozpocznie się usuwanie i powstanie log, który dasz na forum.

Logi dajesz na http://wklejto.pl lub na http://wklej.org a w poście dajesz tylko link

#3

wpisy

usuń HijackThisem >> Fix checked

Pobierz Combofix http://www.searchengines.pl/index.php?s … ntry395642 ale nie włączaj.

Otwórz notatnik i wklej

zapisz jako CFScript.txt (zapisz by ikonka CFScript.txt była obok ikonki ComboFix.exe) >> Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe

http://img.wklej.org/images/88953CFScri … iemoes.gif

Powinno rozpocząć się usuwanie

Potem log z usuwania Combofix

:slight_smile:

#4

wielkie dzięki, postaram się tak zrobić.

#5

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:16:31, on 2008-08-17

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Windows\RtHDVCpl.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\Explorer.exe

C:\Windows\system32\rundll32.exe

C:\Users\TADEUS~1\AppData\Local\Temp\Rar$EX00.335\HijackThis.exe

C:\Windows\explorer.exe

C:\Windows\System32\mobsync.exe

C:\Windows\system32\conime.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= … &pf=laptop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= … &pf=laptop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= … &pf=laptop

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1695D1A7-C0A3-4F58-947B-FAF7B051DFDA} - C:\Windows\system32\cbXrPIbX.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O4 - HKLM…\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM…\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM…\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM…\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM…\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM…\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM…\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM…\Run: [QPService] “C:\Program Files\HP\QuickPlay\QPService.exe”

O4 - HKLM…\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM…\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

O4 - HKLM…\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM…\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

O4 - HKLM…\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM…\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

O4 - HKLM…\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

O4 - HKLM…\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe”

O4 - HKLM…\Run: [egui] “C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe” /hide /waitservice

O4 - HKLM…\Run: [MSServer] rundll32.exe C:\Windows\system32\rqRIaXPg.dll,#1

O4 - HKLM…\Run: [bM44c140dc] Rundll32.exe “C:\Windows\system32\tvxofuip.dll”,s

O4 - HKCU…\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU…\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19…\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘LOCAL SERVICE’)

O4 - HKUS\S-1-5-19…\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘LOCAL SERVICE’)

O4 - HKUS\S-1-5-20…\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘NETWORK SERVICE’)

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll

O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O13 - Gopher Prefix:

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resourc … den-us.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game09.zylom.com/activex/zylomgamesplayer.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe

O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

End of file - 9502 bytes

Zrobiłam tak jak podałeś. Zobacze w czasie czy coś sie naprawiło.

#6

Daj log z usuwania Combofix

:slight_smile:

#7

Sory że tak długo ale wystąpiły pewne problemy :slight_smile:

ComboFix 08-08-16.01 - Tadeusz Karwowski 2008-08-17 14:48:05.2 - NTFSx86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1973 [GMT 2:00]

Running from: C:\Users\Tadeusz Karwowski\Desktop\ComboFix.exe

Command switches used :: C:\Users\Tadeusz Karwowski\Desktop\CFScript.txt

* Created a new restore point

* Resident AV is active

FILE ::

C:\Users\Tadeusz Karwowski\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R3TUDRZ4\3077htsbdjyf[1].dll

C:\Windows\system32\cbXrPIbX.dll

C:\Windows\system32\efcDSLdb.dll

C:\Windows\system32\jftlqpsd.dll

C:\Windows\system32\tvxofuip.dll

C:\Windows\system32\yrebenwo.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Users\Tadeusz Karwowski\AppData\Roaming\Microsoft\SystemCertificates\My

.

((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))

.

2008-08-17 14:38 . 2008-08-17 14:46

2008-08-13 11:49 . 2008-07-16 03:32 2,048 --a------ C:\Windows\System32\tzres.dll

2008-08-13 09:32 . 2008-06-19 05:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL

2008-08-13 09:31 . 2008-06-27 03:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb

2008-08-13 09:31 . 2008-06-27 06:15 827,392 --a------ C:\Windows\System32\wininet.dll

2008-08-13 09:31 . 2008-04-18 07:48 269,312 --a------ C:\Windows\System32\es.dll

2008-08-13 09:30 . 2008-04-10 07:12 738,304 --a------ C:\Windows\System32\inetcomm.dll

2008-07-22 16:09 . 2008-07-22 16:54

2008-07-18 18:58 . 2008-07-18 19:02

2008-07-18 09:52 . 2008-06-26 03:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll

2008-07-18 09:52 . 2008-06-26 03:45 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll

2008-07-18 09:52 . 2008-06-26 05:29 801,280 --a------ C:\Windows\System32\NaturalLanguage6.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-17 12:51 --------- d-----w C:\Users\Tadeusz Karwowski\AppData\Roaming\Skype

2008-08-17 10:15 --------- d-----w C:\ProgramData\Symantec

2008-08-17 10:15 --------- d-----w C:\Program Files\Symantec AntiVirus

2008-08-17 10:15 --------- d-----w C:\Program Files\Symantec

2008-08-17 10:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-08-17 09:29 --------- d-----w C:\Users\Tadeusz Karwowski\AppData\Roaming\skypePM

2008-08-16 10:51 --------- d-----w C:\Users\Tadeusz Karwowski\AppData\Roaming\OpenOffice.org2

2008-08-14 13:55 --------- d-----w C:\Users\Tadeusz Karwowski\AppData\Roaming\Winamp

2008-08-13 09:48 --------- d-----w C:\Program Files\Windows Mail

2008-07-16 14:17 --------- d-----w C:\Program Files\Gadu-Gadu

2008-07-13 21:41 --------- d-----w C:\Program Files\NAPI-PROJEKT

2008-07-12 12:11 --------- d-----w C:\ProgramData\WildTangent

2008-07-05 11:53 --------- d-----w C:\Users\Tadeusz Karwowski\AppData\Roaming\muvee Technologies

2008-07-05 11:43 --------- d—a-w C:\ProgramData\TEMP

2008-06-28 17:51 0 —ha-w C:\Windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf

2008-06-25 13:17 --------- d-----w C:\ProgramData\Zylom

2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll

2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll

2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe

2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll

2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll

2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll

2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll

2008-05-27 05:17 34,816 ----a-w C:\Windows\System32\msscb.dll

2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll

2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll

2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll

2008-05-27 05:17 194,560 ----a-w C:\Windows\System32\offfilt.dll

2008-05-27 05:17 143,872 ----a-w C:\Windows\System32\korwbrkr.dll

2008-05-27 05:17 11,776 ----a-w C:\Windows\System32\msshooks.dll

2008-05-27 05:17 1,671,680 ----a-w C:\Windows\System32\chsbrkr.dll

2008-05-27 04:59 18,904 ----a-w C:\Windows\System32\StructuredQuerySchemaTrivial.bin

2008-05-27 04:59 106,605 ----a-w C:\Windows\System32\StructuredQuerySchema.bin

2008-05-26 07:44 2,560 ----a-w C:\Windows\System32\bitcometres.dll

2008-04-13 21:13 32 ----a-w C:\Users\All Users\ezsid.dat

2008-04-13 21:13 32 ----a-w C:\ProgramData\ezsid.dat

2008-01-21 02:43 174 --sha-w C:\Program Files\desktop.ini

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

“{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}”= “C:\Program Files\Winamp Toolbar\winamptb.dll” [2008-03-20 00:36 1267040]

[HKEY_CLASSES_ROOT\clsid{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]

[HKEY_CLASSES_ROOT\TypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Sidebar”=“C:\Program Files\Windows Sidebar\sidebar.exe” [2008-01-21 04:23 1233920]

“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2008-02-01 17:26 22014760]

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2008-03-20 12:04 2127296]

“ehTray.exe”=“C:\Windows\ehome\ehTray.exe” [2008-01-21 04:25 125952]

“WMPNSCFG”=“C:\Program Files\Windows Media Player\WMPNSCFG.exe” [2008-01-21 04:25 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“IgfxTray”=“C:\Windows\system32\igfxtray.exe” [2007-09-19 17:39 141848]

“HotKeysCmds”=“C:\Windows\system32\hkcmd.exe” [2007-09-19 17:38 154136]

“Persistence”=“C:\Windows\system32\igfxpers.exe” [2007-09-19 17:39 129560]

“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2008-01-18 13:31 1033512]

“SMSERIAL”=“C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe” [2007-01-17 15:34 634880]

“IAAnotif”=“C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe” [2007-10-24 12:02 178712]

“QPService”=“C:\Program Files\HP\QuickPlay\QPService.exe” [2007-12-20 05:27 468264]

“hpqSRMon”=“C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe” [2008-06-02 09:55 80896]

“HP Software Update”=“C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe” [2007-05-09 02:24 54840]

“hpWirelessAssistant”=“C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe” [2007-09-13 18:47 480560]

“WAWifiMessage”=“C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe” [2007-01-09 01:53 311296]

“WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2008-04-01 20:49 36352]

“egui”=“C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe” [2008-03-13 16:48 1443072]

“RtHDVCpl”=“RtHDVCpl.exe” [2007-10-09 18:59 4702208 C:\Windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

“EnableLUA”= 0 (0x0)

“EnableUIADesktopToggle”= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

“msacm.l3codecp”= l3codecp.acm

“msacm.divxa32”= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1405298967-3357334116-2463044672-1000]

“EnableNotificationsRef”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

“{FD70B73F-1FD2-4086-887E-17DB85C7E509}”= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader

“{50E85B62-97D2-4CB1-89E3-E9E26263F4C2}”= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader

“{750F4831-CFD0-48EB-966A-31F4D4A6793B}”= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

“{C43B89FB-672D-414B-AA5E-5A4CAB9028B5}”= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

“{CD52968A-5E2C-477F-9D1A-B0F2E2DF3423}”= C:\Program Files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector

“{BE633EB7-A30E-4995-9363-7D4D4E18BC94}”= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl

“{D5FBDF57-0801-4DB4-A9A7-89D36E454DC9}”= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl

“{A91C4F27-BD6C-4674-8847-A68274199BD1}”= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl

“{979E409E-BDBF-4968-BBB6-C0E0E2C86B9A}”= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl

“{81D8D5B2-4F1A-43D0-8D06-27A98C00A3F5}”= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl

“{4D9BA8BA-CCA5-404E-AEA3-E31A8ECB2323}”= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl

“{63A92903-B599-44F8-9A2B-6189F8CBF3F7}”= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play

“{F6F0686D-312C-4480-A0A7-BE57DE9E2041}”= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program

“TCP Query User{64DE86CE-6E21-48E3-BCC6-810B5C00CDE8}C:\program files\emule\emule.exe”= UDP:C:\program files\emule\emule.exe:eMule

“UDP Query User{66AEDE61-72F5-42D6-AF3E-16DFBFEC8F10}C:\program files\emule\emule.exe”= TCP:C:\program files\emule\emule.exe:eMule

“TCP Query User{C7B4C70E-D1B9-46DA-A71D-F7AC7E8B92E2}C:\program files\videolan\vlc\vlc.exe”= UDP:C:\program files\videolan\vlc\vlc.exe:VLC media player

“UDP Query User{49A978BF-C9FE-408B-B508-2B03C056B501}C:\program files\videolan\vlc\vlc.exe”= TCP:C:\program files\videolan\vlc\vlc.exe:VLC media player

“{A7F77BD5-0DA1-46A7-AEF2-6BFD56134EAB}”= Disabled:UDP:12242:port

“TCP Query User{EF92AA25-2427-4845-8F0D-BE724CA8C835}C:\program files\gadu-gadu\gg.exe”= UDP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program glówny

“UDP Query User{D9C56A1A-8B0A-49F5-BE52-2794EFCA80F1}C:\program files\gadu-gadu\gg.exe”= TCP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program glówny

“{2ACEEF3D-B14C-4A7E-BF44-28BBA551D91C}”= UDP:11652:BitComet 11652 TCP

“{28398A7F-BBAF-4BB9-9AA8-2BF9402F60E9}”= TCP:11652:BitComet 11652 UDP

“TCP Query User{42A9FAB9-94BF-4906-97C2-0C116C146ADE}C:\program files\azureus\azureus.exe”= Disabled:UDP:C:\program files\azureus\azureus.exe:Azureus

“UDP Query User{FC9618ED-A34E-4096-83B5-3E02C6A753A3}C:\program files\azureus\azureus.exe”= Disabled:TCP:C:\program files\azureus\azureus.exe:Azureus

“{4498E751-ADD8-429C-9093-05282043D143}”= UDP:C:\Program Files\BitComet\tools\CometBrowser.exe:BitComet Resource Browser

“{C6F7751E-E5FA-4D73-A8F4-F66752010F09}”= TCP:C:\Program Files\BitComet\tools\CometBrowser.exe:BitComet Resource Browser

“TCP Query User{14AA03F4-4DDC-4ED7-B755-015CB848DA2C}C:\program files\bitcomet\bitcomet.exe”= UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client

“UDP Query User{8571E95B-E73A-4676-A29D-90588DA162FF}C:\program files\bitcomet\bitcomet.exe”= TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client

“TCP Query User{C170FCB0-45D1-46C2-A41E-00AF5B2805C7}C:\program files\dc++\dcplusplus.exe”= Disabled:UDP:C:\program files\dc++\dcplusplus.exe:DCPlusPlus

“UDP Query User{E45164F9-8028-424C-94F9-F933F1CB440C}C:\program files\dc++\dcplusplus.exe”= Disabled:TCP:C:\program files\dc++\dcplusplus.exe:DCPlusPlus

“TCP Query User{5143AFF3-EE19-4731-8E21-5D4A0D7F5594}C:\program files\skype\phone\skype.exe”= Disabled:UDP:C:\program files\skype\phone\skype.exe:Onet.pl - Skype

“UDP Query User{06DC092F-885A-41EF-B4C8-C521591B1201}C:\program files\skype\phone\skype.exe”= Disabled:TCP:C:\program files\skype\phone\skype.exe:Onet.pl - Skype

[HKLM~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]

“DoNotAllowExceptions”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]

“C:\Program Files\EarthLink TotalAccess\TaskPanl.exe”= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 epfwtdir;epfwtdir;C:\Windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]

R2 QPCapSvc;QuickPlay Background Capture Service (QBCS);C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe [2007-12-20 05:28]

R2 QPSched;QuickPlay Task Scheduler (QTS);C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe [2007-12-20 05:28]

R3 HpqRemHid;HP Remote Control HID Device;C:\Windows\system32\DRIVERS\HpqRemHid.sys [2007-07-11 20:30]

S2 EsetNod32Fix;Nod32 AV;C:\Windows\Regedit.exe [2008-01-21 04:24]

S4 ErrDev;Microsoft Hardware Error Device Driver;C:\Windows\system32\drivers\errdev.sys [2008-01-21 04:23]

S4 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-01-21 04:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{e74a50ed-63e3-11dd-bd25-001e68275308}]

\shell\AutoRun\command - F:\x0.cmd

\shell\explore\Command - F:\x0.cmd

\shell\open\Command - F:\x0.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

“C:\Program Files\Common Files\LightScribe\LSRunOnce.exe”

.

Contents of the ‘Scheduled Tasks’ folder

2008-08-16 C:\Windows\Tasks\User_Feed_Synchronization-{48BFAB22-24EA-4579-B890-FE77CBBCB6F4}.job

  • C:\Windows\system32\msfeedssync.exe [2008-01-21 04:24]

.

        • ORPHANS REMOVED - - - -

HKLM-Run-MSServer - C:\Windows\system32\iifcDUOE.dll

HKLM-Run-BM44c140dc - C:\Windows\system32\fhhrstiv.dll

ShellExecuteHooks-{7543347C-E33D-49FE-B2F0-580DAF43F608} - C:\Windows\system32\iifcDUOE.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-17 14:51:03

Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-08-17 14:52:40

ComboFix-quarantined-files.txt 2008-08-17 12:52:34

Pre-Run: 195,974,533,120 bytes free

Post-Run: 195,944,566,784 bytes free

194 — E O F — 2008-08-16 07:17:04

#8

Usuń te wpisy w HJT (może tych wpisów już nie być w HJT ale dla pewności sprawdź)

Uruchom HijackThis - Do a system scan only - w oknie programu pokaże się log - zaznacz kratki przy podanych wpisach - klikasz Fix checked

Pobierz Combofix ale nie uruchamiaj wklej do notatnika:

Zapisz plik jako CFScript.txt najlepiej aby ikonka tego pliku znajdowała się obok ikonki ComboFix.exe

Przeciągnij i upuść plik CFScript.txt na ikonkę ComboFix.exe powinno rozpocząć się usuwanie po tym daj log na forum.

Usuń ręcznie folder C:\Qoobox , usuń instalkę Combofix z dysku.

#9

Sprawdziłam, ale nie było tych wpisów.

Dzięki za pomoc, narazie wszystko działa bez zarzutu :slight_smile: UFfff

#10

W takim razie

usuń folder C: \Qoobox , C:\327882R2FWJFW oraz instalkę Combofix z dysku.

Przeczyść system oraz rejestr CCleaner

Wyłącz i włącz przywracanie systemu na wszystkich dyskach. Instrukcja

Przeskanuj obszar Mój komputer Kaspersky Online Scanner Uruchom pod IE daj raport na forum

lub Dr.WEB CureIt!