Problem with pop-up warnings about an attack on the computer

By mistake I think I installed an adware program: I downloaded a file named crack.exe from the site crackfind.com, and since then the system has been telling me that my computer is at risk, messages pop up (windows security alert, security panel, Spyware Alert) and pages open advertising programs that supposedly would help me. I am sending my HijackThis log

---------- http://wklej.org/id/10fdcd97aa ----------> instead of the wallpaper, a warning (your privacy is danger) appears, coming from C:\WINDOWS\privacy_danger

Follow this Topic and change the thread title to a specific one, otherwise it goes to the TRASH

Regards, Gutek2222

First the automated tool - post a ComboFix log

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

O2 - BHO: (no name) - {81E9D4F6-5DD8-4F75-9437-A99F46E2B534} - (no file)

O4 - HKLM\..\Run: [000127d6] rundll32.exe "C:\WINDOWS\system32\ujpfrihm.dll",b

O4 - HKCU\..\Run: [teyfwqxn] C:\WINDOWS\system32\glafcnax.exe

O4 - HKCU\..\Run: [scibvpqb] C:\WINDOWS\system32\natcbqzs.exe

O4 - HKCU\..\Policies\Explorer\Run: [dmdric] C:\WINDOWS\system32\dmdric.exe

O20 - Winlogon Notify: wvUmlkKB - wvUmlkKB.dll (file missing)

O21 - SSODL: dwnrpofk - {C28369DB-6A40-4E7D-B445-9661D487A18D} - C:\WINDOWS\dwnrpofk.dll

O21 - SSODL: vbgtorfd - {AF8B3F5D-080F-48F9-A311-45798CE143D6} - C:\WINDOWS\vbgtorfd.dll

remove the HJT entries
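As an added defender's example (not code from this thread or from the helper), here is a small Python triage that parses HijackThis lines like the ones quoted above and flags the patterns the helper singled out: references to files that no longer exist, a start page redirected to a third-party site, and autostart entries whose names look machine-generated. The sample input is constructed from the lines above plus one benign ctfmon.exe entry as a control; the name heuristic is an assumption tuned to this log, not a HijackThis feature.

```python
import re

# Constructed sample input: the HijackThis lines quoted in the reply above,
# plus one benign ctfmon.exe autorun added as a control case.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: (no name) - {81E9D4F6-5DD8-4F75-9437-A99F46E2B534} - (no file)
O4 - HKLM\..\Run: [000127d6] rundll32.exe "C:\WINDOWS\system32\ujpfrihm.dll",b
O4 - HKCU\..\Run: [teyfwqxn] C:\WINDOWS\system32\glafcnax.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: wvUmlkKB - wvUmlkKB.dll (file missing)
O21 - SSODL: dwnrpofk - {C28369DB-6A40-4E7D-B445-9661D487A18D} - C:\WINDOWS\dwnrpofk.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")           # the [name] of an O4 Run value
BASENAME_RE = re.compile(r'([^\\\s"\[\]]+)\.(?:exe|dll)\b', re.IGNORECASE)
TRUSTED_HOME = re.compile(r"https?://[^/\s]*\b(?:microsoft|msn)\.com", re.IGNORECASE)

def looks_generated(name):
    """Heuristic (assumption) for the generated names in this log: eight lowercase
    letters with at most two vowels, or eight hex digits. Legitimate eight-letter
    names can trip it, so treat a hit as a triage lead, not a verdict."""
    n = name.lower()
    if re.fullmatch(r"[0-9a-f]{8}", n):
        return True
    return bool(re.fullmatch(r"[a-z]{8}", n)) and sum(c in "aeiou" for c in n) <= 2

def triage(text):
    """Return (reason, line) pairs for HijackThis entries that deserve a second look."""
    findings = []
    for raw in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(raw)
        if not m:
            continue
        kind, body = m["kind"], m["body"]
        if "(no file)" in body or "(file missing)" in body:
            findings.append(("dangling reference to a file that no longer exists", raw))
        elif kind.startswith("R") and "http" in body and not TRUSTED_HOME.search(body):
            findings.append(("browser start/search page redirected to a third-party site", raw))
        else:
            names = RUN_NAME_RE.findall(body) + BASENAME_RE.findall(body)
            hits = [n for n in names if looks_generated(n)]
            if hits:
                findings.append(("autostart uses generated-looking name(s): " + ", ".join(hits), raw))
    return findings

if __name__ == "__main__":
    for reason, line in triage(HJT_SAMPLE):
        print(f"[{reason}] {line}")
```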

It didn't work the way it was described on the forum.

ComboFix 08-03-30.1 - Tomikami 2008-03-31 14:07:13.1 - FAT32 x86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.587 [GMT 2:00]

Running from: C:\Documents and Settings\Tomikami\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Tomikami\Pulpit\Error Cleaner.url

C:\Documents and Settings\Tomikami\Pulpit\Privacy Protector.url

C:\Documents and Settings\Tomikami\Pulpit\SpywareMalware Protection.url

C:\Documents and Settings\Tomikami\Ulubione\Error Cleaner.url

C:\Documents and Settings\Tomikami\Ulubione\Privacy Protector.url

C:\Documents and Settings\Tomikami\Ulubione\SpywareMalware Protection.url

C:\Program Files\Common Files\download

C:\WINDOWS\dobe~1

C:\WINDOWS\dwnrpofk.dll

C:\WINDOWS\norlatmx.exe

C:\WINDOWS\privacy_danger

C:\WINDOWS\privacy_danger\images\capt.gif

C:\WINDOWS\privacy_danger\images\danger.jpg

C:\WINDOWS\privacy_danger\images\down.gif

C:\WINDOWS\privacy_danger\images\spacer.gif

C:\WINDOWS\privacy_danger\index.htm

C:\WINDOWS\rs.txt

C:\WINDOWS\system32\fccaApND.dll

C:\WINDOWS\system32\mhirfpju.ini

C:\WINDOWS\system32\mUFMWGgh.ini

C:\WINDOWS\system32\mUFMWGgh.ini2

C:\WINDOWS\system32\NTtEKnnn.ini

C:\WINDOWS\system32\NTtEKnnn.ini2

C:\WINDOWS\system32\NXHRuBeg.ini

C:\WINDOWS\system32\NXHRuBeg.ini2

C:\WINDOWS\system32\sstem3~1

C:\WINDOWS\system32\sstem3~1\s?stem32\

C:\WINDOWS\system32\ujpfrihm.dll

C:\WINDOWS\system32\w002ad3d.dll

C:\WINDOWS\vbgtorfd.dll

.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))

.

2008-03-31 01:38 . 2008-03-31 01:38

2008-03-31 01:19 . 2008-03-31 01:19

2008-03-31 01:19 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-03-31 01:19 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-03-31 01:19 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-03-31 01:19 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-03-31 01:15 . 2008-03-31 01:15

2008-03-30 12:41 . 2008-03-31 01:03 1,583,697 ---hs---- C:\WINDOWS\system32\corsvndi.ini

2008-03-30 12:41 . 2008-03-30 12:41 114,688 --a------ C:\WINDOWS\system32\natcbqzs.exe

2008-03-30 10:33 . 2008-03-30 10:33

2008-03-30 10:13 . 2008-03-30 10:13

2008-03-30 00:03 . 2008-03-30 00:03

2008-03-30 00:02 . 2008-03-30 00:02

2008-03-30 00:02 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2008-03-29 23:42 . 2008-03-29 23:42

2008-03-29 15:42 . 2005-02-12 15:43 245,760 --a------ C:\WINDOWS\system32\vbalColumnTreeView6.ocx

2008-03-29 15:42 . 1999-08-02 16:11 57,344 --a------ C:\WINDOWS\system32\CGZipLibrary.DLL

2008-03-29 15:42 . 2003-01-26 13:41 40,960 --a------ C:\WINDOWS\system32\SSubTmr6.dll

2008-03-29 15:19 . 2008-03-29 15:19

2008-03-29 15:19 . 2008-03-29 15:19 106,496 --a------ C:\WINDOWS\system32\glafcnax.exe

2008-03-29 02:05 . 2008-03-29 02:05 103 --a------ C:\WINDOWS\pro.INI

2008-03-28 15:38 . 2008-03-28 15:38 118 --a------ C:\WINDOWS\system32\MRT.INI

2008-03-28 15:36 . 2004-08-04 00:38 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys

2008-03-28 15:36 . 2004-08-04 00:38 14,848 --a------ C:\WINDOWS\system32\dllcache\kbdhid.sys

2008-03-28 15:35 . 2006-05-10 17:48 94,208 -ra------ C:\WINDOWS\KHALMNPR.Exe

2008-03-28 15:35 . 2006-05-10 17:56 71,680 -ra------ C:\WINDOWS\system32\drivers\LMouKE.Sys

2008-03-28 15:35 . 2006-05-10 17:56 27,264 -ra------ C:\WINDOWS\system32\drivers\LHidKE.Sys

2008-03-28 15:35 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys

2008-03-28 15:35 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys

2008-03-27 20:43 . 2008-03-27 20:43 54,438 --a------ C:\WINDOWS\BricoPackUninst.cmd

2008-03-27 20:42 . 2008-03-27 20:43 2,359,350 --a------ C:\WINDOWS\BricoPack Wallpaper.bmp

2008-03-27 20:40 . 2008-03-27 20:40

2008-03-27 20:40 . 2008-03-27 20:43 6,120 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd

2008-03-27 19:28 . 2006-03-01 04:53 773,120 --a------ C:\WINDOWS\bubbles.scr

2008-03-27 19:27 . 2006-03-01 05:21 1,263,616 --a------ C:\WINDOWS\aurora.scr

2008-03-27 19:25 . 2006-03-03 14:42 117,248 --a------ C:\WINDOWS\Mystify.scr

2008-03-27 19:23 . 2006-03-01 05:21 117,248 --a------ C:\WINDOWS\ribbons.scr

2008-03-27 17:02 . 2008-03-27 17:02

2008-03-27 17:01 . 2008-03-27 17:02

2008-03-27 16:56 . 2008-03-27 16:56

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-27 18:43 219,648 ----a-w C:\WINDOWS\system32\uxtheme.dll

2008-03-27 16:19 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-03-27 16:19 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe

2007-12-18 08:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys

2007-12-07 13:38 3,080,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

2007-12-06 12:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe

2007-12-04 17:42 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll

2007-12-04 17:42 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll

2007-03-18 19:56 337 ----a-w C:\Documents and Settings\Tomikami\Dane aplikacji\internaldb1942.dat

2007-03-14 23:02 13,046 ----a-w C:\Documents and Settings\Tomikami\Dane aplikacji\internaldb5436.dat

2007-03-14 23:02 0 ----a-w C:\Documents and Settings\Tomikami\Dane aplikacji\internaldb4604.dat

2006-12-30 11:35 179,200 ----a-w C:\Documents and Settings\Tomikami\Dane aplikacji\internaldb4827.dat

2006-12-13 16:04 151 ----a-w C:\Documents and Settings\Tomikami\Dane aplikacji\internaldb2807.dat

2006-11-29 20:10 0 ----a-w C:\Documents and Settings\Tomikami\Dane aplikacji\internaldb2391.dat

2006-11-17 14:42 0 ----a-w C:\Documents and Settings\Tomikami\Dane aplikacji\internaldb8253.dat

2006-11-17 14:42 0 ----a-w C:\Documents and Settings\Tomikami\Dane aplikacji\internaldb3902.dat

2006-11-17 14:42 0 ----a-w C:\Documents and Settings\Tomikami\Dane aplikacji\internaldb153.dat

.

------- Sigcheck -------

2007-06-13 14:23 976896 e74ef52c79f3347a0b105b0b92bfed38 C:\WINDOWS\explorer.exe

2007-06-13 14:12 1034752 8db0650b211425b9cdb7d1c4a8f6b482 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe

2004-08-03 22:44 1033728 379098a96e6c165b659de7e4328010ea C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]

2007-10-04 22:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81E9D4F6-5DD8-4F75-9437-A99F46E2B534}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-10-04 22:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]

[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 22:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]

[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:44 15360]

"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2006-10-30 15:28 40960]

"RocketDock"="C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe" [2007-03-18 23:05 630784]

"teyfwqxn"="C:\WINDOWS\system32\glafcnax.exe" [2008-03-29 15:19 106496]

"SpybotSD TeaTimer"="d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

"scibvpqb"="C:\WINDOWS\system32\natcbqzs.exe" [2008-03-30 12:41 114688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nwiz"="nwiz.exe" [2006-03-09 15:29 1519616 C:\WINDOWS\system32\nwiz.exe]

"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 13:48 1388544]

"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\smax4.exe" [2004-08-06 08:27 860160]

"cFosSpeed"="C:\Program Files\cFosSpeed\cFosSpeed.exe" [2006-11-17 11:36 822488]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]

"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 16:57 133016]

"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]

"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2004-08-23 14:49 20480]

"LClock"="C:\Program Files\LClock\LClock.exe" [2004-09-20 01:27 65536]

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 07:28 36352]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 15:29 7561216]

"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:44 15360]

C:\Documents and Settings\Tomikami\Menu Start\Programy\Autostart\

RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 23:05:02 630784]

TransBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 20:41:18 65536]

UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 08:43:08 180224]

Y'z Shadow.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-05-21 08:43:14 155648]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk - C:\Program Files\SAGEM WiFi manager\WLANUTL.exe [2007-02-22 18:17:17 925696]

GetRight.lnk - D:\Program Files\GetRight\GetRight.exe [2007-03-08 01:51:16 4596808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SynchronousMachineGroupPolicy"= 0 (0x0)

"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoStrCmpLogical"= 1 (0x1)

"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMBalloonTip"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

"dmdric"= C:\WINDOWS\system32\dmdric.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUmlkKB]

wvUmlkKB.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 17:11]

R0 tffsport;M-Systems DiskOnChip 2000;C:\WINDOWS\system32\DRIVERS\tffsport.sys [2004-08-03 23:00]

R2 SOFTLOK;SOFTLOK;C:\WINDOWS\system32\drivers\SOFTLOK.sys [2000-03-17 09:07]

R3 N100;Sterownik karty Compaq Ethernet lub karty Fast Ethernet NIC;C:\WINDOWS\system32\DRIVERS\n100325.sys [2001-10-26 17:04]

R3 SG762_XP;SAGEM 802.11g XG762 1211B Driver;C:\WINDOWS\system32\DRIVERS\WlanBZXP.sys [2005-12-22 14:45]

S1 vdrv8000;vdrv8000;C:\WINDOWS\system32\DRIVERS\vdrv8000.sys []

S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\system32\ZDCndis5.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

\Shell\AutoRun\command - G:\autorun_PES2008.exe

.

Contents of the 'Scheduled Tasks' folder

"2007-01-20 10:38:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-31 14:12:42

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\cFosSpeed\spd.exe

C:\WINDOWS\System32\FTRTSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

.

**************************************************************************

.

Completion time: 2008-03-31 14:14:21 - machine was rebooted [Tomikami]

ComboFix-quarantined-files.txt 2008-03-31 12:14:20

Pre-Run: 685,293,568 bajtów wolnych

Post-Run: 569,966,592 bajtów wolnych

.

2008-03-28 14:38:28 --- E O F ---

Change in the rules for pasting logs on the forum - viewtopic.php?f=16&t=213350

Paste into Notepad:

File::

C:\WINDOWS\system32\corsvndi.ini

C:\WINDOWS\system32\natcbqzs.exe

C:\WINDOWS\system32\glafcnax.exe

C:\WINDOWS\pro.INI

C:\WINDOWS\system32\MRT.INI

C:\WINDOWS\system32\dmdric.exe

C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


Folder::

C:\Documents and Settings\All Users\Dane aplikacji\ivozitij


Driver::

vdrv8000

ZDCndis5


Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"teyfwqxn"=-

"scibvpqb"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

"dmdric"=-

>>File>>Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)

- as in this picture -> 88953CFScript-createdbyMiekiemoes.gif

(if the question "1 or 2" appears, type 1 and press ENTER). The removal should start (and a log will be created).

After the restart, manually delete the folder C:\Qoobox.

After that, a new log from Combo

New ComboFix log

http://wklej.org/id/2ca4860b76