alert39
(alert39%)
4 December 2007 10:56
#1
Hello to all you wise people,
Please check my log and help me further with removing these "monsters" from my computer.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:05, on 2007-12-04
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
D:\Program Files\Spyware Doctor\svcntaux.exe
D:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Acer\eRecovery\Monitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.allegro.pl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM…\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM…\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM…\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM…\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM…\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM…\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM…\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM…\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM…\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM…\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM…\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM…\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM…\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM…\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM…\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM…\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM…\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM…\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKLM…\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM…\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM…\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM…\Run: [sDTray] "D:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU…\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {112857FE-03FF-11D5-9A3F-0080C8D85044} (GameDesire Solitaires) - http://67.15.101.33/g_bin/pl/solitaire_2_0_0_28.cab
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/pl/boards_2_0_0_33.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows … 1275631046
O16 - DPF: {A9ED6AA2-D9D4-4D71-9586-E293E2E3580B} (GameDesire Marbles&Diamonds&Runes) - http://67.15.101.33/g_bin/pl/marbles_2_0_0_32.cab
O16 - DPF: {AD7013FF-1D9A-4F36-94A6-3CD408A663F9} (GameDesire BreakOut) - http://67.15.101.3/g_bin/pl/breakout_2_0_0_27.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.33/g_bin/pl/words_2_0_0_51.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word Games) - http://67.15.101.33/g_bin/pl/wordssingle_2_0_0_48.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.33/g_bin/pl/mahjong_2_0_0_31.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 8203 bytes
Post merged: 04.12.2007 (Tue) 15:33
ComboFix log:
http://wklej.org/id/b46bd35645
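An added example, not part of this thread and not HijackThis's own code: a small Python triage script that parses O4, O16 and O23 lines like the ones in the log above and marks the entries a helper would look at first. It flags Run values that give no path at all (the name is resolved through the search path at logon) or that live directly under C:\WINDOWS rather than in a subfolder, DPF (ActiveX download) entries whose host is a bare IP address instead of a hostname, and services whose binary sits outside Program Files and the Windows tree or that HJT lists as "Unknown owner". The flags are review hints, not verdicts. The sample lines are constructed from the posted log, written in HijackThis's usual `HKLM\..\Run` spelling; every function and field name in the script is mine.

```python
"""Heuristic triage of HijackThis O4 / O16 / O23 lines (added example, not HJT's own code).

Sample lines are constructed from the posted log. Flags are review hints, not verdicts.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List
from urllib.parse import urlparse

# O4 - HKLM\..\Run: [name] command        (HJT writes the key with "\..\" in the middle)
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O16 - DPF: {CLSID} (Friendly name) - http://host/file.cab
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$')
# O23 - Service: Display name (short name) - Company - X:\path\to\binary.exe
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<company>.+?) - (?P<path>[A-Za-z]:\\.*)$')
USER_SUFFIX_RE = re.compile(r"\s+\(User '[^']*'\)$")   # trailing "(User 'SYSTEM')" on HKUS entries
WINDOWS_ROOT_RE = re.compile(r'[a-z]:\\windows')        # the directory itself, not its subfolders


@dataclass
class Finding:
    kind: str          # 'O4', 'O16' or 'O23'
    name: str          # Run value name, ActiveX friendly name, or service display name
    target: str        # executable path or download URL
    flags: List[str]   # empty list means nothing stood out


def first_executable(cmd: str) -> str:
    """Return the program part of a Run command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def triage_o4(m: "re.Match") -> Finding:
    cmd = USER_SUFFIX_RE.sub('', m['cmd'])
    exe = first_executable(cmd)
    flags = []
    if '\\' not in exe:
        flags.append('no_path')          # bare file name, resolved through the search path at logon
    elif WINDOWS_ROOT_RE.fullmatch(exe.rsplit('\\', 1)[0].lower()):
        flags.append('windows_root')     # sits directly in %SystemRoot%, where vendor software rarely lives
    return Finding('O4', m['name'], exe, flags)


def triage_o16(m: "re.Match") -> Finding:
    host = urlparse(m['url']).hostname or ''
    flags = []
    try:
        ip_address(host)
        flags.append('ip_literal_host')  # CAB fetched from a raw IP instead of a named host
    except ValueError:
        pass
    return Finding('O16', m['name'], m['url'], flags)


def triage_o23(m: "re.Match") -> Finding:
    path = m['path'].lower()
    flags = []
    if '\\program files' not in path and '\\windows\\' not in path:
        flags.append('unusual_dir')      # service binary outside Program Files and the Windows tree
    if m['company'].strip().lower() == 'unknown owner':
        flags.append('unknown_owner')    # HJT prints this when the binary carries no company name
    return Finding('O23', m['display'], m['path'], flags)


def triage(log_text: str) -> List[Finding]:
    """Parse every O4/O16/O23 line in an HJT log and attach heuristic flags."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for regex, handler in ((O4_RE, triage_o4), (O16_RE, triage_o16), (O23_RE, triage_o23)):
            m = regex.match(line)
            if m:
                findings.append(handler(m))
                break
    return findings


def flagged(log_text: str) -> Dict[str, List[str]]:
    """Only the entries that picked up at least one flag, keyed by name."""
    return {f.name: f.flags for f in triage(log_text) if f.flags}


# Constructed sample, taken from the log posted above (HKLM\..\Run spelling as HJT prints it).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {112857FE-03FF-11D5-9A3F-0080C8D85044} (GameDesire Solitaires) - http://67.15.101.33/g_bin/pl/solitaire_2_0_0_28.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\swdsvc.exe
"""

if __name__ == '__main__':
    for name, flags in flagged(SAMPLE_LOG).items():
        print(f'{name}: {", ".join(flags)}')
```

Run against the sample, the script narrows nine entries down to three (the pathless SOUNDMAN.EXE, the RUNXMLPL.exe in the Windows root, and the GameDesire CAB served from 67.15.101.33); whether each of those is unwanted is still a decision for the person reading the log, for instance by matching the binary against the process list at the top of it.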
Gutek
(Gutek)
4 December 2007 15:59
#2
Paste into Notepad:
>>File>>Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
- like in this picture ->
(if a question "1 or 2" appears - type 1 and press ENTER) The removal should start (and a log will be produced).
After the restart, manually delete the folder C:\Qoobox.
After that, a new ComboFix log and
Download the SDFix program
alert39
(alert39%)
4 December 2007 18:56
#3
http://wklej.org/id/1bf92458af
Post merged: 04.12.2007 (Tue) 21:01
SDFix: Version 1.116
Run by FILIP on 2007-12-04 at 20:44

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting…

Normal Mode:
Checking Files:

Trojan Files Found:
C:\WINDOWS\SYSTEM32\AB62.T - Deleted
C:\WINDOWS\SYSTEM32\AA62.T - Deleted

Removing Temp Files…

ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 20:51:20
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
detected NTDLL code modification:
ZwClose
scanning hidden processes …
scanning hidden services …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Gadu-Gadu\GG.EXE"="C:\Program Files\Gadu-Gadu\GG.EXE:*:Enabled:Gadu-Gadu - program główny"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. The whole world can talk for free."
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------
File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:
Fri 22 Dec 2006 1,024 …HR — "C:\WINDOWS\system32\NTICDMK7.dll"
Fri 22 Dec 2006 1,024 …HR — "C:\WINDOWS\system32\NTIMPEG2.dll"
Fri 22 Dec 2006 1,024 …HR — "C:\WINDOWS\system32\NTIMP3.dll"
Fri 22 Dec 2006 1,024 …HR — "C:\WINDOWS\system32\NTIFCD3.dll"
Fri 22 Dec 2006 1,024 …HR — "C:\WINDOWS\system32\NTIBUN4.dll"
Thu 23 Aug 2007 3,766 A.SH. — "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 23 Aug 2007 88 …SHR — "C:\WINDOWS\system32\63F7E2779C.sys"
Wed 17 Oct 2007 5,903,928 A…H. — "C:\Program Files\Picasa2\setup.exe"
Sat 2 Jun 2007 4,348 A.SH. — "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 28 Nov 2007 38,912 …H. — "C:\Documents and Settings\FILIP\Pulpit~WRL0557.tmp"
Thu 15 Nov 2007 0 A…H. — "C:\WINDOWS\SoftwareDistribution\Download\1738c621b33e51e95e7a1d6339d42049\BIT1D.tmp"
Fri 27 Apr 2007 0 A.SH. — "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 30 Oct 2006 427,008 A…H. — "C:\Documents and Settings\FILIP\Pulpit\PZG 20062007\GUsI 2006\TO TEN RAPORT KASOWY~WRL2892.tmp"
Sun 12 Nov 2006 429,056 A…H. — "C:\Documents and Settings\FILIP\Pulpit\PZG 20062007\GUsI 2006\TO TEN RAPORT KASOWY~WRL3096.tmp"
Sun 12 Nov 2006 428,544 A…H. — "C:\Documents and Settings\FILIP\Pulpit\PZG 20062007\GUsI 2006\TO TEN RAPORT KASOWY~WRL3984.tmp"
Wed 18 Jan 2006 26,624 A…H. — "C:\Documents and Settings\FILIP\Pulpit\PZG 20062007\GUsI 2006\Partner 05\RATYăSKA PANI\od Basi~WRL0003.tmp"

Finished!
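The "Authorized Application Key Export" in the SDFix output above is the Windows XP SP2 firewall's per-program exception list: one REG_SZ value per program, whose data has the form `path:scope:Enabled|Disabled:description`, where a scope of `*` means inbound traffic to that program is allowed from any remote address rather than only from the local subnet. As an added example (not SDFix's code and not part of the thread), here is a Python parser for that section that turns each exported value into a record and marks the exceptions that are enabled for every remote address, or whose value name and embedded path disagree. The two Gadu-Gadu and Skype entries are copied from the log above; the third line, the domain-profile key being empty, and all function and field names are constructed for the example.

```python
"""Parse the Windows XP SP2 firewall exception list as SDFix exports it (added example).

Value data format: "<path>:<scope>:<Enabled|Disabled>:<description>", where scope is "*"
(any remote address) or a comma-separated list such as "LocalSubNet" or "10.0.0.0/255.0.0.0".
"""
import re
from dataclasses import dataclass
from typing import List

# [HKEY_LOCAL_MACHINE\...\firewallpolicy\<profile>\authorizedapplications\list]
KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\.*\\firewallpolicy\\(?P<profile>\w+)\\authorizedapplications\\list\]$',
    re.IGNORECASE,
)
# "value name"="value data"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')
# Only the drive-letter colon may appear inside the path, so the field split is unambiguous
# even when the description itself contains colons.
DATA_RE = re.compile(r'^(?P<path>[A-Za-z]:[^:]*):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<desc>.*)$')


@dataclass
class FirewallException:
    profile: str        # 'standardprofile' (not domain-joined) or 'domainprofile'
    path: str
    scope: str          # '*' or an address list
    enabled: bool
    description: str
    flags: List[str]


def parse_export(text: str) -> List[FirewallException]:
    """Walk the exported keys and values; values seen before any key line are ignored."""
    profile = None
    result = []
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            profile = key['profile'].lower()
            continue
        value = VALUE_RE.match(line)
        if not value or profile is None:
            continue
        data = DATA_RE.match(value['data'])
        if not data:
            continue                       # malformed data: leave it out rather than guess
        enabled = data['state'] == 'Enabled'
        flags = []
        if enabled and data['scope'] == '*':
            flags.append('any_remote')     # inbound allowed from every address, not just the LAN
        if value['name'].lower() != data['path'].lower():
            flags.append('path_mismatch')  # value name and embedded path disagree
        result.append(FirewallException(profile, data['path'], data['scope'],
                                        enabled, data['desc'], flags))
    return result


def open_to_internet(exceptions: List[FirewallException]) -> List[str]:
    """Paths of enabled exceptions reachable from any remote address."""
    return [e.path for e in exceptions if 'any_remote' in e.flags]


# Constructed sample: the two real entries from the SDFix log above plus one made-up
# disabled, LAN-only entry so that the other branches are exercised.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Gadu-Gadu\GG.EXE"="C:\Program Files\Gadu-Gadu\GG.EXE:*:Enabled:Gadu-Gadu - program główny"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. The whole world can talk for free."
"C:\Program Files\Example\sync.exe"="C:\Program Files\Example\sync.exe:LocalSubNet:Disabled:Example sync (constructed)"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"""

if __name__ == '__main__':
    for e in parse_export(SAMPLE_EXPORT):
        state = 'enabled' if e.enabled else 'disabled'
        print(f'[{e.profile}] {e.path} scope={e.scope} {state} {e.flags}')
```

On the posted log both real entries come out as enabled with scope `*`, which is what the two instant-messaging programs ask for at install time; the parser is useful because an exception that points at a program you do not recognise, or whose value name does not match the path inside the data, is something SDFix lists but does not judge.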
Gutek
(Gutek)
4 December 2007 21:02
#4
Finally - an AVG Anti-Spyware 7.5 scan after updating + report
Gutek
(Gutek)
5 December 2007 13:35
#6
Should be OK, just cookies
alert39
(alert39%)
6 December 2007 11:27
#7
Thanks Gutek2222 for the help, but it's still sluggish, and Spyware Doctor freezes towards the end of the scan so the viruses can't be removed anymore; it detects some bigger vermin. What also worries me is that the laptop switches itself off for no apparent reason.
Gutek
(Gutek)
6 December 2007 16:55
#8
alert39
(alert39%)
7 December 2007 21:46
#9
After using jv16 PowerTools there is a visible improvement
We'll see how it behaves tomorrow.
Many thanks Gutek2222
Post merged: 08.12.2007 (Sat) 11:56
Yesterday, while using jv16 PowerTools, a window popped up showing 18/100, then 49/100, and today it's already 100/100. Everything runs like a charm :mrgreen:
Once again, big thanks Gutek2222