Proszę o sprawdzenie loga


(Bandyta 52) #1

Pojawiają mi się na pulpicie cały czas 2 skróty: "Windows Update" i "Help and upport center", jednak gdy patrze we właściwościach na plik docelowy to jest adres:http://storageprotector.com/clean..... Próbowałem już usunąć to SDfix z trybu awaryjnego z konta administratora. Dodadkowo na dysku C mam pełno plików pos1A.tmp Tych plikow jes ze 100 albo wiecej. A oto log z HiJacka:

Logfile of HijackThis v1.99.1

Scan saved at 23:24, on 2008-02-20

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\acer\epm\epm-dm.exe

C:\Program Files\Launch Manager\PowerKey.exe

C:\Program Files\Launch Manager\OSDCtrl.exe

C:\Program Files\Acer\eRecovery\Monitor.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\JavaCore\JavaCore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Acer\eManager\anbmServ.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\KILLER\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pip.gov.pl/html/pl/html/07062009.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F3 - REG:win.ini: run=C:\WINDOWS\mmhren1.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\fwvajiov.dll

O4 - HKLM..\Run: [preload] C:\Windows\RUNXMLPL.exe

O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe

O4 - HKLM..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot

O4 - HKLM..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"

O4 - HKLM..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"

O4 - HKLM..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"

O4 - HKLM..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe

O4 - HKLM..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM..\Run: [Microsoft hren1] C:\WINDOWS\mmhren1.exe

O4 - HKCU..\Run: [WintelUpdate] C:\jupss.exe

O4 - HKCU..\Run: [Microsoft hren1] C:\WINDOWS\mmhren1.exe

O4 - HKCU..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe

O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: fwvajiov - C:\WINDOWS\SYSTEM32\fwvajiov.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe

O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe


(Leon$) #2

Wyłącz przywracanie systemu na wszystkich dyskach

wpisy

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pip.gov.pl/html/pl/html/07062009.htm

F3 - REG:win.ini: run=C:\WINDOWS\mmhren1.exe

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\fwvajiov.dll

O4 - HKLM\..\Run: [Microsoft hren1] C:\WINDOWS\mmhren1.exe

O4 - HKCU\..\Run: [WintelUpdate] C:\jupss.exe

O4 - HKCU\..\Run: [Microsoft hren1] C:\WINDOWS\mmhren1.exe

O4 - HKCU\..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe

O20 - Winlogon Notify: fwvajiov - C:\WINDOWS\SYSTEM32\fwvajiov.dll

usuń HijackThisem >> Fix checked pobierz Combofix http://www.searchengines.pl/index.php?showtopic=86306&st=0&p=395642entry395642 ale nie włączaj otwórz notatnik i wklej

File::

C:\WINDOWS\mmhren1.exe

C:\WINDOWS\system32\fwvajiov.dll

C:\jupss.exe

zapisz jako CFScript.txt (zapisz by ikonka CFScript.txt była obok ikonki ComboFix.exe) >> Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe

http://img.wklej.org/images/88953CFScri ... iemoes.gif

Powinno rozpocząć się usuwanie

Potem log z usuwania

Po restarcie jeśli wszystko będzie OK usuń ręcznie folder C: \Qoobox

:slight_smile:


(Bandyta 52) #3

Złośliwe ikonki poznikały. Na dysku nie ma tez tych plików co były. Dzięki piękne. A oto log:

ComboFix 08-02-20.2 - Celina 2008-02-21 0:47:38.2 - FAT32 x86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.317 [GMT 1:00]

Running from: C:\Documents and Settings\Celina\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\Celina\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\jupss.exe

C:\WINDOWS\mmhren1.exe

C:\WINDOWS\system32\fwvajiov.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\fwvajiov.dll

C:\WINDOWS\mmhren1.exe

C:\WINDOWS\system32\fwvajiov.dll

C:\WINDOWS\system32\fwvajiov.dllbox

.

((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))

.

2008-02-21 00:16 . 2008-02-21 00:16

2008-02-21 00:07 . 2008-02-19 23:41

2008-02-20 21:46 . 2008-02-20 21:46

2008-02-20 21:32 . 2008-02-20 21:32

2008-02-19 23:57 . 2008-02-21 00:25 14 --ah----- C:\WINDOWS\mmax_hren2.ini

2008-02-19 07:01 . 2008-02-19 07:01

2008-02-17 20:34 . 2008-02-17 20:34

2008-02-17 14:44 . 2008-02-17 14:44

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-20 22:04 3,466 ----a-w C:\WINDOWS\system32\tmp.reg

2008-01-11 05:41 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll

2007-12-19 22:58 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll

2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\dllcache\mrxdav.sys

2007-12-08 05:14 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

2007-12-06 11:06 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe

2007-12-06 11:05 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll

2007-12-04 18:42 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll

2007-12-04 18:42 550,912 ----a-w C:\WINDOWS\system32\dllcache\oleaut32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"preload"="C:\Windows\RUNXMLPL.exe" [2005-05-19 17:09 32768]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 10:36 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 10:31 126976]

"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 77824 C:\WINDOWS\SOUNDMAN.EXE]

"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 11:12 102490]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 11:11 708698]

"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-06-01 14:17 192512]

"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2005-03-15 10:03 2893824]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 16:00 208952]

"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 16:00 59392]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 16:00 455168]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 16:00 455168]

"PowerKey"="C:\Program Files\Launch Manager\PowerKey.exe" [2002-08-30 15:02 94208]

"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [2003-09-16 14:28 20480]

"LMgrOSD"="C:\Program Files\Launch Manager\OSDCtrl.exe" [2005-07-25 10:45 241664]

"eRecoveryService"="C:\Program Files\Acer\eRecovery\Monitor.exe" [2005-06-29 17:26 352256]

"LXCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-07-20 15:44 73728]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 16:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]

--a------ 2005-07-12 11:36 299008 C:\Program Files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp]

--a------ 2005-07-25 13:36 32768 C:\Program Files\Launch Manager\LaunchAp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]

--a------ 2005-06-06 11:52 69632 C:\Program Files\Launch Manager\HotkeyApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxccmon.exe]

--a------ 2005-07-21 02:17 192512 C:\Program Files\Lexmark 3300 Series\lxccmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

--------- 2005-03-09 18:59 49152 C:\Program Files\Arcade\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra------ 2007-09-13 13:31 22880040 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher /Minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]

--a------ 2004-01-26 11:38 866816 C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wbutton]

--a------ 2005-07-25 13:34 81920 C:\Program Files\Launch Manager\Wbutton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WooCnxMon]

--a------ 2003-10-16 18:07 24576 C:\PROGRA~1\NEOSTR~1\CnxMon.exe

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 17:14]

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2005-03-21 15:39]

R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]

R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]

R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 18:08]

R2 int15.sys;int15.sys;C:\Program Files\Acer\eRecovery\int15.sys [2005-01-13 14:46]

R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-03-04 16:37]

R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]

R3 POWERKEY;POWERKEY;C:\Program Files\Launch Manager\POWERKEY.sys [2000-12-19 18:29]

S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []

S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-21 00:51:49

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Acer\eManager\anbmServ.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe

.

**************************************************************************

.

Completion time: 2008-02-21 0:52:53 - machine was rebooted [Celina]

ComboFix-quarantined-files.txt 2008-02-20 23:52:52

.

2008-02-12 20:48:33 --- E O F ---


(jessica) #4

@bartek52

Wklej do Notatnika :

File::

C:\WINDOWS\mmax_hren2.ini


Driver::

Wbutton

>>Plik>>Zapisz jako... >>> CFScript

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe

– podobnie jak na tym obrazku -->88953CFScript-createdbyMiekiemoes.gif

Ma się rozpocząć usuwanie. (i powstanie log). Daj ten log, który powstanie w trakcie usuwania.

Log wklej na http://wklej.org/, a w poście daj tylko link.(czyli skopiuj adres z paska adresów) .

Jeśli pójdzie dobrze, to: Po restarcie usuń ręcznie folder C: **** Qoobox.

jessi


(Agatonster) #5

bartek_52 ,Zapoznaj się z tym tematem i zmień tytuł na konkretny, mówiący o problemie.W celu dokonania zaleconej korekty - proszę użyć przycisku [ac7a4cd89050aa6e.gifprzy poście otwierającym ten temat.

Zignorowanie zalecenia będzie skutkowało usunięciem tematu do Kosza.

W związku ze zmianą, jaka obowiązuje przy wklejaniu logów w tym dziale, przeczytaj i zastosuj się do Tematu

](http://www.fotosik.pl)