Proszę, pomóżcie usunąć to cholerne Vundo

Groovemaker · 13 Listopad 2007 01:56

Jak w temacie, próbowałem robić to samodzielnie na podstawie wielu już postów, ale nie dam sobie rady. A ten trojan doprowadza mnie do rozpaczy. Pomóżcie, błagam!

ComboFix 07-11-08.1 - Przemek 2007-11-13 2:46:02.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.210 [GMT 1:00]

Running from: C:\Documents and Settings\Przemek\Pulpit\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\gypyncnr.dllbox

.

((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))

.

2007-11-13 01:54 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-11-13 00:17 144,480 --a------ C:\WINDOWS\system32\mvsdypcq.dll

2007-11-13 00:17 144,480 --a------ C:\WINDOWS\system32\gypyncnr.dll

2007-11-11 23:58

2007-11-11 23:23

2007-11-11 23:16 88,128 --a------ C:\WINDOWS\system32\gphvjubm.dll

2007-11-10 11:47

2007-11-10 11:45

2007-11-04 01:04

2007-11-04 01:02

2007-11-04 00:03

2007-11-03 23:58

2007-11-02 23:09

2007-11-02 23:09 197,120 --a------ C:\WINDOWS\system32\Bentley 6-75.scr

2007-10-30 16:24

2007-10-26 22:04

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-11 23:01 --------- d-----w C:\Program Files\FlashGet

2007-11-11 15:58 --------- d-----w C:\Program Files\WindowBlinds5GE

2007-11-09 16:29 --------- d–h--w C:\Program Files\InstallShield Installation Information

2007-11-05 15:02 --------- d-----w C:\Documents and Settings\Przemek\Dane aplikacji\Skype

2007-11-04 15:04 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help

2007-10-26 21:04 --------- d-----w C:\Program Files\Winamp

2007-10-02 13:37 --------- d-----w C:\Documents and Settings\Przemek\Dane aplikacji\Teleca

2007-10-02 13:29 --------- d-----w C:\Documents and Settings\Przemek\Dane aplikacji\Sony Ericsson

2007-10-02 13:25 --------- d-----w C:\Program Files\Sony Ericsson

2007-10-02 13:25 --------- d-----w C:\Program Files\Common Files\Teleca Shared

2007-10-02 13:25 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared

2007-10-02 13:25 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Teleca

2007-10-02 13:25 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Sony Ericsson

2007-10-01 00:02 --------- d-----w C:\Program Files\Java

2007-01-01 17:41 13 —h–w C:\Documents and Settings\All Users\Dane aplikacji\ÝŮĂÄ3113›.sys

2006-07-21 22:33 20 —h–w C:\Documents and Settings\All Users\Dane aplikacji\PKP_DLea.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{01CD0B31-9154-45F2-9414-F5D64B74EAF6}]

C:\WINDOWS\system32\efcdedb.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{08cee581-1c87-4303-a766-71a984c9161f}]

C:\WINDOWS\system32\lbdrwmag.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{A95B2816-1D7E-4561-A202-68C0DE02353A}]

2007-11-13 00:17 144480 --a------ C:\WINDOWS\system32\gypyncnr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

“{11A69AE4-FBED-4832-A2BF-45AF82825583}”= C:\WINDOWS\system32\gypyncnr.dll [2007-11-13 00:17 144480]

[HKEY_CLASSES_ROOT\CLSID{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“PathNvidiaTV”=“C:\Program Files\Gigabyte\Nvidia\patchnvidiaTVout.exe” []

“WheelMouse”=“C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe” [2004-08-25 16:31]

“SoundMan”=“SOUNDMAN.EXE” [2004-12-22 10:09 C:\WINDOWS\SOUNDMAN.EXE]

“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-02-04 00:24]

“nwiz”=“nwiz.exe” [2005-06-15 10:20 C:\WINDOWS\system32\nwiz.exe]

“NVRTCLK”=“C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe” [2003-12-30 10:44]

“NVRaidService”=“C:\WINDOWS\system32\nvraidservice.exe” [2005-01-17 06:43]

“NvMediaCenter”=“C:\WINDOWS\system32\NvMcTray.dll” [2005-06-15 10:20]

“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2005-06-15 10:20]

“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 09:50]

“HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2005-05-11 22:12]

“DAEMON Tools”=“C:\Program Files\DAEMON Tools\daemon.exe” [2005-12-10 15:57]

“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2007-04-30 14:38]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” [2007-07-12 03:00]

“nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-06-23 00:53]

“Sony Ericsson PC Suite”=“C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe” [2006-11-24 00:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CursorXP”=“C:\Program Files\CursorXP\CursorXP.exe” [2005-01-19 16:34]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 13:00]

C:\Documents and Settings\Przemek\Menu Start\Programy\Autostart\

NetMeter.lnk - C:\Program Files\NetMeter\NetMeter.exe [2004-03-04 14:47:30]

PowerReg Scheduler.exe [2006-02-08 12:33:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

“{01CD0B31-9154-45F2-9414-F5D64B74EAF6}”= C:\WINDOWS\system32\efcdedb.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdedb]

efcdedb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gypyncnr]

gypyncnr.dll 2007-11-13 00:17 144480 C:\WINDOWS\system32\gypyncnr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]

C:\PROGRA~1\WINDOW~4\wbsrv.dll 2005-12-22 09:21 176128 C:\PROGRA~1\WINDOW~4\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

“AppInit_DLLs”=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^msn_0711_upd022301.exe]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\msn_0711_upd022301.exe

backup=C:\WINDOWS\pss\msn_0711_upd022301.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Active Desktop Calendar]

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b0882e7f]

rundll32.exe “C:\WINDOWS\system32\gphvjubm.dll”,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UGA6P_0001_N122M2210]

“C:\DOCUME~1\Przemek\USTAWI~1\Temp\wintavsnet.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

“C:\Program Files\Winamp\winampa.exe”

R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys

R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys

S2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;“C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe”

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys

.

Contents of the ‘Scheduled Tasks’ folder

“2007-02-11 16:00:36 C:\WINDOWS\Tasks\Uniblue SpyEraser.job”

C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

.

**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-13 02:49:15

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-11-13 2:50:03 - machine was rebooted

.

— E O F —

JNJN · 13 Listopad 2007 07:49

Groovemaker

Przeczytaj tematy przyklejone w dziale i popraw posta.JNJN

popula · 13 Listopad 2007 08:15

Poczytaj TEN materiał.

Gutek · 13 Listopad 2007 19:29

Wklej do Notatnika:

File:: C:\WINDOWS\system32\efcdedb.dll C:\WINDOWS\system32\lbdrwmag.dll C:\WINDOWS\system32\mvsdypcq.dll C:\WINDOWS\system32\gypyncnr.dll C:\WINDOWS\system32\gphvjubm.dll Registry:: [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{01CD0B31-9154-45F2-9414-F5D64B74EAF6}] [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{08cee581-1c87-4303-a766-71a984c9161f}] [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{A95B2816-1D7E-4561-A202-68C0DE02353A}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] “{11A69AE4-FBED-4832-A2BF-45AF82825583}”=- [-HKEY_CLASSES_ROOT\CLSID{11A69AE4-FBED-4832-A2BF-45AF82825583}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{01CD0B31-9154-45F2-9414-F5D64B74EAF6}”=- [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdedb] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gypyncnr] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b0882e7f] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UGA6P_0001_N122M2210]

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo