Desktop with a Biohazard sign and the text "Your Privacy..."


(Pawel Crono) #1

Since yesterday I've had a problem with this virus, which changes the wallpaper to a red one with a biohazard sign and the text "your privacy is in danger". I know many people have had this problem; I even tried to fix it myself, but it only worked for maybe 4 hours. Please help, here is the log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 18:32:38, on 2008-04-20

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

Boot mode: Normal


Running processes:

C:WINDOWSSystem32smss.exe

C:WINDOWSsystem32winlogon.exe

C:WINDOWSsystem32services.exe

C:WINDOWSsystem32lsass.exe

C:WINDOWSsystem32Ati2evxx.exe

C:WINDOWSsystem32svchost.exe

C:WINDOWSSystem32svchost.exe

C:WINDOWSsystem32spoolsv.exe

C:Program FilesGrisoftAVG Anti-Spyware 7.5guard.exe

C:Program FilesESETESET Smart Securityekrn.exe

C:Program FilesPC Tools AntiVirusPCTAVSvc.exe

C:WINDOWSsystem32svchost.exe

C:WINDOWSsystem32Ati2evxx.exe

C:WINDOWSsystem32RunDll32.exe

C:WINDOWSsystem32rundll32.exe

C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe

C:Program FilesWinampwinampa.exe

C:Program FilesATI TechnologiesATI.ACEcli.exe

C:Program FilesPC Tools AntiVirusPCTAV.exe

C:Program FilesD-Toolsdaemon.exe

C:Program FilesGoogleGoogle Talkgoogletalk.exe

C:Program FilesESETESET Smart Securityegui.exe

C:WINDOWSsystem32ctfmon.exe

C:Program FilesCommon FilesAheadLibNMBgMonitor.exe

C:Program FilesMessengermsmsgs.exe

C:Program FilesHPDigital Imagingbinhpqtra08.exe

C:Program FilesCommon FilesAheadLibNMIndexStoreSvr.exe

C:Program FilesHPDigital ImagingbinhpqSTE08.exe

C:WINDOWSsystem32wuauclt.exe

C:Program FilesCommon FilesAheadLibNMIndexingService.exe

C:Program FilesATI TechnologiesATI.ACEcli.exe

C:Program FilesATI TechnologiesATI.ACEcli.exe

C:WINDOWSsystem32rundll32.exe

C:WINDOWSsystem32rundll32.exe

C:Program FilesWindows Media Playerwmplayer.exe

D:ProgramyGadu-Gadugg.exe

C:Program FilesMozilla Firefoxfirefox.exe

C:WINDOWSexplorer.exe

D:PawełProgramyHiJackThis_v2.exe


R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.onet.pl/

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:Program FilesSkypeToolbarsInternet ExplorerSkypeIEPlugin.dll

O2 - BHO: (no name) - {31E4C02F-9B14-452F-8163-86FAD63FE680} - C:WINDOWSsystem32geBsqRhI.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:DownloadsBitComettoolsBitCometBHO_1.1.7.4.dll

O2 - BHO: (no name) - {4020100D-29D7-4392-AFD5-5AD713FF4B88} - C:WINDOWSsystem32hgGwwWoL.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:PROGRA~1MEGAUP~1MEGAUP~1.DLL

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:PROGRA~1MEGAUP~1MEGAUP~1.DLL

O4 - HKLM..Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM..Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM..Run: [ATIPTA] "C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe"

O4 - HKLM..Run: [VGAUtil] C:WINDOWSsystem32G-VGA.exe

O4 - HKLM..Run: [WinampAgent] C:Program FilesWinampwinampa.exe

O4 - HKLM..Run: [ATICCC] "C:Program FilesATI TechnologiesATI.ACEcli.exe" runtime -Delay

O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime

O4 - HKLM..Run: [!AVG Anti-Spyware] "C:Program FilesGrisoftAVG Anti-Spyware 7.5avgas.exe" /minimized

O4 - HKLM..Run: [PCTAVApp] "C:Program FilesPC Tools AntiVirusPCTAV.exe" /MONITORSCAN

O4 - HKLM..Run: [DAEMON Tools-1033] "C:Program FilesD-Toolsdaemon.exe" -lang 1033

O4 - HKLM..Run: [NeroFilterCheck] C:Program FilesCommon FilesAheadLibNeroCheck.exe

O4 - HKLM..Run: [googletalk] C:Program FilesGoogleGoogle Talkgoogletalk.exe /autostart

O4 - HKLM..Run: [egui] "C:Program FilesESETESET Smart Securityegui.exe" /hide /waitservice

O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 8.0ReaderReader_sl.exe"

O4 - HKLM..Run: [SDFix] D:PAWE~1ProgramySDFixSDFixRunThis.bat /second

O4 - HKLM..Run: [4893ebbf] rundll32.exe "C:WINDOWSsystem32aqtgsvat.dll",b

O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe

O4 - HKCU..Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:Program FilesCommon FilesAheadLibNMBgMonitor.exe"

O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background

O4 - HKCU..Run: [PCTAVApp] "C:Program FilesPC Tools AntiVirusPCTAV.exe" /MONITORSCAN

O4 - HKUSS-1-5-19..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUSS-1-5-20..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'SYSTEM')

O4 - HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'Default user')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:Program FilesHPDigital Imagingbinhpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOfficeOSA9.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000

O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:PROGRA~1COMMON~1SkypeSKYPE4~1.DLL

O20 - Winlogon Notify: hgGwwWoL - C:WINDOWSSYSTEM32hgGwwWoL.dll

O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:WINDOWSsystem32Lmgjlm32.dll (file missing)

O21 - SSODL: aKunX - {4893EB11-E239-41BB-4622-F5F26DDFF85A} - C:WINDOWSsystem32pobm.dll (file missing)

O21 - SSODL: vadokmxt - {6CDD5EFB-2E32-4321-B30F-920B356BF7B7} - C:WINDOWSvadokmxt.dll

O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:WINDOWSsystem32browseui.dll

O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:WINDOWSsystem32browseui.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:WINDOWSsystem32Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:WINDOWSsystem32ati2sgag.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:Program FilesGrisoftAVG Anti-Spyware 7.5guard.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:Program FilesESETESET Smart SecurityEHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:Program FilesESETESET Smart Securityekrn.exe

O23 - Service: NBService - Nero AG - C:Program FilesNeroNero 7Nero BackItUpNBService.exe

O23 - Service: NMIndexingService - Nero AG - C:Program FilesCommon FilesAheadLibNMIndexingService.exe

O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:Program FilesPC Tools AntiVirusPCTAVSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:WINDOWSsystem32HPZipm12.exe

O24 - Desktop Component 0: Privacy Protection - file:///C:WINDOWSprivacy_dangerindex.htm

O24 - Desktop Component 1: (no name) - (no file)


--

End of file - 7632 bytes

(huber2t) #2

Post new logs with the slashes


(Pawel Crono) #3

hmm… strange, they should be there. I'll add a new log in a moment :slight_smile:

On 20.04.2008, at 19:15, a post was appended by cronodevil

New log, with slashes ;) , HijackThis of course:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 19:10:42, on 2008-04-20

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\RunDll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\PC Tools AntiVirus\PCTAV.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\ESET\ESET Smart Security\egui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Windows Media Player\wmplayer.exe

D:\Programy\Gadu-Gadu\gg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\explorer.exe

D:\Paweł\Programy\HiJackThis_v2.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: (no name) - {31E4C02F-9B14-452F-8163-86FAD63FE680} - C:\WINDOWS\system32\geBsqRhI.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Downloads\BitComet\tools\BitCometBHO_1.1.7.4.dll

O2 - BHO: (no name) - {4020100D-29D7-4392-AFD5-5AD713FF4B88} - C:\WINDOWS\system32\hgGwwWoL.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\system32\G-VGA.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [SDFix] D:\PAWE~1\Programy\SDFix\SDFix\RunThis.bat /second

O4 - HKLM\..\Run: [4893ebbf] rundll32.exe "C:\WINDOWS\system32\aqtgsvat.dll",b

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: hgGwwWoL - C:\WINDOWS\SYSTEM32\hgGwwWoL.dll

O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Lmgjlm32.dll (file missing)

O21 - SSODL: aKunX - {4893EB11-E239-41BB-4622-F5F26DDFF85A} - C:\WINDOWS\system32\pobm.dll (file missing)

O21 - SSODL: vadokmxt - {6CDD5EFB-2E32-4321-B30F-920B356BF7B7} - C:\WINDOWS\vadokmxt.dll

O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

O24 - Desktop Component 1: (no name) - (no file)


--

End of file - 7632 bytes

(huber2t) #4

Fix in HijackThis

Download ComboFix, but do not run it yet

Paste into Notepad:

File::

C:\WINDOWS\system32\geBsqRhI.dll

C:\WINDOWS\system32\hgGwwWoL.dll

C:\WINDOWS\system32\pobm.dll 

C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

C:\WINDOWS\vadokmxt.dll

C:\WINDOWS\privacy_danger\index.htm

C:\WINDOWS\system32\Lmgjlm32.dll

C:\WINDOWS\SYSTEM32\hgGwwWoL.dll

C:\WINDOWS\system32\aqtgsvat.dll


Folder::

C:\PROGRA~1\MEGAUP~1

File -> Save as -> CFScript.txt (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon like this ->

02f8f1e3c410a4cc.gif

Removal should start and a log will be created; post that log on the forum.
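As an added example (not code from the thread, from HijackThis or from ComboFix), the script below parses HijackThis entries of the kinds shown above and applies a few of the checks a helper performs by eye when picking entries for a CFScript: unnamed BHOs, "(file missing)" entries, Winlogon Notify / SSODL / Desktop Component hooks, auto-generated Run value names, rundll32 loading a DLL from the Windows directory, and random-looking file names. It then emits the File:: section of a CFScript.txt for a human to review. The sample lines (paths copied from the thread), the rule set and the randomness thresholds are assumptions constructed for this example.

```python
"""HijackThis log triage (added example; not code from the thread, HijackThis
or ComboFix). Parses entries of the kinds shown above, applies a few transparent
heuristics and emits the File:: section of a CFScript.txt for a human to review.
The sample lines, rule set and thresholds are assumptions made for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis's output format (paths taken from the thread).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31E4C02F-9B14-452F-8163-86FAD63FE680} - C:\WINDOWS\system32\geBsqRhI.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [4893ebbf] rundll32.exe "C:\WINDOWS\system32\aqtgsvat.dll",b
O20 - Winlogon Notify: hgGwwWoL - C:\WINDOWS\SYSTEM32\hgGwwWoL.dll
O21 - SSODL: aKunX - {4893EB11-E239-41BB-4622-F5F26DDFF85A} - C:\WINDOWS\system32\pobm.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

ENTRY_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.+)$")
# First Windows path in the entry; lazy so it stops at the first matching extension.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"<>|*?\r\n]*?\.(?:dll|exe|cpl|bat|htm|html)\b", re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")

# Autostart hooks that consumer software almost never uses (assumption for this example).
WATCH_KINDS = {
    "O20": "Winlogon Notify DLL",
    "O21": "ShellServiceObjectDelayLoad entry",
    "O24": "Active Desktop component",
}


@dataclass(frozen=True)
class Finding:
    kind: str
    reason: str
    path: Optional[str]
    line: str


def looks_auto_generated(name: str) -> bool:
    """Run value names made of 8 hex digits, like '4893ebbf', are typical of droppers."""
    return re.fullmatch(r"[0-9a-f]{8}", name) is not None


def looks_random(basename: str) -> bool:
    """Crude test: 6-8 letter stem with at most one vowel or four or more case flips."""
    stem = basename.rsplit(".", 1)[0]
    if not stem.isalpha() or not 6 <= len(stem) <= 8:
        return False
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:]))
    return vowels <= 1 or flips >= 4


def analyse_line(line: str) -> List[Finding]:
    """Return one Finding per rule that fires on a single HijackThis entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else None
    reasons = []
    if kind in WATCH_KINDS:
        reasons.append(f"{WATCH_KINDS[kind]} (rarely legitimate on a home PC)")
    if "(no name)" in body:
        reasons.append("BHO registered without a name")
    if "(file missing)" in body:
        reasons.append("registry entry points at a file that no longer exists")
    nm = RUN_NAME_RE.search(body)
    if kind == "O4" and nm and looks_auto_generated(nm.group("name")):
        reasons.append(f"Run value name '{nm.group('name')}' looks auto-generated")
    if path and "\\windows\\" in path.lower():
        if "rundll32" in body.lower():
            reasons.append("rundll32 launching a DLL from the Windows directory")
        if looks_random(path.rsplit("\\", 1)[-1]):
            reasons.append("random-looking file name in the Windows directory")
    return [Finding(kind, r, path, line.strip()) for r in reasons]


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        findings.extend(analyse_line(line))
    return findings


def cfscript_file_section(findings: List[Finding]) -> str:
    """File:: section of a CFScript.txt listing every flagged path once, sorted."""
    paths = sorted({f.path for f in findings if f.path}, key=str.lower)
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind}: {f.reason}\n    {f.line}")
    print(cfscript_file_section(results))
```

The output is a candidate list for a person to check against the full log, not a verdict: browseui.dll passes here only because it sits in a section the rules do not watch and has a pronounceable name, which is exactly the kind of entry a helper confirms by hand before it goes into a CFScript.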


(Pawel Crono) #5

Here is the ComboFix log:

1. ComboFix 08-04-18.3 - Boczula 2008-04-20 19:32:14.3 - NTFSx86

  2. Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.122 [GMT 2:00]

  3. Running from: D:\Mozilla Ściąganie\ComboFix.exe

  4. Command switches used :: D:\Mozilla Ściąganie\CFScript.txt

  5. * Created a new restore point

  6. * Resident AV is active

  7. 

  8. 

  9. [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED [/b][/color]

 10. 

 11. FILE ::

 12. C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

 13. C:\WINDOWS\privacy_danger\index.htm

 14. C:\WINDOWS\system32\aqtgsvat.dll

 15. C:\WINDOWS\system32\geBsqRhI.dll

 16. C:\WINDOWS\SYSTEM32\hgGwwWoL.dll

 17. C:\WINDOWS\system32\hgGwwWoL.dll

 18. C:\WINDOWS\system32\Lmgjlm32.dll

 19. C:\WINDOWS\system32\pobm.dll

 20. C:\WINDOWS\vadokmxt.dll

 21. .

 22. 

 23. ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 24. .

 25. 

 26. C:\PROGRA~1\MEGAUP~1

 27. C:\PROGRA~1\MEGAUP~1\tbuninstall.exe

 28. C:\PROGRA~1\MEGAUP~1\toolbar.ini

 29. C:\PROGRA~1\MEGAUP~1\uninstall.exe

 30. C:\WINDOWS\privacy_danger

 31. C:\WINDOWS\privacy_danger\images\capt.gif

 32. C:\WINDOWS\privacy_danger\images\danger.jpg

 33. C:\WINDOWS\privacy_danger\images\down.gif

 34. C:\WINDOWS\privacy_danger\images\spacer.gif

 35. C:\WINDOWS\privacy_danger\index.htm

 36. C:\WINDOWS\system32\aqtgsvat.dll

 37. C:\WINDOWS\system32\efpiddjf.ini

 38. C:\WINDOWS\system32\fjddipfe.dll

 39. C:\WINDOWS\system32\geBsqRhI.dll

 40. C:\WINDOWS\system32\hgGwwWoL.dll

 41. C:\WINDOWS\system32\hgGyabxY.dll

 42. C:\WINDOWS\system32\IhRqsBeg.ini

 43. C:\WINDOWS\system32\IhRqsBeg.ini2

 44. C:\WINDOWS\vadokmxt.dll

 45. 

 46. .

 47. ((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))

 48. .

 49. 

 50. 2008-04-20 14:59 . 2008-04-20 19:32 1,541,157 ---hs---- C:\WINDOWS\system32\tavsgtqa.ini

 51. 2008-03-30 12:12 . 2008-04-05 22:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn

 52. 2008-03-30 12:12 . 2008-03-30 12:12 1,409 --a------ C:\WINDOWS\QTFont.for

 53. 2008-03-29 11:08 . 2001-03-23 17:29 880,912 --a------ C:\WINDOWS\WM8EUTIL.exe

 54. 2008-03-20 13:59 . 2001-04-11 05:47 80,384 --a------ C:\WINDOWS\gamedelete.exe

 55. 

 56. .

 57. (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 58. .

 59. 2008-04-20 17:40 --------- d-----w C:\Program Files\PC Tools AntiVirus

 60. 2008-04-20 14:10 --------- d-----w C:\Documents and Settings\Boczula\Dane aplikacji\Azureus

 61. 2008-04-20 09:04 --------- d-----w C:\Program Files\ESET

 62. 2008-04-19 10:39 98,304 ----a-w C:\WINDOWS\wxvgsdbq.exe

 63. 2008-04-19 10:39 98,304 ----a-w C:\WINDOWS\olgdqarf.exe

 64. 2008-04-19 07:51 3,456 ----a-w C:\WINDOWS\system32\tmp.reg

 65. 2008-04-18 13:51 --------- d-----w C:\Documents and Settings\Boczula\Dane aplikacji\LimeWire

 66. 2008-04-16 19:25 --------- d-----w C:\Documents and Settings\Boczula\Dane aplikacji\Image Zone Express

 67. 2008-04-03 19:50 --------- d-----w C:\Documents and Settings\Boczula\Dane aplikacji\Hamachi

 68. 2008-03-26 16:22 --------- d--h--w C:\Program Files\InstallShield Installation Information

 69. 2008-03-26 16:22 --------- d-----w C:\Program Files\Common Files\InstallShield

 70. 2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys

 71. 2008-03-13 16:51 --------- d-----w C:\Documents and Settings\Boczula\Dane aplikacji\PC Tools

 72. 2008-03-13 14:36 --------- d-----w C:\Program Files\MIKSOFT

 73. 2008-03-08 20:25 --------- d-----w C:\Documents and Settings\Boczula\Dane aplikacji\Skype

 74. 2008-03-05 21:47 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys

 75. 2008-03-01 20:03 --------- d-----w C:\Program Files\Electronic Arts

 76. 2008-03-01 12:27 --------- d-----w C:\Program Files\Microsoft.NET

 77. 2008-02-21 09:23 --------- d-----w C:\Program Files\Common Files\Adobe

 78. 2008-02-20 21:41 --------- d-----w C:\Documents and Settings\Boczula\Dane aplikacji\ESET

 79. 2008-02-20 21:38 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ESET

 80. 2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

 81. 2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

 82. 2008-02-16 11:42 356,352 -c--a-w C:\WINDOWS\eSellerateEngine.dll

 83. 2008-02-16 09:05 662,016 ----a-w C:\WINDOWS\system32\wininet.dll

 84. 2008-01-23 22:08 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll

 85. 2008-01-21 15:00 921,600 ----a-w C:\WINDOWS\system32\vorbisenc.dll

 86. 2008-01-21 15:00 237,568 ----a-w C:\WINDOWS\system32\OggDS.dll

 87. 2008-01-21 15:00 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll

 88. 2008-01-21 14:59 9,216 ----a-w C:\WINDOWS\system32\cpuinf32.dll

 89. 2008-01-21 14:59 755,200 ----a-w C:\WINDOWS\system32\ir50_32.dll

 90. 2008-01-21 14:59 45,056 ----a-w C:\WINDOWS\system32\ogg.dll

 91. 2008-01-21 14:59 245,760 ----a-w C:\WINDOWS\system32\mplvpx.dll

 92. 2008-01-21 14:59 1,415,680 ----a-w C:\WINDOWS\system32\WMV9VCM.dll

 93. 2008-01-21 14:58 740,442 ----a-w C:\WINDOWS\system32\DivX.dll

 94. 2008-01-21 14:58 391,168 ----a-w C:\WINDOWS\system32\i263_32.drv

 95. 2008-01-21 14:57 1,559,040 ----a-w C:\WINDOWS\system32\xvidcore.dll

 96. 2004-05-06 11:11 40,448 ----a-w C:\Documents and Settings\Boczula\trial_setup.exe

 97. 2001-11-23 04:08 712,704 -c--a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

 98. .

 99. 

 100. ((((((((((((((((((((((((((((( snapshot@2008-04-20_14.54.52.90 )))))))))))))))))))))))))))))))))))))))))

 101. .

 102. - 2008-04-20 12:48:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat

 103. + 2008-04-20 17:39:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat

 104. .

 105. ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 106. .

 107. .

 108. *Note* empty entries & legit default entries are not shown

 109. REGEDIT4

 110. 

 111. [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

 112. "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

 113. "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 17:14 147456]

 114. "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]

 115. "PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-05-17 11:41 1074736]

 116. 

 117. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

 118. "Cmaudio"="cmicnfg.cpl" []

 119. "BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-04 00:44 33280 C:\WINDOWS\system32\rundll32.exe]

 120. "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-08-16 01:58 335872]

 121. "VGAUtil"="C:\WINDOWS\system32\G-VGA.exe" []

 122. "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-15 00:22 35328]

 123. "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]

 124. "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-08-18 16:36 286720]

 125. "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

 126. "PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-05-17 11:41 1074736]

 127. "DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]

 128. "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]

 129. "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 23:22 3739648]

 130. "egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-11-23 22:51 1410304]

 131. "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

 132. "SDFix"="D:\PAWE~1\Programy\SDFix\SDFix\RunThis.bat /second" []

 133. "4893ebbf"="C:\WINDOWS\system32\aqtgsvat.dll" []

 134. 

 135. [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

 136. "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

 137. "WinAVX"="C:\WINDOWS\system32\WinAvXX.exe" []

 138. 

 139. C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

 140. HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]

 141. Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

 142. 

 143. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

 144. "vadokmxt"= {C189E286-C042-42DC-8645-A390047C3783} - C:\WINDOWS\vadokmxt.dll []

 145. 

 146. [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGwwWoL]

 147. hgGwwWoL.dll

 148. 

 149. [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

 150. "EnableFirewall"= 0 (0x0)

 151. 

 152. [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

 153. "%windir%\\system32\\sessmgr.exe"=

 154. "D:\\Programy\\Gadu-Gadu\\gg.exe"=

 155. "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

 156. "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

 157. "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

 158. "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

 159. "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

 160. "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

 161. "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

 162. "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

 163. "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

 164. "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

 165. "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

 166. "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

 167. "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

 168. "D:\\Gry\\PC\\CS\\hlds.exe"=

 169. "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

 170. 

 171. [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

 172. "25200:TCP"= 25200:TCP:BitComet 25200 TCP

 173. "25200:UDP"= 25200:UDP:BitComet 25200 UDP

 174. "24739:TCP"= 24739:TCP:BitComet 24739 TCP

 175. "24739:UDP"= 24739:UDP:BitComet 24739 UDP

 176. "25883:TCP"= 25883:TCP:BitComet 25883 TCP

 177. "25883:UDP"= 25883:UDP:BitComet 25883 UDP

 178. "9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager

 179. "9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

 180. "27015:TCP"= 27015:TCP:CS

 181. "27016:TCP"= 27016:TCP:CS 2

 182. "27066:TCP"= 27066:TCP:CS 3

 183. 

 184. S3 USBSHGX;SHARP GSM GPRS USB Driver 2.1.0;C:\WINDOWS\system32\DRIVERS\usbgx_2.sys [2004-09-07 01:32]

 185. 

 186. [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

 187. \Shell\AutoRun\command - F:\Setup.exe

 188. 

 189. .

 190. Contents of the 'Scheduled Tasks' folder

 191. "2008-04-17 17:51:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

 192. - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

 193. "2008-04-20 17:40:08 C:\WINDOWS\Tasks\XoftSpySE 2.job"

 194. - D:\Pawe

 195. "2008-04-19 01:02:34 C:\WINDOWS\Tasks\XoftSpySE.job"

 196. - D:\Pawe

 197. .

 198. **************************************************************************

 199. 

 200. catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

 201. Rootkit scan 2008-04-20 19:41:11

 202. Windows 5.1.2600 Dodatek Service Pack 2 NTFS

 203. 

 204. scanning hidden processes ...

 205. 

 206. scanning hidden autostart entries ...

 207. 

 208. scanning hidden files ...

 209. 

 210. scan completed successfully

 211. hidden files: 0

 212. 

 213. **************************************************************************

 214. .

 215. ------------------------ Other Running Processes ------------------------

 216. .

 217. C:\WINDOWS\system32\ati2evxx.exe

 218. C:\WINDOWS\system32\ati2evxx.exe

 219. C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

 220. C:\Program Files\ESET\ESET Smart Security\ekrn.exe

 221. C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe

 222. C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe

 223. C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

 224. .

 225. **************************************************************************

 226. .

 227. Completion time: 2008-04-20 19:46:01 - machine was rebooted

 228. ComboFix-quarantined-files.txt 2008-04-20 17:45:56

 229. ComboFix2.txt 2008-04-20 12:56:09

 230. ComboFix3.txt 2008-04-20 08:46:59

 231. 

 232. Pre-Run: 1,292,460,032 bajtów wolnych

 233. Post-Run: 1,308,000,256 bajtów wolnych

 234. 

 235. 205 --- E O F --- 2008-04-20 08:15:44



PS. Sorry, but I couldn't remove those numbers… :?

On 20.04.2008, at 20:23, a post was appended by cronodevil

If anyone has time, please confirm the log is clean, or spot some junk :wink: Thanks in advance ;]


(Leon$) #6

Disable System Restore on all drives. http://support.microsoft.com/kb/310405/pl

Open Notepad and paste

save as CFScript.txt (save it so that the CFScript.txt icon is next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri … iemoes.gif

Removal should start

Then post the ComboFix removal log

:slight_smile:


(Pawel Crono) #7

Here is the log after the operation:

http://wklej.org/id/4af2723854

PS. I posted it in this form because I think it is more readable :smiley:


(Leon$) #8

The log looks clean

do the startup optimisation http://cybertrash.netarteria.pl/cyber/index.php/topic,378.0.html

manually delete the folder C:\Qoobox and delete the ComboFix installer from the disk.

scan the My Computer area http://www.kaspersky.pl/virusscanner.html and show the report; the page has to be opened in IE

enable System Restore

:slight_smile:


(Pawel Crono) #9

The computer froze and the Kaspersky scan didn't finish (it was dragging on for a long time anyway, it was at about 6% O_o). I'll try to scan tomorrow and post the report, thanks for today's help :smiley:


(Gutek) #10

Change of the rules for pasting logs on the forum - viewtopic.php?f=16&t=213350


(E Golebiewska) #11

I had this too, it's a trojan downloader virus, I removed it with SmitFraudFix.