Worms and a trojan.... (?)


(system) #1

Hello.

To begin with, I'd like to point out that this is my first thread/post, so please bear with me :slight_smile:

I have a serious problem that I can't solve on my own, so I'm asking for help.

1. Instead of the desktop wallpaper, a blue screen appeared with the text: Warning: Spyware threat has been detected on your PC.

2. An IE window opens on its own and then hangs for a while.

3. Task Manager doesn't work, nor does ctrl+alt+del or ctrl+shift+esc.

4. A balloon pops up from the taskbar saying: Internet attect attempt detected...

5. The computer is terribly sluggish and hangs, and sometimes it has trouble starting up.

Please help, I'd rather not resort to formatting; I really need the computer.

I'm attaching the ComboFix and HijackThis logs:

ComboFix log:

ComboFix 08-04-01.2 - Adam 2008-04-02 19:27:13.7 - FAT32 x86

Running from: C:\Documents and Settings\Adam\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Program Files\seekmo

C:\Program Files\seekmo\seekmohook.dll

C:\WINDOWS\180ax.exe

C:\WINDOWS\2020search.dll

C:\WINDOWS\2020search2.dll

C:\WINDOWS\bjam.dll

C:\WINDOWS\bokja.exe

C:\WINDOWS\cdsm32.dll

C:\WINDOWS\default.htm

C:\WINDOWS\mspphe.dll

C:\WINDOWS\mssvr.exe

C:\WINDOWS\saiemod.dll

C:\WINDOWS\salm.exe

C:\WINDOWS\stcloader.exe

C:\WINDOWS\swin32.dll

C:\WINDOWS\system32\msixu.dll

C:\WINDOWS\system32\wer8274.dll

C:\WINDOWS\TEMP\salm.exe

C:\WINDOWS\updatetc.exe

C:\WINDOWS\voiceip.dll

.

((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))

.


2008-04-02 00:31 . 2008-04-02 00:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-04-02 00:31 . 2008-04-02 00:31 1,409 --a------ C:\WINDOWS\QTFont.for


2008-04-01 07:46 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-04-01 07:46 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-04-01 07:46 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-04-01 07:46 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-04-01 07:25 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys

2008-04-01 07:25 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys

2008-04-01 07:14 . 2008-04-01 07:14 269,334 --a------ C:\WINDOWS\system32\psnmtgr.bmp

2008-03-31 22:47 . 2008-03-31 22:47 269,334 --a------ C:\WINDOWS\system32\ofedgnetsbet.bmp


2008-03-31 22:26 . 2008-03-31 22:26 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys


2008-03-31 22:16 . 2008-03-31 22:16 24,320 --a------ C:\WINDOWS\didduid.ini

2008-03-31 22:15 . 2008-03-31 22:15 17,152 --a------ C:\WINDOWS\123messenger.per

2008-03-31 20:02 . 2008-03-31 20:02 90,537 --a------ C:\WINDOWS\system32\sbwltbxa.exe

2008-03-31 13:00 . 2008-03-31 13:00 269,334 --a------ C:\WINDOWS\system32\tsnidofeh.bmp

2008-03-30 19:17 . 2008-03-30 19:17 269,334 --a------ C:\WINDOWS\system32\qhkbetcradgnal.bmp

2008-03-29 14:22 . 2008-03-29 14:22 269,334 --a------ C:\WINDOWS\system32\qhgrmdormtkr.bmp

2008-03-28 14:33 . 2008-03-28 14:33 269,334 --a------ C:\WINDOWS\system32\etojitobat.bmp

2008-03-28 11:57 . 2001-01-01 12:34 2,238 --a------ C:\WINDOWS\TOCA2.ICO

2008-03-28 11:57 . 2001-01-01 12:34 1,406 --a------ C:\WINDOWS\Toca2x.ico

2008-03-28 11:57 . 2001-01-01 12:34 766 --a------ C:\WINDOWS\NET2.ICO

2008-03-28 11:57 . 2001-01-01 12:34 318 --a------ C:\WINDOWS\SETUP.ICO

2008-03-28 11:56 . 2001-01-01 12:34 1,393,152 --a------ C:\WINDOWS\system32\Mfc42d.dll

2008-03-28 11:56 . 2001-01-01 12:34 373,248 --a------ C:\WINDOWS\system32\Msvcrtd.dll

2008-03-28 11:55 . 2001-01-01 12:34 327,168 --a------ C:\WINDOWS\IsUn0415.exe

2008-03-26 22:59 . 2008-03-26 22:59 269,334 --a------ C:\WINDOWS\system32\cbmpgnmhgfad.bmp


2008-03-26 11:42 . 2008-03-26 11:42 269,334 --a------ C:\WINDOWS\system32\japcnmpgralkn.bmp


2008-03-25 21:24 . 2008-03-25 21:24 269,334 --a------ C:\WINDOWS\system32\fqdkrmtsfihkb.bmp

2008-03-25 20:26 . 2001-10-26 17:29 88,064 --a------ C:\WINDOWS\system32\cnvfa.dll

2008-03-25 19:24 . 2008-03-25 19:24 269,334 --a------ C:\WINDOWS\system32\obalkbmt.bmp

2008-03-25 18:41 . 2008-03-25 18:41 269,334 --a------ C:\WINDOWS\system32\adkfahcjepgj.bmp

2008-03-25 18:14 . 2008-03-25 18:14 269,334 --a------ C:\WINDOWS\system32\qdgbedcjehgbmh.bmp

2008-03-25 18:02 . 2008-03-25 18:02 269,334 --a------ C:\WINDOWS\system32\lcfqdsb.bmp

2008-03-25 17:37 . 2008-03-25 17:37 468 --a------ C:\WINDOWS\eReg.dat

2008-03-25 17:16 . 2008-03-25 17:16 269,334 --a------ C:\WINDOWS\system32\bmtgjmpobmp.bmp


2008-03-17 22:12 . 2008-03-17 22:12 36,700 --ah----- C:\WINDOWS\system32\mlfcache.dat


2008-03-05 11:59 . 2008-03-05 11:59 2,238 --a------ C:\WINDOWS\system32\cmd$3.ico

2008-03-05 11:59 . 2008-03-05 11:59 2,238 --a------ C:\WINDOWS\system32\cmd$2.ico

2008-03-05 11:59 . 2008-03-05 11:59 2,238 --a------ C:\WINDOWS\system32\cmd$1.ico

2008-03-05 11:58 . 2008-03-05 11:59 2,238 --a------ C:\WINDOWS\system32\cmd.ico


.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-02 17:23 22,528 ----a-w C:\WINDOWS\system32\drivers\nhcDriver.sys

2008-04-02 13:34 28,928 ----a-w C:\WINDOWS\system32\MSNSA32.dll

2008-03-29 17:45 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe

2008-03-29 17:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2008-03-29 17:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2008-03-29 17:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2008-03-29 17:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2008-03-29 17:23 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr

2008-02-29 12:45 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL

2008-02-29 12:45 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS

2008-02-29 12:45 360,064 ----a-w C:\WINDOWS\system32\dllcache\TCPIP.SYS

2008-02-24 13:11 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2008-02-19 23:56 --------- d-----w C:\Program Files\SubEdit-Player

2008-02-19 19:31 --------- d-----w C:\Program Files\Object Desktop

2008-02-15 14:11 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys

2008-02-15 14:11 --------- d-----w C:\Program Files\Hamachi

2008-02-07 11:50 --------- d-----w C:\Program Files\Alwil Software

2008-01-27 20:54 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll

2008-01-11 04:41 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll

.

------- Sigcheck -------

2008-02-29 14:45 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\drivers\TCPIP.SYS

2008-02-29 14:45 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\dllcache\TCPIP.SYS

2002-08-29 00:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys

2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys

2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS

2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys

2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys

2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87657246-828D-41D6-A1C7-A77F8F62FF2D}]

2001-10-26 17:29 88064 --a------ C:\WINDOWS\system32\cnvfa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A926C1CF-D477-43B5-82C7-71E7BF4DCFF4}]

2001-10-26 17:29 88064 --a------ C:\WINDOWS\system32\cnvfa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2007-05-03 10:02 264704]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-15 16:27 68856]

"Internet Accelerator"="C:\Program Files\Pointstone\Internet Accelerator\InternetAccelerator.exe" [2007-06-12 17:38 813056]

"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 02:23 443968]

"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 12:24 167368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NotebookHardwareControl"="C:\Program Files\Notebook Hardware Control\nhc.exe" [2007-05-04 02:33 2629632]

"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2007-04-28 08:13 2610744]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-08-24 06:50 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-08-24 06:47 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-08-24 06:51 114688]

"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-07-26 11:36 69632]

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-03-27 07:35 36352]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16 286720]

"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 77824 C:\WINDOWS\soundman.exe]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]

"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-03-31 22:26 2957824]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 11:41 602182]

"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-11-28 11:41 667718]

"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-11-28 11:47 569413]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\Adam\Menu Start\Programy\Autostart\

Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-03-14 18:23:43 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\plustab32]

plustab32.dll 2004-10-01 04:57 8704 C:\WINDOWS\system32\plustab32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\Program Files\Gadu-Gadu\gg.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77bb743e-5a0a-11dc-bb68-000000000000}]

\Shell\AutoRun\command - EXPLORER.EXE

\Shell\explore\Command - EXPLORER.EXE

\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89c335a6-4bee-11dc-bb41-0016d345206f}]

\Shell\AutoRun\command - H:\ekugb3.bat

\Shell\explore\Command - H:\ekugb3.bat

\Shell\open\Command - H:\ekugb3.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbf0c108-80e9-11dc-bbb8-000000000000}]

\Shell\AutoRun\command - H:\v.com

\Shell\explore\Command - H:\v.com

\Shell\open\Command - H:\v.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d78222cd-a38f-11dc-bbe2-000000000000}]

\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d78222ce-a38f-11dc-bbe2-000000000000}]

\Shell\AutoRun\command - I:\xpbkh.com

\Shell\explore\Command - I:\xpbkh.com

\Shell\open\Command - I:\xpbkh.com

.

Contents of the 'Scheduled Tasks' folder

"2008-04-02 17:31:02 C:\WINDOWS\Tasks\Symantec NetDetect.job"

  • C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

"2008-03-28 16:34:28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-02 19:32:15

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-02 19:34:59

ComboFix-quarantined-files.txt 2008-04-02 17:34:52

Pre-Run: 1,233,551,360 bajtów wolnych

Post-Run: 1,222,000,640 bajtów wolnych

.

2008-04-02 17:10:54 --- E O F ---

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:36, on 2008-04-02

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\system32\sbwltbxa.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Notebook Hardware Control\nhc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe

C:\Program Files\Pointstone\Internet Accelerator\InternetAccelerator.exe

C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Program Files\Last.fm\LastFMHelper.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Common Files\RbtProt\sgsrv.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

D:\ABAQUS\6.4-2SE\Documentation\monitor.exe

D:\ABAQUS\6.4-2SE\Documentation\monitor.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60337

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_custo ... TbId=60337

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,

O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {87657246-828D-41D6-A1C7-A77F8F62FF2D} - C:\WINDOWS\system32\cnvfa.dll

O2 - BHO: (no name) - {A926C1CF-D477-43B5-82C7-71E7BF4DCFF4} - C:\WINDOWS\system32\cnvfa.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

O3 - Toolbar: Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

O4 - HKLM..\Run: [NotebookHardwareControl] "C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet

O4 - HKLM..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s

O4 - HKLM..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

O4 - HKLM..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM..\Run: [spywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe

O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU..\Run: [internet Accelerator] C:\Program Files\Pointstone\Internet Accelerator\InternetAccelerator.exe

O4 - HKCU..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe

O4 - HKCU..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-21-1644491937-1482476501-725345543-1003..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-1644491937-1482476501-725345543-1003..\Run: [internet Accelerator] C:\Program Files\Pointstone\Internet Accelerator\InternetAccelerator.exe (User '?')

O4 - HKUS\S-1-5-21-1644491937-1482476501-725345543-1003..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User '?')

O4 - HKUS\S-1-5-21-1644491937-1482476501-725345543-1003..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')

O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - S-1-5-21-1644491937-1482476501-725345543-1003 Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe (User '?')

O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe

O8 - Extra context menu item: Crawler Search - tbr:iemenu

O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Wklejacz Start - {2917BC45-6708-4538-B688-7318B3E9FF32} - C:\Documents and Settings\Adam\Pulpit\wkl.exe (file missing)

O9 - Extra button: Wklejacz Start - {797DE19A-2B59-4762-A97A-243A513BAD5F} - C:\Documents and Settings\Adam\Pulpit\wkl.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab

O17 - HKLM\System\CCS\Services\Tcpip..{B069262C-EB13-43B0-BD62-76991FA61F70}: NameServer = 208.67.222.222,208.67.220.220

O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

O20 - Winlogon Notify: plustab32 - C:\WINDOWS\SYSTEM32\plustab32.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: SoftGuard Service (SG_Service) - Unknown owner - C:\Program Files\Common Files\RbtProt\sgsrv.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

O23 - Service: Texis Monitor - Expansion Programs International, Inc. - D:\ABAQUS\6.4-2SE\Documentation\monitor.exe

--

End of file - 10351 bytes

Please help... :frowning:
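As an added example that is not part of this thread (written for this page, standard library only), a small triage script that applies to the logs above three of the checks the helpers here do by eye: extra UserInit entries (the F2 line), the policy values that disable Task Manager, the Windows Firewall and the Security Center AV warning, and MountPoints2 AutoRun handlers that point at a file on a drive instead of EXPLORER.EXE (the removable-media worm pattern). The sample lines are excerpted from the ComboFix and HijackThis output posted above.

```python
"""Triage helper for HijackThis / ComboFix log lines (added example).

Checks applied:
  1. F2 UserInit entries beyond the real userinit.exe (here: sbwltbxa.exe)
  2. policy values that disable Task Manager, the firewall or AV monitoring
  3. MountPoints2 AutoRun/open/explore handlers that run a file from a drive
     letter instead of the stock EXPLORER.EXE handler
"""
import re
from dataclasses import dataclass

# Lines excerpted from the logs posted above (ComboFix + HijackThis).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
"DisableTaskMgr"= 1 (0x1)
"AntiVirusOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\AutoRun\command - H:\ekugb3.bat
\Shell\open\Command - H:\v.com
\Shell\AutoRun\command - H:\LaunchU3.exe -a
\Shell\AutoRun\command - I:\xpbkh.com
"""


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


# The only value UserInit should carry on Windows XP; a trailing comma is normal.
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"

# Policy values whose presence with this value is a tampering sign.
# Values are compared on the decimal digit ComboFix prints (after "dword:" zeros).
BAD_POLICIES = {
    "DisableTaskMgr": "1",     # explains the dead Task Manager / ctrl+shift+esc
    "EnableFirewall": "0",     # Windows Firewall switched off
    "AntiVirusOverride": "1",  # Security Center told to stop warning about AV
}

USERINIT_RE = re.compile(r"UserInit=(.+)$", re.IGNORECASE)
POLICY_RE = re.compile(r'^"(\w+)"\s*=\s*(?:dword:)?0*(\d+)')
AUTORUN_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.IGNORECASE)


def check_userinit(line):
    """Flag every UserInit entry that is not the genuine userinit.exe."""
    m = USERINIT_RE.search(line)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [Finding("userinit-hijack", e) for e in entries
            if e.lower() != LEGIT_USERINIT]


def check_policy(line):
    """Flag policy values that match the known-bad settings above."""
    m = POLICY_RE.match(line.strip())
    if not m:
        return []
    name, value = m.group(1), m.group(2)
    if BAD_POLICIES.get(name) == value:
        return [Finding("policy-tamper", f"{name}={value}")]
    return []


def check_autorun(line):
    """Flag MountPoints2 shell handlers that run anything but Explorer itself."""
    m = AUTORUN_RE.match(line.strip())
    if not m:
        return []
    verb, command = m.group(1), m.group(2).strip()
    if command.upper() == "EXPLORER.EXE":
        return []  # stock handler: opening the drive just opens Explorer
    return [Finding("autorun-handler", f"{verb}: {command}")]


def triage(log_text):
    """Run all checks over every non-empty line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in (check_userinit, check_policy, check_autorun):
            findings.extend(check(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.check}] {f.detail}")
```

Every flagged path maps directly onto an entry in Gutek's CFScript below (sbwltbxa.exe, H:\ekugb3.bat, H:\v.com, I:\xpbkh.com), while the stock EXPLORER.EXE handler is left alone; the U3 launcher is flagged for review rather than declared malicious.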


(Baldys15) #2

Fix these:

C:\WINDOWS\system32\sbwltbxa.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,

and run a scan with this:

http://dobreprogramy.pl/index.php?dz=2& ... +2.1.1.314


(Gutek) #3

Paste into Notepad:

File::

C:\WINDOWS\didduid.ini

C:\WINDOWS\123messenger.per

C:\WINDOWS\system32\sbwltbxa.exe

C:\WINDOWS\system32\tsnidofeh.bmp

C:\WINDOWS\system32\qhkbetcradgnal.bmp

C:\WINDOWS\system32\qhgrmdormtkr.bmp

C:\WINDOWS\system32\etojitobat.bmp

C:\WINDOWS\system32\cbmpgnmhgfad.bmp

C:\WINDOWS\system32\japcnmpgralkn.bmp

C:\WINDOWS\system32\fqdkrmtsfihkb.bmp

C:\WINDOWS\system32\cnvfa.dll

C:\WINDOWS\system32\obalkbmt.bmp

C:\WINDOWS\system32\adkfahcjepgj.bmp

C:\WINDOWS\system32\qdgbedcjehgbmh.bmp

C:\WINDOWS\system32\lcfqdsb.bmp

C:\WINDOWS\eReg.dat

C:\WINDOWS\system32\bmtgjmpobmp.bmp

C:\WINDOWS\system32\cnvfa.dll

H:\ekugb3.bat

H:\v.com

I:\xpbkh.com

C:\WINDOWS\Tasks\Symantec NetDetect.job

C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


Folder::

C:\Program Files\zango

C:\Program Files\stc

C:\Program Files\180searchassistant

C:\Program Files\180search assistant

C:\Program Files\180solutions

C:\FOUND.012

C:\WINDOWS\FLEOK

C:\FOUND.011


Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87657246-828D-41D6-A1C7-A77F8F62FF2D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A926C1CF-D477-43B5-82C7-71E7BF4DCFF4}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

>>File>>Save as... >>> CFScript (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)

– like in this picture -->88953CFScript-createdbyMiekiemoes.gif

(if a question " 1 or 2" appears, type 1 and press ENTER) The removal should start. (and a log will be produced)

After the restart, manually delete the folder C:\Qoobox.

After that, a new ComboFix log.

Follow this Topic and change the thread title to a specific one, otherwise it goes to the TRASH.

Regards, Gutek2222

Change to the rules for posting logs on the forum - viewtopic.php?f=16t=213350


(system) #4

Really sorry about the title and the badly pasted logs, but I honestly had no idea what to come up with for the title.

I'm attaching the log from a second ComboFix scan. The computer seems to be working fine now, except that at startup two messages from avast appear about rootkits that cannot be removed.

Attaching the log:

http://wklej.org/id/2d944ebb2c

But it's already better, and thank you for that :slight_smile:


(Leon$) #5

Turn off System Restore on all drives. http://support.microsoft.com/kb/310405/pl

Disinfect the flash drive or memory card http://www.softpedia.com/get/Security/Security-Related/PRT-Perlovga-Removal-Tool.shtml or format it

Open Notepad and paste

save it as CFScript.txt (save it so that the CFScript.txt icon is next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri ... iemoes.gif

The removal should start

Then post the removal log from ComboFix

:slight_smile: