The situation is as follows: the computer runs, and after some time the SpyGuardian installation starts by itself. The computer has just been formatted and is protected with Kaspersky Internet Security 2006 6.0.2.614. I would ask for help because this program downloads trojans.
Post logs from HijackThis and ComboFix.
ComboFix 07-11-08.1 - Joniec 2007-11-12 20:24:42.1 - FAT32 x86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.901 [GMT 1:00]
Running from: C:\Documents and Settings\Joniec\Pulpit\ComboFix.exe
* Created a new restore point
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Common Files\Yazzle1549OinAdmin.exe
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\WINDOWS\system32\onnmp.bak1
C:\WINDOWS\system32\onnmp.ini
C:\WINDOWS\system32\onnmp.ini2
C:\WINDOWS\system32\onnmp.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmnno.dll
.
((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.
2007-11-12 20:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 20:19
2007-11-12 19:34 36,352 --a------ C:\WINDOWS\system32\gebywtu.dll
2007-11-12 19:33
2007-11-12 19:28
2007-11-12 11:24
2007-11-12 11:13
2007-11-12 11:08
2007-11-12 10:40
2007-11-12 10:21
2007-11-12 10:18
2007-11-12 10:18
2007-11-12 10:14
2007-11-12 10:14
2007-11-12 10:11
2007-11-12 10:11
2007-11-12 10:11 6,144 --a------ C:\WINDOWS\system32\drivers\k750cm.sys
2007-11-12 10:11 5,744 --a------ C:\WINDOWS\system32\drivers\k750wh.sys
2007-11-11 21:55 35,328 --a------ C:\WINDOWS\system32\urqrrpn.dll
2007-11-11 21:54
2007-11-11 13:29
2007-11-11 13:21 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-11 13:05
2007-11-11 13:00
2007-11-11 13:00 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-11-11 12:59
2007-11-11 12:59
2007-11-11 12:59
2007-11-11 12:59 2,977,792 --------- C:\WINDOWS\UNNeroVision.exe
2007-11-11 12:59 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-11-11 12:59 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-11-11 12:59 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-11-11 12:59 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2007-11-11 12:59 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-11-11 12:59 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-11-11 12:59 38,912 --------- C:\WINDOWS\system32\picn20.dll
2007-11-11 12:59 24,064 --------- C:\WINDOWS\system32\msxml3a.dll
2007-11-11 12:52 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2007-11-11 12:39
2007-11-11 12:35
2007-11-11 12:27 2,953,216 --a------ C:\WINDOWS\system32\dllcache\xpsp2res.dll
2007-11-11 12:27 219,648 --a------ C:\WINDOWS\system32\dllcache\uxtheme.dll
2007-11-11 12:25 375,643 --a------ C:\WINDOWS\system32\vimc.exe
2007-11-11 12:24 3,066,368 --a------ C:\WINDOWS\system32\longhornui.exe
2007-11-11 12:24 19,968 --a------ C:\WINDOWS\system32\reico.exe
2007-11-11 12:23
2007-11-11 12:23
2007-11-11 12:23
2007-11-11 12:23 111,104 --a------ C:\WINDOWS\system32\Uharc.exe
2007-11-11 12:23 81,920 --a------ C:\WINDOWS\system32\closeapp.exe
2007-11-11 12:07
2007-11-11 12:07
2007-11-11 12:07 16,201,504 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-11 12:07 36,896 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-11 12:02
2007-11-11 12:01
2007-11-11 12:01
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 19:28 92,228 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-12 19:28 407,024 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-11 11:24 219,648 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-11-11 10:57 --------- d-----w C:\Program Files\DAEMON Tools
2007-11-11 10:56 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-11 10:54 --------- d-----w C:\Documents and Settings\Joniec\Dane aplikacji\Gadu-Gadu
2007-11-11 10:52 --------- d-----w C:\Program Files\XP Codec Pack
2007-11-11 10:52 --------- d-----w C:\Program Files\Winamp
2007-11-11 10:51 --------- d-----w C:\Program Files\SubEdit-Player
2007-11-11 10:51 --------- d-----w C:\Program Files\PowerStrip
2007-11-11 10:51 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2007-11-11 10:50 --------- d-----w C:\Program Files\Gadu-Gadu
2007-11-11 10:46 --------- d-----w C:\Documents and Settings\Joniec\Dane aplikacji\ATI
2007-11-11 10:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-11 10:42 --------- d-----w C:\Program Files\ATI Technologies
2007-11-11 10:38 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-11 10:33 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-11 10:32 --------- d-----w C:\Program Files\Usługi online
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}]
2007-11-11 21:55 35328 --a------ C:\WINDOWS\system32\urqrrpn.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 19:41]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 21:42 C:\WINDOWS\SOUNDMAN.EXE]
"kis"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2006-03-24 19:09]
"PowerStrip"="c:\program files\powerstrip\pstrip.exe" [2007-04-08 14:22]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 16:09]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 15:36]
"Steam"="d:\gry\steamcs+\steam.exe" [2007-11-11 12:58]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}"= C:\WINDOWS\system32\urqrrpn.dll [2007-11-11 21:55 35328]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrrpn]
urqrrpn.dll 2007-11-11 21:55 35328 C:\WINDOWS\system32\urqrrpn.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnno.dll
R1 BIOS;BIOS;??\C:\WINDOWS\system32\drivers\BIOS.sys
R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\pstrip.sys
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 20:29:56
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-12 20:36:14 - machine was rebooted
.
— E O F —
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:41:05, on 2007-11-12
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\program files\powerstrip\pstrip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM…\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM…\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU…\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU…\Run: [steam] "d:\gry\steamcs+\steam.exe" -silent
O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Dodaj do Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
--
End of file - 3757 bytes
Note: when you paste a log, wrap it in a CODE or QUOTE tag.
Regards, Gutek2222
Paste into Notepad:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=-
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
From the Notepad menu >>> File >>> Save as >>> set the file type to "All files" >>> save as FIX.REG >>> run this file (double-click).
Paste into Notepad:
>>File>>Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto ComboFix.exe (that is, the CFScript.txt icon onto the ComboFix.exe icon)
- just like in this picture ->
(if the question "1 or 2" appears, type 1 and press ENTER). Removal should begin (and a log will be created).
After the restart, manually delete the folder C:\Qoobox.
After that, a new log from ComboFix.
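As an added example (not part of the thread), the FIX.REG value above can be checked offline before it is imported: this Python decodes the hex(7) REG_MULTI_SZ body back into its strings, rebuilds it from a string list, and flags any LSA "Authentication Packages" entry other than the stock msv1_0, such as the pmnno.dll that the ComboFix log reported. The sample values are copied from the logs in this thread; the function names are my own.

```python
from __future__ import annotations

# A stock Windows XP install lists only msv1_0 here; anything else is suspect.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# Value line copied from the FIX.REG file in the thread. hex(7) is REG_MULTI_SZ:
# UTF-16LE, every string NUL-terminated, and a final extra NUL closes the list.
# The trailing backslash is a .reg line continuation.
FIX_REG_VALUE = (
    '"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\\\n'
    "00"
)

# What ComboFix showed under "Reg Loading Points" before the fix (constructed
# from the log line: stock package followed by the dropped DLL).
COMBOFIX_BEFORE = ["msv1_0", r"C:\WINDOWS\system32\pmnno.dll"]


def decode_multi_sz(reg_line: str) -> list[str]:
    """Parse a .reg hex(7) value (continuation lines allowed) into its strings."""
    body = reg_line.split("hex(7):", 1)[1]
    body = body.replace("\\\n", "")  # join "...,\" + newline continuations
    raw = bytes(int(h, 16) for h in body.split(",") if h.strip())
    # Split on NUL and drop the empty tails produced by the double terminator.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def encode_multi_sz(name: str, strings: list[str]) -> str:
    """Build the .reg hex(7) line for a REG_MULTI_SZ value (no continuations)."""
    raw = ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")
    return f'"{name}"=hex(7):' + ",".join(f"{b:02x}" for b in raw)


def extra_auth_packages(packages: list[str]) -> list[str]:
    """Return entries that are not the stock package, e.g. a dropped DLL path."""
    return [p for p in packages if p.lower() not in DEFAULT_AUTH_PACKAGES]


if __name__ == "__main__":
    print("before fix, extra packages:", extra_auth_packages(COMBOFIX_BEFORE))
    print("FIX.REG restores:", decode_multi_sz(FIX_REG_VALUE))
```

Importing the .reg first deletes the value (`=-`) and then recreates it, so the DLL path is gone rather than merely reordered; the decoder shows the recreated list is exactly `["msv1_0"]`.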