Troja Vundo i inne robactwo w kompie prosze o spr.logów

apollo13 · 12 Maj 2008 18:37

Witam!Prosze o pomoc w usunieciu wirusa vundo i reszty robakow.Nie moge otwierac stronek przez mozille i wyskakuja błędy,znikaja ikonki odswierza się pulpit i w ogóle komp muli. zamieszczam logi…

huber2t · 12 Maj 2008 18:38

Podaj log z Combofix

apollo13 · 12 Maj 2008 18:39

Logfile of HijackThis v1.99.1

Scan saved at 20:37:53, on 2009-05-12

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\netdde.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\tlntsvr.exe

C:\WINDOWS\System32\vssvc.exe

C:\Program Files\DialNet\WrOS.EXE

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\WINDOWS\System32\dmadmin.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Mozilla Firefox\firefox.exe

D:\Progsy\programy\Antywiry\Do ręcznej walki z wirusami\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O4 - HKLM…\Run: [] “C:\PROGRA~1\DialNet\FPLICE~1.EXE zhimakaimen//WINPOET_QUITTING_EVENT”

O4 - HKLM…\Run: [z-WrDialer] C:\Program Files\DialNet\WrDialer.exe

O4 - HKLM…\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM…\Run: [bM07ca9cef] Rundll32.exe “C:\WINDOWS\system32\felmydcw.dll”,s

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra ‘Tools’ menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip…{F5F10BEE-F203-467A-B500-77B7050F1616}: NameServer = 217.30.129.149 217.30.137.200

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: WinPPPoverEthernet - Fine Point Technologies, Inc. - C:\Program Files\DialNet\WrOS.EXE

Administrator - 09-05-12 20:24:34,43 Dodatek Service Pack 2

ComboFix 06.09.28 - Running from: “D:\Progsy\programy\Antywiry\Do r©cznej walki z wirusami”

Command switches used :: C:\ComboFix.txt

((((((((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 ))))))))))))))))))))))))))))))))))

2009-05-12 19:26 2,112 --a------ C:\WINDOWS\system32\nhpimshc.exe

2009-05-12 19:23 90,688 --a------ C:\WINDOWS\system32\pnkmvhyc.dll

2009-05-12 19:20 3,648 --a------ C:\WINDOWS\system32\bonvbsqe.dll

2009-05-12 19:17 100,416 --a------ C:\WINDOWS\system32\felmydcw.dll

2009-04-17 18:58 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe

2009-04-17 18:57 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2009-05-12 20:22 301066 --ahs---- C:\WINDOWS\system32\orutv.ini2

2009-05-12 20:16 -------- d-------- C:\Documents and Settings\Administrator\Dane aplikacji\skypePM

2009-05-12 19:14 -------- d-------- C:\Program Files\Norton Security Scan

2009-03-25 18:33 -------- d-------- C:\Program Files\SubEdit-Player

2009-03-24 17:50 -------- d-------- C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent

2009-03-07 22:16 91200 --a------ C:\WINDOWS\system32\iwmuemqg.dll

2009-03-07 22:13 96320 --a------ C:\WINDOWS\system32\rqrjywpa.dll

2009-03-07 22:12 92736 --a------ C:\WINDOWS\system32\yvpneifu.dll

2009-03-07 14:58 96320 --a------ C:\WINDOWS\system32\blgshrcr.dll

2009-03-07 14:57 92736 --a------ C:\WINDOWS\system32\qyiifbyf.dll

2009-03-06 22:04 96832 --a------ C:\WINDOWS\system32\jcugwcaj.dll

2009-03-06 22:01 91712 --a------ C:\WINDOWS\system32\whcgocvy.dll

2009-03-06 21:54 96832 --a------ C:\WINDOWS\system32\beqysgpw.dll

2009-03-06 21:54 91712 --a------ C:\WINDOWS\system32\fpxmwixt.dll

2009-03-05 21:55 96832 --a------ C:\WINDOWS\system32\pbqqtbng.dll

2009-03-05 21:52 91712 --a------ C:\WINDOWS\system32\gnlscmbw.dll

2009-03-01 12:47 88640 --a------ C:\WINDOWS\system32\wjlcahsj.dll

2009-03-01 12:42 91712 --a------ C:\WINDOWS\system32\kxjierry.dll

2009-02-28 21:39 89664 --a------ C:\WINDOWS\system32\pjjeikar.dll

2009-02-28 21:38 91712 --a------ C:\WINDOWS\system32\iodkavwy.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

@="“C:\PROGRA~1\DialNet\FPLICE~1.EXE zhimakaimen//WINPOET_QUITTING_EVENT”"

“z-WrDialer”=“C:\Program Files\DialNet\WrDialer.exe”

“MSConfig”=“C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto”

“BM07ca9cef”=“Rundll32.exe “C:\WINDOWS\system32\felmydcw.dll”,s”

“04f9af73”=“rundll32.exe “C:\WINDOWS\system32\pnkmvhyc.dll”,b”

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]

“DeskHtmlVersion”=dword:00000110

“DeskHtmlMinorVersion”=dword:00000005

“Settings”=dword:00000001

“GeneralFlags”=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]

“Source”=“About:Home”

“SubscribedURL”=“About:Home”

“FriendlyName”=“Moja bieżąca strona główna”

“Flags”=dword:00000002

“Position”=hex:2c,00,00,00,0d,02,00,00,00,00,00,00,73,02,00,00,42,03,00,00,00,\

00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

“CurrentState”=hex:04,00,00,40

“OriginalStateInfo”=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\

ff,ff,04,00,00,00

“RestoredStateInfo”=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\

00,00,01,00,00,00

[HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE”

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]

“{AEB6717E-7E19-11d0-97EE-00C04FD91972}”=""

“{B5A7F190-DDA6-4420-B3BA-52453494E6CD}”=“Groove GFS Stub Execution Hook”

“{E0EA1F31-B58F-47E8-A185-20C52DF9F168}”=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

“NoDriveTypeAutoRun”=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

“NTSpool”=“NTSpool.exe”

“Windows Printing Driver”=“WinPrint.exe”

“NT Security Service”=“NTSecurity.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

“dontdisplaylastusername”=dword:00000000

“legalnoticecaption”=""

“legalnoticetext”=""

“shutdownwithoutlogon”=dword:00000001

“undockwithoutlogon”=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

“NoDriveAutoRun”=dword:03ffffff

“NoDriveTypeAutoRun”=dword:000000ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

“NoDriveTypeAutoRun”=dword:00000091

[HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

“NoDriveTypeAutoRun”=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

“PostBootReminder”="{7849596a-48ea-486e-8937-a2a3009f31a9}"

“CDBurn”="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

“WebCheck”="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

“SysTray”="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]

“MSMSGS”="“C:\Program Files\Messenger\msmsgs.exe” /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]

“MSConfig”=“C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk]

“path”=“C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk”

“backup”=“C:\WINDOWS\pss\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnkStartup”

“location”=“Startup”

“command”=“C:\PROGRA~1\MICROS~2\Office12\ONENOTEM.EXE /tsr”

“item”=“Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

“path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk”

“backup”=“C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup”

“location”=“Common Startup”

“command”="C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE "

“item”=“Adobe Reader Speed Launch”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\04f9af73]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“rhqetvnn”

“hkey”=“HKLM”

“command”=“rundll32.exe “C:\WINDOWS\system32\rhqetvnn.dll”,b”

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\a-winpoet-service]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“winpppoverethernet”

“hkey”=“HKLM”

“command”="“C:\Program Files\DialNet\winpppoverethernet.exe”"

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Alcmtr]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“ALCMTR”

“hkey”=“HKLM”

“command”=“ALCMTR.EXE”

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“NMBgMonitor”

“hkey”=“HKCU”

“command”="“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”"

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BM07ca9cef]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“nbrithec”

“hkey”=“HKLM”

“command”=“Rundll32.exe “C:\WINDOWS\system32\nbrithec.dll”,s”

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\combofix]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“Combobatch”

“hkey”=“HKLM”

“command”=“C:\WINDOWS\system32\kmd.exe /c C:\ComboFix(2)\Combobatch.bat”

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CTFMON.EXE]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“ctfmon”

“hkey”=“HKCU”

“command”=“C:\WINDOWS\system32\ctfmon.exe”

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DAEMON Tools]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“daemon”

“hkey”=“HKCU”

“command”="“C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033"

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Drmupgds]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“Drmupgds”

“hkey”=“HKCU”

“command”=“C:\Program Files\Drmupgds\Drmupgds.exe”

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\GrooveMonitor]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“GrooveMonitor”

“hkey”=“HKLM”

“command”="“C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”"

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Host Process]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“svchost”

“hkey”=“HKLM”

“command”=“C:\WINDOWS\Fonts\svchost.exe”

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\KernelFaultCheck]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“dumprep 0 -k”

“hkey”=“HKLM”

“command”="%systemroot%\system32\dumprep 0 -k"

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“msmsgs”

“hkey”=“HKCU”

“command”="“C:\Program Files\Messenger\msmsgs.exe” /background"

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“NeroCheck”

“hkey”=“HKLM”

“command”=“C:\WINDOWS\system32\NeroCheck.exe”

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“NvCpl”

“hkey”=“HKLM”

“command”=“RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup”

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“NvMcTray”

“hkey”=“HKLM”

“command”=“RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit”

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“nwiz”

“hkey”=“HKLM”

“command”=“nwiz.exe /install”

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RTHDCPL]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“RTHDCPL”

“hkey”=“HKLM”

“command”=“RTHDCPL.EXE”

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\runner1]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“mrofinu1188”

“hkey”=“HKLM”

“command”=“C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257”

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\S3Trayp]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“S3trayp”

“hkey”=“HKLM”

“command”=“S3trayp.exe”

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Skype]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“Skype”

“hkey”=“HKCU”

“command”="“C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized"

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SkyTel]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“SkyTel”

“hkey”=“HKLM”

“command”=“SkyTel.EXE”

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“jusched”

“hkey”=“HKLM”

“command”="“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”"

“inimapping”=“0”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VTTimer]

“key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

“item”=“VTTimer”

“hkey”=“HKLM”

“command”=“VTTimer.exe”

“inimapping”=“0”

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyyay

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gzwkcomc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyyvu

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders

securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the ‘Scheduled Tasks’ folder

C:\WINDOWS\tasks\1-Click Maintenance.job

C:\WINDOWS\tasks\Norton Security Scan.job

Completion time: 2009-05-12 20:26:26.04

ComboFix.txt

ComboFix2.txt

huber2t · 12 Maj 2008 18:49

fix w hijackthis

Pobierz ComboFix, ale nie uruchamiaj

Wklej do notatnika:

File::

C:\Program Files\DialNet\WrDialer.exe

C:\WINDOWS\system32\felmydcw.dll

C:\WINDOWS\system32\nhpimshc.exe

C:\WINDOWS\system32\pnkmvhyc.dll

C:\WINDOWS\system32\bonvbsqe.dll

C:\WINDOWS\system32\felmydcw.dll

C:\WINDOWS\system32\iwmuemqg.dll

C:\WINDOWS\system32\rqrjywpa.dll

C:\WINDOWS\system32\yvpneifu.dll

C:\WINDOWS\system32\blgshrcr.dll

C:\WINDOWS\system32\qyiifbyf.dll

C:\WINDOWS\system32\jcugwcaj.dll

C:\WINDOWS\system32\whcgocvy.dll

C:\WINDOWS\system32\beqysgpw.dll

C:\WINDOWS\system32\fpxmwixt.dll

C:\WINDOWS\system32\pbqqtbng.dll

C:\WINDOWS\system32\gnlscmbw.dll

C:\WINDOWS\system32\wjlcahsj.dll

C:\WINDOWS\system32\kxjierry.dll

C:\WINDOWS\system32\pjjeikar.dll

C:\WINDOWS\system32\iodkavwy.dll


Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"z-WrDialer"=-

"MSConfig"=-

"BM07ca9cef"=-

"04f9af73"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BM07ca9cef]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\04f9af73]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\KernelFaultCheck]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\runner1]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyyay]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gzwkcomc]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyyvu]

Plik -> zapisz jako -> CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu ->

Rozpocznie się usuwanie i powstanie log, daj ten log na forum.

apollo13 · 12 Maj 2008 18:57

pushd “C:\327882R2FWJFW”

=============================================

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Administrator\Dane aplikacji

cfldr=327882R2FWJFW

CLIENTNAME=Console

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=ADAM

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Administrator

kmd=CF3167.exe

LOGONSERVER=\ADAM

NUMBER_OF_PROCESSORS=1

OS=Windows_NT

Path=C:\327882R2FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Samsung\Samsung PC Studio 3\

PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel

PROCESSOR_LEVEL=15

PROCESSOR_REVISION=0207

ProgramFiles=C:\Program Files

PROMPT=$

SESSIONNAME=Console

sfxname=C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe

system=C:\WINDOWS\system32

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp

TMP=C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp

USERDOMAIN=ADAM

USERNAME=Administrator

USERPROFILE=C:\Documents and Settings\Administrator

windir=C:\WINDOWS

=============================================

if not defined sfxname goto END

Nircmd win close ititle “ComboFix”

If [“C:\Documents and Settings\Administrator\Pulpit\CFScript.txt”] == [] Set “SfxCmd=”

if /I “C:\327882R2FWJFW” NEQ “C:\327882R2FWJFW” goto Abort

if exist “C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\327882R2FWJFW327882R2FWJFW.log” del “C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\327882R2FWJFW327882R2FWJFW.log”

SteelWerX Extended Configuration Access Control Lists

Written by Bobbi Flekman 2006 ©

Ownerchange for “C:\WINDOWS\system32\cmd.exe” to Administrators group was successful

copy /y “C:\WINDOWS\system32\cmd.exe” “C:\WINDOWS\system32\CF3167.exe”

Liczba skopiowanych plików: 1.

if not exist “C:\WINDOWS\system32\CF3167.exe” catchme -l nul -c “C:\WINDOWS\system32\cmd.exe” “C:\WINDOWS\system32\CF3167.exe”

For /F “tokens=*” %g in (“C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe”) do @(

set “FileName=%~ng”

set “FilePath=%~dpg”

)

Set FileName 2>nul | GREP -Gisqx “FileName=[-[:alnum:]@.]*” || (

nircmd infobox “You cannot rename ComboFix as ComboFix~n~nPlease use another name, preferbaly made up of alphanumeric characters” “”

goto END

)

DIR /AD/B C:* | FindStr.exe -IVX ComboFix 1>dirname00

FindStr.exe -LIXC:“ComboFix” dirname00 1>nul && call :NameChk

If exist dirname0? del /Q dirname0?

If exist “\ComboFix” DIR /AD “\ComboFix” 1>nul && (

rd /s/q “\ComboFix”

If exist “\ComboFix” (

PV -kf findstr.exe *.cfexe

rd /s/q “\ComboFix”

)

If exist “\ComboFix” (

handle “C:\ComboFix” | SED -r “/pid:/!d; s/.*: (.*): .*/\1/” 1>temp00

for /F “tokens=1,2” %g in (temp00) do @echo.y | Handle -p %g -c %h

del /q temp00

rd /s/q “\ComboFix”

)

If exist “\ComboFix” rd /s/q “\ComboFix”

If exist “\ComboFix” goto :eof

VER | Findstr.exe -ic:"[Version 6.0" && (Call :Vista ) ||

CD …

Set “comspec=C:\WINDOWS\system32\CF3167.exe”

(

echo.md “\ComboFix”

echo.Move /y “\327882R2FWJFW*” “\ComboFix”

echo.RD /S/Q “\327882R2FWJFW”

echo.Start “.” /d"C:\ComboFix" “C:\WINDOWS\system32\CF3167.exe” /k c.bat

echo.pv -kf cmd.exe

) 1>Start_.cmd

NirCmd exec hide “C:\WINDOWS\system32\CF3167.exe” /f:off /d /c call Start_.cmd

NirCmd execmd del “\327882R2FWJFW\prep.cmd”

EXIT

huber2t · 12 Maj 2008 19:00

Daj loga z usuwania z combofix

apollo13 · 12 Maj 2008 19:06

Administrator - 09-05-12 21:02:31,33 Dodatek Service Pack 2