Crizz
(Cris1)
29 November 2007 16:15
#1
Hello,
Same problem here. ComboFix log:
ComboFix 07-11-19.4C - Mama 2007-11-29 16:42:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.203 [GMT 1:00]
Running from: C:\Documents and Settings\Mama\Pulpit\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Menu Start\Live Safety Center.lnk
C:\Documents and Settings\All Users\Menu Start\Online Security Guide.lnk
C:\Documents and Settings\Crizz\Dane aplikacji\DriveCleaner Free
C:\Documents and Settings\Crizz\Dane aplikacji\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Crizz\err.log
C:\Documents and Settings\Crizz\Pulpit\Live Safety Center.lnk
C:\Documents and Settings\Crizz\Pulpit\Online Security Guide.lnk
C:\Documents and Settings\Crizz\ResErrors.log
C:\Documents and Settings\Crizz\Ulubione\Online Security Guide.lnk
C:\Documents and Settings\Mama\Pulpit\Live Safety Center.lnk
C:\Documents and Settings\Mama\Pulpit\Online Security Guide.lnk
C:\Documents and Settings\Mama\Ulubione\Online Security Guide.lnk
C:\Program Files\Common Files\drivecleaner free
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\kspevbiq.dllbox
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini2
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.
2007-11-29 16:48 20,810 ---hs---- C:\WINDOWS\system32\kspevbiq.dllbox
2007-11-29 16:34 793,372 ---hs---- C:\WINDOWS\system32\rplnwdoj.ini
2007-11-29 16:34 85,056 --a------ C:\WINDOWS\system32\jodwnlpr.dll
2007-11-29 16:31 77,888 --a------ C:\WINDOWS\system32\pnsbolkk.dll
2007-11-28 21:57 10,752 --a------ C:\WINDOWS\system32\md5.dll
2007-11-28 17:20 145,984 --a------ C:\WINDOWS\system32\kspevbiq.dll
2007-11-26 22:08
2007-11-26 20:08
2007-11-19 18:19 14 --a------ C:\WINDOWS\popcinfot.dat
2007-11-19 18:19 0 --a------ C:\WINDOWS\popcreg.dat
2007-11-17 21:00 389,120 --a------ C:\WINDOWS\system32\ACTSKN43.OCX
2007-11-17 21:00 188,416 --a------ C:\WINDOWS\system32\actsplash.ocx
2007-11-17 18:14 17,024 --a------ C:\WINDOWS\system32\drivers\KMWDFilter.SYS
2007-11-04 17:43
2007-11-03 22:58
2007-11-03 10:22
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 17:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-25 21:07 --------- d-----w C:\Program Files\Winamp Toolbar
2007-10-25 21:07 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar
2007-10-22 14:45 --------- d-----w C:\Documents and Settings\Mama\Dane aplikacji\Gadu-Gadu
2007-10-17 13:41 --------- d-----w C:\Documents and Settings\Crizz\Dane aplikacji\SharpReader
2007-10-14 12:58 --------- d-----w C:\Documents and Settings\Crizz\Dane aplikacji\Skype
2007-10-05 15:33 --------- d-----w C:\Program Files\Java
2007-10-03 14:22 --------- d-----w C:\Documents and Settings\Mama\Dane aplikacji\Talkback
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 21:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{512a1b71-9fb6-4016-b962-cbb31a3f32d0}]
2007-11-29 16:31 77888 --a------ C:\WINDOWS\system32\pnsbolkk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-28 17:20 145984 --a------ C:\WINDOWS\system32\kspevbiq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2D2D370-1406-4BA9-8702-0BD96CBD4CBD}]
2007-11-27 17:13 37376 --a------ C:\WINDOWS\system32\gebyaba.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 21:06 1135968]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\kspevbiq.dll [2007-11-28 17:20 145984]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\kspevbiq.dll [2007-11-28 17:20 145984]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:44]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 12:32]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 19:24]
"Gadu-Gadu"="D:\Programy\Gadu-Gadu 7.6\Program\gg.exe" [2007-05-10 15:36]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 15:06 C:\WINDOWS\system32\ptipbmf.dll]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 10:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-23 21:10]
"QuickTime Task"="D:\Programy\Quicktime 6\Program\qttask.exe" [2006-11-27 18:44]
"FineReader7NewsReaderPro"="D:\Programy\FineReader 7\Program\AbbyyNewsReader.exe" [2003-12-10 00:19]
"CloneCDTray"="D:\Programy\CloneCD\Program\CloneCDTray.exe" [2005-05-19 14:47]
"DAEMON Tools"="D:\Programy\Daemon Tools 4.08\Program\daemon.exe" [2006-11-12 11:48]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"InCD"="D:\Programy\Nero 7 Essentials\Program\Nero 7\InCD\InCD.exe" [2006-05-30 14:22]
"avast!"="D:\Programy\AVAST4~1.7\Program\ashDisp.exe" [2007-09-06 11:06]
"System Guards"="D:\Programy\System Guards\Program\SysGuards.exe" [2007-11-08 16:07]
"f0a3b31c"="C:\WINDOWS\system32\jodwnlpr.dll" [2007-11-29 16:34]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:44]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B2D2D370-1406-4BA9-8702-0BD96CBD4CBD}"= C:\WINDOWS\system32\gebyaba.dll [2007-11-27 17:13 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyaba]
gebyaba.dll 2007-11-27 17:13 37376 C:\WINDOWS\system32\gebyaba.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kspevbiq]
kspevbiq.dll 2007-11-28 17:20 145984 C:\WINDOWS\system32\kspevbiq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awvts.dll
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 16:49:45
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 16:53:35 - machine was rebooted
.
--- E O F ---
Thanks in advance for your help.
Gutek
(Gutek)
29 November 2007 23:27
#2
Paste into Notepad:
>>File>>Save As... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
-- just like in this picture -->
(if the question " 1 or 2 " appears, type 1 and press ENTER) The removal should start (and a log will be produced).
After the restart, delete the folder C:\Qoobox manually.
After that, a new ComboFix log; before the new log:
Paste into Notepad:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=-
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
From the Notepad menu: File, Save As, set the file type to "All files", save as FIX.REG, then run that file (double-click).
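Added example, not part of Gutek's or Crizz's posts: the FIX.REG above rewrites the LSA "Authentication Packages" value, which ComboFix showed as "msv1_0 C:\WINDOWS\system32\awvts.dll". The script below decodes the hex(7) (REG_MULTI_SZ) data from the .reg text to show exactly what the fix writes back, and splits the ComboFix line so the foreign entry stands out. The .reg text and the ComboFix line are copied from this thread; treating msv1_0 (the stock NTLM package) as the only expected entry is the baseline assumption made here.

```python
import re

# FIX.REG as posted in the thread, embedded here so the script runs offline.
FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=-
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
'''

# The same value as ComboFix printed it before the fix (copied from the log above).
COMBOFIX_LSA_LINE = r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awvts.dll'

# Baseline assumption: msv1_0 (the built-in NTLM package) is the only entry a clean
# Windows XP install carries under this value.
EXPECTED_PACKAGES = {"msv1_0"}


def parse_reg_hex7(reg_text: str, value_name: str) -> list:
    """Return the REG_MULTI_SZ strings that a .reg file assigns to value_name.

    .reg files write REG_MULTI_SZ as hex(7): comma-separated bytes of UTF-16LE
    text. A trailing backslash continues the byte list on the next line. Each
    string is NUL-terminated and the whole list ends with one extra NUL.
    """
    # Fold continuation lines: backslash, newline, and the indentation that follows.
    joined = re.sub(r'\\\r?\n\s*', '', reg_text)
    pattern = r'"%s"=hex\(7\):([0-9a-fA-F,]+)' % re.escape(value_name)
    match = re.search(pattern, joined)
    if not match:
        raise ValueError(f"no hex(7) assignment for {value_name!r}")
    raw = bytes(int(b, 16) for b in match.group(1).split(',') if b)
    text = raw.decode('utf-16-le')
    # Split on NUL; the terminating NULs produce empty strings, which are dropped.
    return [s for s in text.split('\x00') if s]


def parse_combofix_lsa_line(line: str) -> list:
    """Split the package list ComboFix prints after "Authentication Packages"=."""
    _, _, rhs = line.partition('=')
    return rhs.split()


def unexpected_packages(packages: list) -> list:
    """Entries that are not in the expected baseline; anything listed here needs a look."""
    return [p for p in packages if p.lower() not in EXPECTED_PACKAGES]


if __name__ == "__main__":
    before = parse_combofix_lsa_line(COMBOFIX_LSA_LINE)
    after = parse_reg_hex7(FIX_REG, "Authentication Packages")
    print("before fix:", before, "-> unexpected:", unexpected_packages(before))
    print("after fix: ", after, "-> unexpected:", unexpected_packages(after))
```

The point of the decode step is that a hex(7) blob is easy to get wrong by hand: the value must end with a double NUL (the ",00,00,00,00" tail after "msv1_0"), and an extra or missing byte silently changes what LSA loads at the next boot. Decoding the blob back to ["msv1_0"] before double-clicking the file is a cheap sanity check.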
Crizz
(Cris1)
30 November 2007 21:08
#3
Thanks, I've already sorted it out.