Trojanie NetWorm-i.Virus@fp

Sahar · 14 Listopad 2007 12:51

Kolejny raz o żółtym trójkącie.

Mnie też wyskakiwały powiadomienia o trojanie NetWorm-i.Virus@fp.Przeskanowałam komputer w poszukiwaniu szpiegów i mój antywirys znalazł szpiega typu adware ale nie mógł go usunąć poddał go kwarantannie. Żółty trójkąt zniknął ale podejrzewam że bbestia gdzieś nadal siedzi. Przeskanowałam też kompa ptogramem HijackThis ale nie wiem co mogę bezpiecznie usunąć .Pomóżcie

Logi:

Logfile of HijackThis v1.99.1 Scan saved at 13:01:10, on 2007-11-14 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe C:\Program Files\Prolink\PlayTV Pro\TVRMVCR.EXE C:\Program Files\Prolink\PlayTV Pro\TVSCHL.EXE C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe C:\Program Files\Opera\Opera.exe D:\Wszysko inne\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file) O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\SYSTEM32\zyrndgnc.dll (file missing) O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe O4 - HKLM…\Run: [salestart] “C:\Program Files\Common Files\BestsellerAntivirus\bm.exe” dm=http://bestsellerantivirus.com;’>http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com O4 - HKLM…\Run: [F-Secure Manager] “C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE” /splash O4 - HKLM…\Run: [F-Secure TNB] “C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe” /CHECKALL /WAITFORSW O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Remote Controller.lnk = C:\Program Files\Prolink\PlayTV Pro\TVRMVCR.EXE O4 - Global Startup: TVSCHL.lnk = C:\Program Files\Prolink\PlayTV Pro\TVSCHL.EXE O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet security\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet security\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet security\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet security\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet security\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet security\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet security\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet security\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet security\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet security\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet security\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet security\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet security\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet security\fsps\program\fslsp.dll O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe O23 - Service: Agent zarządzania F-Secure (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Dodam jeszcze że z komputerków jestem noga więc proszę baaaaardzo o jasne instrukcje. :oops:

Gutek · 14 Listopad 2007 17:20

Temat wydzielam

usuń wpisy HJT

Pobierz program SDFix

Sahar · 15 Listopad 2007 10:44

Witam

Postępowałam zgodnie z wskazówkami ale po usuwaniu przez SDFix`a komp uruchomił się ponownie ale był nadal w trybie awaryjnym i nie włączył sie na nowo SDFix.

Gutek · 15 Listopad 2007 15:39

czekam na log

Sahar · 15 Listopad 2007 22:12

Wklejam Log ale mam przeczucie że nadal jest źle

ComboFix 07-11-08.1 - Rodzinka 2007-11-15 22:34:34.1 - NTFSx86 Running from: C:\ComboFix.exe * Created a new restore point . Unable to gain System Privileges ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Menu Start\Live Safety Center.lnk C:\Documents and Settings\All Users\Menu Start\Online Security Guide.lnk C:\Documents and Settings\Rodzinka\Pulpit\Live Safety Center.lnk C:\Documents and Settings\Rodzinka\Pulpit\Online Security Guide.lnk C:\Documents and Settings\Rodzinka\ResErrors.log C:\Documents and Settings\Rodzinka\Ulubione\Online Security Guide.lnk C:\WINDOWS\system32\pac.txt C:\WINDOWS\system32\rttss.bak1 C:\WINDOWS\system32\rttss.bak2 C:\WINDOWS\system32\rttss.ini C:\WINDOWS\system32\ssttr.dll C:\WINDOWS\system32\yhrmcpvt.dllbox . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_DOMAINSERVICE -------\LEGACY_FMTR ((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 ))))))))))))))))))))))))))))))) . 2007-11-15 22:29 144,480 --a------ C:\WINDOWS\system32\yhrmcpvt.dll 2007-11-15 22:28 144,480 --a------ C:\WINDOWS\system32\yqyfqdff.dll 2007-11-15 22:27 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-11-15 12:31 85,056 --a------ C:\WINDOWS\system32\uarddojb.dll 2007-11-15 12:31 79,936 --a------ C:\WINDOWS\system32\satkvxlm.dll 2007-11-15 11:50 1,539,258 --a------ C:\ComboFix.exe 2007-11-14 23:21 2007-11-14 23:17 2007-11-13 22:54 2007-11-12 22:50 2007-11-12 22:44 58,128 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys 2007-11-12 22:44 37,008 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys 2007-11-12 22:41 2007-11-12 22:40 2007-11-12 22:39 2007-11-12 22:25 85,979,568 --a------ C:\Program Files\fs2008.exe 2007-11-12 20:28 89,664 --a------ C:\WINDOWS\system32\dxuxapgc.dll 2007-11-12 20:25 144,480 --a------ C:\WINDOWS\system32\qtlftpdk.dll 2007-11-12 19:19 81,472 --a------ C:\WINDOWS\system32\kbeofklg.dll 2007-11-11 00:06 81,472 --a------ C:\WINDOWS\system32\ysjnvbvn.dll 2007-11-11 00:03 85,056 --a------ C:\WINDOWS\system32\xhwobbcs.dll 2007-11-10 09:57 81,472 --a------ C:\WINDOWS\system32\tfkqngfs.dll 2007-11-09 23:59 88,128 --a------ C:\WINDOWS\system32\imvkboie.dll 2007-11-09 00:05 80,448 --a------ C:\WINDOWS\system32\feasrngl.dll 2007-11-08 23:09 81,984 --a------ C:\WINDOWS\system32\bdod.bin 2007-11-08 23:06 2007-11-08 23:03 2007-11-08 11:38 2007-11-07 11:48 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll 2007-11-07 11:45 35,328 --------- C:\WINDOWS\system32\fccayab.dll 2007-11-07 11:45 82 --a------ C:\n.bat 2007-11-07 11:44 2007-11-07 11:44 2007-11-07 11:44 2007-10-28 10:22 2007-10-24 20:22 2007-10-24 20:10 2007-10-24 20:07 2007-10-17 12:59 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys 2007-10-17 12:59 31,616 --a–c— C:\WINDOWS\system32\dllcache\usbccgp.sys 2007-10-17 12:54 2007-10-17 12:40 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-15 11:33 --------- d-----w C:\Program Files\Asystent usługi digital locker 2007-11-13 21:10 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy 2007-11-12 20:38 --------- d-----w C:\Program Files\Windows Media Connect 2 2007-11-12 20:38 --------- d-----w C:\Program Files\DivX 2007-11-12 20:37 --------- d-----w C:\Program Files\LIVEUPDATE 2007-11-08 10:37 1,061,888 ----a-w C:\Program Files\DigitalLockerAssistant_pl.msi 2007-10-27 18:38 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-10-20 09:53 --------- d-----w C:\Program Files\Java 2007-10-19 10:16 --------- d-----w C:\Program Files\Opera 2007-10-17 11:52 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-06-14 10:44 25,072,608 ----a-w C:\Program Files\AVSDVDPlayer.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{1C1DD717-53B2-485E-A17B-C9977C205E10}] 2007-11-07 11:45 35328 --------- C:\WINDOWS\SYSTEM32\fccayab.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{2B13C9AE-666C-4758-BF40-69B4DD27D1B4}] [HKEY_LOCAL_MACHINE~\Browser Helper Objects{9F0809CB-AED9-4EFD-8374-82FEB6431719}] 2007-11-15 23:00 313952 --a------ C:\WINDOWS\system32\awvvw.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{A95B2816-1D7E-4561-A202-68C0DE02353A}] 2007-11-15 22:29 144480 --a------ C:\WINDOWS\SYSTEM32\yhrmcpvt.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{D1C7A1A2-2B7F-43B9-9343-2573F3564754}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] “{11A69AE4-FBED-4832-A2BF-45AF82825583}”= C:\WINDOWS\SYSTEM32\yhrmcpvt.dll [2007-11-15 22:29 144480] [HKEY_CLASSES_ROOT\CLSID{11A69AE4-FBED-4832-A2BF-45AF82825583}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2004-10-29 15:50] “Host Process”=“C:\WINDOWS\Fonts\svchost.exe” [] “F-Secure Manager”=“C:\Program Files\F-Secure Internet Security\Common\FSM32.exe” [2007-05-25 14:12] “F-Secure TNB”=“C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe” [2007-05-25 14:11] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 08:39] “SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [2007-08-31 16:46] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26] Remote Controller.lnk - C:\Program Files\Prolink\PlayTV Pro\TVRMVCR.EXE [2006-09-13 13:58:14] TVSCHL.lnk - C:\Program Files\Prolink\PlayTV Pro\TVSCHL.EXE [2006-09-13 13:58:14] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{1C1DD717-53B2-485E-A17B-C9977C205E10}”= C:\WINDOWS\SYSTEM32\fccayab.dll [2007-11-07 11:45 35328] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccayab] fccayab.dll 2007-11-07 11:45 35328 C:\WINDOWS\system32\fccayab.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yhrmcpvt] yhrmcpvt.dll 2007-11-15 22:29 144480 C:\WINDOWS\system32\yhrmcpvt.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zyrndgnc] zyrndgnc.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] “Authentication Packages”= msv1_0 C:\WINDOWS\system32\awvvw.dll R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys R1 ANVIOCTL;ANVIOCTL;C:\WINDOWS\system32\DRIVERS\anvioctl.sys R1 F-Secure HIPS;F-Secure HIPS;??\C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys R2 BT878;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT878.SYS R2 BTTUNER;BtTuner, WDM TV Tuner;C:\WINDOWS\system32\drivers\BTTUNER.SYS R2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.SYS R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys R2 nvTUNEP;nVidia WDM TVTuner;C:\WINDOWS\system32\DRIVERS\nvtunep.sys R2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys R3 F-Secure Gatekeeper;F-Secure Gatekeeper;??\C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys R3 netrcacm;RCA USB Digital Cable Modem Driver;C:\WINDOWS\system32\DRIVERS\netrcacm.sys S3 DstAudio;DstAudio;C:\WINDOWS\system32\DRIVERS\DstAudio.sys S3 DstVideo;DstVideo;C:\WINDOWS\system32\DRIVERS\DstVideo.sys S4 F-Secure Filter;F-Secure File System Filter;??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys S4 F-Secure Recognizer;F-Secure File System Recognizer;??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys . Contents of the ‘Scheduled Tasks’ folder “2007-10-19 08:06:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job” “2007-11-15 10:26:48 C:\WINDOWS\Tasks\Scheduled scanning task.job” - C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exe . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-15 22:59:12 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … C:\WINDOWS\system32\wvvwa.ini 317 bytes C:\WINDOWS\system32\wvvwa.ini2 317 bytes scan completed successfully hidden files: 2 ************************************************************************** . Completion time: 2007-11-15 23:07:57 - machine was rebooted . — E O F —

Złączono Posta : 15.11.2007 (Czw) 23:25

Nadal mam ikonki z Online Security Guide i Live Safety Center i żółty Trójkąt

Gutek · 15 Listopad 2007 22:29

Wklej do Notatnika:

File:: C:\WINDOWS\system32\yhrmcpvt.dll C:\WINDOWS\system32\yqyfqdff.dll C:\WINDOWS\system32\uarddojb.dll C:\WINDOWS\system32\satkvxlm.dll C:\WINDOWS\system32\dxuxapgc.dll C:\WINDOWS\system32\qtlftpdk.dll C:\WINDOWS\system32\kbeofklg.dll C:\WINDOWS\system32\ysjnvbvn.dll C:\WINDOWS\system32\xhwobbcs.dll C:\WINDOWS\system32\tfkqngfs.dll C:\WINDOWS\system32\imvkboie.dll C:\WINDOWS\system32\feasrngl.dll C:\WINDOWS\system32\bdod.bi C:\WINDOWS\system32\fccayab.dll C:\n.bat Folder:: C:\WINDOWS\system32\Mz18r C:\Temp\mZOr Registry:: [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{1C1DD717-53B2-485E-A17B-C9977C205E10}] [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{2B13C9AE-666C-4758-BF40-69B4DD27D1B4}] [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{9F0809CB-AED9-4EFD-8374-82FEB6431719}] [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{A95B2816-1D7E-4561-A202-68C0DE02353A}] [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{D1C7A1A2-2B7F-43B9-9343-2573F3564754}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] “{11A69AE4-FBED-4832-A2BF-45AF82825583}”=- [-HKEY_CLASSES_ROOT\CLSID{11A69AE4-FBED-4832-A2BF-45AF82825583}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Host Process”=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{1C1DD717-53B2-485E-A17B-C9977C205E10}”=- [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccayab] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yhrmcpvt] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zyrndgnc]

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo, ale przed logiem:

Wklej do Notatnika:

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"Authentication Packages"=-

"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\

  00

Z menu Notatnika Plik Zapisz jako Ustaw rozszerzenie na “Wszystkie pliki” Zapisz jako FIX.REG uruchom ten plik (dwuklik).

Sahar · 15 Listopad 2007 23:02

Czy ja to mam wlkeić do notatnika który się pojawił po skanowaniu ComboFix czy do nowego - czystego???

Piwollo · 15 Listopad 2007 23:17

Sahar nowego, czystego.

Start -> Uruchom -> notepad.exe

Sahar · 15 Listopad 2007 23:43

Zrobiłam wg. instrukcji na końcu dodałam do rejestru (mam nadzieje że tak miałam zrobić) . mAM TEŻ NADZIEJĘ ŻE BĘDZIE JUŻ DOBRZE. DZIĘKI ZA POMOC I CIERPLIWOŚĆ POZDRAWIAM

Piwollo · 15 Listopad 2007 23:45

Daj nowe logi z HijackThis, SilentRunners i ComboFix.

BTW: 900 post

Gutek · 16 Listopad 2007 06:26

Daj log tylko z Combo - Piwollo nie rób zamieszania

Sahar · 16 Listopad 2007 15:35

Dzisiaj nie mogłam włączyć kompa (bardzo powoli się uruchamiał i chciał żebym podała hasło przy logowaniu - a ja nie mam hasła i nigdy nie miałam ) Uruchomiłam przez Tryb awaryjny OSTATNIE DOBRE URUCHOMIENIE i oto jestem ale co się dzieje Jak zwykle miałam pecha i coś poszło nie tak .Nadal mam go jeszcze raz COMBOFix`em potraktować i wkleić Log???

Gutek · 16 Listopad 2007 17:42

Tak daj nowy log z Combo

Sahar · 16 Listopad 2007 18:14

Wklejam nowy Log:

ComboFix 07-11-08.1 - Rodzinka 2007-11-16 19:01:27.4 - NTFSx86 Running from: C:\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 ))))))))))))))))))))))))))))))) . 2007-11-16 00:45 8,047 --a------ C:\FIX.REG 2007-11-15 22:27 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-11-15 11:50 1,539,258 --a------ C:\ComboFix.exe 2007-11-14 23:21 2007-11-14 23:17 2007-11-13 22:54 2007-11-12 22:50 2007-11-12 22:44 58,128 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys 2007-11-12 22:44 37,008 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys 2007-11-12 22:41 2007-11-12 22:40 2007-11-12 22:39 2007-11-12 22:25 85,979,568 --a------ C:\Program Files\fs2008.exe 2007-11-08 23:09 81,984 --a------ C:\WINDOWS\system32\bdod.bin 2007-11-08 23:06 2007-11-08 23:03 2007-11-08 11:38 2007-11-07 11:48 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll 2007-11-07 11:44 2007-10-28 10:22 2007-10-24 20:22 2007-10-24 20:10 2007-10-24 20:07 2007-10-17 12:59 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys 2007-10-17 12:59 31,616 --a–c— C:\WINDOWS\system32\dllcache\usbccgp.sys 2007-10-17 12:54 2007-10-17 12:40 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-15 22:20 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy 2007-11-12 20:38 --------- d-----w C:\Program Files\Windows Media Connect 2 2007-11-12 20:38 --------- d-----w C:\Program Files\DivX 2007-11-12 20:37 --------- d-----w C:\Program Files\LIVEUPDATE 2007-11-08 10:37 1,061,888 ----a-w C:\Program Files\DigitalLockerAssistant_pl.msi 2007-10-27 18:38 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-10-20 09:53 --------- d-----w C:\Program Files\Java 2007-10-19 10:16 --------- d-----w C:\Program Files\Opera 2007-10-17 11:52 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-06-14 10:44 25,072,608 ----a-w C:\Program Files\AVSDVDPlayer.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2004-10-29 15:50] “F-Secure Manager”=“C:\Program Files\F-Secure Internet Security\Common\FSM32.exe” [2007-05-25 14:12] “F-Secure TNB”=“C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe” [2007-05-25 14:11] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 08:39] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26] Remote Controller.lnk - C:\Program Files\Prolink\PlayTV Pro\TVRMVCR.EXE [2006-09-13 13:58:14] TVSCHL.lnk - C:\Program Files\Prolink\PlayTV Pro\TVSCHL.EXE [2006-09-13 13:58:14] R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys R1 ANVIOCTL;ANVIOCTL;C:\WINDOWS\system32\DRIVERS\anvioctl.sys R1 F-Secure HIPS;F-Secure HIPS;??\C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys R2 BT878;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT878.SYS R2 BTTUNER;BtTuner, WDM TV Tuner;C:\WINDOWS\system32\drivers\BTTUNER.SYS R2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.SYS R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys R2 nvTUNEP;nVidia WDM TVTuner;C:\WINDOWS\system32\DRIVERS\nvtunep.sys R2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys R3 F-Secure Gatekeeper;F-Secure Gatekeeper;??\C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys R3 netrcacm;RCA USB Digital Cable Modem Driver;C:\WINDOWS\system32\DRIVERS\netrcacm.sys S3 DstAudio;DstAudio;C:\WINDOWS\system32\DRIVERS\DstAudio.sys S3 DstVideo;DstVideo;C:\WINDOWS\system32\DRIVERS\DstVideo.sys S4 F-Secure Filter;F-Secure File System Filter;??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys S4 F-Secure Recognizer;F-Secure File System Recognizer;??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys . Contents of the ‘Scheduled Tasks’ folder “2007-10-19 08:06:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job” “2007-11-16 15:32:27 C:\WINDOWS\Tasks\Scheduled scanning task.job” - C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exe . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-16 19:06:22 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-16 19:07:56 C:\ComboFix2.txt … 2007-11-16 00:40 C:\ComboFix3.txt … 2007-11-16 00:01 . — E O F –

Gutek · 16 Listopad 2007 18:18

No już powinno być Ok

Sahar · 16 Listopad 2007 18:23

Dzięki za pomoc ale może pomożesz mi jeszcze w kwestii dzisiejszego uruchamiania kompa dlaczego się nie chciał uruchomić i kazał mi się logować???

Gutek · 16 Listopad 2007 19:18

Pewnie to było związane z fixem -

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"Authentication Packages"=-

"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\

  00