ComboFix 08-08-24.02 - RENATKA 2008-08-25 13:53:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.283 [GMT 2:00]
Running from: C:\Documents and Settings\RENATKA\Pulpit\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\blphc7hoj0en19.scr
C:\WINDOWS\system32\lphc7hoj0en19.exe
C:\WINDOWS\system32\phc7hoj0en19.bmp
.
((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.
2008-08-25 13:30 . 2008-08-25 13:30
2008-08-25 13:15 . 2008-08-25 13:17
2008-08-18 19:22 . 2008-08-19 16:18
2008-08-13 08:35 . 2008-05-01 16:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-04 12:52 . 2008-08-04 12:52
2008-08-04 12:52 . 1996-01-12 00:00 722,192 --a------ C:\WINDOWS\system32\VB40032.DLL
2008-08-04 12:52 . 1997-02-17 18:24 519,680 --a------ C:\WINDOWS\system32\DBGRID32.OCX
2008-08-04 12:52 . 1997-07-19 17:00 227,600 --a------ C:\WINDOWS\system32\MSFLXGRD.OCX
2008-08-04 12:52 . 1997-07-19 17:00 204,048 --a------ C:\WINDOWS\system32\DBLIST32.OCX
2008-08-04 12:52 . 1997-07-19 17:00 155,920 --a------ C:\WINDOWS\system32\COMCT232.OCX
2008-08-04 12:52 . 1997-07-19 17:00 129,808 --a------ C:\WINDOWS\system32\COMDLG32.OCX
2008-08-04 12:51 . 1998-10-07 12:54 327,168 --a------ C:\WINDOWS\IsUn0415.exe
2008-08-03 20:24 . 2008-08-03 20:25
2008-08-03 20:22 . 1999-10-09 17:30 305,152 --a------ C:\WINDOWS\IsUninst.exe
2008-08-03 20:22 . 2008-08-16 13:20 518 --a------ C:\WINDOWS\QIII.INI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-25 12:01 32,037,408 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-25 12:00 664,608 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-25 12:00 --------- d-----w C:\Program Files\AutoConnect
2008-08-25 11:59 69,572 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-25 11:59 442,460 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-25 11:27 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-08-24 18:59 --------- d-----w C:\Documents and Settings\RENATKA\Dane aplikacji\Skype
2008-08-24 16:43 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-08-24 16:40 --------- d-----w C:\Documents and Settings\RENATKA\Dane aplikacji\skypePM
2008-08-24 14:13 --------- d-----w C:\Documents and Settings\RENATKA\Dane aplikacji\uTorrent
2008-08-22 13:09 --------- d-----w C:\Program Files\Neostrada TP
2008-08-17 10:47 --------- d-----w C:\Documents and Settings\RENATKA\Dane aplikacji\Nokia
2008-08-17 10:47 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
2008-08-14 06:44 --------- d-----w C:\Documents and Settings\RENATKA\Dane aplikacji\Avant Browser
2008-08-06 18:28 96,976 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-07-24 16:01 --------- d-----w C:\Program Files\Skype
2008-07-24 10:22 87,855 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-07-22 14:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-22 14:52 --------- d-----w C:\Program Files\Broderbund
2008-07-20 19:01 --------- d-----w C:\Program Files\Java
2008-07-13 06:30 --------- d-----w C:\Documents and Settings\RENATKA\Dane aplikacji\Nokia Multimedia Player
2008-07-12 16:46 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\nView_Profiles
2008-07-11 21:07 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-11 21:07 --------- d-----w C:\Program Files\Adobe Media Player
2008-07-11 08:38 --------- d-----w C:\Documents and Settings\RENATKA\Dane aplikacji\Media Player Classic
2008-07-08 20:39 --------- d-----w C:\Documents and Settings\RENATKA\Dane aplikacji\AdobeUM
2008-07-08 14:10 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 17:36 --------- d-----w C:\Program Files\Common Files\Java
2008-07-07 13:56 --------- d-----w C:\Documents and Settings\RENATKA\Dane aplikacji\Atari
2008-07-07 13:45 --------- d-----w C:\Program Files\Atari
2008-07-07 12:52 --------- d-----w C:\Program Files\PhotoFiltre Studio
2008-07-07 12:15 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-07 11:59 --------- d-----w C:\Program Files\Kaspersky Lab
2008-07-07 11:59 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-07-07 11:53 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\BVRP Software
2008-07-07 11:51 92,064 ----a-w C:\Documents and Settings\RENATKA\mqdmmdm.sys
2008-07-07 11:51 9,232 ----a-w C:\Documents and Settings\RENATKA\mqdmmdfl.sys
2008-07-07 11:51 79,328 ----a-w C:\Documents and Settings\RENATKA\mqdmserd.sys
2008-07-07 11:51 66,656 ----a-w C:\Documents and Settings\RENATKA\mqdmbus.sys
2008-07-07 11:51 6,208 ----a-w C:\Documents and Settings\RENATKA\mqdmcmnt.sys
2008-07-07 11:51 5,936 ----a-w C:\Documents and Settings\RENATKA\mqdmwhnt.sys
2008-07-07 11:51 4,048 ----a-w C:\Documents and Settings\RENATKA\mqdmcr.sys
2008-07-07 11:51 25,600 ----a-w C:\Documents and Settings\RENATKA\usbsermptxp.sys
2008-07-07 11:51 22,768 ----a-w C:\Documents and Settings\RENATKA\usbsermpt.sys
2008-07-07 11:51 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-07-07 11:48 --------- d-----w C:\Program Files\Avanquest update
2008-07-07 11:48 --------- d-----w C:\Documents and Settings\RENATKA\Dane aplikacji\InstallShield
2008-07-07 11:41 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-07-07 11:41 --------- d-----w C:\Program Files\Nokia
2008-07-07 11:41 --------- d-----w C:\Program Files\DIFX
2008-07-07 11:41 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-07-07 11:41 --------- d-----w C:\Program Files\Common Files\Nokia
2008-07-07 11:41 --------- d-----w C:\Documents and Settings\RENATKA\Dane aplikacji\PC Suite
2008-07-07 11:40 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-07-07 11:37 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-07 11:33 --------- d-----w C:\Program Files\MarBit
2008-07-07 11:31 --------- d-----w C:\Program Files\Real Alternative
2008-07-07 11:31 --------- d-----w C:\Program Files\Media Player Classic
2008-07-07 11:30 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-07-07 11:11 --------- d-----w C:\Program Files\Common Files\Ahead
2008-07-07 11:10 --------- d-----w C:\Documents and Settings\RENATKA\Dane aplikacji\Ahead
2008-07-07 11:08 --------- d-----w C:\Program Files\Nero
2008-07-07 11:04 --------- d-----w C:\Program Files\WinAVIVideoConverter
2008-07-07 11:03 --------- d-----w C:\Program Files\Microsoft.NET
2008-07-07 08:36 --------- d-----w C:\Program Files\Winamp
2008-07-07 08:29 --------- d-----w C:\Program Files\Common Files\Skype
2008-07-07 08:29 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-07-07 08:27 --------- d-----w C:\Program Files\HP
2008-07-07 08:27 --------- d-----w C:\Program Files\Hewlett-Packard
2008-07-07 08:21 --------- d--h--w C:\Documents and Settings\RENATKA\Dane aplikacji\PrintHood
2008-07-07 08:11 --------- d-----w C:\Documents and Settings\RENATKA\Dane aplikacji\Thinstall
2008-07-07 08:02 --------- d-----w C:\Program Files\CodeStuff
2008-07-07 08:01 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-07 08:00 --------- d-----w C:\Program Files\D-Tools
2008-07-07 07:57 --------- d-----w C:\Program Files\uTorrent
2008-07-07 07:53 --------- d-----w C:\Program Files\WapSter
2008-07-07 07:53 --------- d-----w C:\Documents and Settings\RENATKA\Dane aplikacji\Gadu-Gadu
2008-07-07 07:51 --------- d-----w C:\Program Files\Gadu-Gadu
2008-07-07 07:47 --------- d-----w C:\Program Files\Avant Browser
2008-07-07 07:42 --------- d-----w C:\Program Files\Thomson
2008-07-07 07:41 --------- d-----w C:\Program Files\Java Web Start
2008-07-07 07:38 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-07 07:30 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-07 07:29 --------- d-----w C:\Program Files\Usługi online
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:42 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:44 15360]
"AutoConnect"="C:\Program Files\AutoConnect\AutoConnect.exe" [2004-08-28 20:27 295424]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-11-15 15:17 4624384]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-11-15 15:17 86016]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 18:07 24576]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 12:38 866816]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 18:07 20480]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 18:07 53248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nForce Tray Options"="sstray.exe" [2002-11-13 09:34 73728 C:\WINDOWS\system32\sstray.exe]
"nwiz"="nwiz.exe" [2004-11-15 15:17 921600 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:44 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\uTorrent\utorrent.exe"=
"C:\Program Files\WapSter\AQQ\AQQ.exe"=
"C:\Program Files\Gadu-Gadu\gg.exe"=
"C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files\Kaspersky Internet Security 7.0.1.325\Polish\setup.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\PROGRA~1\WapSter\AQQ\AQQ.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.pl/
O8 -: Blokuj wszystkie obrazy z tego serwera - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 -: Dodaj do listy blokowanych reklam - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 -: Eksport do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 -: Otwórz wszystkie adresy z tej strony... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 -: Podświetl - C:\Program Files\Avant Browser\Highlight.htm
O8 -: Szukaj - C:\Program Files\Avant Browser\Search.htm
O17 -: HKLM\CCS\Interface{E7D079CB-5C1E-4EF1-ABB2-0EA569D1EAAE}: NameServer = 194.204.159.1 217.98.63.164
O16 -: {1E53EA77-34F2-474E-9046-B2B0C86F1821} - hxxp://www.eska.pl/streamplayers/OggX.ocx
C:\WINDOWS\Downloaded Program Files\OggX.ocx
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 14:00:32
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-08-25 14:04:49 - machine was rebooted [RENATKA]
ComboFix-quarantined-files.txt 2008-08-25 12:04:41
Pre-Run: 9,986,166,784 bajtów wolnych
Post-Run: 9,959,243,776 bajtów wolnych
195 --- E O F --- 2008-08-13 06:52:21