Hi, I have a problem that has been written about on the forum more than once. I did what the guides say, but I completely cannot read logs, so I'm asking for help determining whether the problem is solved.
Here are the logs:
HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 19:33:09, on 2007-11-14
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\VoipCheapCom\VoipCheapCom.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isadd.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B1AA631F-2A7D-42CB-BCF8-B6A60F63698A} - C:\WINDOWS\system32\gebya.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE
O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM…\Run: [b04d05f5] rundll32.exe “C:\WINDOWS\system32\eoinvuok.dll”,b
O4 - HKCU…\Run: [VoipCheapCom] “C:\Program Files\VoipCheapCom\VoipCheapCom.exe” -nosplash -minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip…{65952676-1B78-478C-8811-43D1657EFA25}: NameServer = 89.174.87.1 217.8.168.244
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: wincqt32 - C:\WINDOWS\SYSTEM32\wincqt32.dll
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
SILENT RUNNERS LOG:
“Silent Runners.vbs”, revision RED (R28) (Echo output), launched at: 20:59
Operating System: Windows XP SP2
Startup items buried in registry:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
“VoipCheapCom” = ““C:\Program Files\VoipCheapCom\VoipCheapCom.exe” -nosplash -minimized” [“VoipCheapCom”]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
“user32.dll” = “C:\Program Files\Video ActiveX Object\isamntr.exe” [file not found]
“rare” = “C:\Program Files\Video ActiveX Object\pmsnrr.exe” [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
“NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [MS]
“NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS]
“Logitech Hardware Abstraction Layer” = “KHALMNPR.EXE” [“Logitech Inc.”]
“nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "]
“QuickTime Task” = ““C:\Program Files\QuickTime\QTTask.exe” -atboottime” [“Apple Inc.”]
“b04d05f5” = “rundll32.exe “C:\WINDOWS\system32\eoinvuok.dll”,b” [MS]
HKLM\Software\Microsoft\Active Setup\Installed Components\
“>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}(Default)” = “Microsoft Windows Media Player”
\StubPath = “C:\WINDOWS\inf\unregmp2.exe /ShowWMP” [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}(Default) = “Yahoo! Toolbar Helper”
-> resolves to: {CLSID}\InprocServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = “AcroIEHlprObj Class”
-> resolves to: {CLSID}\InprocServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]
{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)
-> resolves to: {CLSID}\InprocServer32(Default) = “(no data)” [file not found]
{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D}(Default) = (no title provided)
-> resolves to: {CLSID}\InprocServer32(Default) = “C:\Program Files\Video ActiveX Object\isadd.dll” [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = “SSVHelper Class”
-> resolves to: {CLSID}\InprocServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [“Sun Microsystems, Inc.”]
{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = “Google Toolbar Helper”
-> resolves to: {CLSID}\InprocServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]
{B1AA631F-2A7D-42CB-BCF8-B6A60F63698A}(Default) = (no title provided)
-> resolves to: {CLSID}\InprocServer32(Default) = “C:\WINDOWS\system32\gebya.dll” [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
“PostBootReminder” = “{7849596a-48ea-486e-8937-a2a3009f31a9}”
-> resolves to: {CLSID}\InprocServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS]
“CDBurn” = “{fbeb8a05-beee-4442-804e-409d6c4515e9}”
-> resolves to: {CLSID}\InprocServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS]
“WebCheck” = “{E6FB5E20-DE35-11CF-9C87-00AA005127ED}”
-> resolves to: {CLSID}\InprocServer32(Default) = “C:\WINDOWS\system32\webcheck.dll” [MS]
“SysTray” = “{35CEC8A3-2BE6-11D2-8773-92E220524153}”
-> resolves to: {CLSID}\InprocServer32(Default) = “C:\WINDOWS\system32\stobject.dll” [MS]
“exemplars” = “{2acf3add-34a1-4f2f-99cf-cc69785d1e90}”
-> resolves to: {CLSID}\InprocServer32(Default) = ** WARNING – empty or invalid data! **
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! “wincqt32\DLLName” = “wincqt32.dll” [null data]
Startup items in “Grzegorz” & “All Users” startup folders:
C:\Documents and Settings\Grzegorz\Menu Start\Programy\Autostart
“Adobe Gamma” -> shortcut to: “C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”]
Enabled Scheduled Tasks:
“AppleSoftwareUpdate” -> launches: “C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task” [“Apple Inc.”]
Running Services (Display Name, Service Name, Path {Service DLL}):
Aktualizacje automatyczne, wuauserv, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\wuauserv.dll” [MS]}
Bufor wydruku, Spooler, “C:\WINDOWS\system32\spoolsv.exe” [MS]
Centrum zabezpieczeä, wscsvc, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\wscsvc.dll” [MS]}
Dziennik zdarzeä, Eventlog, “C:\WINDOWS\system32\services.exe” [MS]
Harmonogram zadaä, Schedule, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\schedsvc.dll” [MS]}
Instrumentacja zarzĄdzania Windows, winmgmt, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\wbem\WMIsvc.dll” [MS]}
Klient DHCP, Dhcp, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\dhcpcsvc.dll” [MS]}
Klient DNS, Dnscache, “C:\WINDOWS\system32\svchost.exe -k NetworkService” {“C:\WINDOWS\System32\dnsrslvr.dll” [MS]}
Klient ledzenia Ączy rozproszonych, TrkWks, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\trkwks.dll” [MS]}
Kompozycje, Themes, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\shsvcs.dll” [MS]}
Konfiguracja zerowej sieci bezprzewodowej, WZCSVC, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\wzcsvc.dll” [MS]}
Logowanie pomocnicze, seclogon, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\seclogon.dll” [MS]}
Magazyn chroniony, ProtectedStorage, “C:\WINDOWS\system32\lsass.exe” [MS]
Menedľer dysk˘w logicznych, dmserver, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\dmserver.dll” [“Microsoft Corp.”]}
Menedľer kont zabezpieczeä, SamSs, “C:\WINDOWS\system32\lsass.exe” [MS]
Menedľer poĄczeä usugi Dost©p zdalny, RasMan, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\rasmans.dll” [MS]}
NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "]
Plug and Play, PlugPlay, “C:\WINDOWS\system32\services.exe” [MS]
Pomoc i obsuga techniczna, helpsvc, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll” [MS]}
Pomoc TCP/IP NetBIOS, LmHosts, “C:\WINDOWS\system32\svchost.exe -k LocalService” {“C:\WINDOWS\System32\lmhsvc.dll” [MS]}
PoĄczenia sieciowe, Netman, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\netman.dll” [MS]}
Program uruchamiajĄcy proces serwera DCOM, DcomLaunch, “C:\WINDOWS\system32\svchost -k DcomLaunch” {“C:\WINDOWS\system32\rpcss.dll” [MS]}
PrzeglĄdarka komputera, Browser, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\browser.dll” [MS]}
Rejestr zdalny, RemoteRegistry, “C:\WINDOWS\system32\svchost.exe -k LocalService” {“C:\WINDOWS\system32\regsvc.dll” [MS]}
Routing i dost©p zdalny, RemoteAccess, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\mprdim.dll” [MS]}
Rozpoznawanie lokalizacji w sieci (NLA), Nla, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\mswsock.dll” [MS]}
Serwer, lanmanserver, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\srvsvc.dll” [MS]}
Stacja robocza, lanmanworkstation, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\wkssvc.dll” [MS]}
System zdarzeä COM+, EventSystem, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\es.dll” [MS]}
Telefonia, TapiSrv, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\tapisrv.dll” [MS]}
Usuga bramy warstwy aplikacji, ALG, “C:\WINDOWS\System32\alg.exe” [MS]
Usuga Czas systemu Windows, W32Time, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\w32time.dll” [MS]}
Usuga inteligentnego transferu w tle, BITS, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\qmgr.dll” [MS]}
Usuga odnajdywania SSDP, SSDPSRV, “C:\WINDOWS\system32\svchost.exe -k LocalService” {“C:\WINDOWS\System32\ssdpsrv.dll” [MS]}
Usuga przywracania systemu, srservice, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\srsvc.dll” [MS]}
Usuga raportowania b©d˘w, ERSvc, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\ersvc.dll” [MS]}
Usugi IPSEC, PolicyAgent, “C:\WINDOWS\system32\lsass.exe” [MS]
Usugi terminalowe, TermService, “C:\WINDOWS\System32\svchost -k DComLaunch” {“C:\WINDOWS\System32\termsrv.dll” [MS]}
WebClient, WebClient, “C:\WINDOWS\system32\svchost.exe -k LocalService” {“C:\WINDOWS\System32\webclnt.dll” [MS]}
Windows Audio, AudioSrv, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\audiosrv.dll” [MS]}
Windows Image Acquisition (WIA), stisvc, “C:\WINDOWS\system32\svchost.exe -k imgsvc” {“C:\WINDOWS\system32\wiaservc.dll” [MS]}
Wykrywanie sprz©tu powoki, ShellHWDetection, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\shsvcs.dll” [MS]}
Zapora systemu Windows/Udost©pnianie poĄczenia internetowego, SharedAccess, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\ipnathlp.dll” [MS]}
Zawiadomienie o zdarzeniu systemowym, SENS, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\sens.dll” [MS]}
Zdalne wywoywanie procedur (RPC), RpcSs, “C:\WINDOWS\system32\svchost -k rpcss” {“C:\WINDOWS\system32\rpcss.dll” [MS]}
Zgodno† szybkiego przeĄczania uľytkownik˘w, FastUserSwitchingCompatibility, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\shsvcs.dll” [MS]}
And the ComboFix log:
ComboFix 07-11-08.1 - Grzegorz 2007-11-14 21:05:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1489 [GMT 1:00]
Running from: C:\Documents and Settings\Grzegorz\Pulpit\ADWARE vs ME\Do sporządzania logów\ComboFix.exe
* Created a new restore point
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Grzegorz\Dane aplikacji\macromedia\Flash Player#SharedObjects\WBABU7C9\www.broadcaster.com
C:\Documents and Settings\Grzegorz\Dane aplikacji\macromedia\Flash Player\macromedia.com\support\flashplayer\sys#www.broadcaster.com
C:\Documents and Settings\Grzegorz\Dane aplikacji\macromedia\Flash Player\macromedia.com\support\flashplayer\sys#www.broadcaster.com\settings.sol
C:\Program Files\video activex object
C:\WINDOWS\system32\aybeg.bak1
C:\WINDOWS\system32\aybeg.ini
C:\WINDOWS\system32\gebya.dll
C:\WINDOWS\system32\wincqt32.dll
.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.
2007-11-14 21:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-14 09:09 85,056 --a------ C:\WINDOWS\system32\eoinvuok.dll
2007-11-13 20:15
2007-11-13 20:13 37,376 --a------ C:\WINDOWS\system32\opnmlll.dll
2007-11-13 20:12 37,376 --a------ C:\WINDOWS\system32\nnnkjjk.dll.vir
2007-11-13 20:10
2007-11-13 15:50
2007-11-13 15:50
2007-11-06 11:49 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-11-03 17:05
2007-11-03 16:58
2007-10-31 15:42 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-10-31 15:42 270,336 --a------ C:\WINDOWS\system32\imon.dll
2007-10-28 20:33
2007-10-28 20:32
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 16:17 --------- d-----w C:\Program Files\VoipCheapCom
2007-11-14 15:21 --------- d-----w C:\Documents and Settings\Grzegorz\Dane aplikacji\foobar2000
2007-11-14 15:16 --------- d-----w C:\Documents and Settings\Grzegorz\Dane aplikacji\Skype
2007-11-13 19:11 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-13 19:08 --------- d-----w C:\Documents and Settings\Grzegorz\Dane aplikacji\Azureus
2007-11-11 17:26 --------- d-----w C:\Program Files\NAPI-PROJEKT
2007-11-09 15:00 --------- d-----w C:\Documents and Settings\Grzegorz\Dane aplikacji\Loop Terminarz
2007-11-03 16:05 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2007-11-03 15:58 --------- d-----w C:\Program Files\Apple Software Update
2007-10-08 16:17 --------- d-----w C:\Program Files\Azureus
2007-09-26 15:26 --------- d–h--w C:\Program Files\InstallShield Installation Information
2007-09-26 15:26 --------- d-----w C:\Program Files\Logitech
2007-09-26 15:26 --------- d-----w C:\Documents and Settings\Grzegorz\Dane aplikacji\Logitech
2007-09-26 15:25 --------- d-----w C:\Program Files\Common Files\Logitech
2007-09-26 15:24 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Logitech
2007-09-21 11:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-21 11:01 --------- d-----w C:\Program Files\AGEIA Technologies
2007-09-15 07:29 --------- d-----w C:\Program Files\VideoLAN
2007-09-15 07:15 --------- d-----w C:\Program Files\Attack on Pearl Harbor
2007-09-15 07:14 --------- d-----w C:\Program Files\123 DVD Clone
2007-09-14 11:33 --------- d-----w C:\Program Files\Loop Terminarz
2006-12-25 19:43 49,152 ----a-r C:\Documents and Settings\Grzegorz\Dane aplikacji\Odinstaluj.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D}]
C:\Program Files\Video ActiveX Object\isadd.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
“{84938242-5C5B-4A55-B6B9-A1507543B418}”= C:\Program Files\Video ActiveX Object\iesplugin.dll []
[HKEY_CLASSES_ROOT\CLSID{84938242-5C5B-4A55-B6B9-A1507543B418}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
“{84938242-5C5B-4A55-B6B9-A1507543B418}”= C:\Program Files\Video ActiveX Object\iesplugin.dll []
[HKEY_CLASSES_ROOT\CLSID{84938242-5C5B-4A55-B6B9-A1507543B418}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“NvMediaCenter”=“C:\WINDOWS\system32\NvMcTray.dll” [2005-06-15 10:20]
“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2005-06-15 10:20]
“Logitech Hardware Abstraction Layer”=“KHALMNPR.EXE” [2007-01-23 14:44 C:\WINDOWS\KHALMNPR.Exe]
“nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-10-31 15:41]
“QuickTime Task”=“C:\Program Files\QuickTime\QTTask.exe” [2007-06-29 06:24]
“b04d05f5”=“C:\WINDOWS\system32\eoinvuok.dll” [2007-11-14 09:09]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“VoipCheapCom”=“C:\Program Files\VoipCheapCom\VoipCheapCom.exe” [2007-02-20 13:23]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“NoThumbnailCache”=1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
“Authentication Packages”= msv1_0 C:\WINDOWS\system32\gebya.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Archivarius 3000]
C:\Program Files\Archivarius 3000\Archivarius3000.exe -AutoStart
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
“C:\Program Files\BitTorrent\bittorrent.exe” --force_start_minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
“C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
“C:\Program Files\DAP\DAP.EXE” /STARTUP
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
“C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe” -scheduler
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Loop Terminarz]
C:\Program Files\Loop Terminarz\Loop Terminarz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
“C:\Program Files\QuickTime\qttask.exe” -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe”
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
“Pml Driver HPZ12”=2 (0x2)
“ose”=3 (0x3)
“NVSvc”=2 (0x2)
.
Contents of the ‘Scheduled Tasks’ folder
“2007-11-14 12:32:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 21:10:49
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-14 21:11:22 - machine was rebooted
.
— E O F —
I'm about to boot into safe mode and run the automated tools on it:
VundoFIX,
FIXVundo,
f-vmonde,
and
VirtumundoBeGone.
But I have a QUESTION:
is that enough to get rid of it?