Virus Alert - gorsza mutacja - pomocy

SpiralSol · 29 Sierpień 2008 15:39

Witam i bardzo proszę o pomoc! Niedawno miałem już do czynienia z tym świństwem ale udało mi się zwalczyć go ComboFix’em. Miałem wtedy Antivirus XP2008. Teraz przyplątało się coś takiego: Error Cleaner, Privacy Protector, Spyware&Malware Protection. Standardowo niebieska tapeta i przy zegarze napis VIRUS ALERT! I teraz właśnie przy pierwszym uruchomieniu ComboFix’a niby szło pięknie, ale po ponownym uruchomieniu okazało się że nie naprawił nic. Ukazał aię też komunikat że “Rejestr został wyłączony przez administratora!” [jak zresztą cała reszta] Zniknęły ikony z pulpitu [poza koszem z którego mogę dostać się do Mój Komputer. S&D też nie działa. Jest jakaś możliwość zaradzeniu temu oprócz opcji ‘foramt’ ??

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 07:40: VIRUS ALERT!, on 2008-08-29

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Acer\eManager\anbmServ.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\keyhook.exe

C:\Program Files\Arcade\PCMService.exe

C:\Program Files\Launch Manager\QtZgAcer.EXE

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Colourificator\Colourificator.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\System32\PAStiSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\sistray.exe

C:\Program Files\OpenOffice.org1.0\program\soffice.exe

C:\Program Files\acer\eRecovery\Monitor.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5&lid=2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66026

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_custo … TbId=66026

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.tekanet.pl:3128

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: qalkfxor - {E7115DAD-2300-42E9-9ABA-035637465E58} - C:\WINDOWS\qalkfxor.dll

O4 - HKLM…\Run: [LaunchApp] Alaunch

O4 - HKLM…\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM…\Run: [siS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe

O4 - HKLM…\Run: [PCMService] “C:\Program Files\Arcade\PCMService.exe”

O4 - HKLM…\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE

O4 - HKLM…\Run: [eRecoveryService] C:\Windows\System32\Check.exe

O4 - HKLM…\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM…\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM…\Run: [lphcrdbj0e9m5] C:\WINDOWS\system32\lphcrdbj0e9m5.exe

O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background

O4 - HKCU…\Run: [Colourificator] C:\Program Files\Colourificator\Colourificator.exe mini

O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe

O4 - HKCU…\Run: [DAEMON Tools Lite] “C:\Program Files\DAEMON Tools Lite\daemon.exe” -autorun

O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)

O4 - Startup: OpenOffice.org 1.0.lnk = C:\Program Files\OpenOffice.org1.0\program\quickstart.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O21 - SSODL: lVpUja - {095416DD-A3FE-BC77-B9A6-7B4A4E400E40} - C:\WINDOWS\system32\cpxk.dll

O21 - SSODL: pdoskegl - {1262C0C6-A404-4BCC-922B-FEBD36E862E4} - C:\WINDOWS\pdoskegl.dll

O21 - SSODL: rqbmvpso - {CE693904-70DE-4F6E-B69D-AC8480411315} - C:\WINDOWS\rqbmvpso.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

–

End of file - 7170 bytes

djarta · 29 Sierpień 2008 15:45

Te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked

Daj log z -----> ComboFix (niżej na stronie linku).

==================

K.

Gutek · 29 Sierpień 2008 16:32

Zmiana zasad wklejania logów na forum - viewtopic.php?f=16&t=253052

SpiralSol · 31 Sierpień 2008 13:19

dziękuję Wam za pomoc! Maszyna wróciła prawie do normy!

djarta · 31 Sierpień 2008 13:20

Daj log po usuwaniu ComboFixem.

===================

K.

SpiralSol · 31 Sierpień 2008 13:37

Oto świerzutki log z ComboFix [machineria jednak nie działa jak powinna]

ComboFix 08-08-27.06 - THC 2008-08-31 16:24:47.5 - FAT32 x86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.856 [GMT 3:00]

Running from: E:\Nowy folder\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\BHkQAcfe.ini

C:\WINDOWS\system32\BHkQAcfe.ini2

C:\WINDOWS\system32\ehwmupji.ini

C:\WINDOWS\system32\ijpumwhe.dll

C:\WINDOWS\system32\tdmkfvqx.dll

C:\WINDOWS\system32\xqvfkmdt.ini

.

((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-31 )))))))))))))))))))))))))))))))

.

2008-08-31 08:11 . 2008-08-31 08:11

2008-08-30 14:47 . 2008-08-30 14:47

2008-08-30 13:53 . 2008-08-30 13:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-08-30 13:53 . 2008-08-30 13:54 1,409 --a------ C:\WINDOWS\QTFont.for

2008-08-29 07:15 . 2008-08-29 07:15

2008-08-28 22:06 . 2008-08-28 22:06

2008-08-28 21:25 . 2008-08-28 21:25

2008-08-28 21:19 . 2008-08-28 21:19 326,656 --a------ C:\WINDOWS\system32\efcAQkHB.dll

2008-08-28 21:13 . 2008-08-28 19:40 380,928 --a------ C:\WINDOWS\rodqgpvlsrd.dll

2008-08-28 21:13 . 2008-08-28 19:40 290,816 --a------ C:\WINDOWS\pdoskegl.dll

2008-08-28 21:13 . 2008-08-28 19:40 266,240 --a------ C:\WINDOWS\rqbmvpso.dll

2008-08-28 21:13 . 2008-08-28 19:40 192,512 --a------ C:\WINDOWS\qalkfxor.dll

2008-08-28 21:13 . 2008-08-28 19:40 94,208 --a------ C:\WINDOWS\rvoelbxt.exe

2008-08-28 20:54 . 2008-08-28 20:54

2008-08-22 07:35 . 2008-08-22 07:35

2008-08-21 19:40 . 2008-08-21 19:40

2008-08-19 07:42 . 2008-08-19 07:42

2008-08-18 09:32 . 2008-08-18 09:32

2008-08-14 15:38 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys

2008-08-14 15:25 . 2008-08-14 15:25

2008-08-14 15:18 . 2008-08-14 15:18

2008-08-06 13:06 . 2008-08-06 13:06

2008-08-06 12:43 . 2008-08-06 12:43

2008-08-05 00:21 . 2008-08-05 00:21

2008-07-31 11:16 . 2008-07-31 11:16

2008-07-22 07:53 . 2008-07-22 07:53

2008-07-21 20:57 . 2008-07-21 20:57

2008-07-16 07:08 . 2008-07-16 07:08

2008-07-06 15:22 . 2008-07-06 15:22

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-28 17:54 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll

2008-08-28 17:54 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll

2008-07-18 19:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll

2008-07-18 19:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 19:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 19:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe

2008-07-18 19:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 19:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 19:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll

2008-07-18 19:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 19:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll

2008-07-18 19:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 19:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll

2008-07-18 19:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 19:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll

2008-07-18 19:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-18 19:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll

2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll

2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll

2008-06-24 07:42 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll

2008-06-23 09:23 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2008-06-23 09:23 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe

2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-06-22 17:33 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll

2008-06-21 05:23 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll

2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 17:42 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys

2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\dllcache\bthport.sys

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys

2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll

2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll

2008-05-04 09:28 60,273 ----a-w C:\WINDOWS\system32\pthreadGC2.dll

2008-05-01 14:33 331,776 ----a-w C:\WINDOWS\system32\dllcache\msadce.dll

2008-01-01 19:59 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2008-01-26 15:22 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

.

------- Sigcheck -------

md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\system32\winlogon.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\explorer.exe: error at offset 0: Permission denied

2007-06-13 14:12 1034752 8db0650b211425b9cdb7d1c4a8f6b482 C:\WINDOWS$hf_mig$\KB938828\SP2QFE\explorer.exe

2004-08-04 20:00 1033728 379098a96e6c165b659de7e4328010ea C:\WINDOWS$NtUninstallKB938828$\explorer.exe

md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\system32\spoolsv.exe: error at offset 0: Permission denied

2005-06-11 00:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS$hf_mig$\KB896423\SP2QFE\spoolsv.exe

2004-08-04 20:00 57856 bebe8a85954ff460374fd5a0cd21e19b C:\WINDOWS$NtUninstallKB896423$\spoolsv.exe

.

((((((((((((((((((((((((((((( snapshot@2008-08-18_ 9.42.06.67 )))))))))))))))))))))))))))))))))))))))))

.

2005-12-29 16:16:18 16,384 ------w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

2008-08-28 13:08:30 16,384 ------w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

2005-12-29 16:16:18 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat

2008-08-28 13:08:30 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat

2005-12-29 16:16:18 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat

2008-08-28 13:08:30 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat

2008-08-01 06:11:44 889,312 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT

2008-08-23 04:20:54 888,520 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
2008-07-18 19:10:20 36,552 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.784\wups.dll
2008-07-18 19:10:40 45,768 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.784\wups2.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{4330BB3A-223E-41BA-B159-D9764245F616}]

2008-08-28 19:40 380928 --a------ C:\WINDOWS\rodqgpvlsrd.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{8D5F235C-7D9D-4FCB-A126-FEA39D7F4B09}]

2008-08-28 21:19 326656 --a------ C:\WINDOWS\system32\efcAQkHB.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

“{E7115DAD-2300-42E9-9ABA-035637465E58}”= “C:\WINDOWS\qalkfxor.dll” [2008-08-28 19:40 192512]

[HKEY_CLASSES_ROOT\clsid{e7115dad-2300-42e9-9aba-035637465e58}]

[HKEY_CLASSES_ROOT\qalkfxor.1]

[HKEY_CLASSES_ROOT\TypeLib{2034AE1E-3C5E-4D42-B09D-532035623118}]

[HKEY_CLASSES_ROOT\qalkfxor]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 16:24 1694208]

“Colourificator”=“C:\Program Files\Colourificator\Colourificator.exe” [2003-01-26 19:06 233472]

“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-12-12 15:23 21686568]

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-11-14 10:54 2131392]

“Odkurzacz-MCD”=“C:\Program Files\Odkurzacz\odk_mcd.exe” [2008-03-03 14:44 266240]

“DAEMON Tools Lite”=“C:\Program Files\DAEMON Tools Lite\daemon.exe” [2008-04-01 12:39 486856]

“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2007-06-01 10:21 153136]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 20:00 15360]

“SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search Destroy\TeaTimer.exe” [2008-01-28 11:43 2097488]

“µTorrent”=“C:\Program Files\uTorrent\utorrent.exe” [2007-02-14 22:46 176640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“LaunchApp”=“Alaunch” [X]

“SiS Windows KeyHook”=“C:\WINDOWS\system32\keyhook.exe” [2005-03-04 13:13 32768]

“PCMService”=“C:\Program Files\Arcade\PCMService.exe” [2005-03-09 18:59 49152]

“LManager”=“C:\Program Files\Launch Manager\QtZgAcer.EXE” [2005-03-28 12:30 315392]

“eRecoveryService”=“C:\Windows\System32\Check.exe” [2005-03-23 10:01 245760]

“MSPY2002”=“C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe” [2004-08-04 20:00 59392]

“PWRISOVM.EXE”=“C:\Program Files\PowerISO\PWRISOVM.EXE” [2007-08-07 03:05 200704]

“NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2007-03-01 15:57 153136]

“SiSPower”=“SiSPower.dll” [2005-02-25 19:35 49152 C:\WINDOWS\system32\SiSPower.dll]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 20:00 15360]

C:\Documents and Settings\THC\Menu Start\Programy\Autostart\

OpenOffice.org 1.0.lnk - C:\Program Files\OpenOffice.org1.0\program\quickstart.exe [2002-05-11 06:00:00 61440]

Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-03-07 20:56:20 331776]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= “C:\Program Files\SUPERAntiSpyware\SASSEH.DLL” [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

“lVpUja”= {095416DD-A3FE-BC77-B9A6-7B4A4E400E40} - C:\WINDOWS\system32\cpxk.dll [2007-04-16 16:54 32768]

“rqbmvpso”= {C6ECABCD-90B7-414B-A8FB-E7DFC256AF87} - C:\WINDOWS\rqbmvpso.dll [2008-08-28 19:40 266240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]

2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

“vidc.DIV3”= APmpg4v1.dll

“vidc.DIV4”= APmpg4v1.dll

“msacm.divxa32”= divxa32.acm

“VIDC.AP41”= APmpg4v1.dll

“vidc.mp43”= APmpg4v1.dll

“VIDC.MPG4”= APmpg4v1.dll

“VIDC.MP42”= APmpg4v1.dll

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“C:\Program Files\Gadu-Gadu\gg.exe”=

“C:\Program Files\uTorrent\utorrent.exe”=

“C:\Program Files\Autodesk\Backburner\monitor.exe”=

“C:\Program Files\Autodesk\Backburner\manager.exe”=

“C:\Program Files\Autodesk\Backburner\server.exe”=

“C:\Program Files\iTunes\iTunes.exe”=

“C:\Program Files\Opera\Opera.exe”=

“C:\Program Files\Soulseek-Test\slsk.exe”=

“C:\Program Files\Neo\Rune\System\Rune.exe”=

“C:\Program Files\Mozilla Firefox\firefox.exe”=

“C:\Program Files\Skype\Phone\Skype.exe”=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]

R3 int15.sys;int15.sys;C:\Program Files\acer\eRecovery\int15.sys [2005-01-13 14:46]

R3 PAC207;CIF USB Camera;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-05-26 23:57]

R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2004-11-05 01:43]

R3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 20:00]

S1 aiptektp;HyperPen;C:\WINDOWS\system32\DRIVERS\aiptektp.sys [2004-07-07 16:02]

S3 FGUARD32;FGUARD32;C:\Program Files\Folder Guard Pro\FGUARD32.SYS [2007-02-25 00:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{7aa9f76a-a9b5-11dc-ab50-00c09fc8172b}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{f895fef7-ada4-11dc-ab53-0014a42fbdc5}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

“C:\Program Files\Common Files\LightScribe\LSRunOnce.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{F62g62BC-4266-43f0-B6ED-9D76C4202C7E}]

C:\Program Files\Common Files\mscome.exe

.

Contents of the ‘Scheduled Tasks’ folder

2008-08-19 C:\WINDOWS\Tasks\XoftSpySE.job

E:\SE\XoftSpySE\XoftSpy.exe [2008-08-16 22:53]

2008-08-31 C:\WINDOWS\Tasks\XoftSpySE 2.job

E:\SE\XoftSpySE\XoftSpy.exe [2008-08-16 22:53]

.

- - - ORPHANS REMOVED - - - -

HKLM-Run-09541673 - C:\WINDOWS\system32\ijpumwhe.dll

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\THC\Dane aplikacji\Mozilla\Firefox\Profiles\hbtgv09s.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.pl

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-31 16:29:53

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\ACER\EMANAGER\ANBMSERV.EXE

C:\WINDOWS\SYSTEM32\CRYPSERV.EXE

C:\PROGRAM FILES\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE

C:\WINDOWS\SYSTEM32\PASTISVC.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\SYSTEM32\RUNDLL32.EXE

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\PROGRAM FILES\OPENOFFICE.ORG1.0\PROGRAM\SOFFICE.EXE

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\acer\eRecovery\Monitor.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2008-08-31 16:33:38 - machine was rebooted

ComboFix-quarantined-files.txt 2008-08-31 13:33:36

ComboFix3.txt 2008-08-18 06:42:34

ComboFix2.txt 2008-08-30 10:32:30

Pre-Run: 14,339,899,392 bajtów wolnych

Post-Run: 14,337,474,560 bajt˘w wolnych

253 — E O F — 2008-08-14 06:18:08

djarta · 31 Sierpień 2008 13:40

Wklej do Notatnika :

File::

C:\WINDOWS\system32\efcAQkHB.dll

C:\WINDOWS\rodqgpvlsrd.dll

C:\WINDOWS\pdoskegl.dll

C:\WINDOWS\rqbmvpso.dll

C:\WINDOWS\qalkfxor.dll

C:\WINDOWS\rvoelbxt.exe


Folder::

C:\FOUND.017

C:\FOUND.016

C:\FOUND.015

C:\FOUND.014

C:\FOUND.013

C:\FOUND.012

C:\FOUND.011


Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4330BB3A-223E-41BA-B159-D9764245F616}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D5F235C-7D9D-4FCB-A126-FEA39D7F4B09}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{E7115DAD-2300-42E9-9ABA-035637465E58}"=-

[-HKEY_CLASSES_ROOT\clsid\{e7115dad-2300-42e9-9aba-035637465e58}]

[-HKEY_CLASSES_ROOT\qalkfxor.1]

[-HKEY_CLASSES_ROOT\TypeLib\{2034AE1E-3C5E-4D42-B09D-532035623118}]

[-HKEY_CLASSES_ROOT\qalkfxor]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"lVpUja"=-

"rqbmvpso"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7aa9f76a-a9b5-11dc-ab50-00c09fc8172b}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f895fef7-ada4-11dc-ab53-0014a42fbdc5}]

>>Plik>>Zapisz jako… >>> CFScript

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe

–>

Ma się rozpocząć usuwanie. (i powstanie log).Daj ten log, który powstanie w trakcie usuwania.

Jeśli pójdzie dobrze, to: Po restarcie usuń ręcznie folder C:** Qoobox.**

======================

K.

SpiralSol · 31 Sierpień 2008 14:05

zrobiłem tak jak mi doradziłeś djarta - dzięki

oto co wyszło

ComboFix 08-08-27.06 - THC 2008-08-31 16:53:13.6 - FAT32 x86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.927 [GMT 3:00]

Running from: C:\Documents and Settings\THC\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\THC\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::

C:\WINDOWS\pdoskegl.dll

C:\WINDOWS\qalkfxor.dll

C:\WINDOWS\rodqgpvlsrd.dll

C:\WINDOWS\rqbmvpso.dll

C:\WINDOWS\rvoelbxt.exe

C:\WINDOWS\system32\efcAQkHB.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\FOUND.011

C:\FOUND.012

C:\FOUND.013

C:\FOUND.014

C:\FOUND.015

C:\FOUND.015\FILE0011.CHK

C:\FOUND.015\FILE0012.CHK

C:\FOUND.016

C:\FOUND.017

C:\WINDOWS\pdoskegl.dll

C:\WINDOWS\qalkfxor.dll

C:\WINDOWS\rodqgpvlsrd.dll

C:\WINDOWS\rqbmvpso.dll

C:\WINDOWS\rvoelbxt.exe

C:\WINDOWS\system32\BHkQAcfe.ini

C:\WINDOWS\system32\BHkQAcfe.ini2

C:\WINDOWS\system32\efcAQkHB.dll

C:\WINDOWS\system32\hepohyer.ini

C:\WINDOWS\system32\reyhopeh.dll