Virus alert w trayu

Buko · 10 Październik 2008 11:27

Witam, przez nieuwagę kliknąłem na załącznik w poczcie i niestety chyba coś mi się zainstalowało niedobrego. Cały czas w zasobniku widnieje virys alert, nie działa antywirus, co chwilę uruchamia sie IE, poza tym muli niesamowicie cały system. Prosiłbym o sprawdzenie loga bo ja niestety nie wiem co usunąć i jak a nie chciałbym czegoś popsuć , mam dużo ważnych danych i nie chciałbym ich stracić.

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:26: VIRUS ALERT!, on 2008-10-10 Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\ERA\GlobeTrotter Connect\GtDetectSc.exe C:\WINDOWS\system32\HPZipm12.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\igfxsrvc.exe C:\DOCUME~1\Maciejka\USTAWI~1\Temp\video95.cfg.exe C:\Program Files\ERA\GlobeTrotter Connect\GlobeTrotter Connect.exe C:\DOCUME~1\Maciejka\USTAWI~1\Temp\c.exe C:\Program Files\Opera\Opera.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\Iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5&lid=2 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O3 - Toolbar: dkwqgnbe - {DC51F59F-D0BA-4CE7-8CDB-15ABF290546E} - C:\WINDOWS\dkwqgnbe.dll O4 - HKLM…\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM…\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM…\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM…\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU…\Run: [H/PC Connection Agent] “C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE” O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [somefox] C:\DOCUME~1\Maciejka\USTAWI~1\Temp\video95.cfg.exe O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: GlobeTrotter Connect.lnk = C:\Program Files\ERA\GlobeTrotter Connect\GlobeTrotter Connect.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll (file missing) O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll (file missing) O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll (file missing) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_07) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL … 586-jc.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll athtxl.dll O21 - SSODL: neksolda - {418EB709-0FAD-4E7A-90EF-1D10E49EC531} - C:\WINDOWS\neksolda.dll O21 - SSODL: xgpsarbm - {8AEACAA6-4A20-4243-892B-E0213CD82AC8} - C:\WINDOWS\xgpsarbm.dll (file missing) O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: GtDetectSc - Option - C:\Program Files\ERA\GlobeTrotter Connect\GtDetectSc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe – End of file - 5982 bytes

huber2t · 10 Październik 2008 11:34

fix w hijakthis

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5&lid=2 O3 - Toolbar: dkwqgnbe - {DC51F59F-D0BA-4CE7-8CDB-15ABF290546E} - C:\WINDOWS\dkwqgnbe.dll O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll (file missing) O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll (file missing) O21 - SSODL: neksolda - {418EB709-0FAD-4E7A-90EF-1D10E49EC531} - C:\WINDOWS\neksolda.dll O21 - SSODL: xgpsarbm - {8AEACAA6-4A20-4243-892B-E0213CD82AC8} - C:\WINDOWS\xgpsarbm.dll (file missing)

Podaj log z Combofix

Buko · 10 Październik 2008 15:33

ComboFix 08-10-09.06 - Maciejka 2008-10-10 17:22:36.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.604 [GMT 2:00] Uruchomiony z: C:\Documents and Settings\Maciejka\Pulpit\ComboFix.exe UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA . ((((((((((((((((((((((((((((((((((((((( Usunięto ))))))))))))))))))))))))))))))))))))))))))))))))) . . ---- Previous Run ------- . C:\Documents and Settings\Maciejka\Menu Start\Search Online.url C:\Documents and Settings\Maciejka\Menu Start\VIP Casino.url C:\Documents and Settings\Maciejka\Pulpit\Search Online.url C:\Documents and Settings\Maciejka\Ulubione\Search Online.url C:\Documents and Settings\Maciejka\Ulubione\VIP Casino.url C:\Program Files\VirusRemover2008 C:\WINDOWS\dkwqgnbe.dll C:\WINDOWS\eepa.exe C:\WINDOWS\fkebanrw.exe C:\WINDOWS\k.txt C:\WINDOWS\neksolda.dll C:\WINDOWS\nkefbltdvts.dll C:\WINDOWS\system32\athtxl.dll C:\WINDOWS\system32\c.ico C:\WINDOWS\system32\chfvfmhs.dll C:\WINDOWS\system32\drivers\beep.sys C:\WINDOWS\system32\geBtUnol.dll C:\WINDOWS\system32\jpvawsqk.ini C:\WINDOWS\system32\kqswavpj.dll C:\WINDOWS\system32\lonUtBeg.ini C:\WINDOWS\system32\lonUtBeg.ini2 C:\WINDOWS\system32\m.ico C:\WINDOWS\system32\nnnmklkI.dll C:\WINDOWS\system32\rgf.dll C:\WINDOWS\system32\s.ico C:\WINDOWS\system32\skwnqguh.dll C:\WINDOWS\system32\ssqPHWOg.dll C:\WINDOWS\system32\ssqQjGyy.dll C:\WINDOWS\system32\tdssadw.dll C:\WINDOWS\system32\TDSSerrors.log C:\WINDOWS\system32\tdssinit.dll C:\WINDOWS\system32\tdssl.dll C:\WINDOWS\system32\tdsslog.dll C:\WINDOWS\system32\tdssmain.dll C:\WINDOWS\system32\tdssserf.dll C:\WINDOWS\system32\tdssserf1.dll C:\WINDOWS\system32\tdssservers.dat C:\WINDOWS\system32\wvUoLfFw.dll . ((((((((((((((((((((((((( Pliki utworzone od 2008-09-10 do 2008-10-10 ))))))))))))))))))))))))))))))) . 2008-10-10 13:14 . 2008-10-10 13:14 2008-10-09 18:24 . 2008-10-09 18:24 120 —hs---- C:\WINDOWS\system32\hugqnwks.ini 2008-10-05 13:31 . 2008-10-05 13:31 2008-10-05 13:30 . 2008-10-05 13:30 2008-10-05 13:24 . 2008-10-05 13:29 2008-09-25 18:41 . 2008-09-25 18:41 2008-09-25 18:35 . 2008-10-04 11:30 488 --a------ C:\hpfr5550.xml 2008-09-25 18:34 . 2008-09-25 18:34 2008-09-25 18:27 . 2008-09-25 18:27 2008-09-25 18:26 . 2008-09-25 18:29 19,558 --a------ C:\WINDOWS\hpoins01.dat 2008-09-25 18:26 . 2003-04-23 01:45 16,606 --------- C:\WINDOWS\hpomdl01.dat 2008-09-25 18:24 . 2008-09-25 18:26 2008-09-25 18:24 . 2008-09-25 18:24 2008-09-25 18:08 . 2008-04-13 20:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys 2008-09-25 18:08 . 2008-04-13 20:47 25,856 --a–c— C:\WINDOWS\system32\dllcache\usbprint.sys 2008-09-25 18:07 . 2008-04-13 20:45 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys 2008-09-25 18:07 . 2008-04-13 20:45 32,128 --a–c— C:\WINDOWS\system32\dllcache\usbccgp.sys . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-09 18:41 --------- d-----w C:\Program Files\Opera 2008-10-09 17:03 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\avg8 2008-10-05 19:20 --------- d-----w C:\Documents and Settings\Maciejka\Dane aplikacji\uTorrent 2008-09-25 16:26 --------- d-----w C:\Program Files\Hewlett-Packard 2008-09-03 12:05 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys 2008-09-02 16:02 --------- d-----w C:\Documents and Settings\Kasia\Dane aplikacji\BearShare 2008-08-31 09:31 --------- d-----w C:\Documents and Settings\Maciejka\Dane aplikacji\BearShare 2008-08-27 19:08 --------- d-----w C:\Program Files\BearShare 2008-08-27 19:01 --------- d-----w C:\Program Files\BearShare Applications . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2008-04-14 15360] “SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search Destroy\TeaTimer.exe” [2008-01-28 2097488] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2008-03-20 2127296] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “IgfxTray”=“C:\WINDOWS\system32\igfxtray.exe” [2007-09-24 141848] “HotKeysCmds”=“C:\WINDOWS\system32\hkcmd.exe” [2007-09-24 166424] “Persistence”=“C:\WINDOWS\system32\igfxpers.exe” [2007-09-24 137752] “AVG8_TRAY”=“C:\PROGRA~1\AVG\AVG8\avgtray.exe” [2008-10-04 1234712] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2008-04-14 15360] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ GlobeTrotter Connect.lnk - C:\Program Files\ERA\GlobeTrotter Connect\GlobeTrotter Connect.exe [2008-01-10 782336] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] “AppInit_DLLs”=avgrsstx.dll athtxl.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] “vidc.ffds”= ffdshow.ax “MSACM.CEGSM”= mobilev.acm [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys] @=“beep” [HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^hp psc 2000 Series.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\hp psc 2000 Series.lnk backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup [HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^hpoddt01.exe.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\hpoddt01.exe.lnk backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] --a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare] --a------ 2008-07-21 14:28 8070584 C:\Program Files\BearShare\BearShare.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu] --a------ 2008-03-20 12:04 2127296 C:\Program Files\Gadu-Gadu\gg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-07-23 13:34 155648 C:\Program Files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite] -ra------ 2007-03-28 01:07 593920 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX] --a------ 2006-07-13 07:12 729088 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP] --a------ 2007-01-05 16:36 872448 C:\Program Files\Analog Devices\Core\smax4pnp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trans] --a------ 2008-07-10 10:06 2383800 C:\Program Files\Trans\trans.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] --a------ 2008-04-01 20:49 36352 C:\Program Files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] “UpdatesDisableNotify”=dword:00000001 [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] “%windir%\system32\sessmgr.exe”= “C:\Program Files\AVG\AVG8\avgupd.exe”= “C:\Program Files\AVG\AVG8\avgemc.exe”= “C:\Program Files\uTorrent\uTorrent.exe”= “%windir%\Network Diagnostic\xpnetdiag.exe”= R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-03 97928] R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-03 875288] R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-03 231704] R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-21 76040] R2 GtDetectSc;GtDetectSc;C:\Program Files\ERA\GlobeTrotter Connect\GtDetectSc.exe [2007-11-05 204915] S3 GT72NDISIPXP;GT 72 IP NDIS;C:\WINDOWS\system32\DRIVERS\Gt51Ip.sys [2007-07-09 95744] S3 GT72UBUS;GT 72 U BUS;C:\WINDOWS\system32\DRIVERS\gt72ubus.sys [2007-06-26 51968] S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-03-30 8064] S3 se59bus;Sony Ericsson Device 089 driver (WDM);C:\WINDOWS\system32\DRIVERS\se59bus.sys [2006-09-05 61536] S3 se59mdfl;Sony Ericsson Device 089 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se59mdfl.sys [2006-09-05 9360] S3 se59mdm;Sony Ericsson Device 089 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se59mdm.sys [2006-09-05 97088] S3 se59mgmt;Sony Ericsson Device 089 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se59mgmt.sys [2006-09-05 88624] S3 se59nd5;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (NDIS);C:\WINDOWS\system32\DRIVERS\se59nd5.sys [2006-09-05 18704] S3 se59obex;Sony Ericsson Device 089 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se59obex.sys [2006-09-05 86432] S3 se59unic;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (WDM);C:\WINDOWS\system32\DRIVERS\se59unic.sys [2006-09-05 90800] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{d970260e-2dcf-11dd-88b4-00210004e23f}] \Shell\AutoRun\command - F:\setup.exe AUTORUN=1 . Zawartość folderu ‘Zaplanowane zadania’ 2008-10-04 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1222360163.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56] 2008-10-01 C:\WINDOWS\Tasks\FRU Task $ContextID$.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56] 2008-09-25 C:\WINDOWS\Tasks\WebReg 20080925183429.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2003-04-09 18:06] 2008-09-30 C:\WINDOWS\Tasks\WebReg 20080930163838.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2003-04-09 18:06] . - - - - USUNIĘTO PUSTE WPISY - - - - BHO-{062267E0-6564-46C7-ACFB-0459057B1E55} - (no file) BHO-{0F768086-710A-4F5D-95EA-158D3037BDB9} - C:\WINDOWS\system32\geBtUnol.dll BHO-{4ec005ec-57a3-4511-9baa-c31d1b6cbaaa} - C:\WINDOWS\system32\athtxl.dll BHO-{5851BBF6-26B7-434B-A4D1-B92A05913403} - C:\WINDOWS\nkefbltdvts.dll BHO-{6599A965-FA2D-41CD-95B1-13140F1CF8A3} - C:\WINDOWS\system32\rgf.dll BHO-{C7093DB8-D5FB-4FF9-851C-3E4C5C5BD4FD} - C:\WINDOWS\system32\ssqPHWOg.dll HKCU-Run-H/PC Connection Agent - C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE ShellExecuteHooks-{C7093DB8-D5FB-4FF9-851C-3E4C5C5BD4FD} - C:\WINDOWS\system32\ssqPHWOg.dll Notify-ssqPHWOg - ssqPHWOg.dll MSConfigStartUp-MSMSGS - C:\Program Files\Messenger\msmsgs.exe MSConfigStartUp-Somefox - C:\DOCUME~1\Maciejka\USTAWI~1\Temp\video95.cfg.exe . ------- Skan uzupełniający ------- . R0 -: HKCU-Main,Start Page = hxxp://softwarereferral.com/jump.php?wm … Ojg5lid=2 O8 -: Eksport do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O18 -: Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - %~$path:i O18 -: WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - %~$path:i O18 -: WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - %~$path:i O18 -: WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - %~$path:i O18 -: WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - %~$path:i O18 -: WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - %~$path:i O18 -: WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - %~$path:i . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-10 17:26:29 Windows 5.1.2600 Dodatek Service Pack 3 NTFS skanowanie ukrytych procesów … skanowanie ukrytych wpisów autostartu … skanowanie ukrytych plików … skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** . ------------------------ Pozostałe uruchomione procesy ------------------------ . C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\AVG\AVG8\avgrsx.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\wscntfy.exe . ************************************************************************** . Czas ukończenia: 2008-10-10 17:28:46 - komputer został uruchomiony ponownie [Maciejka] ComboFix-quarantined-files.txt 2008-10-10 15:28:41 Przed: 72,692,424,704 bajtów wolnych Po: 72,630,218,752 bajtów wolnych 219 — E O F — 2008-09-11 17:51:48 ok, tu jest log z combofixa a zaraz daję jeszcze raz po usunięciu tamtych wpisów z hijackthis.

djarta · 10 Październik 2008 15:45

Wklej do Notatnika:

File::

C:\WINDOWS\system32\hugqnwks.ini


Folder::

C:\Documents and Settings\Maciejka\Dane aplikacji\VirusRemover2008


Registry::

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]

>>Plik>>Zapisz jako… >>> CFScript

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe

–>

Ma się rozpocząć usuwanie. (i powstanie log).Daj ten log, który powstanie w trakcie usuwania.

Jeśli pójdzie dobrze, to: Po restarcie usuń ręcznie folder C:** Qoobox.**

============================

K.

Buko · 10 Październik 2008 19:33

ok, zrobiłem. Daję loga

ComboFix 08-10-10.01 - Maciejka 2008-10-10 21:23:27.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.617 [GMT 2:00] Uruchomiony z: C:\Documents and Settings\Maciejka\Pulpit\ComboFix.exe Użyto następujących komend :: C:\Documents and Settings\Maciejka\Pulpit\CFScript.txt * Utworzono nowy punkt przywracania UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA FILE :: C:\WINDOWS\system32\hugqnwks.ini . ((((((((((((((((((((((((((((((((((((((( Usunięto ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Maciejka\Dane aplikacji\VirusRemover2008 C:\Documents and Settings\Maciejka\Dane aplikacji\VirusRemover2008\Logs\scns.log C:\WINDOWS\system32\hugqnwks.ini . ((((((((((((((((((((((((( Pliki utworzone od 2008-09-10 do 2008-10-10 ))))))))))))))))))))))))))))))) . 2008-10-10 21:21 . 2008-10-10 21:21 2008-10-10 17:49 . 2008-10-10 17:49 2008-10-10 13:14 . 2008-10-10 13:14 2008-10-05 13:30 . 2008-10-05 13:30 2008-09-25 18:41 . 2008-09-25 18:41 2008-09-25 18:35 . 2008-10-04 11:30 488 --a------ C:\hpfr5550.xml 2008-09-25 18:34 . 2008-09-25 18:34 2008-09-25 18:27 . 2008-09-25 18:27 2008-09-25 18:26 . 2008-09-25 18:29 19,558 --a------ C:\WINDOWS\hpoins01.dat 2008-09-25 18:26 . 2003-04-23 01:45 16,606 --------- C:\WINDOWS\hpomdl01.dat 2008-09-25 18:24 . 2008-09-25 18:26 2008-09-25 18:24 . 2008-09-25 18:24 2008-09-25 18:08 . 2008-04-13 20:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys 2008-09-25 18:08 . 2008-04-13 20:47 25,856 --a–c— C:\WINDOWS\system32\dllcache\usbprint.sys 2008-09-25 18:07 . 2008-04-13 20:45 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys 2008-09-25 18:07 . 2008-04-13 20:45 32,128 --a–c— C:\WINDOWS\system32\dllcache\usbccgp.sys . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-10 15:37 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\avg8 2008-10-09 18:41 --------- d-----w C:\Program Files\Opera 2008-10-05 19:20 --------- d-----w C:\Documents and Settings\Maciejka\Dane aplikacji\uTorrent 2008-09-25 16:26 --------- d-----w C:\Program Files\Hewlett-Packard 2008-09-02 16:02 --------- d-----w C:\Documents and Settings\Kasia\Dane aplikacji\BearShare 2008-08-31 09:31 --------- d-----w C:\Documents and Settings\Maciejka\Dane aplikacji\BearShare 2008-08-27 19:08 --------- d-----w C:\Program Files\BearShare 2008-08-27 19:01 --------- d-----w C:\Program Files\BearShare Applications 2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll 2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe 2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll 2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll 2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll 2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll 2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll 2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2008-04-14 15360] “SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search Destroy\TeaTimer.exe” [2008-01-28 2097488] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2008-03-20 2127296] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “IgfxTray”=“C:\WINDOWS\system32\igfxtray.exe” [2007-09-24 141848] “HotKeysCmds”=“C:\WINDOWS\system32\hkcmd.exe” [2007-09-24 166424] “Persistence”=“C:\WINDOWS\system32\igfxpers.exe” [2007-09-24 137752] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2008-07-19 78008] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2008-04-14 15360] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ GlobeTrotter Connect.lnk - C:\Program Files\ERA\GlobeTrotter Connect\GlobeTrotter Connect.exe [2008-01-10 782336] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] “AppInit_DLLs”=athtxl.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] “vidc.ffds”= ffdshow.ax “MSACM.CEGSM”= mobilev.acm [HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^hp psc 2000 Series.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\hp psc 2000 Series.lnk backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup [HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^hpoddt01.exe.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\hpoddt01.exe.lnk backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] --a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare] --a------ 2008-07-21 14:28 8070584 C:\Program Files\BearShare\BearShare.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu] --a------ 2008-03-20 12:04 2127296 C:\Program Files\Gadu-Gadu\gg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-07-23 13:34 155648 C:\Program Files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite] -ra------ 2007-03-28 01:07 593920 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX] --a------ 2006-07-13 07:12 729088 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP] --a------ 2007-01-05 16:36 872448 C:\Program Files\Analog Devices\Core\smax4pnp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trans] --a------ 2008-07-10 10:06 2383800 C:\Program Files\Trans\trans.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] --a------ 2008-04-01 20:49 36352 C:\Program Files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] “UpdatesDisableNotify”=dword:00000001 [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] “%windir%\system32\sessmgr.exe”= “C:\Program Files\uTorrent\uTorrent.exe”= “%windir%\Network Diagnostic\xpnetdiag.exe”= R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416] R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560] R2 GtDetectSc;GtDetectSc;C:\Program Files\ERA\GlobeTrotter Connect\GtDetectSc.exe [2007-11-05 204915] S3 GT72NDISIPXP;GT 72 IP NDIS;C:\WINDOWS\system32\DRIVERS\Gt51Ip.sys [2007-07-09 95744] S3 GT72UBUS;GT 72 U BUS;C:\WINDOWS\system32\DRIVERS\gt72ubus.sys [2007-06-26 51968] S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-03-30 8064] S3 se59bus;Sony Ericsson Device 089 driver (WDM);C:\WINDOWS\system32\DRIVERS\se59bus.sys [2006-09-05 61536] S3 se59mdfl;Sony Ericsson Device 089 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se59mdfl.sys [2006-09-05 9360] S3 se59mdm;Sony Ericsson Device 089 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se59mdm.sys [2006-09-05 97088] S3 se59mgmt;Sony Ericsson Device 089 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se59mgmt.sys [2006-09-05 88624] S3 se59nd5;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (NDIS);C:\WINDOWS\system32\DRIVERS\se59nd5.sys [2006-09-05 18704] S3 se59obex;Sony Ericsson Device 089 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se59obex.sys [2006-09-05 86432] S3 se59unic;Sony Ericsson Device 089 USB Ethernet Emulation SEMC59 (WDM);C:\WINDOWS\system32\DRIVERS\se59unic.sys [2006-09-05 90800] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{d970260e-2dcf-11dd-88b4-00210004e23f}] \Shell\AutoRun\command - F:\setup.exe AUTORUN=1 *Newly Created Service* - AAVMKER4 *Newly Created Service* - ASWFSBLK *Newly Created Service* - ASWMON2 *Newly Created Service* - ASWRDR *Newly Created Service* - ASWSP *Newly Created Service* - ASWTDI *Newly Created Service* - ASWUPDSV *Newly Created Service* - AVAST!_ANTIVIRUS *Newly Created Service* - AVAST!_MAIL_SCANNER *Newly Created Service* - AVAST!_WEB_SCANNER . Zawartość folderu ‘Zaplanowane zadania’ 2008-10-04 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1222360163.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56] 2008-10-01 C:\WINDOWS\Tasks\FRU Task $ContextID$.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56] 2008-09-25 C:\WINDOWS\Tasks\WebReg 20080925183429.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2003-04-09 18:06] 2008-09-30 C:\WINDOWS\Tasks\WebReg 20080930163838.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2003-04-09 18:06] . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-10 21:24:37 Windows 5.1.2600 Dodatek Service Pack 3 NTFS skanowanie ukrytych procesów … skanowanie ukrytych wpisów autostartu … skanowanie ukrytych plików … skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** . Czas ukończenia: 2008-10-10 21:25:26 Przed: 72 586 649 600 bajtów wolnych Po: 72,589,041,664 bajtów wolnych 160 — E O F — 2008-09-11 17:51:48

huber2t · 10 Październik 2008 19:50

W logu nic nie widzę

usuń ręcznie folder C: \Qoobox , usuń instalkę Combofix z dysku.

Przeczyść komputer Ccleanerem

Wykonaj optymalizację autostartu

Wyłącz i włącz przywracanie systemu na wszystkich dyskach. Instrukcja

Przeskanuj obszar całego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum

lub

Dr.WEB CureIt!