Win32.Winfixer-F prosba o pomoc w usunieciu

krucydeo · 6 Sierpień 2007 16:14

Witam.

Dorwalem jakiegos trojana o nazwie Win32.Winfixer-F i w zadewn sposob ani moj Avast ani Spybot nie radzi sobie z nim. Bardzo prosze o pomoc.

Ponizej wklejam log z hijacka.

Dzieki z gory.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:08:09, on 2007-08-06

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\bca2kcpan.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\WINDOWS\VM_STI.EXE

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

C:\Program Files\WinAlarm\WinAlarm.exe

C:\Program Files\D-Link\Air USB Utility\AirCFG.exe

C:\Program Files\mxClock\mxClock.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Skroter\Skroter.exe

C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum Suite\UIWatcher.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\HDD Thermometer\HDD Thermometer.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\TrayMan\ntstart.exe

C:\PROGRA~1\TrayMan\trayman.exe

C:\Program Files\WZCBDL Service\WZCBDLS.exe

C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {62cde4f9-4464-4800-bfcf-384e3ac5de49} - C:\WINDOWS\system32\maplse.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM…\Run: [bCA2000] %SystemRoot%\system32\bca2kcpan.exe

O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [nwiz] nwiz.exe /install

O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM…\Run: [Acronis Scheduler2 Service] “C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe”

O4 - HKLM…\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x

O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM…\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

O4 - HKLM…\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM…\Run: [WinAlarm] C:\Program Files\WinAlarm\WinAlarm.exe

O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM…\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe

O4 - HKLM…\Run: [spybotSnD] “C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe” /autoclose

O4 - HKCU…\Run: [mxClock] C:\Program Files\mxClock\mxClock.exe

O4 - HKCU…\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - HKCU…\Run: [skroter_0] C:\Program Files\Skroter\Skroter.exe

O4 - HKCU…\Run: [uIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum Suite\UIWatcher.exe

O4 - HKCU…\Run: [Google Desktop Search] “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup

O4 - HKCU…\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU…\Run: [RSD_HDDThermo] C:\Program Files\HDD Thermometer\HDD Thermometer.exe

O4 - HKCU…\Run: [statBar] C:\Program Files\Globe Software\StatBar\StatBar.exe

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)

O4 - Startup: TClock.lnk = C:\Program Files\Tclock\TClock.exe

O4 - Startup: The Proxomitron.lnk = C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe

O4 - Startup: ZEGARY~1.lnk = C:\Program Files\Zegarynka\Zegarynka.exe

O4 - Global Startup: mxClock.exe.lnk = C:\Program Files\mxClock\mxClock.exe

O4 - Global Startup: TClock.lnk = C:\Program Files\Tclock\TClock.exe

O4 - Global Startup: ZEGARY~1.lnk = C:\Program Files\Zegarynka\Zegarynka.exe

O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\maplse.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\maplse.dll

O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\WINDOWS\system32\maplse.dll

O9 - Extra ‘Tools’ menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\WINDOWS\system32\maplse.dll

O9 - Extra button: Add to Sitespector - {C3BE3168-04FB-439c-BCB7-29A29C3BB6C5} - C:\WINDOWS\system32\maplse.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\maplse.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Flash Hunter - {6163F81A-7F01-45E1-996C-EDCA4388941E} - C:\PROGRA~1\Leesoft\FLASHH~1\save.htm (HKCU)

O9 - Extra ‘Tools’ menuitem: &Flash Hunter - {6163F81A-7F01-45E1-996C-EDCA4388941E} - C:\PROGRA~1\Leesoft\FLASHH~1\save.htm (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\spamexpertslsp.dll

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stag … taller.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: c:\windows\system32\awtsssp.dll

O20 - Winlogon Notify: maplse - C:\WINDOWS\SYSTEM32\maplse.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: TrayMan - Unknown owner - C:\PROGRA~1\TrayMan\ntstart.exe

O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

–

End of file - 10292 bytes

adam9870 · 6 Sierpień 2007 18:22

Złapałeś trojana Vundo:

O2 - BHO: (no name) - {62cde4f9-4464-4800-bfcf-384e3ac5de49} - C:\WINDOWS\system32\maplse.dll O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\maplse.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\maplse.dll O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\WINDOWS\system32\maplse.dll O9 - Extra ‘Tools’ menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\WINDOWS\system32\maplse.dll O9 - Extra button: Add to Sitespector - {C3BE3168-04FB-439c-BCB7-29A29C3BB6C5} - C:\WINDOWS\system32\maplse.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\maplse.dll O20 - AppInit_DLLs: c:\windows\system32\awtsssp.dll O20 - Winlogon Notify: maplse - C:\WINDOWS\SYSTEM32\maplse.dll

Użyj VundoFix + FixVundo + VirtumundoBeGone. Wszystkie narzędzia należy uruchomić w trybie awaryjnym.

Czy sam instalowałeś ten program?

Po wykonaniu wklej log z ComboFix.

krucydeo · 7 Sierpień 2007 02:04

Witam.

Niestety moja walka pomimo ze jest 4 nad ranem nie przyniosla rezultatu. Dalej to samo. Probowaem roznych wariantow uruchomienia tych programikow leczacych i kicha.

Skroter to taki progam wlasciwie do programow portable tu http://www.pess.pl jest opisany. Mam go juz bardzo dlugo i mysle ze nie jest grozny.

Wklejam log z ComboFixa a w nastepnym poscie ze skanera ktory niby usunal trojana a fycznie nic sie nie zadzialo.

ComboFix 07-08-04.3 - “Dakoz” 2007-08-07 3:13:07.1 [GMT 2:00] - NTFS

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.Prawda

* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Dakoz\DANEAP~1\tmpC8.tmp.exe

C:\DOCUME~1\Dakoz\DANEAP~1\tmpCD.tmp.exe

C:\WINDOWS\hosts

C:\WINDOWS\system32\dn5c4ff0aa.dat

C:\WINDOWS\system32\gebcb.exe

C:\WINDOWS\system32\hlinime.dll

C:\WINDOWS\system32\qwerty12.exe

C:\WINDOWS\system32\tmpCD.tmp.dll

((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))

2007-08-07 03:12 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-08-07 02:33 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT

2007-08-07 02:33

2007-08-06 20:59

2007-08-06 17:58

2007-08-05 03:17 131,448 --a------ C:\WINDOWS\ljifdb.dll

2007-08-05 00:23 92,730 --a------ C:\WINDOWS\system32\maplse.dll.vir

2007-08-05 00:22 13,380 --a------ C:\WINDOWS\system32\awtsssp.dll

2007-08-02 14:36 84,992 --a------ C:\WINDOWS\WebAssist.dll

2007-08-02 13:55 24,128 --a------ C:\WINDOWS\system32\cPmF8i5L.exe

2007-07-26 01:41

2007-07-09 21:07 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll

2007-07-09 21:07 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 03:20 105428 --a------ C:\WINDOWS\system32\gebcc.exe

2007-08-07 01:55 --------- d-------- C:\Program Files\eMule

2007-08-07 01:35 --------- d-------- C:\Program Files\Sitespector

2007-08-07 01:17 --------- d-------- C:\DOCUME~1\Dakoz\DANEAP~1\foobar2000

2007-08-06 21:20 --------- d-------- C:\DOCUME~1\Dakoz\DANEAP~1\Skype

2007-08-05 23:15 --------- d-------- C:\Program Files\Opera

2007-08-04 00:39 --------- d-------- C:\Program Files\40tude Dialog

2007-08-02 13:55 --------- d-------- C:\Program Files\WinAlarm

2007-08-01 18:53 --------- d-------- C:\DOCUME~1\Dakoz\DANEAP~1\OpenOffice.ux.pl2

2007-08-01 18:24 --------- d-------- C:\Program Files\NAPI-PROJEKT

2007-07-30 01:37 --------- d-------- C:\Program Files\DivX

2007-07-28 00:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe

2007-07-28 00:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys

2007-07-28 00:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys

2007-07-28 00:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys

2007-07-27 23:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys

2007-07-27 23:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys

2007-07-27 23:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr

2007-07-18 19:10 --------- d-------- C:\DOCUME~1\Dakoz\DANEAP~1\MyPhoneExplorer

2007-07-06 00:57 --------- d-------- C:\Program Files\Gadu-Gadu

2007-07-03 12:24 --------- d-------- C:\Program Files\MyPhoneExplorer

2007-06-30 17:54 --------- d-------- C:\Program Files\Tray Helper_Dakoz

2007-06-28 00:41 --------- d–h----- C:\Program Files\InstallShield Installation Information

2007-06-28 00:41 --------- d-------- C:\Program Files\Ontrack

2007-06-28 00:39 --------- d-------- C:\Program Files\chelloPL

2007-06-27 20:50 --------- d-------- C:\Program Files\PWN Wrapper

2007-06-26 01:54 --------- d-------- C:\Program Files\WZCBDL Service

2007-06-26 01:54 --------- d-------- C:\Program Files\NIOC Service

2007-06-26 01:54 --------- d-------- C:\Program Files\D-Link

2007-06-24 12:33 --------- d–h----- C:\Program Files\WindowsUpdate

2007-06-24 01:48 49492 --a------ C:\WINDOWS\system32\perfc015.dat

2007-06-24 01:48 355486 --a------ C:\WINDOWS\system32\perfh015.dat

2007-06-24 01:01 --------- d-------- C:\Program Files\Messenger

2007-06-24 01:00 --------- d-------- C:\Program Files\Movie Maker

2007-06-24 00:58 --------- d-------- C:\Program Files\Windows NT

2007-06-22 11:34 --------- d-------- C:\Program Files\MAILMOA

2007-06-19 10:46 --------- d-------- C:\Program Files\WinAVIVideoConverter

2007-06-18 00:47 --------- d-------- C:\Program Files\Audacity

2007-06-15 21:55 --------- d-------- C:\Program Files\miranda-im

2007-06-14 23:10 636416 --a------ C:\WINDOWS\system32\drivers\PRISMUSB.sys

2007-06-13 23:36 --------- d-------- C:\Program Files\Common Files\Skype

2007-06-13 19:08 --------- d-------- C:\DOCUME~1\Dakoz\DANEAP~1\DeepBurner

2007-06-11 23:30 --------- d-------- C:\DOCUME~1\Dakoz\DANEAP~1\Sync App Settings

2007-06-11 23:27 --------- d-------- C:\Program Files\Allway Sync

2007-06-11 20:22 --------- d-------- C:\Program Files\All Media Fixer

2006-01-03 01:05:06 56 --sh–r C:\WINDOWS\system32\E377CC80D8.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{181fc8e4-14be-4b30-a7c1-7f6b1d34c099}]

2007-08-07 03:20 92702 --a------ C:\WINDOWS\system32\kbdlpq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-07-28 00:03]

“BCA2000”=“C:\WINDOWS\system32\bca2kcpan.exe” [2006-09-17 16:03]

“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 12:50]

“NvCplDaemon”=“C:\WINDOWS\System32\NvCpl.dll” [2003-09-23 09:51]

“nwiz”=“nwiz.exe” [2003-09-23 09:51 C:\WINDOWS\system32\nwiz.exe]

“SoundMan”=“SOUNDMAN.EXE” [2003-08-05 07:59 C:\WINDOWS\SOUNDMAN.EXE]

“Acronis Scheduler2 Service”=“C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe” [2006-01-08 18:26]

“BigDogPath”=“C:\WINDOWS\VM_STI.exe” [2003-01-21 09:19]

“InCD”=“C:\Program Files\Ahead\InCD\InCD.exe” [2004-02-27 17:02]

“WinFast Schedule”=“C:\Program Files\WinFast\WFTVFM\WFWIZ.exe” [2005-05-04 18:51]

“Logitech Hardware Abstraction Layer”=“KHALMNPR.EXE” [2005-07-22 23:25 C:\WINDOWS\KHALMNPR.Exe]

“WinAlarm”=“C:\Program Files\WinAlarm\WinAlarm.exe” [2006-11-08 17:20]

“D-Link Air USB Utility”=“C:\Program Files\D-Link\Air USB Utility\AirCFG.exe” [2003-07-23 08:21]

“SpybotSnD”=“C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe” [2005-05-31 02:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“mxClock”=“C:\Program Files\mxClock\mxClock.exe” [2006-03-08 01:34]

“LDM”=“C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe” [2007-02-21 12:48]

“Skroter_0”=“C:\Program Files\Skroter\Skroter.exe” [2006-04-27 16:51]

“UIWatcher”=“C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum Suite\UIWatcher.exe” [2005-02-04 22:36]

“Google Desktop Search”=“C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” []

“SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [2005-05-31 02:04]

“RSD_HDDThermo”=“C:\Program Files\HDD Thermometer\HDD Thermometer.exe” [2005-04-01 19:02]

“StatBar”=“C:\Program Files\Globe Software\StatBar\StatBar.exe” [2003-07-25 03:40]

C:\Documents and Settings\Dakoz\Menu Start\Programy\Autostart\

TClock.lnk - C:\Program Files\Tclock\TClock.exe [2005-12-19 22:50:26]

The Proxomitron.lnk - C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe [2003-06-01 18:03:48]

ZEGARY~1.lnk - C:\Program Files\Zegarynka\Zegarynka.exe [2005-12-29 04:38:52]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

mxClock.exe.lnk - C:\Program Files\mxClock\mxClock.exe [2006-04-02 18:27:29]

TClock.lnk - C:\Program Files\Tclock\TClock.exe [2005-12-19 22:50:26]

ZEGARY~1.lnk - C:\Program Files\Zegarynka\Zegarynka.exe [2005-12-29 04:38:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

“NoLowDiskSpaceChecks”=1 (0x1)

“ClearRecentDocsOnExit”=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

“{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}”= C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll [2006-11-22 13:57 348160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kbdlpq]

kbdlpq.dll 2007-08-07 03:20 92702 C:\WINDOWS\system32\kbdlpq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

“appinit_dlls”=c:\windows\system32\awtsssp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

“Authentication Packages”= msv1_0 relog_ap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

“Google Desktop Search”=“C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup

R0 BTHidMgr;Bluetooth HID Manager Service;C:\WINDOWS\system32\Drivers\BTHidMgr.sys

R0 hotcore;hotcore;C:\WINDOWS\system32\drivers\hotcore.sys

R0 hotcore2;hotcore2;C:\WINDOWS\system32\drivers\hotcore2.sys

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys

R0 timounter;Acronis TrueImage Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys

R0 Vax347b;Vax347b;C:\WINDOWS\system32\DRIVERS\Vax347b.sys

R0 Vax347s;Vax347s;C:\WINDOWS\system32\Drivers\Vax347s.sys

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys

R2 EDmjpg;EDmjpg, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\EDmjpg.sys

R2 NIOC;NIOC Service;??\C:\WINDOWS\system32\NIOC.SYS

R2 SVKP;SVKP;??\C:\WINDOWS\System32\SVKP.sys

R2 tifsfilter;Acronis TrueImage FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys

R2 WF23880;WinFast TV2000/DV2000 WDM Video Capture.;C:\WINDOWS\system32\drivers\wf88vcap.sys

R2 WF88XBAR;WinFast TV2000/DV2000 WDM Crossbar.;C:\WINDOWS\system32\drivers\WF88XBAR.sys

R2 WFTUNE;WinFast TV2000/DV2000 WDM Tuner.;C:\WINDOWS\system32\drivers\WF88TUNE.sys

R2 WZCBDLService;WZCBDL Service;“C:\Program Files\WZCBDL Service\WZCBDLS.exe”

R3 ALCXSENS;Service for WDM 3D Audio Driver;C:\WINDOWS\system32\drivers\ALCXSENS.SYS

R3 BlueletAudio;Bluetooth Audio Service;C:\WINDOWS\system32\DRIVERS\blueletaudio.sys

R3 BlueletSCOAudio;Bluetooth SCO Audio Service;C:\WINDOWS\system32\DRIVERS\BlueletSCOAudio.sys

R3 BT;Bluetooth PAN Network Adapter;C:\WINDOWS\system32\DRIVERS\btnetdrv.sys

R3 BTHidEnum;Bluetooth HID Enumerator;C:\WINDOWS\system32\DRIVERS\vbtenum.sys

R3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\L8042mou.Sys

R3 LMouKE;Logitech SetPoint Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouKE.Sys

R3 ms_mpu401;Sterownik portu MIDI UART Microsoft MPU-401;C:\WINDOWS\system32\drivers\msmpu401.sys

R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys

R3 VComm;Virtual Serial port driver;C:\WINDOWS\system32\DRIVERS\VComm.sys

R3 VcommMgr;Bluetooth VComm Manager Service;C:\WINDOWS\system32\Drivers\VcommMgr.sys

R3 WFIOCTL;WFIOCTL;??\C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS

R3 ZSMC301b;VIMICRO USB PC Camera 301x;C:\WINDOWS\system32\Drivers\usbVM31b.sys

S2 NULOAD;Behringer BCA2000 Bootloader;C:\WINDOWS\system32\Drivers\bca2000ldr.sys

S2 OODefrag;O&O Defrag;C:\WINDOWS\System32\oodag.exe

S3 BCA2000;Behringer BCA2000 V2.1.0.6;C:\WINDOWS\system32\Drivers\bca2000.sys

S3 BCA2000WDM;Behringer BCA2000WDM V2.1.0.6;C:\WINDOWS\system32\Drivers\BCA2000WDM.SYS

S3 Btcsrusb;Bluetooth USB For Bluetooth Service;C:\WINDOWS\system32\Drivers\btcusb.sys

S3 BTNetFilter;Bluetooth Network Filter;??\C:\WINDOWS\system32\drivers\BTNetFilter.sys

S3 k750bus;Sony Ericsson 750 driver (WDM);C:\WINDOWS\system32\DRIVERS\k750bus.sys

S3 k750mdfl;Sony Ericsson 750 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k750mdfl.sys

S3 k750mdm;Sony Ericsson 750 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k750mdm.sys

S3 k750mgmt;Sony Ericsson 750 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k750mgmt.sys

S3 k750obex;Sony Ericsson 750 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k750obex.sys

S3 LHidKe;Logitech SetPoint HID Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LHidKE.Sys

S3 MEMSWEEP2;MEMSWEEP2;??\C:\WINDOWS\System32\SophosMEMSWEEP.SYS

S3 NETMDUSB;Net MD;C:\WINDOWS\system32\Drivers\NETMDUSB.sys

S3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\PRISMUSB.sys

S3 QCDonner;Logitech QuickCam Express;C:\WINDOWS\system32\DRIVERS\OVCD.sys

S3 RDID1027;EDIROL PCR;C:\WINDOWS\system32\Drivers\rdwm1027.sys

S3 SynasUSB;SynasUSB;C:\WINDOWS\system32\drivers\SynasUSB.sys

Contents of the ‘Scheduled Tasks’ folder

2007-08-06 22:00:29 C:\WINDOWS\Tasks\At1.job

2007-08-02 11:55:16 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-02 11:55:16 C:\WINDOWS\Tasks\At11.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-06 09:00:30 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-06 10:00:30 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-06 11:00:30 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-06 12:00:31 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-06 13:00:30 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-06 14:00:30 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-06 15:00:30 C:\WINDOWS\Tasks\At18.job

2007-08-06 16:00:30 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-06 23:00:33 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-06 17:00:32 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-06 18:00:30 C:\WINDOWS\Tasks\At21.job

2007-08-06 19:00:32 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-06 20:00:30 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-06 21:00:30 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-07 00:00:31 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-05 01:00:31 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-02 11:55:16 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-02 11:55:16 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-02 11:55:16 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-02 11:55:16 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\cPmF8i5L.exe

2007-08-02 11:55:16 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\cPmF8i5L.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-08-07 03:18:51

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden registry entries …

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]

“OODEFRAG04.00.00.01SERVER”=“1678E7DED8826840B172BC11275FE9A0FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E667A6A0AC4980AC7933A6171C11EC38DE3DBA7FD869164D6794E015AE4F3D7E7329C9E31E36A99B2B40140A9715F97B5808202C5B2903701D608F4577CE18DF241680DBA475112D05CA668BAAF46DDCABA86ADF542475215C67DE7AF8C9FA22BF213F8C91D2A3A400F4479E60653EF2FC7C0D2B263AB12782134003E7C7F8321DE36089C9422A43F75416BC6E670FF4C6B7138BF59555CC4AD007017B414611D9271FBAB4AA916087B09B318F6CA62D46BDEB536F571FF332C2ECEB70233B53D56D1F5ABF63ED661086001E805B70FB7E286C28C0137390FC400E0F85CD552334E764FA5CBCF3D3B7075476828FFA5435C449849C5258AAB35469887E9836BD5D00D8FD7D777DB9E6160984DBD879BDF4961F35BA8FFCDD1FBCE44A23492174FE50481C9DCA88BE4C4C75E4D5F842530C51EDDBD33AB05CD06BC71DBE1FFE2C0728E661385E379DD5F55388BEA7D1C30BDE99EF27B7E4E71A09401AA14ADEDEAB8BC8ADCD544FA5BB94C0B36811C4D3495D67B8F8DF33DA12EDDC311EEFEE19E331E633E33ABA3676DB417E275260D8621E05D50E7ED6A0952993248DA9067CEA869EFB031908C8C2B43C57D57E09BF312600B7B15430B8C27EBA0B4B049B3E43A8326237E967E5A0BBF87D519ECB065B304D26B21344B97C6311CE367F4E27AF6CC716121A302BD7C0A7077C2C55C1C328C3B8E265B8496A02B52F31125D163859E51BA68D5C4C6FC8DA5C3B957B9717B09E5E1A67DBA5F63AAD40A6A42F7AA8AAFB4A0F98888F368C0939784033C3C29F7CD833269A1E521D60E57F93CB5A9350DB4D6705784E3B788BB02280979577FBE13E8B280C17EEF11ADD2DAFDF4F4A6DB926501311F754ACA1252823E7F0AD87B6F786E5658804328C36A2BFBC86E559AE276F72DA0D9C7E6E5082E5064C9EAFC4C28A4984800E8ECCCFD6FA5740C2A03A796B4A86A56EF5F53FA8FC7AB2C71DBCB182B3689CC9E7D0E2C610C85401813C97F1B464EA6DCEA5511A0F70446C27322A5C78B5133CD5767A719ECCA8857079D0353E6A1CFC7BC9BDD6B7B4B492DB1B660C61332AAB217D755A3CC5BC76941D4BE6EBB20BC61F958B65053BC882FDD3F308284D41A34B8A0609F0B7A0C1C9337C42307A9C38121E184FF99A5E4D819BB349FD14C5728327328ABBCC7B979EAD3003F7A44D82E06014A28D8F64C291965CD0863B3EAC32BD56EB0CCF04EA5762086820B62B1A4DB883F0ABF55C7A894AF81F5A9A4129712120C347B28A74EB897739FADA5639CA6AC04F33525FCD7CA4633C052EFA028F8213A7478BEDB1074144BD4DDD87DB031BF6D7F5CC185AB072513207162D1710”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]

“DisplayName”=“Alcohol 120”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]

“Order”=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved{2B7DE781-77BE-76BB-EE32-B0A7B95E562E}]

“naeakomjmiamonmpilkgphefcbpi”=hex:6b,61,66,6f,6a,68,67,6a,66,62,6f,6b,68,6f,62,62,6b,6c,61,6a,63,…

“maeakomjmiameoondfllaiflek”=hex:6b,61,66,6f,6a,68,67,6a,66,62,6f,6b,68,6f,63,62,6c,67,67,64,6f,…

scanning hidden files …

C:\WINDOWS\system32\kbdlpq.dll

C:\WINDOWS\system32\dn5c4ff0aa.dat

scan completed successfully

hidden files: 2

**************************************************************************

Completion time: 2007-08-07 3:21:53 - machine was rebooted

C:\ComboFix-quarantined-files.txt … 2007-08-07 03:21

— E O F —

Złączono Posta : 07.08.2007 (Wto) 4:08

Jedynie ten programik cos wykryl ale nie wyleczyl tak faktycznie. Pozostale pokazuja ze jest czysto a nie jest bo dalej laduje mi sie stronka z ErrorSafe i Avast pokazuje trojana jako NetInstaler.exe. Fakt ze byc moze te pliki blokuje Spybot i Avast ale przeciez dzialalem w awaryjnym i tez kicha.

Bardzo prosze i jakies inne sugestie jak sobie z tym syfem poradzic.

Pozdrawiam.

[08/07/2007, 3:05:33] - VirtumundoBeGone v1.5

[08/07/2007, 3:05:41] - Detected System Information:

[08/07/2007, 3:05:41] - Windows Version: 5.1.2600, Dodatek Service Pack 2

[08/07/2007, 3:05:41] - Current Username: Administrator (Admin)

[08/07/2007, 3:05:41] - Windows is in SAFE mode with Networking.

[08/07/2007, 3:05:41] - Searching for Browser Helper Objects:

[08/07/2007, 3:05:41] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[08/07/2007, 3:05:41] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()

[08/07/2007, 3:05:41] - WARNING: BHO has no default name. Checking for Winlogon reference.

[08/07/2007, 3:05:41] - Checking for HKLM…\Winlogon\Notify\SDHelper

[08/07/2007, 3:05:41] - Key not found: HKLM…\Winlogon\Notify\SDHelper, continuing.

[08/07/2007, 3:05:41] - BHO 3: {62cde4f9-4464-4800-bfcf-384e3ac5de49} ()

[08/07/2007, 3:05:41] - WARNING: BHO has no default name. Checking for Winlogon reference.

[08/07/2007, 3:05:41] - Checking for HKLM…\Winlogon\Notify\maplse

[08/07/2007, 3:05:41] - Found: HKLM…\Winlogon\Notify\maplse - This is probably Virtumundo.

[08/07/2007, 3:05:41] - Assigning {62cde4f9-4464-4800-bfcf-384e3ac5de49} MSEvents Object

[08/07/2007, 3:05:41] - BHO list has been changed! Starting over…

[08/07/2007, 3:05:41] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[08/07/2007, 3:05:41] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()

[08/07/2007, 3:05:41] - WARNING: BHO has no default name. Checking for Winlogon reference.

[08/07/2007, 3:05:41] - Checking for HKLM…\Winlogon\Notify\SDHelper

[08/07/2007, 3:05:41] - Key not found: HKLM…\Winlogon\Notify\SDHelper, continuing.

[08/07/2007, 3:05:41] - BHO 3: {62cde4f9-4464-4800-bfcf-384e3ac5de49} (MSEvents Object)

[08/07/2007, 3:05:41] - ALERT: Found MSEvents Object!

[08/07/2007, 3:05:41] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

[08/07/2007, 3:05:41] - Finished Searching Browser Helper Objects

[08/07/2007, 3:05:41] - *** Detected MSEvents Object

[08/07/2007, 3:05:41] - Trying to remove MSEvents Object…

[08/07/2007, 3:05:42] - Terminating Process: IEXPLORE.EXE

[08/07/2007, 3:05:42] - Terminating Process: RUNDLL32.EXE

[08/07/2007, 3:05:42] - Disabling Automatic Shell Restart

[08/07/2007, 3:05:42] - Terminating Process: EXPLORER.EXE

[08/07/2007, 3:05:42] - Suspending the NT Session Manager System Service

[08/07/2007, 3:05:42] - Terminating Windows NT Logon/Logoff Manager

[08/07/2007, 3:05:42] - Re-enabling Automatic Shell Restart

[08/07/2007, 3:05:42] - File to disable: C:\WINDOWS\system32\maplse.dll

[08/07/2007, 3:05:42] - Renaming C:\WINDOWS\system32\maplse.dll -> C:\WINDOWS\system32\maplse.dll.vir

[08/07/2007, 3:05:43] - File successfully renamed!

[08/07/2007, 3:05:43] - Removing HKLM…\Browser Helper Objects{62cde4f9-4464-4800-bfcf-384e3ac5de49}

[08/07/2007, 3:05:43] - Removing HKCR\CLSID{62cde4f9-4464-4800-bfcf-384e3ac5de49}

[08/07/2007, 3:05:43] - Adding Kill Bit for ActiveX for GUID: {62cde4f9-4464-4800-bfcf-384e3ac5de49}

[08/07/2007, 3:05:43] - Deleting ATLEvents/MSEvents Registry entries

[08/07/2007, 3:05:43] - Removing HKLM…\Winlogon\Notify\maplse

[08/07/2007, 3:05:43] - Searching for Browser Helper Objects:

[08/07/2007, 3:05:43] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[08/07/2007, 3:05:43] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()

[08/07/2007, 3:05:43] - WARNING: BHO has no default name. Checking for Winlogon reference.

[08/07/2007, 3:05:43] - Checking for HKLM…\Winlogon\Notify\SDHelper

[08/07/2007, 3:05:43] - Key not found: HKLM…\Winlogon\Notify\SDHelper, continuing.

[08/07/2007, 3:05:43] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

[08/07/2007, 3:05:43] - Finished Searching Browser Helper Objects

[08/07/2007, 3:05:43] - Finishing up…

[08/07/2007, 3:05:43] - A restart is needed.

[08/07/2007, 3:06:12] - Attempting to Restart via STOP error (Blue Screen!)

[08/07/2007, 3:35:28] - VirtumundoBeGone v1.5 ( “E:\Downloads\File\Soft\Do Testow\Winf\VirtumundoBeGone.exe” )

[08/07/2007, 3:35:45] - Detected System Information:

[08/07/2007, 3:35:45] - Windows Version: 5.1.2600, Dodatek Service Pack 2

[08/07/2007, 3:35:45] - Current Username: Administrator (Admin)

[08/07/2007, 3:35:45] - Windows is in SAFE mode with Networking.

[08/07/2007, 3:35:45] - Searching for Browser Helper Objects:

[08/07/2007, 3:35:45] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[08/07/2007, 3:35:45] - BHO 2: {181fc8e4-14be-4b30-a7c1-7f6b1d34c099} ()

[08/07/2007, 3:35:45] - WARNING: BHO has no default name. Checking for Winlogon reference.

[08/07/2007, 3:35:45] - Checking for HKLM…\Winlogon\Notify\kbdlpq

[08/07/2007, 3:35:45] - Found: HKLM…\Winlogon\Notify\kbdlpq - This is probably Virtumundo.

[08/07/2007, 3:35:45] - Assigning {181fc8e4-14be-4b30-a7c1-7f6b1d34c099} MSEvents Object

[08/07/2007, 3:35:45] - BHO list has been changed! Starting over…

[08/07/2007, 3:35:45] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[08/07/2007, 3:35:45] - BHO 2: {181fc8e4-14be-4b30-a7c1-7f6b1d34c099} (MSEvents Object)

[08/07/2007, 3:35:45] - ALERT: Found MSEvents Object!

[08/07/2007, 3:35:45] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()

[08/07/2007, 3:35:45] - WARNING: BHO has no default name. Checking for Winlogon reference.

[08/07/2007, 3:35:45] - Checking for HKLM…\Winlogon\Notify\SDHelper

[08/07/2007, 3:35:45] - Key not found: HKLM…\Winlogon\Notify\SDHelper, continuing.

[08/07/2007, 3:35:45] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

[08/07/2007, 3:35:45] - Finished Searching Browser Helper Objects

[08/07/2007, 3:35:45] - *** Detected MSEvents Object

[08/07/2007, 3:35:45] - Trying to remove MSEvents Object…

[08/07/2007, 3:35:46] - Terminating Process: IEXPLORE.EXE

[08/07/2007, 3:35:47] - Terminating Process: RUNDLL32.EXE

[08/07/2007, 3:35:47] - Disabling Automatic Shell Restart

[08/07/2007, 3:35:47] - Terminating Process: EXPLORER.EXE

[08/07/2007, 3:35:47] - Suspending the NT Session Manager System Service

[08/07/2007, 3:35:47] - Terminating Windows NT Logon/Logoff Manager

[08/07/2007, 3:35:47] - Re-enabling Automatic Shell Restart

[08/07/2007, 3:35:47] - File to disable: C:\WINDOWS\system32\kbdlpq.dll

[08/07/2007, 3:35:47] - Renaming C:\WINDOWS\system32\kbdlpq.dll -> C:\WINDOWS\system32\kbdlpq.dll.vir

[08/07/2007, 3:35:47] - File successfully renamed!

[08/07/2007, 3:35:47] - Removing HKLM…\Browser Helper Objects{181fc8e4-14be-4b30-a7c1-7f6b1d34c099}

[08/07/2007, 3:35:47] - Removing HKCR\CLSID{181fc8e4-14be-4b30-a7c1-7f6b1d34c099}

[08/07/2007, 3:35:47] - Adding Kill Bit for ActiveX for GUID: {181fc8e4-14be-4b30-a7c1-7f6b1d34c099}

[08/07/2007, 3:35:47] - Deleting ATLEvents/MSEvents Registry entries

[08/07/2007, 3:35:47] - Removing HKLM…\Winlogon\Notify\kbdlpq

[08/07/2007, 3:35:47] - Searching for Browser Helper Objects:

[08/07/2007, 3:35:47] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[08/07/2007, 3:35:47] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()

[08/07/2007, 3:35:47] - WARNING: BHO has no default name. Checking for Winlogon reference.

[08/07/2007, 3:35:47] - Checking for HKLM…\Winlogon\Notify\SDHelper

[08/07/2007, 3:35:47] - Key not found: HKLM…\Winlogon\Notify\SDHelper, continuing.

[08/07/2007, 3:35:47] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

[08/07/2007, 3:35:47] - Finished Searching Browser Helper Objects

[08/07/2007, 3:35:47] - Finishing up…

[08/07/2007, 3:35:47] - A restart is needed.

[08/07/2007, 3:35:59] - Attempting to Restart via STOP error (Blue Screen!)

[08/07/2007, 3:49:06] - VirtumundoBeGone v1.5 ( “E:\Downloads\File\Soft\Do Testow\Winf\VirtumundoBeGone.exe” )

[08/07/2007, 3:49:13] - Detected System Information:

[08/07/2007, 3:49:13] - Windows Version: 5.1.2600, Dodatek Service Pack 2

[08/07/2007, 3:49:13] - Current Username: Dakoz (Admin)

[08/07/2007, 3:49:13] - Windows is in NORMAL mode.

[08/07/2007, 3:49:13] - Searching for Browser Helper Objects:

[08/07/2007, 3:49:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[08/07/2007, 3:49:13] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()

[08/07/2007, 3:49:13] - WARNING: BHO has no default name. Checking for Winlogon reference.

[08/07/2007, 3:49:13] - Checking for HKLM…\Winlogon\Notify\SDHelper

[08/07/2007, 3:49:13] - Key not found: HKLM…\Winlogon\Notify\SDHelper, continuing.

[08/07/2007, 3:49:13] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

[08/07/2007, 3:49:13] - BHO 4: {e2c226e6-18d8-4ba1-b13d-b787b6dce425} ()

[08/07/2007, 3:49:13] - WARNING: BHO has no default name. Checking for Winlogon reference.

[08/07/2007, 3:49:13] - Checking for HKLM…\Winlogon\Notify\dmbs32

[08/07/2007, 3:49:13] - Found: HKLM…\Winlogon\Notify\dmbs32 - This is probably Virtumundo.

[08/07/2007, 3:49:13] - Assigning {e2c226e6-18d8-4ba1-b13d-b787b6dce425} MSEvents Object

[08/07/2007, 3:49:13] - BHO list has been changed! Starting over…

[08/07/2007, 3:49:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[08/07/2007, 3:49:13] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()

[08/07/2007, 3:49:13] - WARNING: BHO has no default name. Checking for Winlogon reference.

[08/07/2007, 3:49:13] - Checking for HKLM…\Winlogon\Notify\SDHelper

[08/07/2007, 3:49:14] - Key not found: HKLM…\Winlogon\Notify\SDHelper, continuing.

[08/07/2007, 3:49:14] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

[08/07/2007, 3:49:14] - BHO 4: {e2c226e6-18d8-4ba1-b13d-b787b6dce425} (MSEvents Object)

[08/07/2007, 3:49:14] - ALERT: Found MSEvents Object!

[08/07/2007, 3:49:14] - Finished Searching Browser Helper Objects

[08/07/2007, 3:49:14] - *** Detected MSEvents Object

[08/07/2007, 3:49:14] - Trying to remove MSEvents Object…

[08/07/2007, 3:49:15] - Terminating Process: IEXPLORE.EXE

[08/07/2007, 3:49:15] - Terminating Process: RUNDLL32.EXE

[08/07/2007, 3:49:15] - Disabling Automatic Shell Restart

[08/07/2007, 3:49:15] - Terminating Process: EXPLORER.EXE

[08/07/2007, 3:49:15] - Suspending the NT Session Manager System Service

[08/07/2007, 3:49:15] - Terminating Windows NT Logon/Logoff Manager

[08/07/2007, 3:49:16] - Re-enabling Automatic Shell Restart

[08/07/2007, 3:49:16] - File to disable: C:\WINDOWS\system32\dmbs32.dll

[08/07/2007, 3:49:16] - Renaming C:\WINDOWS\system32\dmbs32.dll -> C:\WINDOWS\system32\dmbs32.dll.vir

[08/07/2007, 3:49:16] - ! File rename was unsucessful.

[08/07/2007, 3:49:16] - Attempting to Deny Access to C:\WINDOWS\system32\dmbs32.dll

[08/07/2007, 3:49:16] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.

[08/07/2007, 3:49:16] - ERROR: Nie zosta

[08/07/2007, 3:49:16] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.

[08/07/2007, 3:49:16] - Removing HKLM…\Browser Helper Objects{e2c226e6-18d8-4ba1-b13d-b787b6dce425}

[08/07/2007, 3:49:16] - Removing HKCR\CLSID{e2c226e6-18d8-4ba1-b13d-b787b6dce425}

[08/07/2007, 3:49:16] - Adding Kill Bit for ActiveX for GUID: {e2c226e6-18d8-4ba1-b13d-b787b6dce425}

[08/07/2007, 3:49:16] - Deleting ATLEvents/MSEvents Registry entries

[08/07/2007, 3:49:16] - Removing HKLM…\Winlogon\Notify\dmbs32

[08/07/2007, 3:49:16] - Searching for Browser Helper Objects:

[08/07/2007, 3:49:16] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[08/07/2007, 3:49:16] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()

[08/07/2007, 3:49:16] - WARNING: BHO has no default name. Checking for Winlogon reference.

[08/07/2007, 3:49:16] - Checking for HKLM…\Winlogon\Notify\SDHelper

[08/07/2007, 3:49:16] - Key not found: HKLM…\Winlogon\Notify\SDHelper, continuing.

[08/07/2007, 3:49:16] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

[08/07/2007, 3:49:16] - Finished Searching Browser Helper Objects

[08/07/2007, 3:49:16] - Finishing up…

[08/07/2007, 3:49:16] - A restart is needed.

[08/07/2007, 3:49:28] - Attempting to Restart via STOP error (Blue Screen!)

jessica · 7 Sierpień 2007 06:47

Wklej do Notatnika :

File::

C:\WINDOWS\ljifdb.dll 

C:\WINDOWS\system32\maplse.dll.vir 

C:\WINDOWS\system32\awtsssp.dll 

C:\WINDOWS\WebAssist.dll 

C:\WINDOWS\system32\cPmF8i5L.exe

C:\WINDOWS\system32\gebcc.exe

C:\WINDOWS\system32\kbdlpq.dll


Registry::

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{181fc8e4-14be-4b30-a7c1-7f6b1d34c099}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kbdlpq]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] 

"appinit_dlls"=""

>>Plik>>Zapisz jako… >>> ComboFix-Do (najwygodniej będzie,

jeśli zapiszesz w takiej lokalizacji, by ikonka ComboFix-Do znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik ComboFix-Do.txt na plik ComboFix.exe

(czyli ikonkę ComboFix-Do.txt na ikonkę ComboFix.exe )

– tak jak na tym obrazku -->http://i12.tinypic.com/4l761r5.gif

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Potem:

>>Start>>Panel Sterowania>>Zaplanowane Zadania>>usuń wszystkie zadania podobne do tego “At10” (jest ich 24 sztuk).

Nie wiem, co to jest - nie mogę znaleźć tego “CLSID” w internecie, co tym bardziej jest podejrzane.

.Potem daj nowy log z ComboFixa.

.

EDIT:

To nie moja wina, że ten post jest tak “rozjechany”!

.