Wirus ktorego nie moge sie pozbyc

Dla specjalistów Bezpieczeństwo
#1

Hej,

Mam podobny problem jak tu: http://forum.idg.pl/lofiversion/index.php/t117248.html

Obecnie mam jednak juz biale tlo. Ale dalej jest zainfekowane. Ogolnie nie znam sie na tym, wiec prosze o wytlumaczenie krok po kroku co powinienem zrobic (tak dla poczatkujacego urzytkownika).

Z gory dzieki.

A oto log z HijackThis:

Logfile of HijackThis v1.99.1

Scan saved at 01:18:34, on 2008-05-05

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\ATK0100\HControl.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe

C:\Program Files\Wireless Console 2\wcourier.exe

C:\Program Files\Search Settings\SearchSettings.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\ATK0100\ATKOSD.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\gkopcza\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5&lid=2

R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)

O4 - HKLM…\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe

O4 - HKLM…\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd

O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”

O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”

O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime

O4 - HKLM…\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”

O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe”

O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe

O4 - HKLM…\Run: [searchSettings] C:\Program Files\Search Settings\SearchSettings.exe

O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM…\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [DAEMON Tools Lite] “C:\Program Files\DAEMON Tools Lite\daemon.exe” -autorun

O4 - HKCU…\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background

O4 - HKCU…\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O21 - SSODL: tdomgafw - {C3ECBA78-A353-4B59-B2D4-86D136DFC3BC} - C:\WINDOWS\tdomgafw.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#2

fix w hijackthis

Pobierz ComboFix, ale nie uruchamiaj

Wklej do notatnika:

File::

C:\WINDOWS\tdomgafw.dll


Folder::

C:\Program Files\Search Settings

Plik -> zapisz jako -> CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok

ikonki ComboFix.exe)

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu ->

02f8f1e3c410a4cc.gif

Powinno się rozpocząć usuwanie i powstanie log, daj ten log na forum.

#3

teraz jest biale tlo.

oto log z combofixa:

ComboFix 08-05-01.3 - gkopcza 2008-05-05 9:47:45.3 - FAT32 x86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.91 [GMT 1:00]

Running from: C:\Documents and Settings\gkopcza\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\gkopcza\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\WINDOWS\tdomgafw.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Program Files\Search Settings

C:\Program Files\Search Settings\kb127\SearchSettingsRes409.dll

C:\Program Files\Search Settings\SearchSettings.exe

C:\WINDOWS\privacy_danger

C:\WINDOWS\privacy_danger\images\capt.gif

C:\WINDOWS\privacy_danger\images\danger.jpg

C:\WINDOWS\privacy_danger\images\down.gif

C:\WINDOWS\privacy_danger\images\spacer.gif

C:\WINDOWS\privacy_danger\index.htm

C:\WINDOWS\tdomgafw.dll

.

((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))

.

2008-05-05 00:42 . 2008-05-05 00:42

2008-05-05 00:04 . 2008-05-05 00:04 230 --a------ C:\WINDOWS\system32\spupdsvc.inf

2008-05-04 10:18 . 2008-05-04 10:18

2008-05-04 09:54 . 2008-05-04 09:54

2008-05-04 09:54 . 2008-05-04 09:54

2008-05-04 09:52 . 2008-05-04 09:52

2008-05-04 09:14 . 2008-05-04 09:14

2008-05-04 08:55 . 2008-05-04 08:55

2008-05-04 03:36 . 2008-05-04 01:07 94,208 --a------ C:\WINDOWS\svorbmke.exe

2008-05-04 03:36 . 2008-05-04 01:08 81,920 --a------ C:\WINDOWS\knxsrgte.exe

2008-04-22 20:09 . 2008-04-22 20:09

2008-04-22 15:05 . 2004-05-25 17:06 417,792 --a------ C:\WINDOWS\system32\ac3filter.ax

2008-04-22 15:05 . 2005-02-27 21:48 356,352 --a------ C:\WINDOWS\system32\RealMediaSplitter.ax

2008-04-22 15:02 . 2008-04-22 15:02

2008-04-22 15:00 . 2008-04-22 15:00 38 --a------ C:\WINDOWS\avisplitter.INI

2008-04-22 14:48 . 2008-04-22 14:48

2008-04-22 14:39 . 2008-04-22 14:39

2008-04-18 17:14 . 2008-04-18 17:14

2008-04-18 17:14 . 2008-04-18 17:14

2008-04-12 10:47 . 2008-04-12 10:47

2008-04-10 18:20 . 2008-05-04 10:21 268 --ah----- C:\sqmdata19.sqm

2008-04-10 18:20 . 2008-05-04 10:21 244 --ah----- C:\sqmnoopt19.sqm

2008-04-10 15:29 . 2008-05-04 09:40 268 --ah----- C:\sqmdata18.sqm

2008-04-10 15:29 . 2008-05-04 09:40 244 --ah----- C:\sqmnoopt18.sqm

2008-04-10 13:44 . 2008-05-03 17:34 268 --ah----- C:\sqmdata17.sqm

2008-04-10 13:44 . 2008-05-03 17:34 244 --ah----- C:\sqmnoopt17.sqm

2008-04-10 12:19 . 2008-05-03 11:30 268 --ah----- C:\sqmdata16.sqm

2008-04-10 12:19 . 2008-05-03 11:30 244 --ah----- C:\sqmnoopt16.sqm

2008-04-10 10:01 . 2008-04-10 10:01 335 --a------ C:\WINDOWS\mozregistry.dat

2008-04-10 09:57 . 2008-05-03 00:08 268 --ah----- C:\sqmdata15.sqm

2008-04-10 09:57 . 2008-05-03 00:08 244 --ah----- C:\sqmnoopt15.sqm

2008-04-10 09:26 . 2008-05-02 15:59 268 --ah----- C:\sqmdata14.sqm

2008-04-10 09:26 . 2008-05-02 15:59 244 --ah----- C:\sqmnoopt14.sqm

2008-04-09 22:44 . 2008-05-02 09:53 268 --ah----- C:\sqmdata13.sqm

2008-04-09 22:44 . 2008-05-02 09:53 244 --ah----- C:\sqmnoopt13.sqm

2008-04-09 07:34 . 2008-04-09 07:34

2008-04-07 14:07 . 2008-04-07 14:08

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-31 22:25 682,496 ----a-w C:\WINDOWS\system32\divx.dll

2008-03-28 18:41 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll

2008-03-21 21:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2008-03-21 21:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll

2008-03-20 10:10 --------- d-----w C:\Program Files\Microsoft Silverlight

2008-03-20 09:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-20 09:09 1,845,504 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys

2008-03-15 16:33 --------- d-----w C:\Program Files\SopCast

2008-03-10 14:50 --------- d-----w C:\Program Files\F1 Challenge 2007

2008-03-01 14:02 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll

2008-03-01 14:02 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll

2008-03-01 14:02 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll

2008-03-01 14:02 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll

2008-03-01 14:02 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll

2008-03-01 14:02 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll

2008-02-22 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-02-21 02:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2008-02-21 02:05 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2008-02-20 07:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 07:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll

2008-02-20 06:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-20 06:38 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll

2008-02-20 06:38 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-02-18 10:23 4,608 ----a-w C:\WINDOWS\system32\w95inf32.dll

2008-02-18 10:23 2,272 ----a-w C:\WINDOWS\system32\w95inf16.dll

2008-02-16 14:46 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 13:00 15360]

“DAEMON Tools Lite”=“C:\Program Files\DAEMON Tools Lite\daemon.exe” [2008-02-14 00:09 486856]

“msnmsgr”=“C:\Program Files\MSN Messenger\msnmsgr.exe” [2007-01-19 12:54 5674352]

“Odkurzacz-MCD”=“C:\Program Files\Odkurzacz\odk_mcd.exe” [2008-02-04 18:13 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“HControl”=“C:\WINDOWS\ATK0100\HControl.exe” [2006-04-17 02:24 110592]

“Zshutdown”=“c:\sysprep\patch\sysprep.cmd” []

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe” [2008-02-22 04:25 144784]

“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-01-11 22:16 39792]

“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2008-01-31 23:13 385024]

“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2008-02-04 14:18 267048]

“RemoteControl”=“C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe” [2005-01-12 03:01 32768]

“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2006-01-12 16:40 155648]

“Wireless Console 2”=“C:\Program Files\Wireless Console 2\wcourier.exe” [2005-10-17 17:09 987136]

“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-04-26 19:48 7561216]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 13:00 15360]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source= file:///C:\WINDOWS\privacy_danger\index.htm

FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

“tdomgafw”= {D9351C96-12FB-4B9A-9232-FCEEC79A70D1} - C:\WINDOWS\tdomgafw.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

“VIDC.ACDV”= ACDV.dll

“vidc.asv2”= asusasv2.dll

“VIDC.YV12”= yv12vfw.dll

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^DSLMON.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\DSLMON.lnk

backup=C:\WINDOWS\pss\DSLMON.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\05663211184888321335963662509937]

C:\Program Files\XP Antivirus\xpa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

–a------ 2005-05-03 03:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus]

C:\Program Files\Antivirus 2008\Antvrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Live Update]

–a------ 2006-02-21 15:20 180224 C:\Program Files\ASUS\ASUS Live Update\ALU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e©ůýůüűďţóÎŃřřÁřôÄĘýÜńűĘŢó]

C:\Program Files\XP Antivirus\xpa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

–a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

–a------ 2006-04-26 19:48 7561216 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

–a------ 2006-04-26 19:48 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

–a------ 2006-04-26 19:48 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

–a------ 2005-12-18 23:52 15797248 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]

–a------ 2006-01-19 21:34 544768 C:\WINDOWS\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

–a------ 2005-10-20 23:26 761945 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

–a------ 2006-11-21 18:38 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wireless Console 2]

–a------ 2005-10-17 17:09 987136 C:\Program Files\Wireless Console 2\wcourier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

“AntiVirusOverride”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“C:\Program Files\Bonjour\mDNSResponder.exe”=

“%windir%\Network Diagnostic\xpnetdiag.exe”=

“C:\Program Files\Gadu-Gadu\gg.exe”=

“C:\Program Files\uTorrent\utorrent.exe”=

“C:\Program Files\MSN Messenger\msnmsgr.exe”=

“C:\Program Files\MSN Messenger\livecall.exe”=

“C:\Program Files\SopCast\SopCast.exe”=

“C:\Program Files\SopCast\adv\SopAdver.exe”=

“C:\Program Files\iTunes\iTunes.exe”=

“C:\Program Files\Skype\Phone\Skype.exe”=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 18:31]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]

R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 19:54]

R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-06 14:49]

R3 SynMini;USB2.0 1.3M Web Cam;C:\WINDOWS\system32\Drivers\SynMini.sys [2005-10-03 10:26]

R3 SynScan;USB2.0 1.3M Web Cam Still Image;C:\WINDOWS\system32\Drivers\SynScan.sys [2005-10-03 10:26]

S2 ELOADER;General Purpose USB Driver (adildr.sys);C:\WINDOWS\system32\Drivers\adildr.sys [2007-02-07 16:50]

.

Contents of the ‘Scheduled Tasks’ folder

“2008-04-22 14:43:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-05 09:50:50

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE

C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE

C:\PROGRAM FILES\BONJOUR\MDNSRESPONDER.EXE

C:\PROGRAM FILES\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE

C:\WINDOWS\SYSTEM32\NVSVC32.EXE

C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE

C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE

C:\WINDOWS\ATK0100\ATKOSD.exe

C:\Program Files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2008-05-05 9:52:48 - machine was rebooted

ComboFix2.txt 2008-05-05 00:04:20

ComboFix-quarantined-files.txt 2008-05-05 08:52:38

Pre-Run: 2,278,768,640 bajtów wolnych

Post-Run: 2,269,888,512 bajt˘w wolnych

217 — E O F — 2008-05-05 08:43:53

#4

Wklej do Notatnika :

File::

C:\WINDOWS\svorbmke.exe

C:\WINDOWS\knxsrgte.exe


Folder::

C:\Documents and Settings\gkopcza\Dane aplikacji\Search Settings


Registry::

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\*0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"tdomgafw"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\05663211184888321335963662509937]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e©ůýůüűďţóÎŃřřÁřôÄĘýÜńűĘŢó]

Uwaga: Po wklejeniu do Notatnika usuń * gwiazdkę z tekstu!

>>Plik>>Zapisz jako… >>> CFScript

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe

–>CFScript3.gif

Ma się rozpocząć usuwanie. (i powstanie log).

Daj ten log, który powstanie w trakcie usuwania.

Jeśli pójdzie dobrze, to: Po restarcie usuń ręcznie folder C:** Qoobox**.

EDIT:

Ale logu nie wklejaj do postu, tylko wklej na http://wklej.org/, a w poście daj tylko link.(czyli skopiuj adres z paska adresów).

jessi

#5

hej,

dzieki. sorki za ten kod.

Oto ten log z combofix:

http://wklej.org/id/e16b5c5a80

Teraz juz normalne tlo mam, wiec chyba juz wszystko ok.

Jeszcze raz dzieki.

pozdrawiam,

kopeer

#6

Tak, wg mnie - jest już OK!

EDIT:

Sprawdź któryś z tych plików na --> http://virusscan.jotti.org/

albo na http://www.virustotal.com/en/indexf.html.

Jakoś nigdzie nie mogę się dowiedzieć, co to za pliki.

Najedź też myszką na jeden z nich i zobacz, co tam pisze.

Napisz o tym - może w końcu się dowiem, co to jest?

Na większości zagranicznych i polskich for te pliki nie są usuwane , ale na niektórych forach są usuwane, choć nie wiem dlaczego, bo nie znalazłam ich w żadnym opisie “wirusów”.

jessi

#7

hej,

jeszcze raz dzieki. sprawdzam te pliki i wynika z tego, ze jest ok. jak najezdzam myszka to tylko pisze Plik SQM.

myslisz, ze lepiej jak je usune recznie?

kopeer

#8

Jeśli są OK, to nie musisz usuwać. Pliki te pojawiają się w logach od dawna i gdyby były szkodliwe, to JOTTI lub VIRUSTOTAL natychmiast by dały znać, że są złe.

Ale z drugiej strony - po co one w ogóle są - to nie sa pliki Systemu.

jessi

#9

Ok. to je zostawie. jeszcze raz dzieki za pomoc. w koncu jest ok :slight_smile:

pozdrawiam

kopeer