Hi. My brother, who had no antivirus or firewall on his computer (when I wanted to install them for him he refused), asked me for help because "privacy danger" and a flood of worm alerts appeared on his machine. I removed that. He had installed a fake antivirus. I ran an F-Secure antivirus scan for him and it detected 25 viruses (mainly downloaders), 18 spyware and adware items and 5 riskware programs. It also detected 3 trojans and Virtumonde, which it could not remove. Please help, because something is still left :mrgreen:
…
Sorry the log isn't on wklej.org, but I couldn't get onto that site.
ComboFix 08-03-23.5 - Łukasz 2008-03-24 11:41:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.615 [GMT 1:00]
Running from: C:\Documents and Settings\Łukasz\Pulpit\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Łukasz\Dane aplikacji\Install.dat
C:\WINDOWS\dwnrpofk.dll
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\awtutus.dll
C:\WINDOWS\system32\rtstv.ini
C:\WINDOWS\system32\rtstv.ini2
.
((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))
.
2008-03-24 11:16 . 2008-03-24 11:28 515 --a------ C:\WINDOWS\wininit.ini
2008-03-24 10:58 . 2008-03-24 10:58
2008-03-24 10:58 . 2008-03-24 11:22
2008-03-24 10:44 . 2008-03-24 10:44
2008-03-24 09:18 . 2008-03-24 11:22 1,548,501 ---hs---- C:\WINDOWS\system32\nlabqkyu.ini
2008-03-23 20:18 . 2008-03-23 20:18
2008-03-23 20:16 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-03-23 20:10 . 2008-03-23 20:10 29 --a------ C:\WINDOWS\system32\sgprwtrp.tmp
2008-03-23 19:58 . 2008-03-23 19:58
2008-03-23 19:58 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-03-23 19:58 . 2004-10-07 13:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-23 19:58 . 2007-02-13 08:09 388,126 --a------ C:\WINDOWS\system32\sqlite3.dll
2008-03-23 19:58 . 2004-10-07 13:39 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-03-23 19:11 . 2008-03-23 19:11 0 --a------ C:\WINDOWS\s3.cookingluck.htm
2008-03-23 17:35 . 2008-03-23 17:35
2008-03-23 17:34 . 2008-03-23 09:04 290,816 --a------ C:\WINDOWS\kdftlboeslg.dll
2008-03-23 17:34 . 2008-03-23 09:04 233,472 --a------ C:\WINDOWS\vbgtorfd.dll
2008-03-23 17:34 . 2008-03-23 09:04 98,304 --a------ C:\WINDOWS\norlatmx.exe
2008-03-23 12:31 . 2008-03-23 12:32
2008-03-23 12:31 . 2008-03-23 12:31 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-23 12:31 . 2008-03-23 12:31 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-23 12:31 . 2008-03-23 12:31 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-23 10:50 . 1999-10-04 21:41 8,110 --a------ C:\WINDOWS\Espa_SP.gpl
2008-03-23 10:35 . 2004-03-08 23:00 1,081,616 --a------ C:\WINDOWS\system32\mscomctl.ocx
2008-03-23 10:35 . 2000-05-22 16:58 608,448 --a------ C:\WINDOWS\system32\comctl32.ocx
2008-03-23 10:35 . 2001-04-26 21:12 57,399 --a------ C:\WINDOWS\system32\Registry.ocx
2008-03-23 10:34 . 2008-03-23 10:50 796,672 --a------ C:\WINDOWS\GPInstall.exe
2008-03-23 10:01 . 2007-05-25 14:09 58,128 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-03-23 10:01 . 2007-05-25 14:09 37,008 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2008-03-23 10:00 . 2008-03-23 11:31
2008-03-22 19:24 . 2008-03-22 19:24
2008-03-22 16:54 . 2008-03-23 11:19
2008-03-22 14:32 . 2008-03-22 14:32 45,768 --a------ C:\WINDOWS\system32\drivers\MiniIcpt.sys
2008-03-22 11:31 . 2008-03-24 11:42
2008-03-22 11:31 . 2008-03-21 11:44
2008-03-22 11:31 . 2008-03-21 11:37
2008-03-22 11:31 . 2008-03-21 12:31
2008-03-22 11:31 . 2008-03-24 10:26
2008-03-22 11:31 . 2008-03-21 12:31
2008-03-22 11:31 . 2008-03-21 11:44
2008-03-21 14:02 . 2008-03-21 14:02
2008-03-21 14:02 . 2008-03-21 14:02
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 08:49 --------- d-----w C:\Program Files\Usługi online
2008-03-23 16:34 16,604 --sh--r C:\Program Files\tmp3.0xe
2008-03-23 16:34 16,604 --sh--r C:\Program Files\tmp2.0xe
2008-03-23 16:34 16,604 --sh--r C:\Program Files\tmp1.0xe
2008-03-23 16:34 16,604 --sh--r C:\Program Files\tmp0.0xe
2008-03-23 09:01 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\F-Secure
2008-03-23 09:00 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\fssg
2008-03-22 13:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-21 11:30 --------- d-----w C:\Program Files\CCleaner
2008-03-21 11:16 --------- d-----w C:\Program Files\Opera
2008-03-21 10:58 --------- d-----w C:\Program Files\Agnitum
2008-03-21 10:58 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Agnitum
2008-03-21 10:57 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2008-03-21 10:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-21 10:56 --------- d-----w C:\Program Files\ATI Technologies
2008-03-21 10:51 --------- d-----w C:\Program Files\Realtek
2008-03-21 10:44 --------- d-----w C:\Program Files\microsoft frontpage
2008-02-27 17:47 446,976 ----a-w C:\WINDOWS\system32\drivers\SandBox.sys
2008-02-27 17:28 206,352 ----a-w C:\WINDOWS\system32\drivers\afw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{350E96CA-EFDA-4DED-8EB1-AF6ACFFD84A8}]
C:\WINDOWS\system32\vtstr.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1FCF9F3-4CF9-420C-8718-937352D780A7}]
2008-03-23 09:04 290816 --a------ C:\WINDOWS\kdftlboeslg.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 07:54 16248320 C:\WINDOWS\RTHDCPL.EXE]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43 45056]
"DefragTaskBar"="C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2007-08-28 16:31 169312]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2007-05-25 14:12 183208]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-25 14:11 740208]
"OutpostMonitor"="C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" [2008-03-03 13:08 1013248]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"6foGMTG8is"= C:\Documents and Settings\All Users\Dane aplikacji\udsvgpwn\qferwbuz.exe
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SrvMon"= {cf8b0741-eaf7-48d3-87e6-979f72923281} - C:\WINDOWS\Installer\{cf8b0741-eaf7-48d3-87e6-979f72923281}\SrvMon.dll []
"zip"= {68dacd6f-5477-45f3-80e0-3e5ff9d51ca5} - C:\WINDOWS\Installer\{68dacd6f-5477-45f3-80e0-3e5ff9d51ca5}\zip.dll [2008-03-23 20:20 23234]
"vbgtorfd"= {3EA01AB5-E951-4440-94E8-329EA5B53CBA} - C:\WINDOWS\vbgtorfd.dll [2008-03-23 09:04 233472]
"dwnrpofk"= {383A7B1E-2299-4CA8-A96E-BD3F66260E58} - C:\WINDOWS\dwnrpofk.dll []
"MonSys"= {bd952729-9fe3-4102-931e-d500c54af2a8} - C:\WINDOWS\Installer\{bd952729-9fe3-4102-931e-d500c54af2a8}\MonSys.dll []
"RamComponent"= {d2ddd8d7-c8ce-4f9c-9cbf-c9da5b859913} - C:\WINDOWS\Installer\{d2ddd8d7-c8ce-4f9c-9cbf-c9da5b859913}\RamComponent.dll []
"AvpKbd"= {d3ea3fda-8a2c-4a7d-8a75-2a070096ca4e} - C:\WINDOWS\Installer\{d3ea3fda-8a2c-4a7d-8a75-2a070096ca4e}\AvpKbd.dll []
"RunOnceRunOnce"= {f8680102-2305-48bf-ae72-17695b61ff6f} - C:\WINDOWS\Installer\{f8680102-2305-48bf-ae72-17695b61ff6f}\RunOnceRunOnce.dll []
"BootAlrt"= {2f2047da-584e-4732-9605-c301b6e8d91c} - C:\WINDOWS\Installer\{2f2047da-584e-4732-9605-c301b6e8d91c}\BootAlrt.dll []
"DriveUnknown"= {ec60dc18-68ad-4d0f-8387-d01451db9b73} - C:\WINDOWS\Installer\{ec60dc18-68ad-4d0f-8387-d01451db9b73}\DriveUnknown.dll []
"ServiceComponent"= {0288dd87-050e-493b-8ec9-1de23cc13dc9} - C:\WINDOWS\Installer\{0288dd87-050e-493b-8ec9-1de23cc13dc9}\ServiceComponent.dll []
"PrxKernel"= {53821377-cbf0-4644-969f-c2048ec0f842} - C:\WINDOWS\Installer\{53821377-cbf0-4644-969f-c2048ec0f842}\PrxKernel.dll []
"SysAlrt"= {1b08e22d-c0ae-40c7-854b-e3f2ba068494} - C:\WINDOWS\Installer\{1b08e22d-c0ae-40c7-854b-e3f2ba068494}\SysAlrt.dll []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtutus]
awtutus.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\agnitum\outpos~1\wl_hook.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-05-25 14:09]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys [2007-05-25 14:12]
R1 SandBox;SandBox;C:\WINDOWS\system32\DRIVERS\SandBox.sys [2008-02-27 18:47]
R2 acssrv;Agnitum Client Security Service;C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe [2008-02-29 15:52]
R3 afw;Agnitum firewall driver;C:\WINDOWS\system32\DRIVERS\afw.sys [2008-02-27 18:28]
R3 ASWFilt;ASWFilt;C:\WINDOWS\system32\Filt\ASWFilt.dll [2008-02-27 18:48]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-05-25 14:08]
R3 usbstor;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2006-03-02 13:00]
S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys []
S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys []
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-05-25 14:09]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-05-25 14:09]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 11:44:16
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
C:\WINDOWS\system32\drivers\grande48.sys 167936 bytes executable
C:\WINDOWS\system32\drivers\Kqa38.sys 167936 bytes executable
scan completed successfully
hidden files: 2
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Kqa38]
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\PROGRA~1\Ashampoo\ASHAMP~1\bin\DEFRAG~3.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\PROGRA~1\Ashampoo\ASHAMP~1\bin\defragActivityMonitor.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
.
**************************************************************************
.
Completion time: 2008-03-24 11:46:04 - machine was rebooted [Łukasz]
ComboFix-quarantined-files.txt 2008-03-24 10:46:01
.
2008-03-21 16:28:04 --- E O F ---
Paste into Notepad:
File::
C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\system32\nlabqkyu.ini
C:\WINDOWS\kdftlboeslg.dll
C:\WINDOWS\vbgtorfd.dll
C:\WINDOWS\norlatmx.exe
C:\Program Files\tmp3.0xe
C:\Program Files\tmp2.0xe
C:\Program Files\tmp1.0xe
C:\Program Files\tmp0.0xe
Folder::
C:\Documents and Settings\All Users\Dane aplikacji\udsvgpwn
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{350E96CA-EFDA-4DED-8EB1-AF6ACFFD84A8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1FCF9F3-4CF9-420C-8718-937352D780A7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"6foGMTG8is"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SrvMon"=-
"zip"=-
"vbgtorfd"=-
"dwnrpofk"=-
"MonSys"=-
"RamComponent"=-
"AvpKbd"=-
"RunOnceRunOnce"=-
"BootAlrt"=-
"DriveUnknown"=-
"ServiceComponent"=-
"PrxKernel"=-
"SysAlrt"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtutus]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"=-
"FriendlyName"=-
"Source"=""
"FriendlyName"=""
>>File>>Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
- like in this picture ->
(if the question "1 or 2" appears, type 1 and press ENTER). The removal should start (and a log will be produced).
After the restart, manually delete the folder C:\Qoobox.
Then post a new ComboFix log.
Change of the rules for posting logs on the forum - viewtopic.php?f=16t=213350
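As an added example (not from the original thread, not part of ComboFix), a small Python script showing how the ShellServiceObjectDelayLoad entries from the log above can be triaged and turned into the `"name"=-` deletion lines of the CFScript's Registry:: section. The three heuristics it applies (file missing on disk, DLL under a Windows\Installer GUID folder, file created in the scan window) are this example's own assumptions, not ComboFix rules.

```python
import re

# ComboFix "Reg Loading Points" lines for the ShellServiceObjectDelayLoad key, copied from the
# log above. Each line reads: "Name"= {CLSID} - path [mtime size]; an empty [] means ComboFix
# found no file at that path.
SSODL_LINES = r'''
"SrvMon"= {cf8b0741-eaf7-48d3-87e6-979f72923281} - C:\WINDOWS\Installer\{cf8b0741-eaf7-48d3-87e6-979f72923281}\SrvMon.dll []
"zip"= {68dacd6f-5477-45f3-80e0-3e5ff9d51ca5} - C:\WINDOWS\Installer\{68dacd6f-5477-45f3-80e0-3e5ff9d51ca5}\zip.dll [2008-03-23 20:20 23234]
"vbgtorfd"= {3EA01AB5-E951-4440-94E8-329EA5B53CBA} - C:\WINDOWS\vbgtorfd.dll [2008-03-23 09:04 233472]
"dwnrpofk"= {383A7B1E-2299-4CA8-A96E-BD3F66260E58} - C:\WINDOWS\dwnrpofk.dll []
'''

# Paths from the log's "Files Created" section that fall in the same 30-day scan window.
RECENTLY_CREATED = {r"C:\WINDOWS\vbgtorfd.dll", r"C:\WINDOWS\kdftlboeslg.dll"}

LINE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s*-\s*(?P<path>.+?)\s*\[(?P<info>[^\]]*)\]$')
# Heuristic (this example's assumption): shell-loaded DLLs do not belong in Installer GUID folders.
INSTALLER_RE = re.compile(r"^C:\\WINDOWS\\Installer\\\{[0-9A-Fa-f-]{36}\}\\", re.IGNORECASE)

def parse_ssodl(text):
    """Return one dict (name, clsid, path, info) per parseable SSODL line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def suspicion_reasons(entry, recently_created=RECENTLY_CREATED):
    """Triage heuristics (assumptions of this example, not ComboFix rules)."""
    reasons = []
    if entry["info"] == "":
        reasons.append("file missing on disk")  # dangling loader left by a partial clean-up
    if INSTALLER_RE.match(entry["path"]):
        reasons.append("DLL loaded from a Windows\\Installer GUID folder")
    if entry["path"] in recently_created:
        reasons.append("file created in the scan window")
    return reasons

def cfscript_registry_section(text, recently_created=RECENTLY_CREATED):
    """Build the Registry:: block; in CFScript, "name"=- deletes that registry value."""
    lines = ["Registry::",
             r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]"]
    for e in parse_ssodl(text):
        if suspicion_reasons(e, recently_created):
            lines.append('"%s"=-' % e["name"])
    return "\n".join(lines)
```

Running `print(cfscript_registry_section(SSODL_LINES))` reproduces the four matching deletion lines the helper wrote by hand; an entry that trips none of the heuristics is left alone.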
Thanks for the help, but the machine has already been formatted :? because it wouldn't boot. It said it could not load DLL libraries. Regards, and thanks for the trouble.