Viruses that cannot be removed, very slow computer


(Binkiewicz) #1

Hi. My brother, who had no antivirus or firewall on his computer (when I wanted to install them for him, he refused), turned to me for help because "Privacy Danger" appeared along with a flood of worm alerts. I removed that for him. He had installed a fake antivirus. I ran an F-Secure antivirus scan for him and it detected 25 viruses (mainly downloaders), 18 spyware and adware items and 5 riskware programs. It also detected 3 trojans and Virtumonde, which it could not remove. Please help, because something is still left :mrgreen:


(Binkiewicz) #2

Oh, I almost forgot about the logs :glupek1:

HijackThis: http://wklej.org/id/c610c3c9ad

I'll do the ComboFix one in a moment.


(Longhorn2009) #3

...


(Binkiewicz) #4

Sorry the log isn't on wklej.org, but I couldn't get in there.

ComboFix 08-03-23.5 - Łukasz 2008-03-24 11:41:39.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.615 [GMT 1:00]

Running from: C:\Documents and Settings\Łukasz\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Łukasz\Dane aplikacji\Install.dat

C:\WINDOWS\dwnrpofk.dll

C:\WINDOWS\rs.txt

C:\WINDOWS\system32\awtutus.dll

C:\WINDOWS\system32\rtstv.ini

C:\WINDOWS\system32\rtstv.ini2

.

((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))

.

2008-03-24 11:16 . 2008-03-24 11:28 515 --a------ C:\WINDOWS\wininit.ini

2008-03-24 10:58 . 2008-03-24 10:58

2008-03-24 10:58 . 2008-03-24 11:22

2008-03-24 10:44 . 2008-03-24 10:44

2008-03-24 09:18 . 2008-03-24 11:22 1,548,501 ---hs---- C:\WINDOWS\system32\nlabqkyu.ini

2008-03-23 20:18 . 2008-03-23 20:18

2008-03-23 20:16 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll

2008-03-23 20:10 . 2008-03-23 20:10 29 --a------ C:\WINDOWS\system32\sgprwtrp.tmp

2008-03-23 19:58 . 2008-03-23 19:58

2008-03-23 19:58 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll

2008-03-23 19:58 . 2004-10-07 13:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll

2008-03-23 19:58 . 2007-02-13 08:09 388,126 --a------ C:\WINDOWS\system32\sqlite3.dll

2008-03-23 19:58 . 2004-10-07 13:39 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll

2008-03-23 19:11 . 2008-03-23 19:11 0 --a------ C:\WINDOWS\s3.cookingluck.htm

2008-03-23 17:35 . 2008-03-23 17:35

2008-03-23 17:34 . 2008-03-23 09:04 290,816 --a------ C:\WINDOWS\kdftlboeslg.dll

2008-03-23 17:34 . 2008-03-23 09:04 233,472 --a------ C:\WINDOWS\vbgtorfd.dll

2008-03-23 17:34 . 2008-03-23 09:04 98,304 --a------ C:\WINDOWS\norlatmx.exe

2008-03-23 12:31 . 2008-03-23 12:32

2008-03-23 12:31 . 2008-03-23 12:31 30,590 --a------ C:\WINDOWS\system32\pavas.ico

2008-03-23 12:31 . 2008-03-23 12:31 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico

2008-03-23 12:31 . 2008-03-23 12:31 1,406 --a------ C:\WINDOWS\system32\Help.ico

2008-03-23 10:50 . 1999-10-04 21:41 8,110 --a------ C:\WINDOWS\Espa_SP.gpl

2008-03-23 10:35 . 2004-03-08 23:00 1,081,616 --a------ C:\WINDOWS\system32\mscomctl.ocx

2008-03-23 10:35 . 2000-05-22 16:58 608,448 --a------ C:\WINDOWS\system32\comctl32.ocx

2008-03-23 10:35 . 2001-04-26 21:12 57,399 --a------ C:\WINDOWS\system32\Registry.ocx

2008-03-23 10:34 . 2008-03-23 10:50 796,672 --a------ C:\WINDOWS\GPInstall.exe

2008-03-23 10:01 . 2007-05-25 14:09 58,128 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys

2008-03-23 10:01 . 2007-05-25 14:09 37,008 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys

2008-03-23 10:00 . 2008-03-23 11:31

2008-03-22 19:24 . 2008-03-22 19:24

2008-03-22 16:54 . 2008-03-23 11:19

2008-03-22 14:32 . 2008-03-22 14:32 45,768 --a------ C:\WINDOWS\system32\drivers\MiniIcpt.sys

2008-03-22 11:31 . 2008-03-24 11:42

2008-03-22 11:31 . 2008-03-21 11:44

2008-03-22 11:31 . 2008-03-21 11:37

2008-03-22 11:31 . 2008-03-21 12:31

2008-03-22 11:31 . 2008-03-24 10:26

2008-03-22 11:31 . 2008-03-21 12:31

2008-03-22 11:31 . 2008-03-21 11:44

2008-03-21 14:02 . 2008-03-21 14:02

2008-03-21 14:02 . 2008-03-21 14:02

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-24 08:49 --------- d-----w C:\Program Files\Usługi online

2008-03-23 16:34 16,604 --sh--r C:\Program Files\tmp3.0xe

2008-03-23 16:34 16,604 --sh--r C:\Program Files\tmp2.0xe

2008-03-23 16:34 16,604 --sh--r C:\Program Files\tmp1.0xe

2008-03-23 16:34 16,604 --sh--r C:\Program Files\tmp0.0xe

2008-03-23 09:01 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\F-Secure

2008-03-23 09:00 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\fssg

2008-03-22 13:32 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-03-21 11:30 --------- d-----w C:\Program Files\CCleaner

2008-03-21 11:16 --------- d-----w C:\Program Files\Opera

2008-03-21 10:58 --------- d-----w C:\Program Files\Agnitum

2008-03-21 10:58 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Agnitum

2008-03-21 10:57 --------- d-----w C:\Program Files\Common Files\ATI Technologies

2008-03-21 10:56 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-03-21 10:56 --------- d-----w C:\Program Files\ATI Technologies

2008-03-21 10:51 --------- d-----w C:\Program Files\Realtek

2008-03-21 10:44 --------- d-----w C:\Program Files\microsoft frontpage

2008-02-27 17:47 446,976 ----a-w C:\WINDOWS\system32\drivers\SandBox.sys

2008-02-27 17:28 206,352 ----a-w C:\WINDOWS\system32\drivers\afw.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{350E96CA-EFDA-4DED-8EB1-AF6ACFFD84A8}]

C:\WINDOWS\system32\vtstr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1FCF9F3-4CF9-420C-8718-937352D780A7}]

2008-03-23 09:04 290816 --a------ C:\WINDOWS\kdftlboeslg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 07:54 16248320 C:\WINDOWS\RTHDCPL.EXE]

"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43 45056]

"DefragTaskBar"="C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2007-08-28 16:31 169312]

"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2007-05-25 14:12 183208]

"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-25 14:11 740208]

"OutpostMonitor"="C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" [2008-03-03 13:08 1013248]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

"6foGMTG8is"= C:\Documents and Settings\All Users\Dane aplikacji\udsvgpwn\qferwbuz.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source= file:///C:\WINDOWS\privacy_danger\index.htm

FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"SrvMon"= {cf8b0741-eaf7-48d3-87e6-979f72923281} - C:\WINDOWS\Installer\{cf8b0741-eaf7-48d3-87e6-979f72923281}\SrvMon.dll []

"zip"= {68dacd6f-5477-45f3-80e0-3e5ff9d51ca5} - C:\WINDOWS\Installer\{68dacd6f-5477-45f3-80e0-3e5ff9d51ca5}\zip.dll [2008-03-23 20:20 23234]

"vbgtorfd"= {3EA01AB5-E951-4440-94E8-329EA5B53CBA} - C:\WINDOWS\vbgtorfd.dll [2008-03-23 09:04 233472]

"dwnrpofk"= {383A7B1E-2299-4CA8-A96E-BD3F66260E58} - C:\WINDOWS\dwnrpofk.dll []

"MonSys"= {bd952729-9fe3-4102-931e-d500c54af2a8} - C:\WINDOWS\Installer\{bd952729-9fe3-4102-931e-d500c54af2a8}\MonSys.dll []

"RamComponent"= {d2ddd8d7-c8ce-4f9c-9cbf-c9da5b859913} - C:\WINDOWS\Installer\{d2ddd8d7-c8ce-4f9c-9cbf-c9da5b859913}\RamComponent.dll []

"AvpKbd"= {d3ea3fda-8a2c-4a7d-8a75-2a070096ca4e} - C:\WINDOWS\Installer\{d3ea3fda-8a2c-4a7d-8a75-2a070096ca4e}\AvpKbd.dll []

"RunOnceRunOnce"= {f8680102-2305-48bf-ae72-17695b61ff6f} - C:\WINDOWS\Installer\{f8680102-2305-48bf-ae72-17695b61ff6f}\RunOnceRunOnce.dll []

"BootAlrt"= {2f2047da-584e-4732-9605-c301b6e8d91c} - C:\WINDOWS\Installer\{2f2047da-584e-4732-9605-c301b6e8d91c}\BootAlrt.dll []

"DriveUnknown"= {ec60dc18-68ad-4d0f-8387-d01451db9b73} - C:\WINDOWS\Installer\{ec60dc18-68ad-4d0f-8387-d01451db9b73}\DriveUnknown.dll []

"ServiceComponent"= {0288dd87-050e-493b-8ec9-1de23cc13dc9} - C:\WINDOWS\Installer\{0288dd87-050e-493b-8ec9-1de23cc13dc9}\ServiceComponent.dll []

"PrxKernel"= {53821377-cbf0-4644-969f-c2048ec0f842} - C:\WINDOWS\Installer\{53821377-cbf0-4644-969f-c2048ec0f842}\PrxKernel.dll []

"SysAlrt"= {1b08e22d-c0ae-40c7-854b-e3f2ba068494} - C:\WINDOWS\Installer\{1b08e22d-c0ae-40c7-854b-e3f2ba068494}\SysAlrt.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtutus]

awtutus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\agnitum\outpos~1\wl_hook.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-05-25 14:09]

R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys [2007-05-25 14:12]

R1 SandBox;SandBox;C:\WINDOWS\system32\DRIVERS\SandBox.sys [2008-02-27 18:47]

R2 acssrv;Agnitum Client Security Service;C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe [2008-02-29 15:52]

R3 afw;Agnitum firewall driver;C:\WINDOWS\system32\DRIVERS\afw.sys [2008-02-27 18:28]

R3 ASWFilt;ASWFilt;C:\WINDOWS\system32\Filt\ASWFilt.dll [2008-02-27 18:48]

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-05-25 14:08]

R3 usbstor;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2006-03-02 13:00]

S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys []

S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys []

S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-05-25 14:09]

S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-05-25 14:09]

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-24 11:44:16

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\grande48.sys 167936 bytes executable

C:\WINDOWS\system32\drivers\Kqa38.sys 167936 bytes executable

scan completed successfully

hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Kqa38]

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe

C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE

C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE

C:\PROGRA~1\Ashampoo\ASHAMP~1\bin\DEFRAG~3.EXE

C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE

C:\PROGRA~1\Ashampoo\ASHAMP~1\bin\defragActivityMonitor.exe

C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe

C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE

C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe

C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe

C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe

C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe

.

**************************************************************************

.

Completion time: 2008-03-24 11:46:04 - machine was rebooted [Łukasz]

ComboFix-quarantined-files.txt 2008-03-24 10:46:01

.

2008-03-21 16:28:04 --- E O F ---


(Gutek) #5

Paste into Notepad:

File::

C:\WINDOWS\system32\vtstr.dll

C:\WINDOWS\system32\nlabqkyu.ini

C:\WINDOWS\kdftlboeslg.dll

C:\WINDOWS\vbgtorfd.dll

C:\WINDOWS\norlatmx.exe

C:\Program Files\tmp3.0xe

C:\Program Files\tmp2.0xe

C:\Program Files\tmp1.0xe

C:\Program Files\tmp0.0xe


Folder::

C:\Documents and Settings\All Users\Dane aplikacji\udsvgpwn


Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{350E96CA-EFDA-4DED-8EB1-AF6ACFFD84A8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1FCF9F3-4CF9-420C-8718-937352D780A7}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

"6foGMTG8is"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"SrvMon"=-

"zip"=-

"vbgtorfd"=-

"dwnrpofk"=-

"MonSys"=-

"RamComponent"=-

"AvpKbd"=-

"RunOnceRunOnce"=-

"BootAlrt"=-

"DriveUnknown"=-

"ServiceComponent"=-

"PrxKernel"=-

"SysAlrt"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtutus]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"=-

"FriendlyName"=-

"Source"=""

"FriendlyName"=""

>> File >> Save As... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)

- just like in this picture --> 88953CFScript-createdbyMiekiemoes.gif

(if the question "1 or 2" appears, type 1 and press ENTER). The removal should start (and a log will be produced).

After the restart, delete the C:\Qoobox folder manually.

After that, a new ComboFix log.

Change in the rules for posting logs on the forum - viewtopic.php?f=16t=213350
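
As an added example (not part of the thread, and not Gutek's or ComboFix's code), the Python below automates the review that the reply above does by hand. It parses the loading-point and catchme sections quoted from the log posted earlier, lists every ShellServiceObjectDelayLoad and policies\explorer\run value ComboFix printed (ComboFix hides the default legitimate entries, so anything it shows deserves a look), flags BHOs whose DLL sits directly in C:\WINDOWS or system32 rather than under a vendor folder (a heuristic of mine, not a ComboFix rule), and turns the two hidden .sys files catchme reported into File:: and Driver:: entries (Driver:: is assumed here to be the CFScript directive for removing a service entry; check it against the ComboFix script reference before use). The empty [] after an entry means ComboFix could not find the file on disk, so that path is left out of File::. The sample input is a copied excerpt of the log above.

```python
"""Triage the ComboFix 'Reg Loading Points' and catchme sections and draft a CFScript.

Added example, not code from the thread. Reproduces the manual review done in
the reply above and additionally proposes entries for the hidden drivers.
"""
import re

# Constructed input: lines copied from the ComboFix log posted earlier in the thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{350E96CA-EFDA-4DED-8EB1-AF6ACFFD84A8}]
C:\WINDOWS\system32\vtstr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1FCF9F3-4CF9-420C-8718-937352D780A7}]
2008-03-23 09:04 290816 --a------ C:\WINDOWS\kdftlboeslg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"6foGMTG8is"= C:\Documents and Settings\All Users\Dane aplikacji\udsvgpwn\qferwbuz.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SrvMon"= {cf8b0741-eaf7-48d3-87e6-979f72923281} - C:\WINDOWS\Installer\{cf8b0741-eaf7-48d3-87e6-979f72923281}\SrvMon.dll []
"zip"= {68dacd6f-5477-45f3-80e0-3e5ff9d51ca5} - C:\WINDOWS\Installer\{68dacd6f-5477-45f3-80e0-3e5ff9d51ca5}\zip.dll [2008-03-23 20:20 23234]
"vbgtorfd"= {3EA01AB5-E951-4440-94E8-329EA5B53CBA} - C:\WINDOWS\vbgtorfd.dll [2008-03-23 09:04 233472]
"dwnrpofk"= {383A7B1E-2299-4CA8-A96E-BD3F66260E58} - C:\WINDOWS\dwnrpofk.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtutus]
awtutus.dll

**************************************************************************
scanning hidden files ...

C:\WINDOWS\system32\drivers\grande48.sys 167936 bytes executable
C:\WINDOWS\system32\drivers\Kqa38.sys 167936 bytes executable

scan completed successfully
hidden files: 2
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<rest>.*)$')
# "{CLSID} - path [date time size]"; an empty [] means ComboFix could not stat the file.
SSODL_RE = re.compile(r"^\{[^}]+\}\s+-\s+(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$")
PATH_RE = re.compile(r"([A-Za-z]:\\[^\[\]]*?)\s*$")
# Heuristic (my assumption, not a ComboFix rule): a BHO DLL living directly in
# %WINDIR% or system32 instead of under a vendor folder is treated as suspect.
WINDIR_RE = re.compile(r"^C:\\WINDOWS\\(system32\\)?[^\\]+$", re.IGNORECASE)
HIDDEN_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+\d+ bytes executable$")


def triage(log: str) -> dict:
    """Return removal candidates found in a ComboFix log excerpt."""
    found = {"files": [], "delete_keys": [], "delete_values": {}, "drivers": []}
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("*"):          # section separator: registry part is over
            key = None
            continue
        h = HIDDEN_RE.match(line)
        if h:                             # catchme: file hidden from the Win32 API
            path = h.group("path")
            found["files"].append(path)
            if path.lower().endswith(".sys"):
                found["drivers"].append(path.rsplit("\\", 1)[1][:-4])
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        low = (key or "").lower()
        if "browser helper objects\\" in low:
            p = PATH_RE.search(line)
            if p and WINDIR_RE.match(p.group(1)):
                found["delete_keys"].append(key)
                found["files"].append(p.group(1))
        elif "winlogon\\notify\\" in low and line.lower().endswith(".dll"):
            # The DLL itself was already quarantined under "Other Deletions";
            # only the orphaned Notify key is left to remove.
            found["delete_keys"].append(key)
        elif "shellserviceobjectdelayload" in low or "policies\\explorer\\run" in low:
            v = VALUE_RE.match(line)
            if not v:
                continue
            name, rest = v.group("name"), v.group("rest")
            s = SSODL_RE.match(rest)
            path, meta = (s.group("path"), s.group("meta")) if s else (rest.strip(), None)
            found["delete_values"].setdefault(key, []).append(name)
            if meta != "":                # "[]" = nothing on disk to quarantine
                found["files"].append(path)
    return found


def render_cfscript(found: dict) -> str:
    """Serialise the findings in the CFScript layout used in the thread."""
    out = []
    if found["files"]:
        out += ["File::", *found["files"], ""]
    if found["drivers"]:
        out += ["Driver::", *found["drivers"], ""]
    out.append("Registry::")
    out += [f"[-{k}]" for k in found["delete_keys"]]
    for k, names in found["delete_values"].items():
        out.append(f"[{k}]")
        out += [f'"{n}"=-' for n in names]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_cfscript(triage(SAMPLE_LOG)))
```

Run it and compare the Registry:: block with the one posted above: the SSODL, policies\explorer\run, BHO and Winlogon\Notify lines come out the same, and the script additionally proposes the two hidden drivers. Entries under the ordinary Run key (SkyTel, the F-Secure and Outpost loaders) are deliberately not touched, since those need a vendor check by hand. Treat the output as a draft to review, not something to drop onto ComboFix unread.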


(Binkiewicz) #6

Thanks for the help, but it has already been formatted :? because the computer would not boot. It said DLL libraries could not be loaded. Regards, and thanks for the effort.