Wirusy, trojany jak się tego pozbyć?

Spider_MK · 19 Grudzień 2007 15:38

Nawchodziło mi syfu do kompa. jak mogę sie tego pozbyć ?

log z hijackthis

Logfile of HijackThis v1.99.1 Scan saved at 16:10, on 2007-12-19 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ArcaVir\Bin\NetMonSv.exe C:\Program Files\ArcaVir\Bin\avmonsv.exe C:\Program Files\ArcaVir\Bin\ABmenu.exe C:\Program Files\ArcaVir\Bin\ABregmon.exe C:\Program Files\Microsoft Security Adviser\msctrl.exe C:\Program Files\Microsoft Security Adviser\msavsc.exe C:\Program Files\Microsoft Security Adviser\msscan.exe C:\Program Files\Microsoft Security Adviser\msiemon.exe C:\Program Files\ArcaVir\Bin\arcascan.exe C:\Program Files\Microsoft Security Adviser\msfw.exe C:\Program Files\Microsoft Security Adviser\mssadv.exe D:\wwszystko co bylo na pulpicie\programy\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Programy\GetRight\xx2gr.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [ABmenu] C:\Program Files\ArcaVir\Bin\ABmenu.exe O4 - HKLM…\Run: [ABREGMON] C:\Program Files\ArcaVir\Bin\ABregmon.exe O4 - HKLM…\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe O4 - HKLM…\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe O4 - HKLM…\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe O4 - HKLM…\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe O4 - HKLM…\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe O4 - HKLM…\Run: [Microsoft security adviser] C:\Program Files\Microsoft Security Adviser\mssadv.exe O4 - HKCU…\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe O4 - HKCU…\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe O4 - HKCU…\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe O4 - HKCU…\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe O4 - HKCU…\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: Download with GetRight - E:\Programy\GetRight\GRdownload.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Browser - E:\Programy\GetRight\GRbrowse.htm O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/294f4c8dd02 … xIE601.cab O16 - DPF: {77829F14-D911-40FF-A2F0-D11DB8D6D0BC} - http://activex.microsoft.com/objects/ocget.dll O17 - HKLM\System\CCS\Services\Tcpip…{24B93D79-7375-4DBC-8A34-CB4BAF352054}: NameServer = 85.255.115.34,85.255.112.63 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63 O17 - HKLM\System\CS1\Services\Tcpip…{24B93D79-7375-4DBC-8A34-CB4BAF352054}: NameServer = 85.255.115.34,85.255.112.63 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63 O17 - HKLM\System\CS2\Services\Tcpip…{24B93D79-7375-4DBC-8A34-CB4BAF352054}: NameServer = 85.255.115.34,85.255.112.63 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63 O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - C:\Program Files\ArcaVir\Bin\NetMonSv.exe O23 - Service: ArcaVir Monitor (ArcaMonSvc) - ArcaBit - C:\Program Files\ArcaVir\Bin\avmonsv.exe O23 - Service: ArcaScan - ArcaBit - C:\Program Files\ArcaVir\Bin\arcascan.exe O23 - Service: arcaserv - ArcaBit Sp. z o. o. - C:\Program Files\ArcaVir\bin\arcaserv.exe O23 - Service: Us3uga inteligentnego transferu w tle BITSSCardSvr (BITSSCardSvr) - Unknown owner - C:\WINDOWS\System32\adsndsz.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

oraz z silent runners

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “msctrl.exe” = “C:\Program Files\Microsoft Security Adviser\msctrl.exe” [null data] “msavsc.exe” = “C:\Program Files\Microsoft Security Adviser\msavsc.exe” [null data] “msscan.exe” = “C:\Program Files\Microsoft Security Adviser\msscan.exe” [null data] “msiemon.exe” = “C:\Program Files\Microsoft Security Adviser\msiemon.exe” [null data] “msfw.exe” = “C:\Program Files\Microsoft Security Adviser\msfw.exe” [null data] “mssadv.exe” = “(empty string)” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [file not found] “ABmenu” = “C:\Program Files\ArcaVir\Bin\ABmenu.exe” [“ArcaBit”] “ABREGMON” = “C:\Program Files\ArcaVir\Bin\ABregmon.exe” [“ArcaBit”] “mssadv.exe” = “*d” (unwritable string) [file not found] “msctrl.exe” = “C:\Program Files\Microsoft Security Adviser\msctrl.exe” [null data] “msavsc.exe” = “C:\Program Files\Microsoft Security Adviser\msavsc.exe” [null data] “msscan.exe” = “C:\Program Files\Microsoft Security Adviser\msscan.exe” [null data] “msiemon.exe” = “C:\Program Files\Microsoft Security Adviser\msiemon.exe” [null data] “msfw.exe” = “C:\Program Files\Microsoft Security Adviser\msfw.exe” [null data] “Microsoft security adviser” = “C:\Program Files\Microsoft Security Adviser\mssadv.exe” [“home”] HKLM\Software\Microsoft\Active Setup\Installed Components\ {306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided) \StubPath = ““C:\WINDOWS\System32\rundll32.exe” “C:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {31FF080D-12A3-439A-A2EF-4BA95A3148E8}(Default) = (no title provided) -> {HKLM…CLSID} = “bho2gr Class” \InProcServer32(Default) = “E:\Programy\GetRight\xx2gr.dll” [“Headlight Software, Inc.”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRar\rarext.dll” [null data] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension” -> {HKLM…CLSID} = “SimpleShlExt Class” \InProcServer32(Default) = “C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll” [empty string] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{9C0ADB68-353A-61DD-ED09-1D8003A61111}” = “*” (unwritable string) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\kb1111p.dll” [null data] HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\ “load” = (value not set) “run” = (value not set) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ <> “System” = “cslri.exe” [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ ArcaVir(Default) = “{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}” -> {HKLM…CLSID} = “ArcaVir Shell Extension” \InProcServer32(Default) = “C:\Program Files\ArcaVir\Bin\ArcaShl.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRar\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRar\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ ArcaVir(Default) = “{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}” -> {HKLM…CLSID} = “ArcaVir Shell Extension” \InProcServer32(Default) = “C:\Program Files\ArcaVir\Bin\ArcaShl.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRar\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableTaskMgr” = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options| Remove Task Manager} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Documents and Settings\Spider_MK\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Spider_MK\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Leon1 · 19 Grudzień 2007 18:09

Pobierz Combofix http://www.searchengines.pl/index.php?showtopic=86306&st=0&p=395642entry395642

Otwórz notatnik i wklej

Folder::

C:\Program Files\Microsoft Security Adviser


Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 

"msctrl.exe"=-

"msavsc.exe"=-

"msscan.exe"=-

"msiemon.exe"=-

"msfw.exe"=-

"mssadv.exe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"mssadv.exe"=-

"msctrl.exe"=-

"msavsc.exe"=-

"msscan.exe"=-

"msiemon.exe"=-

"msfw.exe"=-

"Microsoft security adviser"=-

zapisz jako CFScript (zapisz by ikonka CFScript.txt była obok ikonki ComboFix.exe) >> Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe

http://img.wklej.org/images/88953CFScri … iemoes.gif

na pytanie “1 or 2” - to wpisz 1 i naciśnij ENTER

Powinno rozpocząć się usuwanie

Daj log na forum

Potem usuń ręcznie folder C: \Qoobox

Daj również nowy log HijackThis

Maciej13 · 19 Grudzień 2007 18:53

Leon$ , to nie wszystko. Mamy również fałszywe adresy DNS (Ukraina):

Do użycia FixWareOut w Trybie Awaryjnym. Po pracy log do pokazania (lokalizacja: C:\fixwareout\ report.txt ). Wymienione wyżej wpisy fixujesz w Hjt.

Spider_MK · 19 Grudzień 2007 19:53

oto nowe logi

Hijckthis

Logfile of HijackThis v1.99.1 Scan saved at 20:39, on 2007-12-19 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ArcaVir\Bin\ABmenu.exe C:\Program Files\ArcaVir\Bin\ABregmon.exe C:\Program Files\ArcaVir\Bin\NetMonSv.exe C:\Program Files\ArcaVir\Bin\avmonsv.exe D:\wwszystko co bylo na pulpicie\programy\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Programy\GetRight\xx2gr.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [ABmenu] C:\Program Files\ArcaVir\Bin\ABmenu.exe O4 - HKLM…\Run: [ABREGMON] C:\Program Files\ArcaVir\Bin\ABregmon.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: Download with GetRight - E:\Programy\GetRight\GRdownload.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Browser - E:\Programy\GetRight\GRbrowse.htm O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/294f4c8dd02 … xIE601.cab O16 - DPF: {77829F14-D911-40FF-A2F0-D11DB8D6D0BC} - http://activex.microsoft.com/objects/ocget.dll O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - C:\Program Files\ArcaVir\Bin\NetMonSv.exe O23 - Service: ArcaVir Monitor (ArcaMonSvc) - ArcaBit - C:\Program Files\ArcaVir\Bin\avmonsv.exe O23 - Service: ArcaScan - ArcaBit - C:\Program Files\ArcaVir\Bin\arcascan.exe O23 - Service: arcaserv - ArcaBit Sp. z o. o. - C:\Program Files\ArcaVir\bin\arcaserv.exe O23 - Service: Us3uga inteligentnego transferu w tle BITSSCardSvr (BITSSCardSvr) - Unknown owner - C:\WINDOWS\System32\adsndsz.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Fixwareout

Username “Spider_MK” - 2007-12-19 20:29:28 [Fixwareout edited 2007/07/05] »»»»»Prerun check Service: “Windows Management Service” = C:\WINDOWS\System32\dmmkj.exe Pomyslnie oprózniono pamiec podreczna programu rozpoznawania nazw DNS. »»»»» Postrun check HKLM\SOFTWARE~\Winlogon\ “system”="" … HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “}59D4B30F3C94-D119-7CB4-0FCB-95CD2712{” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “}CACED0E6B0D9-9809-6D04-4BE3-BAD4CC1A{” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “xsjmd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “}9928430A97A7-3EAB-B9C4-AC4D-64FE8BFC{” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “dphmd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “huymd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “qpemd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “hicmd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “atlmd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “qljmd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “eqnmd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “mavmd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “lqcmd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “mndmd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “xjpmd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “xapmd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “lgpmd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “hiomd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “ecfmd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “kakmd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “wlrmd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “lelmd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “jkmmd” Deleted … »»»»» Misc files. … »»»»» Checking for older varients. … Search five digit cs, dm, kd, jb, other, files. The following files NEED TO BE SUBMITTED to one of the following URL’S for further inspection. C:\WINDOWS\system32\dmcih.exe 63042 2002-09-28 Click browse, find the file then click submit. http://www.virustotal.com/flash/index_en.html Or http://virusscan.jotti.org/ »»»»» Other C:\WINDOWS\TEMP\dmmkj.ren 63042 2002-09-28 »»»»» Current runs (hklm hkcu “run” Keys Only) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run] “SpeedTouch USB Diagnostics”="“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon" “ABmenu”=“C:\Program Files\ArcaVir\Bin\ABmenu.exe” “ABREGMON”=“C:\Program Files\ArcaVir\Bin\ABregmon.exe” [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” … Hosts file was reset, If you use a custom hosts file please replace it »»»»» End report »»»»»

ComboFix

ComboFix 07-12-19.2 - Spider_MK 2007-12-19 20:06:56.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.1.1250.48.1045.18.208 [GMT 1:00] Running from: C:\Documents and Settings\Spider_MK\Pulpit\ComboFix.exe Command switches used :: C:\Documents and Settings\Spider_MK\Pulpit\CFScript.txt * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Autorun.inf C:\Program Files\Microsoft Security Adviser C:\Program Files\Microsoft Security Adviser\msavsc.exe C:\Program Files\Microsoft Security Adviser\msctrl.exe C:\Program Files\Microsoft Security Adviser\msfw.exe C:\Program Files\Microsoft Security Adviser\msiemon.exe C:\Program Files\Microsoft Security Adviser\mssadv.exe C:\Program Files\Microsoft Security Adviser\msscan.exe C:\svchost2.exe C:\WINDOWS\msavsc.dll C:\WINDOWS\msctrl.dll C:\WINDOWS\msfw.dll C:\WINDOWS\msiemon.dll C:\WINDOWS\mssadv.dll C:\WINDOWS\msscan.dll C:\WINDOWS\system32\kb1111p.dll D:\Autorun.inf E:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_RUNTIME -------\LEGACY_RUNTIME2 ((((((((((((((((((((((((( Files Created from 2007-11-19 to 2007-12-19 ))))))))))))))))))))))))))))))) . 2007-11-24 07:55 . 2007-11-24 07:55 12,400 --a------ C:\WINDOWS\system32\drivers\SECDRV.SYS 2007-11-22 16:55 . 2007-11-22 16:55 2007-11-22 13:47 . 2007-11-22 13:47 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-19 19:05 --------- d-----w C:\Program Files\Neostrada TP 2007-10-17 18:39 7,680 ----a-w C:\Documents and Settings\Spider_MK\ie_update3r.exe 2006-12-15 18:54 20 —h–w C:\Documents and Settings\All Users\Dane aplikacji\PKP_DLec.DAT 2005-03-31 20:17 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2001-11-23 10:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ----a-w 185,896 2006-10-29 20:08:56 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe ----a-w 24,576 2003-10-16 16:07:10 C:\Program Files\Neostrada TP\bak\CnxMon.exe ----a-w 53,248 2003-10-16 16:07:12 C:\Program Files\Neostrada TP\bak\TaskbarIcon.exe ----a-w 20,480 2003-10-16 16:07:12 C:\Program Files\Neostrada TP\bak\Watch.exe ----a-w 878,080 2003-09-05 04:59:20 C:\Program Files\Thomson\SpeedTouch USB\bak\Dragdiag.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [] “ABmenu”=“C:\Program Files\ArcaVir\Bin\ABmenu.exe” [2005-12-31 15:01] “ABREGMON”=“C:\Program Files\ArcaVir\Bin\ABregmon.exe” [2005-12-31 15:02] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] “system”=“cslri.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcaCheck] C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe /startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC] 2006-05-10 10:12 90112 --a------ C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] 2002-09-28 23:00 13312 --a------ C:\WINDOWS\System32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] E:\Programy\D-Tools\daemon.exe -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Directx click] directxclick.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Security] C:\WINDOWS\System32\drivers\mssec.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvcc25] svcchost.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mysvcig38] mysvcc.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] 2003-12-08 16:35 32768 --a------ C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2006-12-15 02:23 75520 --a------ C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Task Manager Win32] C:\WINDOWS\System32\taskmngr32.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Updates Security System] kavsvc.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] “Ati HotKey Poller”=2 (0x2) “ArcaBit.Core.LoggingService”=3 (0x3) “ArcaBit.Core.Configurator”=3 (0x3) “Messenger”=2 (0x2) R1 ABTDI;ABTDI;C:\Program Files\ArcaVir\Bin\ABTDI.sys [2005-12-31 14:57] R1 atitray;atitray;C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys [2006-11-30 09:05] R2 ArcaMonSvc;ArcaVir Monitor;C:\Program Files\ArcaVir\Bin\avmonsv.exe [2005-12-31 15:02] S2 BITSSCardSvr;Usługa inteligentnego transferu w tle BITSSCardSvr;C:\WINDOWS\System32\adsndsz.exe srv [] S3 arcaen;ArcaMon Kernel Engine;C:\Program Files\ArcaVir\Bin\arcaen.sys [2005-12-31 15:03] S3 arcaev;ArcaMon Kernel Events;C:\Program Files\ArcaVir\Bin\arcaev.sys [2005-12-31 14:57] S3 arcafd;ArcaMon Kernel Filter Driver;C:\Program Files\ArcaVir\Bin\arcafd.sys [2005-12-31 14:57] S3 ArcaScan;ArcaScan;C:\Program Files\ArcaVir\Bin\arcascan.exe [2005-12-31 15:02] S3 arcaserv;arcaserv;C:\Program Files\ArcaVir\bin\arcaserv.exe [2005-12-31 14:57] S3 msdirectxclick;msdirectxclick;C:\Documents and Settings\Spider_MK\msdirectxclk.sys [] S4 Windows Management Service;Windows Management Service;C:\WINDOWS\System32\dmmkj.exe -service [] . ************************************************************************** catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-19 20:12:22 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-12-19 20:15:00 - machine was rebooted [spider_MK]

Gutek · 19 Grudzień 2007 20:53

porzede wszystkim gubisz wpisy:

Wklej do Notatnika:

Driver:: “Windows Management Service” Registry:: [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] “System”=- “System”="" [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvcc25] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mysvcig38] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Directx click] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Security] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Task Manager Win32] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Updates Security System]

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Pobierz program SDFix