Wskakujące strony typu oczyszczaczkomputerza

Dla specjalistów Bezpieczeństwo
#1

Witam mam pewien problem z trojanami. Min gdy wlącze przeglądarke internetową, to co troche wchodza mi strony typu http://www.oczyszczaniekomputerza.pl proszą także abym zciagnolł program wtedy mi nie bdzie to wyskakiwało. Jeszcze mi wyskakuje z 3 inne tego samego typu strony.

Bardzo prosze o sprawdzenie loga

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:09:46, on 2008-05-21

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20772)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\ATKKBService.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

D:\Program Files\Adobe\Acrobat\Acrotray.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Winamp\winamp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

O4 - HKLM…\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe”

O4 - HKLM…\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot

O4 - HKLM…\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM…\Run: [soundMAX] “C:\Program Files\Analog Devices\SoundMAX\Smax4.exe” /tray

O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”

O4 - HKLM…\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe”

O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”

O4 - HKLM…\Run: [Acrobat Assistant 8.0] “D:\Program Files\Adobe\Acrobat\Acrotray.exe”

O4 - HKLM…\Run: [egui] “C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe” /hide /waitservice

O4 - HKLM…\Run: [bearShare] “D:\Program Files\BearShare\BearShare.exe” /pause

O4 - HKLM…\Run: [d000ae61] rundll32.exe “C:\WINDOWS\system32\rppigajy.dll”,b

O4 - HKLM…\Run: [bMd3339dfd] Rundll32.exe “C:\WINDOWS\system32\ektkqoue.dll”,s

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe”

O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-19…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-20…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS\S-1-5-18…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User ‘SYSTEM’)

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)

O4 - HKUS.DEFAULT…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User ‘Default user’)

O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre … 586-jc.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

End of file - 8736 bytes

#2

Gdzieś Ty się uczył pisać po polsku ???

#3

fix w hijackthis

Pobierz ComboFix, ale nie uruchamiaj

Wklej do notatnika:

File::

C:\WINDOWS\system32\rppigajy.dll

C:\WINDOWS\system32\ektkqoue.dll

Plik -> zapisz jako -> CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu ->

02f8f1e3c410a4cc.gif

Rozpocznie się usuwanie i powstanie log, daj ten log na forum.

#4

dac loga ?

#5

Tak daj log z usuwania z combofix

#6

ComboFix 08-05-21.2 - Piotrek 2008-05-22 10:22:26.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.551 [GMT 2:00]

Running from: C:\Documents and Settings\Piotrek\Moje dokumenty\ComboFix.exe

Command switches used :: C:\Documents and Settings\Piotrek\Pulpit\CFScript.txt

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\WINDOWS\system32\ektkqoue.dll

C:\WINDOWS\system32\rppigajy.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\BMd3339dfd.xml

C:\WINDOWS\pskt.ini

C:\WINDOWS\system32\ektkqoue.dll

.

((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))

.

2008-05-22 10:17 . 2008-05-22 10:17

2008-05-22 10:17 . 2008-05-22 10:17

2008-05-22 09:49 . 2008-05-22 09:49 86,860 --a------ C:\WINDOWS\system32\jkkLCtTk.dll

2008-05-22 09:49 . 2008-05-22 09:55 354 —hs---- C:\WINDOWS\system32\mxqrtoxy.ini

2008-05-22 09:43 . 2008-05-22 09:43

2008-05-22 09:43 . 2008-05-22 09:43

2008-05-22 09:43 . 2008-05-22 09:43

2008-05-22 09:43 . 2008-05-22 09:43

2008-05-22 08:15 . 2008-05-22 08:15 114,688 --a------ C:\WINDOWS\system32\yxotrqxm.dll

2008-05-22 08:10 . 2008-05-22 08:10 128,000 --a------ C:\WINDOWS\system32\haqoicfl.dll

2008-05-22 07:37 . 2008-05-22 07:37 128,000 --a------ C:\WINDOWS\system32\sbprbuou.dll

2008-05-21 20:38 . 2008-05-21 20:38 126,464 --a------ C:\WINDOWS\system32\xlmegwtr.dll

2008-05-21 20:37 . 2008-05-21 20:37 369,152 --a------ C:\WINDOWS\system32\jkkKaaay.dll

2008-05-21 17:25 . 2008-05-21 17:25 94,910 —h----- C:\treeinfo.wc

2008-05-21 17:24 . 2008-05-21 17:24

2008-05-21 17:24 . 2008-05-21 18:08 618 --a------ C:\WINDOWS\wincmd.ini

2008-05-21 17:24 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\UC.PIF

2008-05-21 17:24 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\RAR.PIF

2008-05-21 17:24 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\PKZIP.PIF

2008-05-21 17:24 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\PKUNZIP.PIF

2008-05-21 17:24 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\NOCLOSE.PIF

2008-05-21 17:24 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\LHA.PIF

2008-05-21 17:24 . 2008-04-22 07:03 545 --a------ C:\WINDOWS\ARJ.PIF

2008-05-21 16:31 . 2008-05-21 16:31

2008-05-21 16:31 . 2008-05-22 09:59 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe

2008-05-21 16:31 . 2008-05-22 09:59 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe

2008-05-21 16:31 . 2008-05-22 09:59 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-05-21 16:31 . 2008-05-21 16:31 22,328 --a------ C:\Documents and Settings\Piotrek\Dane aplikacji\PnkBstrK.sys

2008-05-21 16:31 . 2008-05-21 16:31 294 --a------ C:\WINDOWS\game.ini

2008-05-21 16:19 . 2008-05-21 16:19

2008-05-21 16:14 . 2008-05-21 16:14

2008-05-21 15:38 . 2008-05-21 15:38

2008-05-21 15:38 . 2007-04-24 17:30 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll

2008-05-21 15:38 . 2008-03-28 19:41 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll

2008-05-21 15:38 . 2007-07-10 18:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest

2008-05-21 13:01 . 2008-05-21 13:01

2008-05-20 22:36 . 2008-05-20 22:36 2,560 --a------ C:\WINDOWS_MSRSTRT.EXE

2008-05-20 20:19 . 2008-05-20 20:19

2008-05-20 20:19 . 2008-05-20 20:19

2008-05-20 18:24 . 2008-05-20 18:28

2008-05-20 08:02 . 2008-05-20 08:02

2008-05-20 07:57 . 2008-05-20 20:20

2008-05-20 07:57 . 2008-05-20 07:57

2008-05-19 21:44 . 2008-05-19 21:44 23 --a------ C:\WINDOWS\BlendSettings.ini

2008-05-19 21:42 . 2008-05-19 21:42

2008-05-19 20:50 . 2008-05-21 16:12 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2008-05-19 19:17 . 2008-05-19 19:17

2008-05-19 19:12 . 2008-05-19 19:12

2008-05-19 19:12 . 2008-05-19 19:12

2008-05-19 18:59 . 2008-05-19 18:59 58,880 --a------ C:\WINDOWS\system32\vtUmnkki.dll

2008-05-19 18:59 . 2008-05-19 18:59 58,880 --a------ C:\WINDOWS\system32\ssqqQkIC.dll

2008-05-19 18:59 . 2008-05-19 18:59 58,880 --a------ C:\WINDOWS\system32\rqRIxxvt.dll

2008-05-19 18:59 . 2008-05-19 18:59 58,880 --a------ C:\WINDOWS\system32\nnnnOiHy.dll

2008-05-19 18:59 . 2008-05-19 18:59 58,880 --a------ C:\WINDOWS\system32\ljJDSIxy.dll

2008-05-19 18:59 . 2008-05-19 18:59 58,880 --a------ C:\WINDOWS\system32\geBQggeC.dll

2008-05-19 18:59 . 2008-05-19 18:59 58,880 --a------ C:\WINDOWS\system32\cbXRJCvV.dll

2008-05-19 18:58 . 2008-05-19 18:58 58,880 --a------ C:\WINDOWS\system32\hgGvstUm.dll

2008-05-19 18:57 . 2008-05-19 18:57 58,880 --a------ C:\WINDOWS\system32\pmnmLbAS.dll

2008-05-19 18:57 . 2008-05-19 18:57 58,880 --a------ C:\WINDOWS\system32\mlJYPJcD.dll

2008-05-19 18:57 . 2008-05-19 18:57 58,880 --a------ C:\WINDOWS\system32\ljJdeBsR.dll

2008-05-19 18:57 . 2008-05-19 18:57 58,880 --a------ C:\WINDOWS\system32\khfGawxu.dll

2008-05-19 18:57 . 2008-05-19 18:57 58,880 --a------ C:\WINDOWS\system32\fcccdAPi.dll

2008-05-19 18:57 . 2008-05-19 18:57 58,880 --a------ C:\WINDOWS\system32\ddcAqqQG.dll

2008-05-19 18:57 . 2008-05-19 18:57 58,880 --a------ C:\WINDOWS\system32\byXRkKef.dll

2008-05-19 18:56 . 2008-05-22 10:23

2008-05-19 18:56 . 2008-05-17 20:59

2008-05-19 18:56 . 2008-05-17 19:05

2008-05-19 18:56 . 2008-05-17 20:59

2008-05-19 18:56 . 2008-05-17 20:59

2008-05-19 18:56 . 2008-05-17 20:59

2008-05-19 18:56 . 2008-05-17 20:59

2008-05-19 18:56 . 2008-05-19 18:56

2008-05-19 15:28 . 2008-05-19 15:28

2008-05-19 15:27 . 2008-05-22 10:23

2008-05-19 15:27 . 2008-05-21 21:35

2008-05-19 15:27 . 2008-05-17 19:05

2008-05-19 15:27 . 2008-05-17 20:59

2008-05-19 15:27 . 2008-05-19 15:28

2008-05-19 15:27 . 2008-05-17 20:59

2008-05-19 15:27 . 2008-05-19 15:32

2008-05-19 15:27 . 2008-05-21 21:40

2008-05-19 15:27 . 2004-08-04 04:44 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

2008-05-19 15:05 . 2008-05-22 08:04

2008-05-19 15:05 . 2008-05-19 15:05 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat

2008-05-19 15:04 . 2008-05-22 09:56

2008-05-19 15:03 . 2008-05-19 15:03

2008-05-19 15:03 . 2008-05-19 15:03

2008-05-19 15:03 . 2008-05-19 15:03

2008-05-18 21:39 . 2008-05-18 21:39

2008-05-18 21:39 . 2008-05-18 21:41

2008-05-18 21:38 . 2008-05-18 21:38

2008-05-18 21:38 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-05-18 21:37 . 2008-05-18 21:37

2008-05-18 19:07 . 2008-05-18 19:07

2008-05-18 16:38 . 2008-05-18 16:45

2008-05-18 16:38 . 2008-05-19 12:36

2008-05-18 16:37 . 2008-05-19 19:14

2008-05-18 15:40 . 2004-08-04 00:44 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll

2008-05-18 15:40 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys

2008-05-18 15:40 . 2001-10-26 17:29 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

2008-05-18 15:25 . 2008-05-21 18:33 116 --a------ C:\WINDOWS\NeroDigital.ini

2008-05-18 14:46 . 2008-05-18 16:15

2008-05-18 14:46 . 2008-05-22 09:25

2008-05-18 13:47 . 2008-05-18 13:47

2008-05-18 13:47 . 2008-05-18 15:26

2008-05-18 09:46 . 2008-05-19 19:13

2008-05-18 09:44 . 2008-05-18 09:44

2008-05-18 09:44 . 2008-05-18 09:44

2008-05-18 09:44 . 2008-05-18 09:45

2008-05-18 09:44 . 2008-05-18 09:48

2008-05-18 09:41 . 2008-05-18 09:41

2008-05-18 09:40 . 2008-05-18 09:40 0 --a------ C:\WINDOWS\nsreg.dat

2008-05-18 09:35 . 2008-05-22 10:23

2008-05-18 09:35 . 2008-05-22 09:32

2008-05-18 09:35 . 2008-05-17 19:05

2008-05-18 09:35 . 2008-05-22 10:22

2008-05-18 09:35 . 2008-05-22 10:17

2008-05-18 09:35 . 2008-05-18 09:44

2008-05-18 09:35 . 2008-05-18 09:35

2008-05-18 09:35 . 2008-05-21 16:31

2008-05-18 09:35 . 2008-05-22 10:17

2008-05-17 21:03 . 2001-08-17 23:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys

2008-05-17 21:03 . 2001-08-17 23:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys

2008-05-17 21:02 . 2008-05-17 21:02

2008-05-17 21:02 . 2004-08-04 02:35 58,624 --a------ C:\WINDOWS\system32\drivers\redbook.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-21 14:31 --------- d–h--w C:\Program Files\InstallShield Installation Information

2008-05-17 18:50 --------- d-----w C:\Program Files\Analog Devices

2008-05-17 18:44 --------- d-----w C:\Program Files\Intel

2008-05-17 18:40 --------- d-----w C:\Documents and Settings\tomek\Dane aplikacji\ATI

2008-05-17 18:36 --------- d-----w C:\Program Files\My Company Name

2008-05-17 18:36 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-05-17 18:35 --------- d-----w C:\Program Files\ATI Technologies

2008-05-17 18:34 --------- d-----w C:\Program Files\Common Files\ATI Technologies

2008-05-17 17:07 --------- d-----w C:\Program Files\Usługi online

2008-05-17 17:05 --------- d-----w C:\Program Files\Windows Media Connect 2

2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll

2008-03-25 04:52 621,344 ------w C:\WINDOWS\system32\dllcache\mswstr10.dll

2008-03-25 04:52 178,976 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-25 04:52 178,976 ------w C:\WINDOWS\system32\dllcache\msjint40.dll

2008-03-20 08:01 1,846,144 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-20 08:01 1,846,144 ------w C:\WINDOWS\system32\dllcache\win32k.sys

2008-03-05 14:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll

2008-03-05 14:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll

2008-03-05 14:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll

2008-03-05 13:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll

2008-03-05 13:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll

2008-02-22 09:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe

2008-02-22 09:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2008-02-22 09:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe

.

------- Sigcheck -------

2007-07-10 15:06 642560 ce594e18fe0d0af804f1f3694921ce62 C:\WINDOWS\system32\user32.dll

2007-10-19 00:19 2145280 6c264e21d3bd7082b43fc016d760c1d1 C:\WINDOWS\system32\ntoskrnl.exe

.

((((((((((((((((((((((((((((( snapshot@2008-05-22_ 9.52.27.53 )))))))))))))))))))))))))))))))))))))))))

.

  • 2008-05-22 07:43:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
  • 2008-05-22 07:54:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{522E0112-EDD9-413D-A99E-C311A54B6676}]

2008-05-19 18:57 58880 --a------ C:\WINDOWS\system32\byXRkKef.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 04:44 15360]

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2008-03-20 12:04 2127296]

“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe” [2005-09-03 15:18 94208]

“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2008-04-23 17:45 22058792]

“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe” [2008-05-18 21:41 171448]

“DAEMON Tools”=“C:\Program Files\DAEMON Tools\daemon.exe” []

“AlcoholAutomount”=“C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe” [2008-03-20 18:46 217544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ATICCC”=“C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe” [2006-05-10 11:12 90112]

“JMB36X Configure”=“C:\WINDOWS\system32\JMRaidTool.exe” [2006-06-02 10:45 385024]

“SoundMAXPnP”=“C:\Program Files\Analog Devices\Core\smax4pnp.exe” [2006-05-01 12:07 843776]

“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-01-11 22:16 39792]

“WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2008-04-01 20:49 36352]

“NWEReboot”="" []

“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 11:50 155648]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe” [2008-02-22 04:25 144784]

“Acrobat Assistant 8.0”=“D:\Program Files\Adobe\Acrobat\Acrotray.exe” [2007-05-10 22:46 624248]

“egui”=“C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe” [2008-03-13 16:48 1443072]

“BearShare”=“D:\Program Files\BearShare\BearShare.exe” []

“BMd3339dfd”=“C:\WINDOWS\system32\haqoicfl.dll” [2008-05-22 08:10 128000]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 04:44 15360]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

“nltide_2”=“regsvr32 /s /n /i:U shell32” []

“nltide_3”=“advpack.dll” [2008-03-01 14:35 124928 C:\WINDOWS\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

“DisableStatusMessages”= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

“NoSMMyPictures”= 1 (0x1)

“NoSMConfigurePrograms”= 1 (0x1)

“NoSMHelp”= 1 (0x1)

[HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer]

“NoSMMyPictures”= 1 (0x1)

“NoSMConfigurePrograms”= 1 (0x1)

“NoSMHelp”= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

“{522E0112-EDD9-413D-A99E-C311A54B6676}”= C:\WINDOWS\system32\byXRkKef.dll [2008-05-19 18:57 58880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXRkKef]

byXRkKef.dll 2008-05-19 18:57 58880 C:\WINDOWS\system32\byXRkKef.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

“AntiVirusDisableNotify”=dword:00000001

“AntiVirusOverride”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\Network Diagnostic\xpnetdiag.exe”=

“%windir%\system32\sessmgr.exe”=

“C:\Program Files\uTorrent\uTorrent.exe”=

“C:\WINDOWS\system32\PnkBstrA.exe”=

“C:\WINDOWS\system32\PnkBstrB.exe”=

“D:\Call of Duty 4 - Modern Warfare\iw3mp.exe”=

“C:\Program Files\Skype\Phone\Skype.exe”=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-10-17 20:21]

S3 AVMUNET;AVM FRITZ!Box;C:\WINDOWS\system32\DRIVERS\avmunet.sys [2004-05-14 02:00]

S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

*Newly Created Service* - PNKBSTRA

*Newly Created Service* - PNKBSTRK

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-22 10:23:40

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe

  • C:\WINDOWS\system32\byXRkKef.dll

.

Completion time: 2008-05-22 10:24:24

ComboFix-quarantined-files.txt 2008-05-22 08:24:19

ComboFix2.txt 2008-05-22 07:52:55

Pre-Run: 6,689,116,160 bajtów wolnych

Post-Run: 6,696,767,488 bajtów wolnych

270 — E O F — 2008-05-17 19:02:37

#7

Pobierz ComboFix, ale nie uruchamiaj

Wklej do notatnika:

File::

C:\WINDOWS\system32\jkkLCtTk.dll

C:\WINDOWS\system32\mxqrtoxy.ini

C:\WINDOWS\system32\yxotrqxm.dll

C:\WINDOWS\system32\haqoicfl.dll

C:\WINDOWS\system32\sbprbuou.dll

C:\WINDOWS\system32\xlmegwtr.dll

C:\WINDOWS\system32\jkkKaaay.dll

C:\WINDOWS\system32\vtUmnkki.dll

C:\WINDOWS\system32\ssqqQkIC.dll

C:\WINDOWS\system32\rqRIxxvt.dll

C:\WINDOWS\system32\nnnnOiHy.dll

C:\WINDOWS\system32\ljJDSIxy.dll

C:\WINDOWS\system32\geBQggeC.dll

C:\WINDOWS\system32\cbXRJCvV.dll

C:\WINDOWS\system32\hgGvstUm.dll

C:\WINDOWS\system32\pmnmLbAS.dll

C:\WINDOWS\system32\mlJYPJcD.dll

C:\WINDOWS\system32\ljJdeBsR.dll

C:\WINDOWS\system32\khfGawxu.dll

C:\WINDOWS\system32\fcccdAPi.dll

C:\WINDOWS\system32\ddcAqqQG.dll

C:\WINDOWS\system32\byXRkKef.dll

C:\WINDOWS\system32\byXRkKef.dll

C:\WINDOWS\system32\haqoicfl.dll


Folder::

C:\Documents and Settings\tomek\Dane aplikacji\OczyszczaczKomputerza

C:\Program Files\Common Files\OczyszczaczKomputerza

C:\Documents and Settings\All Users\Dane aplikacji\OczyszczaczKomputerza


Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{522E0112-EDD9-413D-A99E-C311A54B6676}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"=-

"WinampAgent"=-

"NWEReboot"=-

"NeroFilterCheck"=-

"SunJavaUpdateSched"=-

"Acrobat Assistant 8.0"=-

"BMd3339dfd"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{522E0112-EDD9-413D-A99E-C311A54B6676}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXRkKef]

Plik -> zapisz jako -> CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu ->

02f8f1e3c410a4cc.gif

Rozpocznie się usuwanie i powstanie log, daj ten log na forum.

W dniu 22.05.2008 , o godzinie 11:43 został dopisany post przez huber2t

Logi dajesz na http://www.wklej.org

#8

http://www.wklej.org/id/e0a4c6a4f1

#9

Pobierz ComboFix, ale nie uruchamiaj

Wklej do notatnika:

File::

C:\WINDOWS\system32\uxsrxjhb.ini 

C:\WINDOWS\system32\bhjxrsxu.dll 

C:\WINDOWS\system32\hoajoybi.dll


Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"d000ae61"=-

Plik -> zapisz jako -> CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu ->

02f8f1e3c410a4cc.gif

Rozpocznie się usuwanie i powstanie log, daj ten log na forum.

#10

http://www.wklej.org/id/2c39cc5f8f

#11

Log wyglada na czysty

Usuń ręcznie folder C:\Qoobox,usuń instalkę Combofix z dysku

Przeczyść komputer Ccleanerem

Wykonaj optymalizację autostartu

Wyłącz przywracanie systemu na wszystkich dyskach. Instrukcja

Przeskanuj komputer tym (uruchom przez IE) http://www.kaspersky.pl/virusscanner.html Daj raport z niego na forum

Włącz przywracanie systemu.

#12

Zastosuj się do tego Tematu i zmień tytuł tematu na konkretny inaczej KOSZ

Pozdrawiam Gutek2222

#13

Ok juz wszystko chodzi poprawnie. A teraz co do wirusów. Czy to moze byc przyczyną zainstalowania programu bearshare. bo przed nim nie mialem tych wirusów gdy go zainstalowalem zaczelo się to pojawiac ?

#14

pewnie sciągnołeśjakis syf przy jego pomocy

#15

Mozliwe. Wielkie dzieki za pomoc. Temat mozna zamknąc