Konrad81
(K Liskowacki)
13 November 2007 18:44
#1
I would really appreciate some help, because I cannot cope with this at all, and the antispyware program is not much help
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:27:38, on 2007-11-13
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Neostrada TP\taskbaricon.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Oxigen\bin\Oxigen.exe
C:\Program Files\Oxigen\bin\OxiTray.exe
C:\Program Files\Oxigen\bin\OxiPanel.exe
E:\QuickTime 6.0\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\UAService.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\apvxdwin.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Upgrader.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.searchxl.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\System32\pavdr.exe,C:\WINDOWS\System32\userinit.exe,
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\System32\bgxstyjm.dll
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [OxigenClientAdmin] C:\Program Files\Oxigen\bin\Oxigen.exe
O4 - HKLM\..\Run: [OxigenTrayIcon] C:\Program Files\Oxigen\bin\OxiTray.exe
O4 - HKLM\..\Run: [OxigenDesktopPanel] C:\Program Files\Oxigen\bin\OxiPanel.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\QuickTime 6.0\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [405517aa] rundll32.exe "C:\WINDOWS\System32\uqxddxdk.dll",b
O4 - HKLM\..\Run: [sDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [usbdrv] servicetask.exe
O4 - HKCU\..\Run: [sSS6_Suite] "C:\Program Files\Steganos Security Suite 6\sss.exe" /booting
O4 - HKCU\..\Run: [sSS6_SAFE] "C:\Program Files\Steganos Security Suite 6\safe.exe" /booting
O4 - HKCU\..\Run: [sSS6_SPM] "C:\Program Files\Steganos Security Suite 6\spm.exe" /booting
O4 - HKCU\..\RunServices: [security Agent Manager] mssams.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\Run: [sSS6_Suite] "C:\Program Files\Steganos Security Suite 6\sss.exe" /booting (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\Run: [sSS6_SAFE] "C:\Program Files\Steganos Security Suite 6\safe.exe" /booting (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\Run: [sSS6_SPM] "C:\Program Files\Steganos Security Suite 6\spm.exe" /booting (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [security Agent Manager] mssams.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [security Agent Manager] mssams.exe (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\JetCar.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\JetCar.exe
O16 - DPF: {65D72393-E210-4A2A-B8E0-10AC45986770} (GWebInstallControl Object) - http://megapanel.gem.pl/WebInstaller.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA6E5A0E-512B-4C01-8BA8-20EACB85BED9}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: usbdrv (…) - Unknown owner - C:\WINDOWS\System32\C:\WINDOWS\System32\servicetask.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - C:\WINDOWS\system\svchest.exe (file missing)
O23 - Service: Indexing Helper (Indexingboxs) - Unknown owner - c:\temp\svchost.exe (file missing)
O23 - Service: Panda Antispam Server Service (PASSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\System32\UAService.exe

--
End of file - 10384 bytes
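For readers working through a HijackThis log like the one above, here is a small triage script, added as an example for this thread (it is not part of the original posts or of HijackThis). It picks out the entry patterns that the helpers acted on here: the extended UserInit chain (F2), hosts-file redirections to an outside address (O1), autorun values with random names, rundll32-loaded random DLLs or path-less commands (O4), browser add-on DLLs with random names (O2/O3) and services whose binary is gone (O23). The sample lines inside it are quoted from the log above; the rules are review heuristics, not verdicts.

```python
"""HijackThis log triage: an added example for this thread, not part of the
original posts or of HijackThis itself. The sample lines are quoted from the
log in post #1; the rules are review heuristics, not verdicts."""
from __future__ import annotations

import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RANDOM_DLL_RE = re.compile(r"\\[a-z]{8}\.dll\b", re.I)  # e.g. \bgxstyjm.dll
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")               # e.g. [405517aa]
LOCAL_HOSTS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\System32\pavdr.exe,C:\WINDOWS\System32\userinit.exe,
O1 - Hosts: 12.129.205.209 search.netscape.com
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\System32\bgxstyjm.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [405517aa] rundll32.exe "C:\WINDOWS\System32\uqxddxdk.dll",b
O4 - HKCU\..\Run: [usbdrv] servicetask.exe
O4 - HKCU\..\RunServices: [security Agent Manager] mssams.exe
O23 - Service: Indexing Helper (Indexingboxs) - Unknown owner - c:\temp\svchost.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
"""


@dataclass(frozen=True)
class Finding:
    entry_type: str
    reason: str
    line: str


def check_f2(body: str) -> str | None:
    """F2 UserInit: anything besides userinit.exe runs at every logon.
    Security suites (here Panda's pav.reg/pavdr.exe) do this too, so verify."""
    if "UserInit=" not in body:
        return None
    chain = body.split("UserInit=", 1)[1]
    extras = [p.strip() for p in chain.split(",")
              if p.strip() and not p.strip().lower().endswith("\\userinit.exe")]
    return f"UserInit chain runs extra programs: {'; '.join(extras)}" if extras else None


def check_o1(body: str) -> str | None:
    """O1 Hosts: a name mapped to anything but localhost is a redirection."""
    parts = body.split()
    if len(parts) < 3 or parts[0] != "Hosts:" or parts[1] in LOCAL_HOSTS:
        return None
    return f"hosts file redirects {parts[2]} to external address {parts[1]}"


def check_o4(body: str) -> str | None:
    """O4 autoruns: random names, rundll32-loaded random DLLs, path-less commands."""
    m = O4_RE.match(body)
    if not m:
        return None  # e.g. 'Global Startup: ...' entries carry no [name]
    name, cmd = m.group("name"), m.group("cmd")
    if HEX_NAME_RE.match(name):
        return f"autorun value name '{name}' is a random hex string"
    if cmd.lower().startswith("rundll32") and RANDOM_DLL_RE.search(cmd):
        return "rundll32 loads a DLL with a random-looking name"
    tokens = cmd.split()
    if tokens and "\\" not in tokens[0].strip('"'):
        return f"autorun command '{cmd}' is a bare filename with no path"
    return None


def check_o23(body: str) -> str | None:
    """O23 services: a registered service whose binary is gone is a leftover."""
    if body.startswith("Service:") and body.rstrip().endswith("(file missing)"):
        return "service points at a binary that no longer exists"
    return None


def check_dll(body: str) -> str | None:
    """O2 BHOs / O3 toolbars: random 8-letter DLL names deserve a second look."""
    return "browser add-on DLL has a random-looking name" if RANDOM_DLL_RE.search(body) else None


CHECKS = {"F2": check_f2, "O1": check_o1, "O2": check_dll,
          "O3": check_dll, "O4": check_o4, "O23": check_o23}


def triage(log_text: str) -> list[Finding]:
    """Return the HijackThis entries that deserve a closer look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m or m.group("type") not in CHECKS:
            continue  # headers, the process list, entry types without a rule
        reason = CHECKS[m.group("type")](m.group("body"))
        if reason:
            findings.append(Finding(m.group("type"), reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry_type:<4}{f.reason}\n    {f.line}")
```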
Konrad81
(K Liskowacki)
13 November 2007 21:13
#3
I deleted the marked ones and ran ComboFix. While producing the ComboFix log the computer froze, but now the internet works normally. No warnings about spyware, trojans and so on pop up any more either, so something seems to have helped. Either way - thank you.
Gutek
(Gutek)
13 November 2007 22:43
#6
Konrad81
(K Liskowacki)
13 November 2007 23:11
#7
Scanning that file showed MALWARE.
And here is the ComboFix log:
ComboFix 07-11-08.1 - Koniu 2007-11-13 23:53:51.2 - NTFSx86
Running from: C:\Downloads\ComboFix.exe
.
Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Menu Start\Live Safety Center.lnk
C:\Documents and Settings\All Users\Menu Start\Online Security Guide.lnk
C:\Documents and Settings\Koniu\Pulpit\Live Safety Center.lnk
C:\Documents and Settings\Koniu\Pulpit\Online Security Guide.lnk
C:\Documents and Settings\Koniu\Ulubione\Online Security Guide.lnk
C:\WINDOWS\System32\awtqo.dll
C:\WINDOWS\system32\bgxstyjm.dllbox
C:\WINDOWS\system32\oqtwa.ini
C:\WINDOWS\system32\oqtwa.ini2
.
---- Previous Run -------
.
C:\90842228.exe
C:\Documents and Settings\All Users\Menu Start\Live Safety Center.lnk
C:\Documents and Settings\All Users\Menu Start\Online Security Guide.lnk
C:\Documents and Settings\Koniu\Pulpit\Live Safety Center.lnk
C:\Documents and Settings\Koniu\Pulpit\Online Security Guide.lnk
C:\Documents and Settings\Koniu\Ulubione\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system\cscript.exe
C:\WINDOWS\system\hd.vbs
C:\WINDOWS\system32\bgxstyjm.dllbox
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\vycdd.bak1
C:\WINDOWS\system32\vycdd.bak2
C:\WINDOWS\system32\vycdd.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Indexingbox
-------\Indexingboxs

((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.
2007-11-13 23:28
2007-11-13 21:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-13 19:27
2007-11-13 18:57
2007-11-13 18:57
2007-11-13 17:48
2007-11-13 17:48
2007-11-13 17:48 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-13 17:48 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-13 17:48 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-13 17:48 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-13 17:48 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-13 14:59 88,128 --a------ C:\WINDOWS\system32\uqxddxdk.dll
2007-11-13 14:57 144,480 --a------ C:\WINDOWS\system32\htejtfte.dll
2007-11-13 14:57 144,480 --a------ C:\WINDOWS\system32\bgxstyjm.dll
2007-11-13 14:51 80,448 --a------ C:\WINDOWS\system32\bjmrvldf.dll
2007-11-12 16:57 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-12 15:25
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 23:04 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-11-13 22:39 --------- d-----w C:\Program Files\Neostrada TP
2007-11-13 22:34 84 ----a-w C:\WINDOWS\system32\drivers\netfltConfig.dat
2007-11-13 22:24 --------- d-----w C:\Program Files\FlashGet
2007-11-13 14:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-15 10:12 --------- d-----w C:\Documents and Settings\Koniu\Dane aplikacji\uTorrent
2007-09-28 09:26 --------- d-----w C:\Program Files\uTorrent
2007-02-15 14:25 0 ----a-w C:\Documents and Settings\Koniu\WebExcl.dat
2007-01-08 14:28 14,413,968 ----a-w C:\Program Files\antivir_workstation_win7u_en_h.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}]
2006-11-12 18:33 35328 --a------ C:\WINDOWS\System32\ljjkiji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-13 14:57 144480 --a------ C:\WINDOWS\system32\bgxstyjm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d45445a6-71cd-46e9-a50b-abc57af3818f}]
2007-11-13 14:51 80448 --a------ C:\WINDOWS\System32\bjmrvldf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\bgxstyjm.dll [2007-11-13 14:57 144480]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 17:07]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 17:07]
"WOOTASKBARICON"="C:\Program Files\Neostrada TP\taskbaricon.exe" [2003-10-16 17:07]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-11 12:43]
"OxigenClientAdmin"="C:\Program Files\Oxigen\bin\Oxigen.exe" [2005-09-08 13:50]
"OxigenTrayIcon"="C:\Program Files\Oxigen\bin\OxiTray.exe" [2005-08-23 13:52]
"OxigenDesktopPanel"="C:\Program Files\Oxigen\bin\OxiPanel.exe" [2006-03-31 14:58]
"QuickTime Task"="E:\QuickTime 6.0\qttask.exe" [2005-12-27 15:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-01 12:24]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSS6_Suite"="C:\Program Files\Steganos Security Suite 6\sss.exe" []
"SSS6_SAFE"="C:\Program Files\Steganos Security Suite 6\safe.exe" []
"SSS6_SPM"="C:\Program Files\Steganos Security Suite 6\spm.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"SSS6_Suite"="C:\Program Files\Steganos Security Suite 6\sss.exe" /booting
"SSS6_SAFE"="C:\Program Files\Steganos Security Suite 6\safe.exe" /booting
"SSS6_SPM"="C:\Program Files\Steganos Security Suite 6\spm.exe" /booting

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-07-06 10:13:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"=0 (0x0)
"NoCommonGroups"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}"= C:\WINDOWS\System32\ljjkiji.dll [2006-11-12 18:33 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bgxstyjm]
bgxstyjm.dll 2007-11-13 14:57 144480 C:\WINDOWS\system32\bgxstyjm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjkiji]
ljjkiji.dll 2006-11-12 18:33 35328 C:\WINDOWS\system32\ljjkiji.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\awtqo.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiware]
C:\windows\system32\eliteetf32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avserve2.exe]
C:\WINDOWS\avserve2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\def_bundle.exe]
C:\DOCUME~1\Koniu\USTAWI~1\Temp\EACDownload\def_bundle.exe ezskins3 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DEF_BU~1.EXE]
C:\DOCUME~1\Koniu\USTAWI~1\Temp\EACDownload\DEF_BU~1.EXE ezskins3 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Services]
msnmgrme.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Inet Xp…]
teekids.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update]
wuamgrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PayTime]
C:\WINDOWS\System32\paytime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"E:\QuickTime 6.0\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHBundle]
C:\DOCUME~1\Koniu\USTAWI~1\Temp\bundle.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Security Agent Manager]
mssams.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sf]
C:\Program Files\sf\sf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpoolSrv]
uninst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Service]
C:\WINDOWS\System32\msrexe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemSearch]
C:/WINDOWS/REGEDIT.EXE -s C:/WINDOWS/system.reg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2 Divice]
servicelog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\usbdrv]
servicetask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp3\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]
msblast.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Automation]
mslaugh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Update]
C:\WINDOWS\System32\glihei.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\www.hidro.4t.com ]
enbiei.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo Messenger]
YPager.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zrmm]
C:\PROGRA~1\COMMON~1\zrmm\zrmmm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_Cat3]
C:\WINDOWS\msmsgrxp.exe

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\drivers\avgntmgr.sys
R0 netflt;Panda Preventium Driver.;C:\WINDOWS\System32\Drivers\netflt.sys
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\System32\drivers\ShldDrv.sys
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\System32\Drivers\cpoint.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\System32\DRIVERS\PavProc.sys
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\System32\drivers\av5flt.sys
S3 ComFiltr;Panda Anti-Dialer;\??\C:\WINDOWS\System32\DRIVERS\COMFiltr.sys
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 00:03:51
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwQueryKey, ZwOpenKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\bgxstyjm.dllbox 96 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-11-14 0:08:11 - machine was rebooted
.
--- E O F ---
Gutek
(Gutek)
13 November 2007 23:27
#8
Paste into Notepad:
>>File>>Save as... >>> CFScript (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto ComboFix.exe (that is, the CFScript.txt icon onto the ComboFix.exe icon)
- just like in this picture ->
(if the question " 1 or 2 " appears - type 1 and press ENTER) The removal should start. (and a log will be created)
After the restart, manually delete the folder C:\Qoobox.
Then post a new log from Combo
Konrad81
(K Liskowacki)
13 November 2007 23:49
#9
I have done everything. I deleted C:\Qoobox. It seems that everything is fine now, but as a layman I am not sure. Here is the log
ComboFix 07-11-08.1 - Koniu 2007-11-14 0:33:22.3 - NTFSx86
Running from: C:\Downloads\ComboFix.exe
Command switches used :: C:\Downloads\CFScript.txt
* Created a new restore point

FILE
C:\DOCUME~1\Koniu\USTAWI~1\Temp\bundle.exe
C:\WINDOWS\avserve2.exe
C:\WINDOWS\msmsgrxp.exe
C:\WINDOWS\system32\bgxstyjm.dll
C:\WINDOWS\system32\bjmrvldf.dll
C:\windows\system32\eliteetf32.exe
C:\WINDOWS\System32\glihei.exe
C:\WINDOWS\system32\htejtfte.dll
C:\WINDOWS\System32\ljjkiji.dll
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\system32\uqxddxdk.dll
.
Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\PROGRA~1\COMMON~1\zrmm
C:\PROGRA~1\COMMON~1\zrmm\zrmma.lck
C:\PROGRA~1\COMMON~1\zrmm\zrmmh
C:\PROGRA~1\COMMON~1\zrmm\zrmml.lck
C:\PROGRA~1\COMMON~1\zrmm\zrmmm.lck
C:\Program Files\sf
C:\WINDOWS\system32\bgxstyjm.dll
C:\WINDOWS\system32\bgxstyjm.dllbox
C:\WINDOWS\system32\bjmrvldf.dll
C:\WINDOWS\system32\htejtfte.dll
C:\WINDOWS\System32\ljjkiji.dll
C:\WINDOWS\system32\uqxddxdk.dll
.
((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.
2007-11-13 23:28
2007-11-13 21:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-13 19:27
2007-11-13 18:57
2007-11-13 18:57
2007-11-13 17:48
2007-11-13 17:48
2007-11-13 17:48 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-13 17:48 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-13 17:48 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-13 17:48 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-13 17:48 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-12 16:57 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-12 15:25
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 23:42 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-11-13 23:09 --------- d-----w C:\Program Files\Neostrada TP
2007-11-13 23:07 84 ----a-w C:\WINDOWS\system32\drivers\netfltConfig.dat
2007-11-13 22:24 --------- d-----w C:\Program Files\FlashGet
2007-11-13 14:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-15 10:12 --------- d-----w C:\Documents and Settings\Koniu\Dane aplikacji\uTorrent
2007-09-28 09:26 --------- d-----w C:\Program Files\uTorrent
2007-02-15 14:25 0 ----a-w C:\Documents and Settings\Koniu\WebExcl.dat
2007-01-08 14:28 14,413,968 ----a-w C:\Program Files\antivir_workstation_win7u_en_h.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 17:07]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 17:07]
"WOOTASKBARICON"="C:\Program Files\Neostrada TP\taskbaricon.exe" [2003-10-16 17:07]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-11 12:43]
"OxigenClientAdmin"="C:\Program Files\Oxigen\bin\Oxigen.exe" [2005-09-08 13:50]
"OxigenTrayIcon"="C:\Program Files\Oxigen\bin\OxiTray.exe" [2005-08-23 13:52]
"OxigenDesktopPanel"="C:\Program Files\Oxigen\bin\OxiPanel.exe" [2006-03-31 14:58]
"QuickTime Task"="E:\QuickTime 6.0\qttask.exe" [2005-12-27 15:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-01 12:24]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSS6_Suite"="C:\Program Files\Steganos Security Suite 6\sss.exe" []
"SSS6_SAFE"="C:\Program Files\Steganos Security Suite 6\safe.exe" []
"SSS6_SPM"="C:\Program Files\Steganos Security Suite 6\spm.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"SSS6_Suite"="C:\Program Files\Steganos Security Suite 6\sss.exe" /booting
"SSS6_SAFE"="C:\Program Files\Steganos Security Suite 6\safe.exe" /booting
"SSS6_SPM"="C:\Program Files\Steganos Security Suite 6\spm.exe" /booting

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-07-06 10:13:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"=0 (0x0)
"NoCommonGroups"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\def_bundle.exe]
C:\DOCUME~1\Koniu\USTAWI~1\Temp\EACDownload\def_bundle.exe ezskins3 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DEF_BU~1.EXE]
C:\DOCUME~1\Koniu\USTAWI~1\Temp\EACDownload\DEF_BU~1.EXE ezskins3 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update]
wuamgrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"E:\QuickTime 6.0\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemSearch]
C:/WINDOWS/REGEDIT.EXE -s C:/WINDOWS/system.reg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2 Divice]
servicelog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\usbdrv]
servicetask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp3\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Automation]
mslaugh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\www.hidro.4t.com ]
enbiei.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo Messenger]
YPager.EXE

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\drivers\avgntmgr.sys
R0 netflt;Panda Preventium Driver.;C:\WINDOWS\System32\Drivers\netflt.sys
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\System32\drivers\ShldDrv.sys
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\System32\Drivers\cpoint.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\System32\DRIVERS\PavProc.sys
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\System32\drivers\av5flt.sys
S3 ComFiltr;Panda Anti-Dialer;\??\C:\WINDOWS\System32\DRIVERS\COMFiltr.sys
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 00:42:08
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwQueryKey, ZwOpenKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14 0:45:50 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-14 00:08
.
--- E O F ---
Post merged: 14.11.2007 (Wed) 13:27
So far everything works fine, the internet is working as it should. Many thanks for the help.