"Your computer is infected!" Prosze o pomoc daje l

biterman · 12 Czerwiec 2007 20:40

Mam problem z tym głupim okienkiem że niby mój komputer jest zainfekowany, znaczy sie jest ale jak go wyleczyć? żaden program nie pomaga…

A tutaj log

Logfile of HijackThis v1.99.1

Scan saved at 22:35:11, on 2007-06-12

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\AOL\Active Virus Shield\avp.exe

C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe

C:\Program Files\AOL\Active Virus Shield\avp.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Creative\Shared Files\CamTray.exe

C:\WINDOWS\System32\svchost.exe

C:\Windows\xpupdate.exe

C:\WINDOWS\twain_32\ScanWiz5\SDII.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\wuauclt.exe

C:\DOCUME~1\ZAJC~1\USTAWI~1\Temp\Rar$EX00.218\KillBox.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\ZAJC~1\USTAWI~1\Temp\Rar$EX00.578\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\SERVICES.EXE

O2 - BHO: H - {040FA520-78C6-41ce-81D0-9E733ABC1A29} - C:\WINDOWS\System32\comi2.dll (file missing)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programy\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [Gnetmous] C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe

O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"

O4 - HKCU\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe

O4 - HKCU\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe

O4 - HKCU\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe

O4 - HKCU\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe

O4 - HKCU\..\Run: [Microsoft security adviser] C:\Program Files\Microsoft Security Adviser\mssadv.exe

O4 - HKCU\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe

O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe

O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\twain_32\ScanWiz5\SDII.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: ING Bank Online - https://ssl.bsk.com.pl/bskonl/component/INGOnl.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{26B4FF0C-6637-49AC-BBE2-85A0F56A648A}: NameServer = 85.255.116.162,85.255.112.92

O17 - HKLM\System\CCS\Services\Tcpip\..\{6E7DF200-D1EC-405E-A74A-D5B3C628707E}: NameServer = 85.255.116.162,85.255.112.92

O17 - HKLM\System\CCS\Services\Tcpip\..\{AC9E34CF-9BDB-4D37-8311-B7848048FE55}: NameServer = 85.255.116.162,85.255.112.92

O17 - HKLM\System\CCS\Services\Tcpip\..\{D5418C4A-EC49-41AB-8919-CC18AD69D10B}: NameServer = 85.255.116.162,85.255.112.92

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.162 85.255.112.92

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.162 85.255.112.92

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.162 85.255.112.92

O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll

O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Bcgbpq32.dll (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

qrczak13 · 12 Czerwiec 2007 21:19

Pobierz Windows Worms Doors Cleaner, ustaw znaczki na zielono, Netbios może być na żółto.

Po użyciu narzędzia wymagany jest restart.

Zastosuj SimtFraudFix, opcja 2 w trybie awaryjnym.

Użyj FixWareOut

Po tym daj log z ComboFix oraz zawartość pliku c:\rapport.txt

biterman · 12 Czerwiec 2007 21:46

Zrobiłem, znikła już ta nie dobra i zarazem wstrętna ikonka. Poniżej dodaje logi:

ComboFix:

ComboFix 07-06-13 - C:\Documents and Settings\ZajĄc\Pulpit\ComboFix.exe

"ZajĄc" - 2007-06-12 23:38:42 - Dodatek Service Pack. 1 NTFS  



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



C:\Documents and Settings\ZAJC~1\~tmp0374.exe

C:\WINDOWS\services.dll

C:\WINDOWS\system32.dll

C:\WINDOWS\system32\alt.exe.exe

C:\WINDOWS\system32\dlh9jkd1q2.exe

C:\WINDOWS\system32\dlh9jkd1q6.exe

C:\WINDOWS\system32\dlh9jkd1q7.exe

C:\WINDOWS\system32\dlh9jkd1q8.exe

C:\WINDOWS\system32\max1d1641.exe



((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))



-------\xpdx



((((((((((((((((((((((((( Files Created from 2007-05-12 to 2007-06-12 )))))))))))))))))))))))))))))))



2007-06-12 23:38	49,152	--a------	C:\WINDOWS\nircmd.exe

2007-06-12 23:32	8,090	--a------	C:\dnsbak.reg

2007-06-12 23:31	2,246	--a------	C:\WINDOWS\system32\tmp.reg

2007-06-12 23:30	53,248	--a------	C:\WINDOWS\system32\Process.exe

2007-06-12 23:30	51,200	--a------	C:\WINDOWS\system32\dumphive.exe

2007-06-12 23:30	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe

2007-06-12 22:49	60,273	--a------	C:\WINDOWS\system32\pthreadGC2.dll

2007-06-12 22:49	10,752	--a------	C:\WINDOWS\system32\ff_vfw.dll

2007-06-12 22:49	






A tu rapports:

[code] SmitFraudFix v2.195 Scan done at 23:31:07,51, 2007-06-12 Run from C:\Documents and Settings\ZajĄc\Pulpit\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

qrczak13 · 13 Czerwiec 2007 18:11

Ściągnij The Avenger,

wypakuj > uruchom > Input script manually > klikasz w lupkę > w nowo otwartym oknie wklejasz:

Files to delete: C:\WINDOWS\system32\csrnv.exe C:\WINDOWS\mssadv.dll C:\WINDOWS\msscan.dll C:\WINDOWS\msiemon.dll C:\WINDOWS\msfw.dll C:\WINDOWS\msctrl.dll C:\WINDOWS\msavsc.dll C:\WINDOWS\system32\ps.dat Registry keys to delete: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{040FA520-78C6-41ce-81D0-9E733ABC1A29} HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipmon HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft security adviser HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msavsc.exe HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msctrl.exe HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msfw.exe HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msiemon.exe HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msscan.exe Registry values to delete: “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “mssadv.exe” “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “Steam” “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “mssadv.exe” “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “msavsc.exe” “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “msctrl.exe” “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “msfw.exe” “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “msiemon.exe” “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “Microsoft security adviser” “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “msscan.exe” “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “Brave-Sentry”

Po wklejeniu > Done > klik na zielone światło > ok i będzie restart. Po restarcie wchodzisz gdzie masz The Avenger i wklejasz raport C:\avenger.txt

Przeskanuj i wklej raport > http://www.virustotal.com/en/indexf.html

Po wykonaniu w/w daj log z ComboFix.