Zablokowany menedzer programow

system · 16 Grudzień 2007 10:45

Witam,

złapałem jakiego syfa, który wyświetla komunikat, ze mam konia trojanskiego, który łamie moją prywatnośc wor.win32.netSky. laczy sie bezposrednio z jakimis programami ktore wykrywaja tysiace problemow na moim kompie i kaza placic za te programy. nie wiem co sie dzieje. Menedzer programow zablokowany, ciezko sie poruszac po kompie.

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:44:50, on 2007-12-16 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\cFosSpeed\spd.exe C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\cFosSpeed\cFosSpeed.exe C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe c:\program files\panda software\panda antivirus 2007\WebProxy.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe C:\Program Files\Common Files\PCSecureSystem\ugac.exe C:\Program Files\Common Files\PCSecureSystem\bm.exe C:\Program Files\PCSecureSystem\pgs.exe C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\WXEF45IN\Install1216[2].exe C:\Program Files\AdvancedCleaner Free\UADCcw.exe C:\Program Files\AdvancedCleaner Free\ian_monitor.exe C:\Program Files\AdvancedCleaner Free\UADC.exe C:\Program Files\SecurePCCleaner\UGDCcw.exe C:\Program Files\Common Files\SecurePCCleaner\mc.exe C:\Program Files\SecurePCCleaner\GDC.exe C:\Program Files\Opera\Opera.exe C:\Program Files\PCSecureSystem\Up\gup.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wuauclt.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5&lid=2 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SearchPageURL.dll (file missing) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: BDEX System - {202EBB90-ABD4-46CC-BB5A-4F0ECC67B331} - C:\WINDOWS\ttvbonvgl.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: CIEIntegrator Object - {5C3F6257-3E00-45C2-88D5-CB0F3A17BF0E} - C:\Program Files\PCSecureSystem\Tools\pblock.dll O2 - BHO: IEFW Object - {6F87F145-DC2D-4766-AF03-3A3B96FFAD98} - C:\Program Files\PCSecureSystem\Tools\sbiebho.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O3 - Toolbar: The leosrv - {257F0149-3042-4F1E-97A1-7602460E97EE} - C:\WINDOWS\leosrv.dll O4 - HKLM…\Run: [skrót do strony właściwości High Definition Audio] HDAShCut.exe O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” O4 - HKLM…\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime -Delay O4 - HKLM…\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe O4 - HKLM…\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1 O4 - HKLM…\Run: [APVXDWIN] “C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE” /s O4 - HKLM…\Run: [PCSecureSystem] C:\Program Files\PCSecureSystem\pgs.exe O4 - HKLM…\Run: [ugac] “C:\PROGRA~1\COMMON~1\PCSecureSystem\ugac.exe” -start O4 - HKLM…\Run: [bm] “C:\Program Files\Common Files\PCSecureSystem\bm.exe” dm=http://pcsecuresystem.com ad=http://pcsecuresystem.com sd=http://ykeeper.pcsecuresystem.com O4 - HKLM…\Run: [AdvancedCleaner Free] “C:\Program Files\AdvancedCleaner Free\UADC.exe” /min O4 - HKLM…\Run: [sM_IAN] C:\Program Files\AdvancedCleaner Free\ian_monitor.exe O4 - HKLM…\Run: [uADC_1411279607] “C:\Program Files\AdvancedCleaner Free\UADCcw.exe” -c O4 - HKLM…\Run: [securePCCleaner] C:\Program Files\SecurePCCleaner\GDC.exe O4 - HKLM…\Run: [ugdccw] “C:\PROGRA~1\SecurePCCleaner\UGDCcw.exe” -start O4 - HKLM…\Run: [salestart] “C:\Program Files\Common Files\SecurePCCleaner\mc.exe” dm=http://securepccleaner.com ad=http://securepccleaner.com sd=http://ilp.securepccleaner.com O4 - HKLM…\Run: [ptask] C:\Program Files\PCSecureSystem\ptask.exe O4 - HKLM…\RunOnce: [overinstall] “C:\Program Files\PCSecureSystem\pgs.exe” /empty O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [AdwareRemover2007] C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: Dodaj do blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O21 - SSODL: hjoqor - {79989877-C152-490C-981D-6CCCF1EF495B} - C:\WINDOWS\hjoqor.dll O21 - SSODL: xcvwer - {3AF1EAF2-D98B-4C65-9BFC-24F49E37EBE8} - C:\WINDOWS\xcvwer.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe – End of file - 7928 bytes

sirmacik · 16 Grudzień 2007 11:20

Cześć. Sam to wczoraj przerabiałem. Tu znajdziesz opis mojego problemu i podjęte prze ze mnie kroki… Teraz mój system jest już czysty.

viewtopic.php?f=16&t=209236&p=1394307#p1394307

W zasadzie to możesz usunąć wpisy:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2

O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SecurePCCleaner\mc.exe" dm=http://securepccleaner.com ad=http://securepccleaner.com sd=http://ilp.securepccleaner.com

Potem może przeskanuj go jeszcze ComboFix

system · 16 Grudzień 2007 14:22

udało sie odblokowac po radach z forum ale jeszcze nie wszystko jest w porzadku.

wklejam loga z combo

ComboFix 07-12-16.3 - Rafal 2007-12-16 15:11:33.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.626 [GMT 1:00]

Running from: C:\Documents and Settings\Rafal\Pulpit\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Rafal\ResErrors.log

.

((((((((((((((((((((((((( Files Created from 2007-11-16 to 2007-12-16 )))))))))))))))))))))))))))))))

.

2007-12-16 11:33 . 2007-12-16 11:33

2007-12-16 11:28 . 2007-12-16 11:28

2007-12-16 11:27 . 2007-12-16 11:27

2007-12-16 11:16 . 2007-12-16 11:21

2007-12-16 11:05 . 2007-12-16 11:05

2007-12-16 11:04 . 2007-12-16 14:37

2007-12-16 11:04 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll

2007-12-16 09:46 . 2007-12-16 09:48

2007-12-15 22:24 . 2007-12-15 16:46 278,528 --a------ C:\WINDOWS\ttvbonvgl.dll

2007-12-15 22:24 . 2007-12-15 16:46 270,336 --a------ C:\WINDOWS\xcvwer.dll

2007-12-15 22:24 . 2007-12-15 16:46 253,952 --a------ C:\WINDOWS\hjoqor.dll

2007-12-15 22:24 . 2007-12-15 16:46 200,704 --a------ C:\WINDOWS\leosrv.dll

2007-12-15 22:24 . 2007-12-15 16:46 77,824 --a------ C:\WINDOWS\binret.exe

2007-12-15 22:15 . 2007-12-16 07:52

2007-12-15 21:56 . 2007-12-15 21:56

2007-12-08 18:36 . 2007-12-08 18:36

2007-12-07 19:46 . 2007-12-08 19:24

2007-12-07 19:37 . 2007-12-07 19:46

2007-11-28 23:30 . 2007-11-28 23:30

2007-11-27 15:47 . 2007-11-27 15:47

2007-11-27 15:47 . 1998-02-06 22:37 299,520 --a------ C:\WINDOWS\uninst.exe

2007-11-27 15:26 . 2007-12-01 22:43

2007-11-27 15:26 . 2004-03-09 01:00 132,880 --a------ C:\WINDOWS\system32\MSINET.OCX

2007-11-27 15:26 . 2001-01-11 21:52 75,264 --a------ C:\WINDOWS\system32\pkLink.ocx

2007-11-27 15:26 . 2002-09-03 16:46 36,864 --a------ C:\WINDOWS\system32\XPButton.ocx

2007-11-22 22:12 . 2007-11-22 22:13

2007-11-16 21:08 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-16 14:11 --------- d-----w C:\Program Files\cFosSpeed

2007-12-01 12:57 --------- d-----w C:\Program Files\vanBasco’s Karaoke Player

2007-11-22 21:24 219,648 ----a-w C:\WINDOWS\system32\uxtheme.dll

2007-11-21 18:26 --------- d-----w C:\Program Files\Opera

2007-11-16 20:08 --------- d-----w C:\Program Files\Java

2007-11-10 15:03 --------- d-----w C:\Program Files\AllerCalc

2007-11-03 21:22 --------- d-----w C:\Program Files\Real Alternative

2007-11-03 21:22 --------- d-----w C:\Program Files\Media Player Classic

2007-11-03 21:22 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\Media Player Classic

2007-10-27 19:39 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\Microsoft Help

2007-10-27 04:47 --------- d-----w C:\Program Files\Microsoft.NET

2007-10-27 04:47 --------- d-----w C:\Program Files\Microsoft Works

2007-10-25 23:07 20,152 ----a-w C:\WINDOWS\system32\drivers\INFCACHE.1

2007-10-25 20:49 --------- d–h--w C:\Program Files\InstallShield Installation Information

2007-10-25 20:49 --------- d-----w C:\Program Files\Panda Software

2007-10-25 06:39 --------- d-----w C:\Program Files\VIA

2007-10-25 06:36 15,600 ----a-w C:\WINDOWS\gdrv.sys

2007-10-25 06:36 --------- d-----w C:\Program Files\Yahoo!

2007-10-25 06:21 558,142 ----a-w C:\WINDOWS\java\Packages\2M53793H.ZIP

2007-10-25 06:21 155,995 ----a-w C:\WINDOWS\java\Packages\1BP3N13B.ZIP

2007-08-09 18:53 15,792 -c–a-w C:\Documents and Settings\Rafal\Dane aplikacji\GDIPFONTCACHEV1.DAT

2007-06-02 09:42 16,368 -c–a-w C:\Documents and Settings\Komp\Dane aplikacji\GDIPFONTCACHEV1.DAT

2007-08-14 13:45 23 -csha-w C:\WINDOWS\system32\bfedfbcd7_r.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{202EBB90-ABD4-46CC-BB5A-4F0ECC67B331}]

2007-12-15 16:46 278528 --a------ C:\WINDOWS\ttvbonvgl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{257F0149-3042-4F1E-97A1-7602460E97EE}

[HKEY_CLASSES_ROOT\clsid{257f0149-3042-4f1e-97a1-7602460e97ee}]

[HKEY_CLASSES_ROOT\leosrv.ToolBar.1]

[HKEY_CLASSES_ROOT\TypeLib{5240BCA3-9F39-4D98-9F8C-8712CDAA194F}]

[HKEY_CLASSES_ROOT\leosrv.ToolBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 13:00]

“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 17:24]

“AdwareRemover2007”=“C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe” [2007-12-16 11:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Skrót do strony właściwości High Definition Audio”=“HDAShCut.exe” [2005-01-07 16:07 C:\WINDOWS\system32\HdAShCut.exe]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11]

“ATICCC”=“C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” [2006-01-02 16:41]

“cFosSpeed”=“C:\Program Files\cFosSpeed\cFosSpeed.exe” [2007-07-09 16:10]

“HDAudDeck”=“C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe” [2007-05-11 08:47]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 13:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

“DisableStatusMessages”= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

“NoSMBalloonTip”= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

“hjoqor”= {79989877-C152-490C-981D-6CCCF1EF495B} - C:\WINDOWS\hjoqor.dll [2007-12-15 16:46 253952]

“xcvwer”= {3AF1EAF2-D98B-4C65-9BFC-24F49E37EBE8} - C:\WINDOWS\xcvwer.dll [2007-12-15 16:46 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

avldr.dll 2006-07-14 12:46 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]

C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-03-05 16:36 140976 C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

“AppInit_DLLs”=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]

ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus D88 Series]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P23 EPSON Stylus D88 Series /O6 USB001 /M Stylus D88

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

R0 ViBus;ViBus;C:\WINDOWS\system32\DRIVERS\ViBus.sys

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys

R0 ViPrt;VIA SATA IDE Device Driver;C:\WINDOWS\system32\DRIVERS\ViPrt.sys

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys

S3 AN983;Karta ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet;C:\WINDOWS\system32\DRIVERS\AN983.sys

S3 gdrv;gdrv;??\C:\WINDOWS\gdrv.sys

S3 MTK;Media Technology Kernel Driver;C:\WINDOWS\system32\Drivers\mtk.sys

.

**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-16 15:17:29

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HDAudDeck = C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1???

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-12-16 15:21:35

C:\ComboFix2.txt … 2007-12-16 14:49

.

2007-10-27 19:45:38 — E O F —

LostWorld · 16 Grudzień 2007 15:26

Więc zaczynami , bo syfu trochę masz , na teraz proponuję automaty , bo widzę że pobrałeś na PC m.in trefny soft , a to źle.

Automaty

Pobierz narzędzie SDFix

*Klikamy 2 krotknie na ikonę SDFix.exe ,program wypakuje się domyślnie do lokalizacji C:\ SDFix

*Wchodzimy do trybu awaryjnego z obsługą sieci:

>>>>>> Jak wejść do trybu awaryjnego z obsługą sieci?

*F8 podczas bootowania systemu.

*Używamy narzędzia BootSafe.exezaznaczamy opcje Safe Mode- Networking i klikamy reboot

*Gdy już jesteśmy w trybie awaryjnym,wchodzimy do folderu SDFix i uruchamiamy narzędzie klikająć

2-krotnie na plik RunThis.bat lewym przyciskiem myszy.

*Wciskamy Y co uruchomi proces usuwania

*Kiedy proces usuwania się zakończy wciskamy dowolny klawisz>>nastąpi restart.

*Po restarcie SDFix dokończy proces usuwania,kiedy w oknie narzędzia SDFix pojawi się napis Finished

klikamy dowolny klawisz,narzędzie zakończy swoją pracę,na pulpicie załadują się ikony.

*Wchodzimy do folderu SDFix i kopiujemy zawartość pliku tekstowego Report.txt i wklejamy go na forum

Pobierz : SmitFraudFix

Tryb numer 2 i wklejasz raport **(C:\SmitfraudFix.txt).**Oczywiście w trybie awaryjnym.

Konfiguracja Seconfig XP

Pobierz WWDC

Wszystkie znaczki mają być na zielono (NetBIOS może być na żółto)

http://cybertrash.pl/images/tata/RogueR … mover.html <- Opis

I na końcu

Daj log z Combofix

Opis użycia ComboFix jest na tej stronie z linku.

Log może być długi, więc zapisz go sobie gdzieś, a potem wklej na http://wklej.org/, a tu daj tylko link.

Kolejność tak jak podałem…

@edit

Menedżer programów , nie wiem co to , ale…

Windows Registry Editor Version 5.00


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"DisableTaskMgr"=dword:00000000


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"DisableTaskMgr"=dword:00000000

"**del.DisableTaskMgr"=" "


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

"DisableTaskMgr"=dword:00000000

Plik -> zapisz jako -> zmień rozszerzenie na wszystkie pliki -> zapisz pod nazwą FIX.REG

W trybie awaryjnym odpal plik FIX.REG i potwierdź dodanie do rejestru i reset kompa.

system · 16 Grudzień 2007 21:34

Dzięki,

wiele pracy ale miejmy nadzieję że profesjonalizm ludzi z forum pomoże.

No więc wykonałem wszystko co miałem i oto rezultaty

1.log z SDFix

SDFix: Version 1.118 Run by Administrator on 07-12-16 at 21:53 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Normal Mode: Checking Files: No Trojan Files Found Removing Temp Files… ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-16 21:56:46 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden services & system hive … [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:0f,fe,7f,b7,d7,d5,97,89,27,6e,70,9b,b3,02,ac,04,56,44,d6,ba,d3,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,f6,57,1c,1b,1f,83,c6,db,22,1b,96,7e,a6,68,84,e5,f8,… “khjeh”=hex:b2,4d,96,3f,f3,03,84,01,c7,80,7e,f7,65,49,38,59,95,8a,c2,6b,e7,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:9f,0e,7a,9f,87,98,ec,be,42,ce,79,7c,e3,18,14,12,da,54,5e,97,8c,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:0e,bc,39,0e,d0,f9,8a,54,f0,b1,b1,59,46,78,af,59,4d,22,9e,d8,bd,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,f6,57,1c,1b,1f,83,c6,db,22,1b,96,7e,a6,68,84,e5,f8,… “khjeh”=hex:76,67,99,f2,e5,4d,f0,34,42,6f,0f,8b,3b,23,4f,3c,40,72,02,98,c4,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:9f,0e,7a,9f,87,98,ec,be,42,ce,79,7c,e3,18,14,12,da,54,5e,97,8c,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41] “khjeh”=hex:9f,0e,7a,9f,87,98,ec,be,42,ce,79,7c,e3,18,14,12,da,54,5e,97,8c,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:0f,fe,7f,b7,d7,d5,97,89,27,6e,70,9b,b3,02,ac,04,56,44,d6,ba,d3,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,f6,57,1c,1b,1f,83,c6,db,22,1b,96,7e,a6,68,84,e5,f8,… “khjeh”=hex:b2,4d,96,3f,f3,03,84,01,c7,80,7e,f7,65,49,38,59,95,8a,c2,6b,e7,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:81,57,b7,d5,da,20,5e,8a,67,c0,8f,8c,11,31,8b,8a,a4,96,ff,b7,5c,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:0f,fe,7f,b7,d7,d5,97,89,27,6e,70,9b,b3,02,ac,04,56,44,d6,ba,d3,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,f6,57,1c,1b,1f,83,c6,db,22,1b,96,7e,a6,68,84,e5,f8,… “khjeh”=hex:b2,4d,96,3f,f3,03,84,01,c7,80,7e,f7,65,49,38,59,95,8a,c2,6b,e7,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:81,57,b7,d5,da,20,5e,8a,67,c0,8f,8c,11,31,8b,8a,a4,96,ff,b7,5c,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:0f,fe,7f,b7,d7,d5,97,89,27,6e,70,9b,b3,02,ac,04,56,44,d6,ba,d3,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,f6,57,1c,1b,1f,83,c6,db,22,1b,96,7e,a6,68,84,e5,f8,… “khjeh”=hex:b2,4d,96,3f,f3,03,84,01,c7,80,7e,f7,65,49,38,59,95,8a,c2,6b,e7,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:81,57,b7,d5,da,20,5e,8a,67,c0,8f,8c,11,31,8b,8a,a4,96,ff,b7,5c,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:0f,fe,7f,b7,d7,d5,97,89,27,6e,70,9b,b3,02,ac,04,56,44,d6,ba,d3,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,f6,57,1c,1b,1f,83,c6,db,22,1b,96,7e,a6,68,84,e5,f8,… “khjeh”=hex:b2,4d,96,3f,f3,03,84,01,c7,80,7e,f7,65,49,38,59,95,8a,c2,6b,e7,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:81,57,b7,d5,da,20,5e,8a,67,c0,8f,8c,11,31,8b,8a,a4,96,ff,b7,5c,… scanning hidden registry entries … [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c] “Order”=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,… scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] Remaining Files: --------------- Files with Hidden Attributes: Tue 4 Sep 2007 0 A.SH. — “C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp” Sun 16 Dec 2007 0 A…H. — “C:\Documents and Settings\Rafal\Ustawienia lokalne\Temp\BIT1.tmp” Sun 16 Dec 2007 0 A…H. — “C:\Documents and Settings\Rafal\Ustawienia lokalne\Temp\BIT69.tmp” Sun 16 Dec 2007 0 A…H. — “C:\Documents and Settings\Rafal\Ustawienia lokalne\Temp\BIT82E.tmp” Sun 16 Dec 2007 0 A…H. — “C:\Documents and Settings\Rafal\Ustawienia lokalne\Temp\BIT8CD.tmp” Finished!

log z

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-16 21:56:46 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden services & system hive … [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:0f,fe,7f,b7,d7,d5,97,89,27,6e,70,9b,b3,02,ac,04,56,44,d6,ba,d3,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,f6,57,1c,1b,1f,83,c6,db,22,1b,96,7e,a6,68,84,e5,f8,… “khjeh”=hex:b2,4d,96,3f,f3,03,84,01,c7,80,7e,f7,65,49,38,59,95,8a,c2,6b,e7,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:9f,0e,7a,9f,87,98,ec,be,42,ce,79,7c,e3,18,14,12,da,54,5e,97,8c,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:0e,bc,39,0e,d0,f9,8a,54,f0,b1,b1,59,46,78,af,59,4d,22,9e,d8,bd,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,f6,57,1c,1b,1f,83,c6,db,22,1b,96,7e,a6,68,84,e5,f8,… “khjeh”=hex:76,67,99,f2,e5,4d,f0,34,42,6f,0f,8b,3b,23,4f,3c,40,72,02,98,c4,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:9f,0e,7a,9f,87,98,ec,be,42,ce,79,7c,e3,18,14,12,da,54,5e,97,8c,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41] “khjeh”=hex:9f,0e,7a,9f,87,98,ec,be,42,ce,79,7c,e3,18,14,12,da,54,5e,97,8c,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:0f,fe,7f,b7,d7,d5,97,89,27,6e,70,9b,b3,02,ac,04,56,44,d6,ba,d3,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,f6,57,1c,1b,1f,83,c6,db,22,1b,96,7e,a6,68,84,e5,f8,… “khjeh”=hex:b2,4d,96,3f,f3,03,84,01,c7,80,7e,f7,65,49,38,59,95,8a,c2,6b,e7,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:81,57,b7,d5,da,20,5e,8a,67,c0,8f,8c,11,31,8b,8a,a4,96,ff,b7,5c,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:0f,fe,7f,b7,d7,d5,97,89,27,6e,70,9b,b3,02,ac,04,56,44,d6,ba,d3,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,f6,57,1c,1b,1f,83,c6,db,22,1b,96,7e,a6,68,84,e5,f8,… “khjeh”=hex:b2,4d,96,3f,f3,03,84,01,c7,80,7e,f7,65,49,38,59,95,8a,c2,6b,e7,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:81,57,b7,d5,da,20,5e,8a,67,c0,8f,8c,11,31,8b,8a,a4,96,ff,b7,5c,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:0f,fe,7f,b7,d7,d5,97,89,27,6e,70,9b,b3,02,ac,04,56,44,d6,ba,d3,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,f6,57,1c,1b,1f,83,c6,db,22,1b,96,7e,a6,68,84,e5,f8,… “khjeh”=hex:b2,4d,96,3f,f3,03,84,01,c7,80,7e,f7,65,49,38,59,95,8a,c2,6b,e7,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:81,57,b7,d5,da,20,5e,8a,67,c0,8f,8c,11,31,8b,8a,a4,96,ff,b7,5c,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:0f,fe,7f,b7,d7,d5,97,89,27,6e,70,9b,b3,02,ac,04,56,44,d6,ba,d3,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,f6,57,1c,1b,1f,83,c6,db,22,1b,96,7e,a6,68,84,e5,f8,… “khjeh”=hex:b2,4d,96,3f,f3,03,84,01,c7,80,7e,f7,65,49,38,59,95,8a,c2,6b,e7,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:81,57,b7,d5,da,20,5e,8a,67,c0,8f,8c,11,31,8b,8a,a4,96,ff,b7,5c,… scanning hidden registry entries … [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c] “Order”=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,… scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0

log z combo fix

ComboFix 07-12-16.3 - Rafal 2007-12-16 22:30:50.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.634 [GMT 1:00] Running from: C:\Documents and Settings\Rafal\Pulpit\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-11-16 to 2007-12-16 ))))))))))))))))))))))))))))))) . 2007-12-16 22:22 . 2007-12-16 22:23 2007-12-16 22:09 . 2007-12-16 22:09 944 --a------ C:\WINDOWS\system32\tmp.reg 2007-12-16 21:52 . 2007-12-16 21:52 2007-12-16 11:33 . 2007-12-16 11:33 2007-12-16 11:28 . 2007-12-16 11:28 2007-12-16 11:05 . 2007-12-16 11:05 2007-12-16 11:04 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll 2007-12-16 09:46 . 2007-12-16 09:48 2007-12-15 22:24 . 2007-12-15 16:46 278,528 --a------ C:\WINDOWS\ttvbonvgl.dll 2007-12-15 22:24 . 2007-12-15 16:46 270,336 --a------ C:\WINDOWS\xcvwer.dll 2007-12-15 22:24 . 2007-12-15 16:46 253,952 --a------ C:\WINDOWS\hjoqor.dll 2007-12-15 22:24 . 2007-12-15 16:46 200,704 --a------ C:\WINDOWS\leosrv.dll 2007-12-15 22:24 . 2007-12-15 16:46 77,824 --a------ C:\WINDOWS\binret.exe 2007-12-15 22:15 . 2007-12-16 07:52 2007-12-15 21:56 . 2007-12-15 21:56 2007-12-08 18:36 . 2007-12-08 18:36 2007-12-07 19:46 . 2007-12-08 19:24 2007-11-28 23:30 . 2007-11-28 23:30 2007-11-27 15:47 . 2007-11-27 15:47 2007-11-27 15:47 . 1998-02-06 22:37 299,520 --a------ C:\WINDOWS\uninst.exe 2007-11-27 15:26 . 2007-12-01 22:43 2007-11-27 15:26 . 2004-03-09 01:00 132,880 --a------ C:\WINDOWS\system32\MSINET.OCX 2007-11-27 15:26 . 2001-01-11 21:52 75,264 --a------ C:\WINDOWS\system32\pkLink.ocx 2007-11-27 15:26 . 2002-09-03 16:46 36,864 --a------ C:\WINDOWS\system32\XPButton.ocx 2007-11-22 22:12 . 2007-11-22 22:13 2007-11-16 21:08 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-16 21:31 --------- d-----w C:\Program Files\cFosSpeed 2007-12-01 12:57 --------- d-----w C:\Program Files\vanBasco’s Karaoke Player 2007-11-22 21:24 219,648 ----a-w C:\WINDOWS\system32\uxtheme.dll 2007-11-21 18:26 --------- d-----w C:\Program Files\Opera 2007-11-16 20:08 --------- d-----w C:\Program Files\Java 2007-11-10 15:03 --------- d-----w C:\Program Files\AllerCalc 2007-11-03 21:22 --------- d-----w C:\Program Files\Real Alternative 2007-11-03 21:22 --------- d-----w C:\Program Files\Media Player Classic 2007-11-03 21:22 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\Media Player Classic 2007-10-27 19:39 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\Microsoft Help 2007-10-27 04:47 --------- d-----w C:\Program Files\Microsoft.NET 2007-10-27 04:47 --------- d-----w C:\Program Files\Microsoft Works 2007-10-25 23:07 20,152 ----a-w C:\WINDOWS\system32\drivers\INFCACHE.1 2007-10-25 20:49 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-10-25 20:49 --------- d-----w C:\Program Files\Panda Software 2007-10-25 06:39 --------- d-----w C:\Program Files\VIA 2007-10-25 06:36 15,600 ----a-w C:\WINDOWS\gdrv.sys 2007-10-25 06:21 558,142 ----a-w C:\WINDOWS\java\Packages\2M53793H.ZIP 2007-10-25 06:21 155,995 ----a-w C:\WINDOWS\java\Packages\1BP3N13B.ZIP 2007-08-09 18:53 15,792 -c–a-w C:\Documents and Settings\Rafal\Dane aplikacji\GDIPFONTCACHEV1.DAT 2007-06-02 09:42 16,368 -c–a-w C:\Documents and Settings\Komp\Dane aplikacji\GDIPFONTCACHEV1.DAT 2007-08-14 13:45 23 -csha-w C:\WINDOWS\system32\bfedfbcd7_r.dll . ((((((((((((((((((((((((((((( snapshot@2007-12-16_15.17.51,09 ))))))))))))))))))))))))))))))))))))))))) . + 2007-12-13 12:23:35 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE + 2007-12-16 20:52:48 442,368 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT + 2007-12-16 20:52:48 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat + 2007-12-13 12:23:35 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE + 2007-12-16 20:52:47 442,368 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT + 2007-12-16 20:52:47 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE~\Browser Helper Objects{202EBB90-ABD4-46CC-BB5A-4F0ECC67B331}] 2007-12-15 16:46 278528 --a------ C:\WINDOWS\ttvbonvgl.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {257F0149-3042-4F1E-97A1-7602460E97EE} [HKEY_CLASSES_ROOT\clsid{257f0149-3042-4f1e-97a1-7602460e97ee}] [HKEY_CLASSES_ROOT\leosrv.ToolBar.1] [HKEY_CLASSES_ROOT\TypeLib{5240BCA3-9F39-4D98-9F8C-8712CDAA194F}] [HKEY_CLASSES_ROOT\leosrv.ToolBar] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 13:00] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 17:24] “AdwareRemover2007”=“C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe” [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Skrót do strony właściwości High Definition Audio”=“HDAShCut.exe” [2005-01-07 16:07 C:\WINDOWS\system32\HdAShCut.exe] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11] “ATICCC”=“C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” [2006-01-02 16:41] “cFosSpeed”=“C:\Program Files\cFosSpeed\cFosSpeed.exe” [2007-07-09 16:10] “HDAudDeck”=“C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe” [2007-05-11 08:47] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 13:00] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] “DisableStatusMessages”= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoSMBalloonTip”= 0 (0x0) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] “hjoqor”= {79989877-C152-490C-981D-6CCCF1EF495B} - C:\WINDOWS\hjoqor.dll [2007-12-15 16:46 253952] “xcvwer”= {3AF1EAF2-D98B-4C65-9BFC-24F49E37EBE8} - C:\WINDOWS\xcvwer.dll [2007-12-15 16:46 270336] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr] avldr.dll 2006-07-14 12:46 45056 C:\WINDOWS\system32\avldr.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv] C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-03-05 16:36 140976 C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\WbSrv.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] “AppInit_DLLs”=wbsys.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd] ALCWZRD.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] C:\Program Files\DAEMON Tools\daemon.exe -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus D88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P23 EPSON Stylus D88 Series /O6 USB001 /M Stylus D88 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] SOUNDMAN.EXE R0 ViBus;ViBus;C:\WINDOWS\system32\DRIVERS\ViBus.sys R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys R0 ViPrt;VIA SATA IDE Device Driver;C:\WINDOWS\system32\DRIVERS\ViPrt.sys R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys S3 AN983;Karta ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet;C:\WINDOWS\system32\DRIVERS\AN983.sys S3 gdrv;gdrv;??\C:\WINDOWS\gdrv.sys S3 MTK;Media Technology Kernel Driver;C:\WINDOWS\system32\Drivers\mtk.sys . ************************************************************************** catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-16 22:32:16 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … HKLM\Software\Microsoft\Windows\CurrentVersion\Run HDAudDeck = C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1??? scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180] -> C:\WINDOWS\hjoqor.dll . Completion time: 2007-12-16 22:32:58 C:\ComboFix2.txt … 2007-12-16 21:38 C:\ComboFix3.txt … 2007-12-16 15:21 . 2007-12-16 14:42:15 — E O F —

mam nadzieje ze wszystko sie udało

system · 16 Grudzień 2007 21:41

Oczywiście maneger programów to maneger zadań, pomyliłem sie na poczatku

Gutek · 17 Grudzień 2007 20:43

Użyj http://home.hetnet.nl/~stefsmeenk/RVAXO.exe i po tym nowy log z Combo

system · 18 Grudzień 2007 21:03

Witam,

Mam problem z tym samym wirusem co autor tematu , postępuje zgodnie z opisem jaki przedstawiliście powyżej , mam kilka logów z działania programów skanujących o których pisaliście .

Wklejam je poniżej i proszę o informację co mam usunąć lub jakiego programu jeszcze użyć .

z góry dzięki za pomoc

log z SDFix :

SDFix: Version 1.118 Run by krzysiek on 2007-12-18 at 15:19 Microsoft Windows XP [Wersja 5.1.2600] Running From: c:\SDFix Safe Mode: Checking Services: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Normal Mode: Checking Files: Trojan Files Found: C:\Documents and Settings\krzysiek\Ulubione\Error Cleaner.url - Deleted C:\Documents and Settings\krzysiek\Ulubione\Privacy Protector.url - Deleted C:\Documents and Settings\krzysiek\Ulubione\Spyware&Malware Protection.url - Deleted C:\DOCUME~1\krzysiek\USTAWI~1\Temp\ac8zt2.dat - Deleted C:\WINDOWS\dat.txt - Deleted C:\WINDOWS\rs.txt - Deleted Removing Temp Files… ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-18 15:28:41 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden services & system hive … [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “h0”=dword:00000000 “khjeh”=hex:54,f9,79,48,4e,96,cb,94,a8,f1,a2,5f,75,41,d7,f6,4f,2d,9b,36,bc,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “khjeh”=hex:70,83,b9,cd,fc,ea,5d,ef,26,fa,44,e9,8b,19,5a,e4,42,4c,74,f9,28,… “d0”=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:45,0e,88,aa,ed,da,5c,df,96,53,ed,07,e8,78,fa,bd,af,54,5a,ce,c2,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “h0”=dword:00000000 “khjeh”=hex:54,f9,79,48,4e,96,cb,94,a8,f1,a2,5f,75,41,d7,f6,4f,2d,9b,36,bc,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “khjeh”=hex:70,83,b9,cd,fc,ea,5d,ef,26,fa,44,e9,8b,19,5a,e4,42,4c,74,f9,28,… “d0”=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:45,0e,88,aa,ed,da,5c,df,96,53,ed,07,e8,78,fa,bd,af,54,5a,ce,c2,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “h0”=dword:00000000 “khjeh”=hex:54,f9,79,48,4e,96,cb,94,a8,f1,a2,5f,75,41,d7,f6,4f,2d,9b,36,bc,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “khjeh”=hex:70,83,b9,cd,fc,ea,5d,ef,26,fa,44,e9,8b,19,5a,e4,42,4c,74,f9,28,… “d0”=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:45,0e,88,aa,ed,da,5c,df,96,53,ed,07,e8,78,fa,bd,af,54,5a,ce,c2,… scanning hidden registry entries … [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c] “Order”=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,… scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] “C:\j2sdk1.4.2_01\jre\bin\java.exe”=“C:\j2sdk1.4.2_01\jre\bin\java.exe:*:Enabled:java” “C:\Program Files\eMule\emule.exe”=“C:\Program Files\eMule\emule.exe:*:Enabled:eMule” “D:\Aplikacje\BitComet\BitComet.exe”=“D:\Aplikacje\BitComet\BitComet.exe:*:Disabled:BitComet - a BitTorrent Client” “C:\usr\SMTP Server\localsrv.exe”=“C:\usr\SMTP Server\localsrv.exe:*:Disabled:localsrv” “C:\usr\apache\Apache.exe”=“C:\usr\apache\Apache.exe:*:Enabled:Apache” “C:\WINDOWS\system32\sessmgr.exe”=“C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019” “C:\Program Files\Gadu-Gadu\gg.exe”=“C:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program glowny” “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" “C:\Program Files\Tlen.pl\tlen.exe”=“C:\Program Files\Tlen.pl\tlen.exe:*:Enabled:Komunikator Tlen.pl” “C:\Program Files\Apache Group\Apache2\bin\Apache.exe”=“C:\Program Files\Apache Group\Apache2\bin\Apache.exe:*:Enabled:Apache HTTP Server” “C:\totalcmd\TOTALCMD.EXE”=“C:\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows” “C:\Program Files\Java\jre1.5.0_06\bin\javaw.exe”=“C:\Program Files\Java\jre1.5.0_06\bin\javaw.exe:*:Enabled:Java 2 Platform Standard Edition binary” “C:\WINDOWS\system32\javaw.exe”=“C:\WINDOWS\system32\javaw.exe:*:Enabled:Java 2 Platform Standard Edition binary” “D:\Aplikacje\pando\pando.exe”=“D:\Aplikacje\pando\pando.exe:*:Enabled:pando” “C:\WINDOWS\system32\dpvsetup.exe”=“C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test” “C:\WINDOWS\system32\rundll32.exe”=“C:\WINDOWS\system32\rundll32.exe:*:Enabled:Uruchamia plik DLL jako aplikacj©” “C:\Program Files\Local SMTP Relay Server\SMTPServer.exe”=“C:\Program Files\Local SMTP Relay Server\SMTPServer.exe:*:Enabled:SMTPServer” “C:\Program Files\SopCast\SopCast.exe”=“C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application” “C:\Documents and Settings\krzysiek\Dane aplikacji\SopCast\adv\SopAdver.exe”=“C:\Documents and Settings\krzysiek\Dane aplikacji\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver” “C:\Program Files\Bonjour\mDNSResponder.exe”=“C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour” “D:\Aplikacje\eMule\emule.exe”=“D:\Aplikacje\eMule\emule.exe:*:Enabled:eMule” “C:\WINDOWS\system32\LEXPPS.EXE”=“C:\WINDOWS\system32\LEXPPS.EXE:*:Disabled:LEXPPS” “C:\Program Files\Skype\Phone\Skype.exe”=“C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype” [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" Remaining Files: --------------- File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes: Fri 7 Dec 2007 321 …SH. — “C:\BOOT.BAK” Wed 13 Sep 2006 4,348 A.SH. — “C:\Documents and Settings\All Users\DRM\DRMv1.bak” Tue 18 Dec 2007 85,946 A…H. — “C:\Documents and Settings\krzysiek\Ustawienia lokalne\Temp\BIT1.tmp” Tue 18 Dec 2007 0 A…H. — “C:\Documents and Settings\krzysiek\Ustawienia lokalne\Temp\BIT2.tmp” Tue 18 Dec 2007 85,946 A…H. — “C:\Documents and Settings\krzysiek\Ustawienia lokalne\Temp\BIT3.tmp” Tue 18 Dec 2007 85,946 A…H. — “C:\Documents and Settings\krzysiek\Ustawienia lokalne\Temp\BIT53.tmp” Mon 6 Nov 2006 32,768 …H. — “C:\Documents and Settings\krzysiek\Dane aplikacji\Microsoft\Szablony~WRL0001.tmp” Fri 6 Oct 2006 31,744 …H. — “C:\Documents and Settings\krzysiek\Dane aplikacji\Microsoft\Szablony~WRL0002.tmp” Sun 15 Oct 2006 33,280 …H. — “C:\Documents and Settings\krzysiek\Dane aplikacji\Microsoft\Szablony~WRL0003.tmp” Sat 18 Nov 2006 32,768 …H. — “C:\Documents and Settings\krzysiek\Dane aplikacji\Microsoft\Szablony~WRL0004.tmp” Thu 16 Nov 2006 32,768 …H. — “C:\Documents and Settings\krzysiek\Dane aplikacji\Microsoft\Szablony~WRL3281.tmp” Sun 21 Jan 2007 255,488 …H. — “C:\Documents and Settings\krzysiek\Dane aplikacji\Microsoft\Word~WRL1125.tmp” Sun 21 Jan 2007 259,072 …H. — “C:\Documents and Settings\krzysiek\Dane aplikacji\Microsoft\Word~WRL1221.tmp” Mon 2 Jul 2007 338,432 …H. — “C:\Documents and Settings\krzysiek\Dane aplikacji\Microsoft\Word~WRL1827.tmp” Mon 22 Jan 2007 259,584 …H. — “C:\Documents and Settings\krzysiek\Dane aplikacji\Microsoft\Word~WRL2204.tmp” Sun 21 Jan 2007 252,928 …H. — “C:\Documents and Settings\krzysiek\Dane aplikacji\Microsoft\Word~WRL2260.tmp” Tue 14 Nov 2006 196,096 …H. — “C:\Documents and Settings\krzysiek\Dane aplikacji\Microsoft\Word~WRL2499.tmp” Sun 21 Jan 2007 255,488 …H. — “C:\Documents and Settings\krzysiek\Dane aplikacji\Microsoft\Word~WRL2784.tmp” Tue 14 Nov 2006 254,976 …H. — “C:\Documents and Settings\krzysiek\Dane aplikacji\Microsoft\Word~WRL2983.tmp” Tue 14 Nov 2006 88,576 …H. — “C:\Documents and Settings\krzysiek\Dane aplikacji\Microsoft\Word~WRL3315.tmp” Thu 11 Jan 2007 19,456 …H. — “C:\Documents and Settings\krzysiek\Dane aplikacji\Microsoft\Word~WRL3974.tmp” Wed 4 Oct 2006 3,072,000 A…H. — “C:\Documents and Settings\krzysiek\Dane aplikacji\U3\temp\Launchpad Removal.exe” Finished!

log z combo fix :

http://wklej.org/id/81e9885166

log z Hijack

Logfile of HijackThis v1.99.1 Scan saved at 22:00:28, on 2007-12-18 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Apache Group\Apache2\bin\Apache.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe C:\Program Files\Apache Group\Apache2\bin\Apache.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Tlen.pl\tlen.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\totalcmd\TOTALCMD.EXE C:\DOCUME~1\krzysiek\USTAWI~1\Temp_tc\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5&lid=2 O2 - BHO: BDEX System - {0B241FD4-1EA1-4238-B505-07A484C49D1A} - C:\WINDOWS\ttvbonsmf.dll (file missing) O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Aplikacje\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Aplikacje\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: The leosrv - {8B6860DE-2CFA-4713-B42F-DC06D008DC54} - C:\WINDOWS\leosrv.dll (file missing) O4 - HKLM…\Run: [avgnt] “C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min O4 - HKLM…\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM…\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: Konwertuj do Adobe PDF - res://D:\Aplikacje\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Konwertuj do istniejącego pliku PDF - res://D:\Aplikacje\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Konwertuj miejsce docelowe łącza do Adobe PDF - res://D:\Aplikacje\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Konwertuj miejsce docelowe łącza do istniejącego pliku PDF - res://D:\Aplikacje\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Konwertuj wybrane łącza do Adobe PDF - res://D:\Aplikacje\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Konwertuj wybrane łącza do istniejącego pliku PDF - res://D:\Aplikacje\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Konwertuj zaznaczenie do Adobe PDF - res://D:\Aplikacje\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Konwertuj zaznaczenie do istniejącego pliku PDF - res://D:\Aplikacje\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm O9 - Extra ‘Tools’ menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: MySQL5 - Unknown owner - C:\Program.exe (file missing)

Gutek · 18 Grudzień 2007 21:28

Wklej do Notatnika:

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo

system · 18 Grudzień 2007 22:04

dzięki za info , wklejam link do loga z combo :

http://wklej.org/id/8d3c75ea21

Gutek · 19 Grudzień 2007 19:51

Optymalizacja XP: viewtopic.php?t=76580

Czyszczenie rejestru:

RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177

możesz rejestr przelecieć albo

jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509

Opis RegCleaner - http://www.agavk.p9.pl/strony/progra_regcleaner.php

Zobacz - Obsługa jv16 PowerTools