x-kom hosting

SINOWAL - how do I remove this junk?

wojtek.ziomek2
created

Hello, how do I remove PSW.Sinowal.S? I'm pasting the logs, please give me further instructions:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:13:47, on 2009-05-11
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\FTRTSVC.exe
C:\WINDOWS\system32\HASPSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlservr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
D:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\neostrada tp\neostradatp.exe
C:\Program Files\neostrada tp\ComComp.exe
C:\PROGRA~1\NEOSTR~1\Toaster.exe
C:\PROGRA~1\NEOSTR~1\Inactivity.exe
C:\PROGRA~1\NEOSTR~1\PollingModule.exe
C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE
C:\Program Files\neostrada tp\Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nasza-klasa.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nasza-klasa.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Program Windows Internet Explorer dostarczony przez Nasza-Klasa.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe
O4 - HKLM\..\Run: [Onet.pl AutoUpdate] C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe /tsr
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\VistaCodecPack\QT\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "D:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [Nowe Gadu-Gadu] "E:\Program Files\Nowe Gadu-Gadu\gg.exe"
O4 - HKCU\..\Run: [Twoje TVN24] "D:\Program Files\Pasek TVN24\tvn-ustawienia.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: Registration .LNK = F:\support\Registration.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: uninstall.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/programs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38650B2E-A0E1-461C-B970-9B3C6892642C}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{38650B2E-A0E1-461C-B970-9B3C6892642C}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - D:\Program Files\Ares\chatServer.exe (file missing)
O23 - Service: AshEvtSvc - Unknown owner - C:\WINDOWS\System32\AshEvtSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HASPSrv - COMARCH S.A. - C:\WINDOWS\system32\HASPSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - E:\Program files\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: FIM Speedway GP3 Drivers Auto Removal (pr2aq6eb) (pr2aq6eb) - Techland Sp.z o.o. - C:\WINDOWS\system32\pr2aq6eb.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

--
End of file - 10184 bytes

Gość
comment
O4 - Global Startup: uninstall.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

Fix the above entries in HijackThis:

>>HijackThis>>Scan (Do a system scan only)>>tick them>>Fix checked.

.
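A triage pass over HijackThis entries of the kind this reply singles out (startup items without a resolvable path, services whose binary is missing or has no publisher, and the configured DNS servers), added here as an example and not part of the thread. The heuristics and the `triage`/`check_entry` functions are this example's own, not HijackThis logic; the sample lines are constructed from the log format shown above.

```python
"""Triage of a HijackThis 2.x log (added example, not part of the thread).

The heuristics below are this example's own assumptions about what deserves
a second look, not HijackThis logic: startup items with no resolvable path,
services whose binary is missing or has no publisher, and the DNS servers.
"""
import re
from dataclasses import dataclass

# Sample lines constructed from the log format shown in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: uninstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{38650B2E-A0E1-461C-B970-9B3C6892642C}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: AshEvtSvc - Unknown owner - C:\WINDOWS\System32\AshEvtSvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # "O4 - <body>"
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (.*)$")  # O4 shortcut-folder entries
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")              # "C:\..." style absolute path


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why a helper would look at this entry
    entry: str     # the original log line


def parse_entries(log_text):
    """Yield (section, body, line) for every HijackThis entry line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def startup_target(body):
    """For 'Startup: name.lnk = target' return target; for a bare name return it.

    Returns None when the O4 body is a registry Run entry, not a startup folder item.
    """
    m = STARTUP_RE.match(body)
    if not m:
        return None
    item = m.group(1)
    return item.split(" = ", 1)[1].strip() if " = " in item else item.strip()


def check_entry(section, body, line):
    """Apply the triage heuristics to one entry; return a Finding or None."""
    if section == "O4":
        target = startup_target(body)
        # "uninstall.exe" (no directory at all) or "?" (shortcut could not be resolved)
        if target is not None and (target == "?" or not DRIVE_PATH_RE.match(target)):
            return Finding(section, "startup item without a resolvable path", line)
    elif section == "O23":
        if "(file missing)" in body:
            return Finding(section, "service binary is missing (orphaned entry or removed file)", line)
        if "Unknown owner" in body:
            return Finding(section, "service binary carries no publisher information", line)
    elif section == "O17" and "NameServer = " in body:
        servers = body.split("NameServer = ", 1)[1].split()
        return Finding(section, "DNS servers in use: " + ", ".join(servers) + " (confirm they are the ISP's)", line)
    return None


def triage(log_text):
    """Run every entry through the heuristics; findings come back in log order."""
    return [f for f in (check_entry(*e) for e in parse_entries(log_text)) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```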

wojtek.ziomek2
comment

I did as you said, but it has no intention of going away :huh:.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:28:06, on 2009-05-11
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\WINDOWS\system32\HASPSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlservr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\NEOSTR~1\Toaster.exe
C:\PROGRA~1\NEOSTR~1\Inactivity.exe
C:\PROGRA~1\NEOSTR~1\PollingModule.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\neostrada tp\neostradatp.exe
C:\Program Files\neostrada tp\ComComp.exe
C:\Program Files\neostrada tp\Watch.exe
C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nasza-klasa.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nasza-klasa.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Program Windows Internet Explorer dostarczony przez Nasza-Klasa.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe
O4 - HKLM\..\Run: [Onet.pl AutoUpdate] C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe /tsr
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\VistaCodecPack\QT\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "D:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [Nowe Gadu-Gadu] "E:\Program Files\Nowe Gadu-Gadu\gg.exe"
O4 - HKCU\..\Run: [Twoje TVN24] "D:\Program Files\Pasek TVN24\tvn-ustawienia.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: Registration .LNK = F:\support\Registration.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: uninstall.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/programs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38650B2E-A0E1-461C-B970-9B3C6892642C}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{38650B2E-A0E1-461C-B970-9B3C6892642C}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - D:\Program Files\Ares\chatServer.exe (file missing)
O23 - Service: AshEvtSvc - Unknown owner - C:\WINDOWS\System32\AshEvtSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HASPSrv - COMARCH S.A. - C:\WINDOWS\system32\HASPSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - E:\Program files\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: FIM Speedway GP3 Drivers Auto Removal (pr2aq6eb) (pr2aq6eb) - Techland Sp.z o.o. - C:\WINDOWS\system32\pr2aq6eb.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

--
End of file - 10003 bytes

Gość
comment

Post a ComboFix log.

.

wojtek.ziomek2
comment

ComboFix 09-05-11.01 - Właściciel 2009-05-11 21:26.7 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1250.48.1045.18.1023.461 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Właściciel\Pulpit\ComboFix.exe
AV: AVG 7.5.557 *On-access scanning enabled* (Outdated)
FW: AVG Firewall 7.5.475 *enabled*
.
(((((((((((((((((((((((((   Pliki utworzone od 2009-04-11 do 2009-05-11  )))))))))))))))))))))))))))))))
.
Nie utworzono żadnych nowych plików w tym okresie.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 19:26 . 2007-07-31 14:44	--------	d-----w	c:\program files\neostrada tp
2009-05-02 18:21 . 2009-01-20 18:59	--------	d-----r	c:\program files\CDN OPT!MA
2009-04-24 17:48 . 2006-03-02 12:00	85266	----a-w	c:\windows\system32\perfc015.dat
2009-04-24 17:48 . 2006-03-02 12:00	475568	----a-w	c:\windows\system32\perfh015.dat
2009-04-01 11:20 . 2009-04-03 13:02	58880	----a-w	c:\windows\system32\826.tmp
2009-03-31 12:16 . 2009-04-01 11:20	58880	----a-w	c:\windows\system32\800.tmp
2009-03-26 14:49 . 2009-04-01 14:55	38496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 14:49 . 2009-04-01 14:55	15504	----a-w	c:\windows\system32\drivers\mbam.sys
2009-03-08 02:34 . 2006-03-02 12:00	914944	----a-w	c:\windows\system32\wininet.dll
2009-03-08 02:34 . 2006-03-02 12:00	43008	----a-w	c:\windows\system32\licmgr10.dll
2009-03-08 02:33 . 2006-03-02 12:00	18944	----a-w	c:\windows\system32\corpol.dll
2009-03-08 02:33 . 2006-03-02 12:00	420352	----a-w	c:\windows\system32\vbscript.dll
2009-03-08 02:32 . 2006-03-02 12:00	72704	----a-w	c:\windows\system32\admparse.dll
2009-03-08 02:32 . 2006-03-02 12:00	71680	----a-w	c:\windows\system32\iesetup.dll
2009-03-08 02:31 . 2006-03-02 12:00	34816	----a-w	c:\windows\system32\imgutil.dll
2009-03-08 02:31 . 2006-03-02 12:00	48128	----a-w	c:\windows\system32\mshtmler.dll
2009-03-08 02:31 . 2006-03-02 12:00	45568	----a-w	c:\windows\system32\mshta.exe
2009-03-08 02:22 . 2006-03-02 12:00	156160	----a-w	c:\windows\system32\msls31.dll
2009-03-06 14:47 . 2006-03-02 12:00	285184	----a-w	c:\windows\system32\pdh.dll
2008-11-19 16:05 . 2007-09-25 17:03	168	--sh--r	c:\windows\system32\39785E14CB.sys
2008-11-19 16:05 . 2007-09-25 15:55	5852	--sha-w	c:\windows\system32\KGyGaAvL.sys
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2006-03-02 15360]
"AlcoholAutomount"="d:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2007-07-02 219008]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-22 2772992]
"Nowe Gadu-Gadu"="e:\program files\Nowe Gadu-Gadu\gg.exe" [2009-02-06 9302632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-24 590848]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-25 136600]
"WOOWATCH"="c:\progra~1\NEOSTR~1\Watch.exe" [2004-08-23 20480]
"WOOTASKBARICON"="c:\progra~1\NEOSTR~1\GestMaj.exe" [2004-10-14 32768]
"Onet.pl AutoUpdate"="c:\program files\Common Files\Onet.pl\AutoUpdate.exe" [2006-02-08 260096]
"QuickTime Task"="d:\program files\VistaCodecPack\QT\QTTask.exe" [2008-05-27 413696]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-10-30 16269312]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-06-01 1519616]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-23 101136]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-06-01 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-25 219136]

c:\documents and settings\W?a?ciciel\Menu Start\Programy\Autostart\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-7-31 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-7-31 688128]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
uninstall.exe [2009-5-11 0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"d:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"d:\\Program Files\\EA Sports\\FIFA 08\\FIFA08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"d:\\Program Files\\Techland\\FIM Speedway GP3\\sgp3.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"d:\\Program Files\\FIFA 2009\\FIFA 09\\FIFA09.exe"=
"e:\\Program files\\Nowe Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8461:TCP"= 8461:TCP:GoD High Port
"8462:TCP"= 8462:TCP:GoD Low Port
"11510:TCP"= 11510:TCP:BitComet 11510 TCP
"11510:UDP"= 11510:UDP:BitComet 11510 UDP

R0 pe3aq6eb;FIM Speedway GP3 Environment Driver (pe3aq6eb);c:\windows\system32\drivers\pe3aq6eb.sys [2008-04-03 69248]
R0 ps7aq6eb;FIM Speedway GP3 Synchronization Driver (ps7aq6eb);c:\windows\system32\drivers\ps7aq6eb.sys [2008-04-03 68744]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-10-13 35328]
R2 HASPSrv;HASPSrv;c:\windows\system32\HASPSrv.exe [2009-01-20 684032]
R2 MSSQL$CDN_OPTIMA;MSSQL$CDN_OPTIMA;c:\program files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlservr.exe -sCDN_OPTIMA --> c:\program files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlservr.exe -sCDN_OPTIMA [?]
R3 Stmatm;ATM/ADSL miniport;c:\windows\system32\drivers\stmatm.sys [2007-07-31 60255]
R3 TaurusUsb;ADSL Modem USB Service;c:\windows\system32\drivers\torususb.sys [2007-07-31 684265]
S2 AshEvtSvc;AshEvtSvc;c:\windows\System32\AshEvtSvc.exe -k netsvcs --> c:\windows\System32\AshEvtSvc.exe -k netsvcs [?]
S2 pr2aq6eb;FIM Speedway GP3 Drivers Auto Removal (pr2aq6eb);c:\windows\system32\pr2aq6eb.exe svc --> c:\windows\system32\pr2aq6eb.exe svc [?]
S3 SQLAgent$CDN_OPTIMA;SQLAgent$CDN_OPTIMA;c:\program files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlagent.EXE -i CDN_OPTIMA --> c:\program files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlagent.EXE -i CDN_OPTIMA [?]
.
Zawartość folderu 'Zaplanowane zadania'
2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 15:57]
2009-05-11 c:\windows\Tasks\User_Feed_Synchronization-{9DC51EAA-3EF0-4651-A7B4-80A668337A11}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
.
- - - - USUNIĘTO PUSTE WPISY - - - -
HKCU-Run-Twoje TVN24 - d:\program files\Pasek TVN24\tvn-ustawienia.exe
.
------- Skan uzupełniający -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.nasza-klasa.pl
uInternet Connection Wizard,ShellNext = iexplore
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} - hxxp://arcaonline.arcabit.com/ArcaOnline.cab
FF - ProfilePath - c:\documents and settings\Właściciel\Dane aplikacji\Mozilla\Firefox\Profiles\dzmmyv91.Domyślny użytkownik\
FF - prefs.js: browser.startup.homepage - wyborcza.pl/0,0.html?p=017
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwmsdrm.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\Opera\program\plugins\npdsplay.dll
FF - plugin: d:\program files\Opera\program\plugins\NPOFF12.DLL
FF - plugin: d:\program files\Opera\program\plugins\NPSWF32.dll
FF - plugin: d:\program files\Opera\program\plugins\npwmsdrm.dll
FF - plugin: d:\program files\VistaCodecPack\QT\Plugins\npqtplugin.dll
FF - plugin: d:\program files\VistaCodecPack\QT\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\VistaCodecPack\QT\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\VistaCodecPack\QT\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\VistaCodecPack\QT\Plugins\npqtplugin5.dll
FF - plugin: d:\program files\VistaCodecPack\QT\Plugins\npqtplugin6.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-11 21:28
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów ...  
skanowanie ukrytych wpisów autostartu ... 
skanowanie ukrytych plików ...  
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,84,13,ed,10,67,eb,ae,4e,8d,64,8a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,84,13,ed,10,67,eb,ae,4e,8d,64,8a,\

[HKEY_USERS\S-1-5-21-1202660629-1004336348-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1202660629-1004336348-725345543-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1202660629-1004336348-725345543-1003)
@Allowed: (Read) (S-1-5-21-1202660629-1004336348-725345543-1003)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'explorer.exe'(3668)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Czas ukończenia: 2009-05-11 21:29
ComboFix-quarantined-files.txt  2009-05-11 19:29
Przed: 3 475 763 200 bajtów wolnych
Po: 7 167 647 744 bajtów wolnych
WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
194	--- E O F ---	2009-04-16 12:14

Guest

Paste into Notepad:

File::
c:\windows\system32\826.tmp
c:\windows\system32\800.tmp
c:\windows\System32\AshEvtSvc.exe
NetSvc::
AshEvtSvc
Driver::
AshEvtSvc

>> File >> Save As... >>> CFScript

Drag and drop the CFScript.txt file onto ComboFix.exe

Removal should start (and a log will be produced). Post the log that is produced during the removal.

If it goes well, then: after the restart, delete the C:\Qoobox folder manually.
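Added here as a post-cleanup check; it is not code from the thread or from ComboFix. After the CFScript run and the reboot, ComboFix's own log lists what it deleted, but a file that comes back after a reported removal is exactly what a later post in this thread describes, so it is worth looking at each place the three CFScript sections target: the files themselves, the service key under HKLM\SYSTEM\CurrentControlSet\Services (which holds both service and driver entries), and the svchost netsvcs list. The paths and the AshEvtSvc name are taken from the CFScript above; C:\Qoobox (the quarantine folder the helper says to delete) and the 0-byte uninstall.exe in the All Users startup folder are taken from the second log. The function name Test-CleanupLeftovers and the output format are this example's own choices. It assumes an elevated PowerShell session on the cleaned machine.

```powershell
# Added example: verify that the artifacts named in the CFScript are gone.
# Run as administrator; nothing here modifies the system, it only reports.

function Test-CleanupLeftovers {
    param(
        [string[]]$Files,      # full paths of files/folders that should no longer exist
        [string[]]$Services    # service / driver names that should no longer be registered
    )

    $findings = @()

    foreach ($f in $Files) {
        if (Test-Path -LiteralPath $f) {
            # -Force also returns hidden and system items, which malware droppers favour
            $item = Get-Item -LiteralPath $f -Force
            if ($item.PSIsContainer) {
                $detail = "directory still present"
            } else {
                $detail = "file still present: {0} bytes, attrs={1}, mtime={2}" -f `
                          $item.Length, $item.Attributes, $item.LastWriteTime
            }
            $findings += [pscustomobject]@{ Kind = "file"; Name = $f; Detail = $detail }
        }
    }

    # The netsvcs group is the list of service names that the shared svchost.exe
    # instance loads; a NetSvc:: entry is expected to disappear from here too.
    $netsvcs = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost").netsvcs

    foreach ($s in $Services) {
        # Services and kernel drivers share this key, so one check covers NetSvc:: and Driver::
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$s"
        if (Test-Path -Path $key) {
            $img = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
            $findings += [pscustomobject]@{ Kind = "service key"; Name = $s
                                            Detail = "registry key still present, ImagePath=$img" }
        }
        # Get-Service only sees Win32 services, not drivers; the key check above covers drivers
        $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
        if ($svc) {
            $findings += [pscustomobject]@{ Kind = "service"; Name = $s
                                            Detail = "still registered with the SCM, status=$($svc.Status)" }
        }
        if ($netsvcs -contains $s) {
            $findings += [pscustomobject]@{ Kind = "netsvcs"; Name = $s
                                            Detail = "still listed in the svchost netsvcs group" }
        }
    }

    return $findings
}

# Targets from the CFScript, plus the quarantine folder and the 0-byte startup item
# seen in the second ComboFix log (Polish XP startup path: Menu Start\Programy\Autostart).
$files = @(
    "$env:SystemRoot\system32\826.tmp",
    "$env:SystemRoot\system32\800.tmp",
    "$env:SystemRoot\System32\AshEvtSvc.exe",
    "C:\Qoobox",
    "$env:ALLUSERSPROFILE\Menu Start\Programy\Autostart\uninstall.exe"
)
$services = @("AshEvtSvc")

$left = Test-CleanupLeftovers -Files $files -Services $services
if (@($left).Count -eq 0) {
    "No leftovers found for the listed files and services."
} else {
    $left | Format-Table -AutoSize -Wrap
}
```

If a file listed here is present again after the reboot, note its size and timestamps from the output before deleting anything: a freshly re-created file means something that survived the cleanup is still writing it, and that is what should be found next rather than the file being deleted a second time.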

wojtek.ziomek2 (edited)
ComboFix 09-05-11.01 - Właściciel 2009-05-13 20:53.9 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1250.48.1045.18.1023.542 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Właściciel\Pulpit\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\Właściciel\Pulpit\CFScript.exe.txt
AV: AVG 7.5.557 *On-access scanning enabled* (Outdated)
FW: AVG Firewall 7.5.475 *enabled*

FILE ::
c:\windows\system32\800.tmp
c:\windows\system32\826.tmp
c:\windows\System32\AshEvtSvc.exe
.
(((((((((((((((((((((((((   Pliki utworzone od 2009-04-13 do 2009-05-13  )))))))))))))))))))))))))))))))
.
Nie utworzono żadnych nowych plików w tym okresie.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 18:51 . 2007-07-31 14:44	--------	d-----w	c:\program files\neostrada tp
2009-05-02 18:21 . 2009-01-20 18:59	--------	d-----r	c:\program files\CDN OPT!MA
2009-04-24 17:48 . 2006-03-02 12:00	85266	----a-w	c:\windows\system32\perfc015.dat
2009-04-24 17:48 . 2006-03-02 12:00	475568	----a-w	c:\windows\system32\perfh015.dat
2009-03-26 14:49 . 2009-04-01 14:55	38496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 14:49 . 2009-04-01 14:55	15504	----a-w	c:\windows\system32\drivers\mbam.sys
2009-03-08 02:34 . 2006-03-02 12:00	914944	----a-w	c:\windows\system32\wininet.dll
2009-03-08 02:34 . 2006-03-02 12:00	43008	----a-w	c:\windows\system32\licmgr10.dll
2009-03-08 02:33 . 2006-03-02 12:00	18944	----a-w	c:\windows\system32\corpol.dll
2009-03-08 02:33 . 2006-03-02 12:00	420352	----a-w	c:\windows\system32\vbscript.dll
2009-03-08 02:32 . 2006-03-02 12:00	72704	----a-w	c:\windows\system32\admparse.dll
2009-03-08 02:32 . 2006-03-02 12:00	71680	----a-w	c:\windows\system32\iesetup.dll
2009-03-08 02:31 . 2006-03-02 12:00	34816	----a-w	c:\windows\system32\imgutil.dll
2009-03-08 02:31 . 2006-03-02 12:00	48128	----a-w	c:\windows\system32\mshtmler.dll
2009-03-08 02:31 . 2006-03-02 12:00	45568	----a-w	c:\windows\system32\mshta.exe
2009-03-08 02:22 . 2006-03-02 12:00	156160	----a-w	c:\windows\system32\msls31.dll
2009-03-06 14:47 . 2006-03-02 12:00	285184	----a-w	c:\windows\system32\pdh.dll
2008-11-19 16:05 . 2007-09-25 17:03	168	--sh--r	c:\windows\system32\39785E14CB.sys
2008-11-19 16:05 . 2007-09-25 15:55	5852	--sha-w	c:\windows\system32\KGyGaAvL.sys
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2006-03-02 15360]
"AlcoholAutomount"="d:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2007-07-02 219008]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-22 2772992]
"Nowe Gadu-Gadu"="e:\program files\Nowe Gadu-Gadu\gg.exe" [2009-02-06 9302632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-24 590848]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-25 136600]
"WOOWATCH"="c:\progra~1\NEOSTR~1\Watch.exe" [2004-08-23 20480]
"WOOTASKBARICON"="c:\progra~1\NEOSTR~1\GestMaj.exe" [2004-10-14 32768]
"Onet.pl AutoUpdate"="c:\program files\Common Files\Onet.pl\AutoUpdate.exe" [2006-02-08 260096]
"QuickTime Task"="d:\program files\VistaCodecPack\QT\QTTask.exe" [2008-05-27 413696]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-10-30 16269312]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-06-01 1519616]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-23 101136]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-06-01 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-25 219136]

c:\documents and settings\Właściciel\Menu Start\Programy\Autostart\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-7-31 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-7-31 688128]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
uninstall.exe [2009-5-13 0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"d:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"d:\\Program Files\\EA Sports\\FIFA 08\\FIFA08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"d:\\Program Files\\Techland\\FIM Speedway GP3\\sgp3.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"d:\\Program Files\\FIFA 2009\\FIFA 09\\FIFA09.exe"=
"e:\\Program files\\Nowe Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8461:TCP"= 8461:TCP:GoD High Port
"8462:TCP"= 8462:TCP:GoD Low Port
"11510:TCP"= 11510:TCP:BitComet 11510 TCP
"11510:UDP"= 11510:UDP:BitComet 11510 UDP

R0 pe3aq6eb;FIM Speedway GP3 Environment Driver (pe3aq6eb);c:\windows\system32\drivers\pe3aq6eb.sys [2008-04-03 69248]
R0 ps7aq6eb;FIM Speedway GP3 Synchronization Driver (ps7aq6eb);c:\windows\system32\drivers\ps7aq6eb.sys [2008-04-03 68744]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-10-13 35328]
R2 HASPSrv;HASPSrv;c:\windows\system32\HASPSrv.exe [2009-01-20 684032]
R2 MSSQL$CDN_OPTIMA;MSSQL$CDN_OPTIMA;c:\program files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlservr.exe -sCDN_OPTIMA --> c:\program files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlservr.exe -sCDN_OPTIMA [?]
R3 Stmatm;ATM/ADSL miniport;c:\windows\system32\drivers\stmatm.sys [2007-07-31 60255]
R3 TaurusUsb;ADSL Modem USB Service;c:\windows\system32\drivers\torususb.sys [2007-07-31 684265]
S2 pr2aq6eb;FIM Speedway GP3 Drivers Auto Removal (pr2aq6eb);c:\windows\system32\pr2aq6eb.exe svc --> c:\windows\system32\pr2aq6eb.exe svc [?]
S3 SQLAgent$CDN_OPTIMA;SQLAgent$CDN_OPTIMA;c:\program files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlagent.EXE -i CDN_OPTIMA --> c:\program files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlagent.EXE -i CDN_OPTIMA [?]
.
Zawartość folderu 'Zaplanowane zadania'
2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 15:57]
2009-05-13 c:\windows\Tasks\User_Feed_Synchronization-{9DC51EAA-3EF0-4651-A7B4-80A668337A11}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
.
.
------- Skan uzupełniający -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.nasza-klasa.pl
uInternet Connection Wizard,ShellNext = iexplore
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} - hxxp://arcaonline.arcabit.com/ArcaOnline.cab
FF - ProfilePath - c:\documents and settings\Właściciel\Dane aplikacji\Mozilla\Firefox\Profiles\dzmmyv91.Domyślny użytkownik\
FF - prefs.js: browser.startup.homepage - wyborcza.pl/0,0.html?p=017
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwmsdrm.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\Opera\program\plugins\npdsplay.dll
FF - plugin: d:\program files\Opera\program\plugins\NPOFF12.DLL
FF - plugin: d:\program files\Opera\program\plugins\NPSWF32.dll
FF - plugin: d:\program files\Opera\program\plugins\npwmsdrm.dll
FF - plugin: d:\program files\VistaCodecPack\QT\Plugins\npqtplugin.dll
FF - plugin: d:\program files\VistaCodecPack\QT\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\VistaCodecPack\QT\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\VistaCodecPack\QT\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\VistaCodecPack\QT\Plugins\npqtplugin5.dll
FF - plugin: d:\program files\VistaCodecPack\QT\Plugins\npqtplugin6.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-13 20:54
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,84,13,ed,10,67,eb,ae,4e,8d,64,8a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,84,13,ed,10,67,eb,ae,4e,8d,64,8a,\
[HKEY_USERS\S-1-5-21-1202660629-1004336348-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-1202660629-1004336348-725345543-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1202660629-1004336348-725345543-1003)
@Allowed: (Read) (S-1-5-21-1202660629-1004336348-725345543-1003)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'explorer.exe'(3852)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Czas ukończenia: 2009-05-13 20:56
ComboFix-quarantined-files.txt  2009-05-13 18:55
Przed: 7 062 777 856 bajtów wolnych
Po: 7 052 242 944 bajtów wolnych
187	--- E O F ---	2009-05-13 11:49
Guest

Clean.

Clean up after ComboFix and the various tools >>> OTCleanIt.

And that's it.

  • 3 months later...
tarlaf (edited)

The Windows Removal Tool... reports to me:

Found malware: PWS:Win32/Sinowal.gen!M in file://C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\uninstall.exe
Quick Scan Removal Results
----------------
Start 'remove' for file://\\?\C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\uninstall.exe
Operation succeeded !
Start 'remove' for startup://\\?\C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\uninstall.exe
Operation succeeded !

Unfortunately that file is still there, even after removing it with Avenger. The CF report is attached. Could I ask for instructions? :unsure: Thanks in advance.

----

@KamilJB done

ComboFix.txt

Guest

@tarlaf start your own thread, don't piggyback on someone else's.
