sseb, posted 7 August 2008

Please help me. "Virus Alert" is displayed next to the clock and something posing as a program called Antispyware XP 2008 keeps popping up. As far as I can tell, it is a virus pretending to be a program. Log below. What should I remove?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:27: VIRUS ALERT!, on 2008-08-07
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\PeerGuardian2\pg2.exe
D:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Gigabyte\Gigabyte GN-WI01GS Wireless Mini PCI Adapter\Installer\WINXP\GNConfig.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {4A10BF18-AE42-4D89-8D72-0742D83AA2C6} - C:\WINDOWS\wnlmdakqqas.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: bgrqfetx - {E0597566-BAA7-49B5-875B-5E203D363229} - C:\WINDOWS\bgrqfetx.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] d:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\RunOnce: [spybotDeletingA1335] command /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKLM\..\RunOnce: [spybotDeletingC1494] cmd /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\as2008xp.exe" /autorun
O4 - HKCU\..\Run: [PC Suite Tray] "D:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\RunOnce: [spybotDeletingB9041] command /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKCU\..\RunOnce: [spybotDeletingD7593] cmd /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GNConfig.lnk = C:\Program Files\Gigabyte\Gigabyte GN-WI01GS Wireless Mini PCI Adapter\Installer\WINXP\GNConfig.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Konwertuj do Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konwertuj miejsce docelowe łącza do Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konwertuj miejsce docelowe łącza do istniejącego pliku PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Konwertuj wybrane łącza do Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Konwertuj zaznaczenie do Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konwertuj zaznaczenie do istniejącego pliku PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Utwórz Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195211118900
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O21 - SSODL: tfnslopk - {03EF650A-2886-4D2F-B13D-1B892BC5132E} - C:\WINDOWS\tfnslopk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: FrontLine Drivers Auto Removal (v2) (sfrem02) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem02.exe

--
End of file - 11266 bytes
snip91, comment, 7 August 2008

O2 - BHO: QXK Olive - {4A10BF18-AE42-4D89-8D72-0742D83AA2C6} - C:\WINDOWS\wnlmdakqqas.dll
O3 - Toolbar: bgrqfetx - {E0597566-BAA7-49B5-875B-5E203D363229} - C:\WINDOWS\bgrqfetx.dll (file missing)
O4 - HKLM\..\RunOnce: [spybotDeletingA1335] command /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKLM\..\RunOnce: [spybotDeletingC1494] cmd /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\as2008xp.exe" /autorun
O4 - HKCU\..\RunOnce: [spybotDeletingB9041] command /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKCU\..\RunOnce: [spybotDeletingD7593] cmd /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O21 - SSODL: tfnslopk - {03EF650A-2886-4D2F-B13D-1B892BC5132E} - C:\WINDOWS\tfnslopk.dll

FIX these entries in HijackThis. Download ComboFix. Paste the following into Notepad:

File::
C:\WINDOWS\wnlmdakqqas.dll
C:\WINDOWS\tfnslopk.dll
Folder::
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions

In Notepad, File --> Save As --> save it under the name CFScript.txt, in the same directory where ComboFix is. Start Safe Mode (F8 while the system is loading). Drag the CFScript.txt file you made onto the ComboFix icon, as in the picture. Removal will begin and a log will be produced, which you post on the forum. After the restart, delete the folder C:\Qoobox manually.
Mateusz J., comment, 7 August 2008

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: QXK Olive - {4A10BF18-AE42-4D89-8D72-0742D83AA2C6} - C:\WINDOWS\wnlmdakqqas.dll
O3 - Toolbar: bgrqfetx - {E0597566-BAA7-49B5-875B-5E203D363229} - C:\WINDOWS\bgrqfetx.dll (file missing)
O4 - HKLM\..\RunOnce: [spybotDeletingA1335] command /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKLM\..\RunOnce: [spybotDeletingC1494] cmd /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\as2008xp.exe" /autorun
O4 - HKCU\..\RunOnce: [spybotDeletingB9041] command /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKCU\..\RunOnce: [spybotDeletingD7593] cmd /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O21 - SSODL: tfnslopk - {03EF650A-2886-4D2F-B13D-1B892BC5132E} - C:\WINDOWS\tfnslopk.dll

Fix in HijackThis. Download ComboFix. Open Notepad and paste the following into it:

File::
C:\WINDOWS\wnlmdakqqas.dll
C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old
C:\WINDOWS\tfnslopk.dll
C:\WINDOWS\bgrqfetx.dll
Folder::
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotDeletingA1335"=-
"SpybotDeletingC1494"=-
[HKEY_current_Users\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"s9201"=-
"SpybotDeletingB9041"=-
"SpybotDeletingD7593"=-

In Notepad, File ==> Save As ==> save it under the name CFScript.txt, in the same directory where ComboFix was downloaded and saved. Boot into Safe Mode. Drag the CFScript.txt file you made onto the ComboFix icon, as in the picture. Removal will begin and a log will be produced, which you post on the forum. Along with it, please post a new HijackThis log.
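The two replies above pick the suspicious O2/O3/O4/O21 entries out of the HijackThis log by eye and hand-write a ComboFix CFScript for them. As an added example that is not part of the thread and not code from HijackThis or ComboFix, the script below automates that triage: it parses those entry types, flags the ones a helper would point at, and renders the hits in the File::/Registry:: form used above. The heuristics (a generated-looking file name sitting directly in the Windows directory, an autorun living in a profile data directory, a registered object whose file is missing) are the editor's own assumptions, and the sample lines are constructed from entries quoted in the posted log.

```python
"""Triage HijackThis 2.0 log lines and draft a ComboFix CFScript from the hits.
Added example for this thread; the heuristics are the editor's own assumptions."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a shortened set of lines in the shape of the log posted
# above (paths and CLSIDs copied from it).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {4A10BF18-AE42-4D89-8D72-0742D83AA2C6} - C:\WINDOWS\wnlmdakqqas.dll
O3 - Toolbar: bgrqfetx - {E0597566-BAA7-49B5-875B-5E203D363229} - C:\WINDOWS\bgrqfetx.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\as2008xp.exe" /autorun
O21 - SSODL: tfnslopk - {03EF650A-2886-4D2F-B13D-1B892BC5132E} - C:\WINDOWS\tfnslopk.dll
"""

# O2 (BHO), O3 (toolbar) and O21 (SSODL) share one shape:
# "<type> - <kind>: <name> - {CLSID} - <path>[ (file missing)]"
COM_LINE = re.compile(
    r"^(?P<type>O2|O3|O21) - (?:BHO|Toolbar|SSODL): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
# O4: "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
RUN_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[\w.-]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
# A file directly in %WINDIR% or %WINDIR%\system32, no deeper.
WINDIR_FILE = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[^\\]+$", re.I)
# Profile/data directories (English and Polish XP names) an autorun rarely lives in.
DATA_DIR = re.compile(r"\\(?:all users|application data|dane aplikacji|appdata)\\", re.I)


@dataclass
class Finding:
    source: str        # the log line that triggered it
    path: str          # file the entry loads, as written in the log
    reasons: list
    reg_key: str = ""  # full Run key (O4 entries only)
    value: str = ""    # value name under that key (O4 entries only)


def looks_generated(stem: str) -> bool:
    """Five consonants in a row is rare in product names (ctfmon, rundll32, nwiz
    all pass) but common in generated names such as wnlmdakqqas or tfnslopk."""
    return re.search(r"[b-df-hj-np-tv-z]{5}", stem, re.I) is not None


def exe_path(cmd: str) -> str:
    """Pull the program path out of an O4 command line, quoted or not."""
    m = re.match(r'"?([^"]+?\.(?:exe|dll|com|scr))', cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def path_reasons(path: str) -> list:
    reasons = []
    stem = ntpath.splitext(ntpath.basename(path))[0]
    if WINDIR_FILE.match(path) and looks_generated(stem):
        reasons.append("loads from the Windows directory under a generated-looking name")
    if DATA_DIR.search(path):
        reasons.append("runs from a profile data directory rather than Program Files")
    return reasons


def triage(log: str) -> list:
    """Return a Finding for every O2/O3/O4/O21 line that trips a heuristic."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = COM_LINE.match(line)
        if m:
            reasons = path_reasons(m.group("path"))
            if m.group("missing"):
                reasons.append("registered object whose file is missing (orphan)")
            if reasons:
                findings.append(Finding(line, m.group("path"), reasons))
            continue
        m = RUN_LINE.match(line)
        if m:
            path = exe_path(m.group("cmd"))
            reasons = path_reasons(path)
            if reasons:
                hive = HIVES.get(m.group("hive"), m.group("hive"))
                key = "\\".join([hive, "SOFTWARE", "Microsoft", "Windows",
                                 "CurrentVersion", m.group("key")])
                findings.append(Finding(line, path, reasons, reg_key=key,
                                        value=m.group("name")))
    return findings


def draft_cfscript(findings: list) -> str:
    """Render hits in the File::/Registry:: CFScript form used in the replies above.
    Orphans (file missing) get no File:: line; Run values use the REGEDIT4
    '"name"=-' delete syntax shown there. A draft for a human to check, not to run blind."""
    files = sorted({f.path for f in findings if "(file missing)" not in f.source})
    out = ["File::", *files]
    by_key = {}
    for f in findings:
        if f.reg_key:
            by_key.setdefault(f.reg_key, []).append(f.value)
    if by_key:
        out.append("Registry::")
        for key, values in by_key.items():
            out.append(f"[{key}]")
            out.extend(f'"{v}"=-' for v in values)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(h.source, "->", "; ".join(h.reasons))
    print(draft_cfscript(hits))
```

On the sample, the Adobe BHO, the Avira autorun and ctfmon.exe pass, while the four entries the helpers picked out are flagged, and the legitimate RunOnce cleanup entries would need the same manual judgement the thread applied.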
sseb (author), comment, 7 August 2008

Thanks for the quick help. Here is the new log:

ComboFix 08-08-06.02 - Pan 2008-08-07 15:03:02.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.324 [GMT 2:00]
Running from: C:\Documents and Settings\Pan\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pan\Pulpit\CFScript.txt
[b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b]

FILE ::
C:\WINDOWS\bgrqfetx.dll
C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old
C:\WINDOWS\tfnslopk.dll
C:\WINDOWS\wnlmdakqqas.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\as2008xp.exe
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\LOG\20080806074719394.log
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\LOG\20080806100230366.log
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\LOG\20080806121508090.log
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\LOG\20080806185314042.log
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\LOG\20080806212946742.log
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\LOG\20080807100804032.log
C:\WINDOWS\enrp.exe
C:\WINDOWS\g32.txt
C:\WINDOWS\tfnslopk.dll
C:\WINDOWS\wnlmdakqqas.dll
.
((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.
2008-08-07 12:19 . 2008-08-07 12:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-06 07:47 . 2008-08-06 07:47 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\services
2008-08-06 07:47 . 2008-08-06 07:47 64,362 --a------ C:\WINDOWS\system32\rwcnqrffnabtgc.exe
2008-08-06 07:45 . 2008-08-06 06:16 86,016 --a------ C:\WINDOWS\lnvegaow.exe
2008-07-18 11:08 . 2004-08-04 08:38 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-07-18 11:08 . 2004-08-04 08:38 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 12:58 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-08-07 12:54 --------- d-----w C:\Program Files\PeerGuardian2
2008-08-05 21:12 --------- d-----w C:\Program Files\Opera
2008-08-05 09:45 --------- d-----w C:\Program Files\Spyware Doctor
2008-07-25 07:14 --------- d-----w C:\Documents and Settings\Pan\Dane aplikacji\uTorrent
2008-07-15 18:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-15 18:33 --------- d-----w C:\Program Files\AimOne Video Converter
2008-07-10 19:31 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-06-25 23:01 42,376 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 14:15 --------- d-----w C:\Documents and Settings\Pan\Dane aplikacji\ScannerData
2008-06-15 19:50 --------- d-----w C:\Program Files\directx
2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 00:40 --------- d-----w C:\Program Files\Eidos Interactive
2008-06-13 19:17 --------- d-----w C:\Documents and Settings\Pan\Dane aplikacji\Ulead Systems
2008-06-13 19:15 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-06-13 19:14 --------- d-----w C:\Program Files\Ulead Systems
2008-06-13 19:14 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Ulead Systems
2008-05-23 07:06 685,576 ----a-w C:\WINDOWS\unins000.exe
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-03-20 10:19 18,840 ----a-w C:\Documents and Settings\Pan\Dane aplikacji\GDIPFONTCACHEV1.DAT
2008-01-04 18:19 88 --sh--r C:\WINDOWS\system32\A2887D7729.sys
2008-01-04 18:19 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:44 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 16:57 1289000]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-08-09 15:28 1961984]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-11-18 13:19 1457152]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"PC Suite Tray"="D:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 11:12 695808]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB9041"="command" [X]
"SpybotDeletingD7593"="del" [X]
"FlashPlayerUpdate"="C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe" [2007-11-15 13:37 190696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 20:59 266497]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 17:15 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"PWRISOVM.EXE"="d:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 09:05 217088]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-06-26 01:01 1107848]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Ulead Photo Express Calendar Checker"="C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-12 20:40 69632]
"nwiz"="nwiz.exe" [2002-04-19 15:13 364544 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:44 15360]
"Nokia.PCSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 18:35 1294336]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
GNConfig.lnk - C:\Program Files\Gigabyte\Gigabyte GN-WI01GS Wireless Mini PCI Adapter\Installer\WINXP\GNConfig.exe [2007-12-04 21:30:56 716800]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\NAPI-PROJEKT\\napisy.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Macromedia\\Contribute 3\\Contribute.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"D:\\totalcmd\\TOTALCMD.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\DRIVERS\avgntmgr.sys [2008-04-14 19:46]
R0 sfsync05;FrontLine Synchronization Driver (v5);C:\WINDOWS\system32\drivers\sfsync05.sys [2006-12-21 17:11]
R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 21:27]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-07-17 20:59]
S2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-04-02 11:16]
S2 sfrem02;FrontLine Drivers Auto Removal (v2);C:\WINDOWS\system32\sfrem02.exe svc []
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-05-11 13:12]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-05-11 13:12]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-05-11 13:12]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-05-11 13:12]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-05-11 13:12]

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{E0597566-BAA7-49B5-875B-5E203D363229} - C:\WINDOWS\bgrqfetx.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 15:05:40
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-07 15:08:31
ComboFix-quarantined-files.txt 2008-08-07 13:07:36

Pre-Run: 2,613,387,264 bajtów wolnych
Post-Run: 2,932,523,008 bajtów wolnych

148 --- E O F --- 2008-07-10 16:39:31
Mateusz J., comment, 7 August 2008

This time paste the following into Notepad:

File::
C:\WINDOWS\system32\rwcnqrffnabtgc.exe
C:\WINDOWS\lnvegaow.exe
Folder::
C:\Documents and Settings\All Users\Dane aplikacji\services

In Notepad, File ==> Save As ==> save it under the name CFScript.txt, in the same directory where ComboFix was downloaded and saved. Boot into Safe Mode. Drag the CFScript.txt file you made onto the ComboFix icon, as in the picture. Removal will begin and a log will be produced, which you post on the forum. After the restart, delete the folder C:\Qoobox manually. Empty the TEMP directories; use the ATF-Cleaner program to clean them. Write back whether there is an improvement.
sseb (author), comment, 7 August 2008

Now it looks like this. Is it OK now?

ComboFix 08-08-06.02 - Pan 2008-08-07 17:22:31.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.338 [GMT 2:00]
Running from: C:\Documents and Settings\Pan\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pan\Pulpit\CFScript.txt
[b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b]

FILE ::
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\system32\rwcnqrffnabtgc.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Dane aplikacji\services
C:\Documents and Settings\All Users\Dane aplikacji\services\services.dll
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\system32\rwcnqrffnabtgc.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.
2008-08-07 12:19 . 2008-08-07 12:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-18 11:08 . 2004-08-04 08:38 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-07-18 11:08 . 2004-08-04 08:38 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 15:19 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-08-07 15:11 --------- d-----w C:\Program Files\PeerGuardian2
2008-08-05 21:12 --------- d-----w C:\Program Files\Opera
2008-08-05 09:45 --------- d-----w C:\Program Files\Spyware Doctor
2008-07-25 07:14 --------- d-----w C:\Documents and Settings\Pan\Dane aplikacji\uTorrent
2008-07-15 18:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-15 18:33 --------- d-----w C:\Program Files\AimOne Video Converter
2008-07-10 19:31 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-06-25 23:01 42,376 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 14:15 --------- d-----w C:\Documents and Settings\Pan\Dane aplikacji\ScannerData
2008-06-15 19:50 --------- d-----w C:\Program Files\directx
2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 00:40 --------- d-----w C:\Program Files\Eidos Interactive
2008-06-13 19:17 --------- d-----w C:\Documents and Settings\Pan\Dane aplikacji\Ulead Systems
2008-06-13 19:15 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-06-13 19:14 --------- d-----w C:\Program Files\Ulead Systems
2008-06-13 19:14 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Ulead Systems
2008-05-23 07:06 685,576 ----a-w C:\WINDOWS\unins000.exe
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-03-20 10:19 18,840 ----a-w C:\Documents and Settings\Pan\Dane aplikacji\GDIPFONTCACHEV1.DAT
2008-01-04 18:19 88 --sh--r C:\WINDOWS\system32\A2887D7729.sys
2008-01-04 18:19 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:44 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 16:57 1289000]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-08-09 15:28 1961984]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-11-18 13:19 1457152]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"PC Suite Tray"="D:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 11:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 20:59 266497]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 17:15 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"PWRISOVM.EXE"="d:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 09:05 217088]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-06-26 01:01 1107848]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Ulead Photo Express Calendar Checker"="C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-12 20:40 69632]
"nwiz"="nwiz.exe" [2002-04-19 15:13 364544 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:44 15360]
"Nokia.PCSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 18:35 1294336]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
GNConfig.lnk - C:\Program Files\Gigabyte\Gigabyte GN-WI01GS Wireless Mini PCI Adapter\Installer\WINXP\GNConfig.exe [2007-12-04 21:30:56 716800]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\NAPI-PROJEKT\\napisy.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Macromedia\\Contribute 3\\Contribute.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"D:\\totalcmd\\TOTALCMD.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\DRIVERS\avgntmgr.sys [2008-04-14 19:46]
R0 sfsync05;FrontLine Synchronization Driver (v5);C:\WINDOWS\system32\drivers\sfsync05.sys [2006-12-21 17:11]
R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 21:27]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-07-17 20:59]
S2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-04-02 11:16]
S2 sfrem02;FrontLine Drivers Auto Removal (v2);C:\WINDOWS\system32\sfrem02.exe svc []
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-05-11 13:12]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-05-11 13:12]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-05-11 13:12]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-05-11 13:12]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-05-11 13:12]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 17:24:59
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-07 17:27:49
ComboFix-quarantined-files.txt 2008-08-07 15:26:52
ComboFix2.txt 2008-08-07 13:08:32

Pre-Run: 2,958,315,520 bajtów wolnych
Post-Run: 2,950,483,968 bajtów wolnych

129 --- E O F --- 2008-07-10 16:39:31
sseb (author), comment, 7 August 2008

Yes, it's OK. Great, many thanks for being here )