
[Solved] Request to check a log

sseb
created

I'd really appreciate some help. "Virus Alert" is displayed next to the clock, and something that claims to be a program, Antispyware XP 2008, keeps popping up. As far as I can tell it's a virus posing as a program. Log below. What should I remove?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:27: VIRUS ALERT!, on 2008-08-07
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\PeerGuardian2\pg2.exe
D:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Gigabyte\Gigabyte GN-WI01GS Wireless Mini PCI Adapter\Installer\WINXP\GNConfig.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {4A10BF18-AE42-4D89-8D72-0742D83AA2C6} - C:\WINDOWS\wnlmdakqqas.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: bgrqfetx - {E0597566-BAA7-49B5-875B-5E203D363229} - C:\WINDOWS\bgrqfetx.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] d:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\RunOnce: [spybotDeletingA1335] command /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKLM\..\RunOnce: [spybotDeletingC1494] cmd /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\as2008xp.exe" /autorun
O4 - HKCU\..\Run: [PC Suite Tray] "D:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\RunOnce: [spybotDeletingB9041] command /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKCU\..\RunOnce: [spybotDeletingD7593] cmd /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GNConfig.lnk = C:\Program Files\Gigabyte\Gigabyte GN-WI01GS Wireless Mini PCI Adapter\Installer\WINXP\GNConfig.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Konwertuj do Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konwertuj miejsce docelowe łącza do Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konwertuj miejsce docelowe łącza do istniejącego pliku PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Konwertuj wybrane łącza do Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Konwertuj zaznaczenie do Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konwertuj zaznaczenie do istniejącego pliku PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Utwórz Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195211118900
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O21 - SSODL: tfnslopk - {03EF650A-2886-4D2F-B13D-1B892BC5132E} - C:\WINDOWS\tfnslopk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: FrontLine Drivers Auto Removal (v2) (sfrem02) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem02.exe

--
End of file - 11266 bytes

snip91
comment
O2 - BHO: QXK Olive - {4A10BF18-AE42-4D89-8D72-0742D83AA2C6} - C:\WINDOWS\wnlmdakqqas.dll
O3 - Toolbar: bgrqfetx - {E0597566-BAA7-49B5-875B-5E203D363229} - C:\WINDOWS\bgrqfetx.dll (file missing)
O4 - HKLM\..\RunOnce: [spybotDeletingA1335] command /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKLM\..\RunOnce: [spybotDeletingC1494] cmd /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\as2008xp.exe" /autorun
O4 - HKCU\..\RunOnce: [spybotDeletingB9041] command /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKCU\..\RunOnce: [spybotDeletingD7593] cmd /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O21 - SSODL: tfnslopk - {03EF650A-2886-4D2F-B13D-1B892BC5132E} - C:\WINDOWS\tfnslopk.dll

FIX these entries in HijackThis.

Download ComboFix.

Paste into Notepad:

File::
C:\WINDOWS\wnlmdakqqas.dll
C:\WINDOWS\tfnslopk.dll

Folder::
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions

In Notepad, File tab --> Save As --> save it under the name CFScript.txt in the same directory where ComboFix is.

Boot into Safe Mode (F8 while the system is loading). Drag the CFScript.txt file you created onto the ComboFix icon, as in the picture:

[image: 82650GIF.gif]

Removal will begin and a log will be created, which you then post on the forum.

After the restart, delete the C:\Qoobox folder manually.

Mateusz J.
comment
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: QXK Olive - {4A10BF18-AE42-4D89-8D72-0742D83AA2C6} - C:\WINDOWS\wnlmdakqqas.dll
O3 - Toolbar: bgrqfetx - {E0597566-BAA7-49B5-875B-5E203D363229} - C:\WINDOWS\bgrqfetx.dll (file missing)
O4 - HKLM\..\RunOnce: [spybotDeletingA1335] command /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKLM\..\RunOnce: [spybotDeletingC1494] cmd /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\as2008xp.exe" /autorun
O4 - HKCU\..\RunOnce: [spybotDeletingB9041] command /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKCU\..\RunOnce: [spybotDeletingD7593] cmd /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O21 - SSODL: tfnslopk - {03EF650A-2886-4D2F-B13D-1B892BC5132E} - C:\WINDOWS\tfnslopk.dll

Fix in HijackThis.

Download ComboFix.

Open Notepad and paste into it:

File::
C:\WINDOWS\wnlmdakqqas.dll
C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old
C:\WINDOWS\tfnslopk.dll
C:\WINDOWS\bgrqfetx.dll

Folder::
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA1335"=-
"SpybotDeletingC1494"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"s9201"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB9041"=-
"SpybotDeletingD7593"=-

In Notepad, File tab ==> Save As ==> save it under the name CFScript.txt in the same directory where ComboFix was downloaded and saved.

Boot into Safe Mode. Drag the CFScript.txt file you created onto the ComboFix icon, as in the picture:

[image: 82650GIF.gif]

Removal will begin and a log will be created, which you then post on the forum.

In addition, please post a new HijackThis log.
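The triage snip91 and Mateusz J. did by eye above (pick out the O2/O3/O21 modules with random-looking names or a missing file and the O4 autoruns started from All Users application data or left behind as "del" stubs, then turn them into a ComboFix CFScript with File::, Folder:: and Registry:: sections), written out as an added Python example; this is not code from the thread, from HijackThis or from ComboFix. The sample log lines are constructed from the entries posted in this thread, and the vowel-ratio rule for "random-looking" names is an assumption of this example.

```python
"""Triage a HijackThis v2 log and emit a ComboFix CFScript for the hits.

Added example (not code from the thread, HijackThis or ComboFix). The rules
mirror what the helpers picked out by eye: an O2/O3/O21 module loaded from
the Windows directory itself under a random-looking name or with its file
missing, and an O4 autorun started from All Users application data or left
behind as a "del ..." stub. SAMPLE_LOG is constructed from the thread's
entries; the vowel-ratio rule in suspicious_module() is an assumption.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {4A10BF18-AE42-4D89-8D72-0742D83AA2C6} - C:\WINDOWS\wnlmdakqqas.dll
O3 - Toolbar: bgrqfetx - {E0597566-BAA7-49B5-875B-5E203D363229} - C:\WINDOWS\bgrqfetx.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [spybotDeletingA1335] command /c del "C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old"
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\as2008xp.exe" /autorun
O21 - SSODL: tfnslopk - {03EF650A-2886-4D2F-B13D-1B892BC5132E} - C:\WINDOWS\tfnslopk.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# O2 (BHO), O3 (toolbar) and O21 (SSODL) entries share one shape:
# "<section> - <type>: <name> - {CLSID} - <path>[ (file missing)]"
MODULE_RE = re.compile(r"^(O2|O3|O21) - (?:BHO|Toolbar|SSODL): .*? - \{[0-9A-Fa-f-]+\} - "
                       r"(.*?)(?: \((file missing)\))?$")
# O4 autoruns: "O4 - HKLM\..\RunOnce: [value name] command line"
AUTORUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[([^\]]+)\] (.*)$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion"


def suspicious_module(path):
    """C:\\WINDOWS\\<8+ lowercase letters, at most 30% vowels>.dll (assumed rule)."""
    parts = path.split("\\")
    if len(parts) != 3 or parts[1].upper() != "WINDOWS":
        return False            # legit BHOs live in system32 or Program Files
    stem = parts[2].split(".", 1)[0]
    if not re.fullmatch(r"[a-z]{8,}", stem):
        return False
    return sum(ch in "aeiouy" for ch in stem) / len(stem) <= 0.3


def command_target(cmd):
    """The executable an O4 command line starts: the quoted path, else the first word."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return (section, reason, path, registry value) for each suspicious entry."""
    hits = []
    for line in log_text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            section, path, missing = m.groups()
            if missing:
                hits.append((section, "file missing", path, None))
            elif suspicious_module(path):
                hits.append((section, "random-named module in Windows root", path, None))
            continue
        m = AUTORUN_RE.match(line)
        if not m:
            continue
        hive, key, value, cmd = m.groups()
        reg = (HIVES[hive], key, value)          # where the value lives, for Registry::
        if re.match(r"(?i)(command|cmd) /c del ", cmd):
            quoted = re.search(r'"([^"]+)"', cmd)  # the file the stub was meant to delete
            hits.append(("O4", "leftover delete stub", quoted and quoted.group(1), reg))
        elif "\\All Users\\Dane aplikacji\\" in cmd:
            hits.append(("O4", "autorun from All Users application data", command_target(cmd), reg))
    return hits


def vendor_folder(path):
    """Folder directly under 'Dane aplikacji' that owns a rogue autorun target."""
    parts = path.split("\\")
    return "\\".join(parts[: parts.index("Dane aplikacji") + 2])


def build_cfscript(hits):
    """Render File::/Folder::/Registry:: sections in ComboFix's CFScript syntax."""
    files, folders, reg = [], [], defaultdict(list)
    for _section, _reason, path, regval in hits:
        if path and "\\Dane aplikacji\\" in path:
            folders.append(vendor_folder(path))   # remove the whole product folder
        elif path:
            files.append(path)
        if regval:
            hive, key, value = regval
            reg[f"[{hive}\\{RUN_KEY}\\{key}]"].append(f'"{value}"=-')  # "=-" deletes the value
    out = []
    if files:
        out += ["File::"] + list(dict.fromkeys(files)) + [""]
    if folders:
        out += ["Folder::"] + sorted(set(folders)) + [""]
    if reg:
        out.append("Registry::")
        for key, values in reg.items():
            out += [key] + values
    return "\n".join(out) + "\n"
```

Calling `build_cfscript(triage(SAMPLE_LOG))` yields the same File::, Folder:: and Registry:: entries the helpers wrote by hand, with the Spybot stubs placed under RunOnce where the log shows them.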

sseb
comment

Thanks for the quick help. Here is the new log:

ComboFix 08-08-06.02 - Pan 2008-08-07 15:03:02.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition  5.1.2600.2.1250.1.1045.18.324 [GMT 2:00]
Running from: C:\Documents and Settings\Pan\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pan\Pulpit\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\bgrqfetx.dll
C:\WINDOWS\bgrqfetx.dll_tobedeleted_tobedeleted_old
C:\WINDOWS\tfnslopk.dll
C:\WINDOWS\wnlmdakqqas.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\as2008xp.exe
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\LOG\20080806074719394.log
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\LOG\20080806100230366.log
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\LOG\20080806121508090.log
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\LOG\20080806185314042.log
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\LOG\20080806212946742.log
C:\Documents and Settings\All Users\Dane aplikacji\Secure Solutions\Antispyware 2008 XP\LOG\20080807100804032.log
C:\WINDOWS\enrp.exe
C:\WINDOWS\g32.txt
C:\WINDOWS\tfnslopk.dll
C:\WINDOWS\wnlmdakqqas.dll
.

(((((((((((((((((((((((((   Files Created from 2008-07-07 to 2008-08-07  )))))))))))))))))))))))))))))))
.

2008-08-07 12:19 . 2008-08-07 12:19	<DIR>	d--------	C:\Program Files\Trend Micro
2008-08-06 07:47 . 2008-08-06 07:47	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\services
2008-08-06 07:47 . 2008-08-06 07:47	64,362	--a------	C:\WINDOWS\system32\rwcnqrffnabtgc.exe
2008-08-06 07:45 . 2008-08-06 06:16	86,016	--a------	C:\WINDOWS\lnvegaow.exe
2008-07-18 11:08 . 2004-08-04 08:38	14,848	--a------	C:\WINDOWS\system32\drivers\kbdhid.sys
2008-07-18 11:08 . 2004-08-04 08:38	14,848	--a--c---	C:\WINDOWS\system32\dllcache\kbdhid.sys
.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 12:58	---------	d---a-w	C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-08-07 12:54	---------	d-----w	C:\Program Files\PeerGuardian2
2008-08-05 21:12	---------	d-----w	C:\Program Files\Opera
2008-08-05 09:45	---------	d-----w	C:\Program Files\Spyware Doctor
2008-07-25 07:14	---------	d-----w	C:\Documents and Settings\Pan\Dane aplikacji\uTorrent
2008-07-15 18:58	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-07-15 18:33	---------	d-----w	C:\Program Files\AimOne Video Converter
2008-07-10 19:31	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-06-25 23:01	42,376	----a-w	C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-20 17:42	246,784	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 14:15	---------	d-----w	C:\Documents and Settings\Pan\Dane aplikacji\ScannerData
2008-06-15 19:50	---------	d-----w	C:\Program Files\directx
2008-06-14 18:01	273,024	------w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 00:40	---------	d-----w	C:\Program Files\Eidos Interactive
2008-06-13 19:17	---------	d-----w	C:\Documents and Settings\Pan\Dane aplikacji\Ulead Systems
2008-06-13 19:15	---------	d-----w	C:\Program Files\Common Files\Ulead Systems
2008-06-13 19:14	---------	d-----w	C:\Program Files\Ulead Systems
2008-06-13 19:14	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\Ulead Systems
2008-05-23 07:06	685,576	----a-w	C:\WINDOWS\unins000.exe
2008-05-07 05:16	1,291,264	----a-w	C:\WINDOWS\system32\quartz.dll
2008-03-20 10:19	18,840	----a-w	C:\Documents and Settings\Pan\Dane aplikacji\GDIPFONTCACHEV1.DAT
2008-01-04 18:19	88	--sh--r	C:\WINDOWS\system32\A2887D7729.sys
2008-01-04 18:19	2,828	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:44 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 16:57 1289000]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-08-09 15:28 1961984]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-11-18 13:19 1457152]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"PC Suite Tray"="D:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 11:12 695808]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB9041"="command" [X]
"SpybotDeletingD7593"="del" [X]
"FlashPlayerUpdate"="C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe" [2007-11-15 13:37 190696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 20:59 266497]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 17:15 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"PWRISOVM.EXE"="d:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 09:05 217088]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-06-26 01:01 1107848]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Ulead Photo Express Calendar Checker"="C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-12 20:40 69632]
"nwiz"="nwiz.exe" [2002-04-19 15:13 364544 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:44 15360]
"Nokia.PCSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 18:35 1294336]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
GNConfig.lnk - C:\Program Files\Gigabyte\Gigabyte GN-WI01GS Wireless Mini PCI Adapter\Installer\WINXP\GNConfig.exe [2007-12-04 21:30:56 716800]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\NAPI-PROJEKT\\napisy.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Macromedia\\Contribute 3\\Contribute.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"D:\\totalcmd\\TOTALCMD.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\DRIVERS\avgntmgr.sys [2008-04-14 19:46]
R0 sfsync05;FrontLine Synchronization Driver (v5);C:\WINDOWS\system32\drivers\sfsync05.sys [2006-12-21 17:11]
R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 21:27]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-07-17 20:59]
S2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-04-02 11:16]
S2 sfrem02;FrontLine Drivers Auto Removal (v2);C:\WINDOWS\system32\sfrem02.exe svc []
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-05-11 13:12]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-05-11 13:12]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-05-11 13:12]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-05-11 13:12]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-05-11 13:12]

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{E0597566-BAA7-49B5-875B-5E203D363229} - C:\WINDOWS\bgrqfetx.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 15:05:40
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-07 15:08:31
ComboFix-quarantined-files.txt  2008-08-07 13:07:36

Pre-Run: 2,613,387,264 bajtów wolnych
Post-Run: 2,932,523,008 bajtów wolnych

148	--- E O F ---	2008-07-10 16:39:31
Mateusz J.
comment

This time paste into Notepad:

File::
C:\WINDOWS\system32\rwcnqrffnabtgc.exe
C:\WINDOWS\lnvegaow.exe

Folder::
C:\Documents and Settings\All Users\Dane aplikacji\services

In Notepad, File tab ==> Save As ==> save it under the name CFScript.txt in the same directory where ComboFix was downloaded and saved.

Boot into Safe Mode. Drag the CFScript.txt file you created onto the ComboFix icon, as in the picture:

[image: 82650GIF.gif]

Removal will begin and a log will be created, which you then post on the forum.

After the restart, delete the C:\Qoobox folder manually.

Empty the TEMP directories.

Use ATF Cleaner to clean those directories.

Let me know whether there is an improvement.

sseb
comment

Well, now it looks like this. Is it OK now?

ComboFix 08-08-06.02 - Pan 2008-08-07 17:22:31.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition  5.1.2600.2.1250.1.1045.18.338 [GMT 2:00]
Running from: C:\Documents and Settings\Pan\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pan\Pulpit\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\system32\rwcnqrffnabtgc.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Dane aplikacji\services
C:\Documents and Settings\All Users\Dane aplikacji\services\services.dll
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\system32\rwcnqrffnabtgc.exe
.

(((((((((((((((((((((((((   Files Created from 2008-07-07 to 2008-08-07  )))))))))))))))))))))))))))))))
.

2008-08-07 12:19 . 2008-08-07 12:19	<DIR>	d--------	C:\Program Files\Trend Micro
2008-07-18 11:08 . 2004-08-04 08:38	14,848	--a------	C:\WINDOWS\system32\drivers\kbdhid.sys
2008-07-18 11:08 . 2004-08-04 08:38	14,848	--a--c---	C:\WINDOWS\system32\dllcache\kbdhid.sys
.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 15:19	---------	d---a-w	C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-08-07 15:11	---------	d-----w	C:\Program Files\PeerGuardian2
2008-08-05 21:12	---------	d-----w	C:\Program Files\Opera
2008-08-05 09:45	---------	d-----w	C:\Program Files\Spyware Doctor
2008-07-25 07:14	---------	d-----w	C:\Documents and Settings\Pan\Dane aplikacji\uTorrent
2008-07-15 18:58	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-07-15 18:33	---------	d-----w	C:\Program Files\AimOne Video Converter
2008-07-10 19:31	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-06-25 23:01	42,376	----a-w	C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-20 17:42	246,784	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 14:15	---------	d-----w	C:\Documents and Settings\Pan\Dane aplikacji\ScannerData
2008-06-15 19:50	---------	d-----w	C:\Program Files\directx
2008-06-14 18:01	273,024	------w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 00:40	---------	d-----w	C:\Program Files\Eidos Interactive
2008-06-13 19:17	---------	d-----w	C:\Documents and Settings\Pan\Dane aplikacji\Ulead Systems
2008-06-13 19:15	---------	d-----w	C:\Program Files\Common Files\Ulead Systems
2008-06-13 19:14	---------	d-----w	C:\Program Files\Ulead Systems
2008-06-13 19:14	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\Ulead Systems
2008-05-23 07:06	685,576	----a-w	C:\WINDOWS\unins000.exe
2008-05-07 05:16	1,291,264	----a-w	C:\WINDOWS\system32\quartz.dll
2008-03-20 10:19	18,840	----a-w	C:\Documents and Settings\Pan\Dane aplikacji\GDIPFONTCACHEV1.DAT
2008-01-04 18:19	88	--sh--r	C:\WINDOWS\system32\A2887D7729.sys
2008-01-04 18:19	2,828	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:44 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 16:57 1289000]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-08-09 15:28 1961984]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-11-18 13:19 1457152]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"PC Suite Tray"="D:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 11:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 20:59 266497]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 17:15 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"PWRISOVM.EXE"="d:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 09:05 217088]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-06-26 01:01 1107848]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Ulead Photo Express Calendar Checker"="C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-12 20:40 69632]
"nwiz"="nwiz.exe" [2002-04-19 15:13 364544 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:44 15360]
"Nokia.PCSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 18:35 1294336]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
GNConfig.lnk - C:\Program Files\Gigabyte\Gigabyte GN-WI01GS Wireless Mini PCI Adapter\Installer\WINXP\GNConfig.exe [2007-12-04 21:30:56 716800]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\NAPI-PROJEKT\\napisy.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Macromedia\\Contribute 3\\Contribute.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"D:\\totalcmd\\TOTALCMD.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\DRIVERS\avgntmgr.sys [2008-04-14 19:46]
R0 sfsync05;FrontLine Synchronization Driver (v5);C:\WINDOWS\system32\drivers\sfsync05.sys [2006-12-21 17:11]
R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 21:27]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-07-17 20:59]
S2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-04-02 11:16]
S2 sfrem02;FrontLine Drivers Auto Removal (v2);C:\WINDOWS\system32\sfrem02.exe svc []
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-05-11 13:12]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-05-11 13:12]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-05-11 13:12]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-05-11 13:12]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-05-11 13:12]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 17:24:59
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-07 17:27:49
ComboFix-quarantined-files.txt  2008-08-07 15:26:52
ComboFix2.txt  2008-08-07 13:08:32

Pre-Run: 2,958,315,520 bajtów wolnych
Post-Run: 2,950,483,968 bajtów wolnych

129	--- E O F ---	2008-07-10 16:39:31
Mateusz J.
comment

Yes, it's OK.

sseb
comment
Yes, it's OK.

Great - many thanks for being here :))
