ania92bis

Members
  • Posts: 12

Replies posted by ania92bis

  1. Summary:

    - There was nothing left in the folder C:\Documents and Settings\All Users\Dokumenty\Server, so I deleted it entirely.

    - I uninstalled Kaspersky Virus Removal Tool.

    - I carried out all the recommendations, although I am not sure whether I cleaned the System Restore folders correctly.

    - There is a problem removing the game Toolbar; a message pops up saying the file cannot be opened.

    At the moment there are no problems with the computer; I don't think it has ever run this well :), there isn't even the graphics problem that previously showed up as a flickering black screen and pixels on the mouse cursor.

    I wanted to thank you very, very much, ma'am, for your help and for the time you spent!!! I am impressed by your enormous knowledge!

  2. It took a little while, but I have the report:

     

     

    Automatyczne skanowanie: błąd (zdarzeń: 2, obiektów: 0, czas: Nieznany)

    2011-05-31 05:18:16 Zagrożenie: Trojan-Dropper.Win32.Drooptroop.kko C:\Documents and Settings\All Users\Dokumenty\Server\hlp.dat

    2011-05-31 05:16:43 Zadanie zostało uruchomione

    Automatyczne skanowanie: zakończono 2 min temu (zdarzeń: 4, obiektów: 167052, czas: 01:09:42)

    2011-05-31 06:36:40 Zadanie zostało zakończone

    2011-05-31 05:31:26 Usunięty: Trojan-Dropper.Win32.Drooptroop.kko C:\Documents and Settings\All Users\Dokumenty\Server\hlp.dat

    2011-05-31 05:28:33 Zagrożenie: Trojan-Dropper.Win32.Drooptroop.kko C:\Documents and Settings\All Users\Dokumenty\Server\hlp.dat

    2011-05-31 05:26:58 Zadanie zostało uruchomione

  3. Log from AD-Remover:

     

     

    ======= REPORT FROM AD-REMOVER 2.0.0.2,G | ONLY XP/VISTA/7 =======

     

    Updated by TeamXscript on 12/04/11

    Contact: AdRemover[DOT]contact[AT]gmail[DOT]com

    website: http://www.teamxscript.org

     

    C:\Program Files\Ad-Remover\main.exe (CLEAN [1]) -> Launched at 03:21:22 on 31/05/2011, Safeboot mode

     

    Microsoft Windows XP Professional Dodatek Service Pack 2 (X86)

    Ania@53CCD542F731494 ( )

     

    ============== ACTION(S) ==============

     

     

    Folder deleted: C:\Documents and Settings\Ania\Dane aplikacji\Mozilla\FireFox\Profiles\ttr74es4.default\conduit

    Folder deleted: C:\Documents and Settings\Ania\Ustawienia lokalne\Dane aplikacji\Conduit

    Folder deleted: C:\Program Files\Conduit

    Folder deleted: C:\Documents and Settings\Ania\Ustawienia lokalne\Dane aplikacji\OpenCandy

     

    (!) -- Temporary files deleted.

     

     

    -- File opened: C:\Documents and Settings\Ania\Dane aplikacji\Mozilla\FireFox\Profiles\ttr74es4.default\Prefs.js --

    Line deleted: user_pref("CT1561552.SearchEngine", "Search||hxxp://search.conduit.com/Results.aspx?q=UCM_SEARCH_TER...

    Line deleted: user_pref("CT1561552.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT156...

    Line deleted: user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "chrome://browser-region/locale/region.pr...

    Line deleted: user_pref("CommunityToolbar.ToolbarsList", "CT1561552");

    Line deleted: user_pref("CommunityToolbar.ToolbarsList2", "CT1561552");

    Line deleted: user_pref("CommunityToolbar.keywordURLSelectedCTID", "CT1561552");

    -- File closed --

     

     

    Key deleted: HKLM\Software\Classes\Toolbar.CT1561552

    Key deleted: HKLM\Software\Classes\Toolbar.CT2417076

    Key deleted: HKLM\Software\Conduit

    Key deleted: HKCU\Software\Conduit

     

     

    ============== ADDITIONNAL SCAN ==============

     

    **** Mozilla Firefox Version [3.6.17 (pl)] ****

     

    Plugins\npdnu.dll (AOL LLC)

    Plugins\npdnupdater2.dll (AOL LLC)

    Plugins\npwachk.dll (Nullsoft, Inc.)

    Searchplugins\allegro-pl.xml (hxxp://www.allegro.pl/search.php?string={searchTerms}&sourceid=Mozilla-search)

    Searchplugins\fbc-pl.xml (hxxp://fbc.pionier.net.pl/owoc/results)

    Searchplugins\merlin-pl.xml (hxxp://www.merlin.com.pl/frontend/search?sourceid=Mozilla-search&fraza={searchTerms}&skad=crhhxmkohb)

    Searchplugins\pwn-pl.xml (hxxp://encyklopedia.pwn.pl/szukaj.php?co={searchTerms})

    Searchplugins\wikipedia-pl.xml (hxxp://pl.wikipedia.org/wiki/Specjalna:Szukaj)

    Searchplugins\wp-pl.xml (hxxp://szukaj.wp.pl/szukaj.html?z=T&r=T&szukaj={searchTerms})

     

    -- C:\Documents and Settings\Ania\Dane aplikacji\Mozilla\FireFox\Profiles\ttr74es4.default --

    Extensions\IplextoALL@ALLPlayer.org (Iplex to ALLPlayer)

    Prefs.js - browser.download.lastDir, C:\\Documents and Settings\\Ania\\Pulpit

    Prefs.js - browser.search.defaultenginename,

    Prefs.js - browser.search.defaulturl,

    Prefs.js - browser.search.selectedEngine, Google

    Prefs.js - browser.startup.homepage, hxxp://pl.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:pl:official

    Prefs.js - browser.startup.homepage_override.mstone, rv:1.9.2.17

    Prefs.js - privacy.popups.showBrowserMessage, false

     

    -- C:\Documents and Settings\anna lompa\Dane aplikacji\Mozilla\FireFox\Profiles\x71v7lrk.default --

    Prefs.js - browser.download.lastDir, C:\\Documents and Settings\\anna lompa\\Pulpit

    Prefs.js - browser.startup.homepage_override.mstone, rv:1.9.2.17

     

    ========================================

     

    **** Google Chrome Version [11.0.696.71] ****

     

    Extension\icmlaeflemplmjndnaapfdbbnpncnbda (C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx) (?)

     

    -- C:\Documents and Settings\Ania\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default --

    Preferences - default_search_provider: "Google" (Enabled: true) (?)

    Plugin - "Picasa" (Enabled: true)

    Plugin - "Winamp Application Detector" (Enabled: true)

     

    ========================================

     

    **** Internet Explorer Version [7.0.5730.13] ****

     

    HKCU_Main|Default_Page_URL - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

    HKCU_Main|Default_Search_URL - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

    HKCU_Main|Search bar - hxxp://go.microsoft.com/fwlink/?linkid=54896

    HKCU_Main|Start Page - hxxp://fr.msn.com/

    HKLM_Main|Default_Page_URL - hxxp://go.microsoft.com/fwlink/?LinkId=54896

    HKLM_Main|Default_Search_URL - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

    HKLM_Main|Search bar - hxxp://search.msn.com/spbasic.htm

    HKLM_Main|Search Page - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

    HKLM_Main|Start Page - hxxp://fr.msn.com/

    HKLM_Toolbar|{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} (C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll)

    HKLM_Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583} - "?" (?)

    BHO\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - "avast! WebRep" (C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll)

    BHO\{DF925EF3-7A87-44E4-9CAF-8D7B280BF616} - "IplexToALLPlayer" (C:\PROGRA~1\ALLPLA~1\Iplex\IPLEXT~1.DLL)

     

    ========================================

     

    C:\Program Files\Ad-Remover\Quarantine: 16 File(s)

    C:\Program Files\Ad-Remover\Backup: 16 File(s)

     

    C:\Ad-Report-CLEAN[1].txt - 31/05/2011 03:22:07 (1544 Byte(s))

    C:\Ad-Report-SCAN[1].txt - 31/05/2011 02:39:28 (7023 Byte(s))

    C:\Ad-Report-SCAN[2].txt - 31/05/2011 02:42:46 (7088 Byte(s))

     

    End at: 03:22:37, 31/05/2011

     

    ============== E.O.F ==============

  4. I removed Winamp Toolbar, but I had trouble finding Hotspot Shield Toolbar.

    And here is a new batch of logs:

     

    Log produced by the OTL removal run:

     

    All processes killed

    ========== OTL ==========

    HKU\S-1-5-21-1844237615-1177238915-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

    Prefs.js: "AOL Web Search" removed from browser.search.defaultenginename

    Prefs.js: "Hotspot Shield Customized Web Search" removed from browser.search.defaultthis.engineName

    Prefs.js: "http://search.winamp.com/search/search?query={searchTerms}&invocationType=tb50-ff-winamp-chromesbox-en-us&tb_uuid=20110224194650156&tb_oid=24-02-2011&tb_mrud=24-02-2011&query=" removed from browser.search.defaulturl

    Prefs.js: "http://search.conduit.com/?ctid=CT1561552&SearchSource=13" removed from browser.startup.homepage

    Prefs.js: "http://slirsredirect.search.aol.com/redirector/sredir?sredir=2685&invocationType=tb50-ff-winamp-ab-en-us&tb_uuid=20110224194650156&tb_oid=24-02-2011&tb_mrud=24-02-2011&query=" removed from keyword.URL

    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{37B85A29-692B-4205-9CAD-2626E4993404} deleted successfully.

    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B85A29-692B-4205-9CAD-2626E4993404}\ deleted successfully.

    Registry value HKEY_USERS\S-1-5-21-1844237615-1177238915-1801674531-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{37B85A29-692B-4205-9CAD-2626E4993404} deleted successfully.

    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B85A29-692B-4205-9CAD-2626E4993404}\ not found.

    Starting removal of ActiveX control {D27CDB6E-AE6D-11CF-96B8-444553540000}

    C:\WINDOWS\Downloaded Program Files\swflash.inf moved successfully.

    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.

    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ not found.

    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.

    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ not found.

    C:\Documents and Settings\Ania\Dane aplikacji\Mozilla\Firefox\Profiles\ttr74es4.default\searchplugins\aol-web-search.xml moved successfully.

    C:\Documents and Settings\Ania\Dane aplikacji\Mozilla\Firefox\Profiles\ttr74es4.default\searchplugins\conduit.xml moved successfully.

    C:\Documents and Settings\All Users\Dane aplikacji\308eb\SMESys folder moved successfully.

    C:\Documents and Settings\All Users\Dane aplikacji\308eb\Quarantine Items folder moved successfully.

    C:\Documents and Settings\All Users\Dane aplikacji\308eb\BackUp folder moved successfully.

    C:\Documents and Settings\All Users\Dane aplikacji\308eb folder moved successfully.

    C:\Documents and Settings\All Users\Dane aplikacji\308ebc folder moved successfully.

    C:\Documents and Settings\All Users\Dane aplikacji\SMKSJWE folder moved successfully.

    C:\Documents and Settings\Ania\Dane aplikacji\OpenCandy\OpenCandy_EF097B2A9E9146C2BC0504A8538F7192 folder moved successfully.

    C:\Documents and Settings\Ania\Dane aplikacji\OpenCandy folder moved successfully.

    ========== COMMANDS ==========

    Restore points cleared and new OTL Restore Point set!

     

    [EMPTYFLASH]

     

    User: Administrator

     

    User: Administrator.53CCD542F731494

     

    User: All Users

     

    User: Ania

    ->Flash cache emptied: 4318 bytes

     

    User: anna lompa

    ->Flash cache emptied: 904 bytes

     

    User: Default User

     

    User: Gość

     

    User: LocalService

     

    User: NetworkService

     

    User: UpdatusUser

     

    Total Flash Files Cleaned = 0,00 mb

     

     

    [EMPTYTEMP]

     

    User: Administrator

    ->Temp folder emptied: 0 bytes

    ->Temporary Internet Files folder emptied: 111759 bytes

     

    User: Administrator.53CCD542F731494

    ->Temp folder emptied: 0 bytes

    ->Temporary Internet Files folder emptied: 67 bytes

    ->FireFox cache emptied: 3465364 bytes

     

    User: All Users

     

    User: Ania

    ->Temp folder emptied: 1225 bytes

    ->Temporary Internet Files folder emptied: 81902 bytes

    ->FireFox cache emptied: 111915663 bytes

    ->Google Chrome cache emptied: 0 bytes

    ->Flash cache emptied: 0 bytes

     

    User: anna lompa

    ->Temp folder emptied: 0 bytes

    ->Temporary Internet Files folder emptied: 78991 bytes

    ->FireFox cache emptied: 99421761 bytes

    ->Flash cache emptied: 0 bytes

     

    User: Default User

    ->Temp folder emptied: 0 bytes

    ->Temporary Internet Files folder emptied: 67 bytes

     

    User: Gość

    ->Temp folder emptied: 0 bytes

    ->Temporary Internet Files folder emptied: 78991 bytes

     

    User: LocalService

    ->Temp folder emptied: 0 bytes

    ->Temporary Internet Files folder emptied: 32835 bytes

     

    User: NetworkService

    ->Temp folder emptied: 0 bytes

    ->Temporary Internet Files folder emptied: 67 bytes

     

    User: UpdatusUser

    ->Temp folder emptied: 0 bytes

    ->Temporary Internet Files folder emptied: 67 bytes

     

    %systemdrive% .tmp files removed: 0 bytes

    %systemroot% .tmp files removed: 2114584 bytes

    %systemroot%\System32 .tmp files removed: 2596 bytes

    %systemroot%\System32\dllcache .tmp files removed: 0 bytes

    %systemroot%\System32\drivers .tmp files removed: 0 bytes

    Windows Temp folder emptied: 0 bytes

    RecycleBin emptied: 0 bytes

     

    Total Files Cleaned = 207,00 mb

     

     

    OTL by OldTimer - Version 3.2.23.0 log created on 05312011_020047

     

    Files\Folders moved on Reboot...

     

    Registry entries deleted on Reboot...

    OTL.Txt1.txt

    Extras1.txt

    Ad-Report-SCAN.txt

  5. 1. Problem:

    - Every few dozen minutes Avast detects Win32:Bamital-AE; its location is c:\windows\system32\winlogon.exe.

    - Often, when I want to go to a specific website, the browser redirects to google.pl.

    - For a few days I have had a problem with the display: the screen goes black and black pixels are visible on the mouse cursor. The graphics card has probably failed, although I suspect it is a result of this infection.

    - I used various programs to remove the infection, among others ComboFix.

    2. Logs:

     

    1. GMER:

     

    GMER 1.0.15.15627 - http://www.gmer.net

    Rootkit scan 2011-05-29 01:31:15

    Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 ST3160811AS rev.3.AAE

    Running: x7cj8jwm.exe; Driver: C:\DOCUME~1\Ania\USTAWI~1\Temp\ffpdiaoc.sys

     

     

    ---- User code sections - GMER 1.0.15 ----

     

    .text C:\Program Files\Mozilla Firefox\firefox.exe[724] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

    .text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!send 71A5428A 5 Bytes JMP 00165ACB

    .text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!WSARecv 71A54318 5 Bytes JMP 00165CC8

    .text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!gethostbyname 71A54FD4 5 Bytes JMP 00166224

    .text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!recv 71A5615A 5 Bytes JMP 00165B3E

    .text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!WSASend 71A56233 5 Bytes JMP 00165C19

    .text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!closesocket 71A59639 5 Bytes JMP 00165F43

    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[1432] USER32.dll!TrackPopupMenu 7E3B526E 5 Bytes JMP 1040C334 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    .text C:\WINDOWS\Explorer.EXE[1980] kernel32.dll!CreateProcessInternalW 7C819724 5 Bytes JMP 00B78369

     

    ---- Devices - GMER 1.0.15 ----

     

    AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)

     

    ---- EOF - GMER 1.0.15 ----

     

     

    2. OTL in the attachment

     

    3. OTL Extras in the attachment

     

    4. Checkup:

     

    Results of screen317's Security Check version 0.99.12

    Windows XP Service Pack 2

    Out of date service pack!!

    Internet Explorer 7 Out of date!

    ``````````````````````````````

    Antivirus/Firewall Check:

    Windows Security Center service is not running! This report may not be accurate!

    avast! Free Antivirus

    Antivirus up to date!

    ```````````````````````````````

    Anti-malware/Other Utilities Check:

    CCleaner

    Driver Cleaner 3

    Flash Player Out of Date!

    Adobe Flash Player 10.2.153.1

    Adobe Reader 9.4.0 - Polish

    Out of date Adobe Reader installed!

    Mozilla Firefox (3.6.17) Firefox Out of Date!

    ````````````````````````````````

    Process Check:

    objlist.exe by Laurent

    ``````````End of Log````````````

     

     

     

     

    Thank you in advance for looking into my problem.

    OTL.Txt

    Extras.Txt
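The GMER "User code sections" in the post above list inline JMP hooks on WS2_32.dll!send, recv, WSASend, WSARecv and gethostbyname inside firefox.exe whose targets carry no module attribution (GMER appends the owning module and vendor when it can map the target to a loaded module, as it does for the LdrLoadDll and TrackPopupMenu entries). Hooks on the socket API that point into unmapped memory are the kind of finding a helper correlates with the "browser redirects to google.pl" symptom. The script below is an added triage example written for this page; it is not part of the post or of GMER. It parses lines in the format shown in the log (the sample is constructed from the addresses quoted there) and flags hooks without an owning module, with a higher verdict when the hooked module is a networking DLL. The module list and verdict names are the example's own choices.

```python
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# Constructed sample in the layout of GMER's "User code sections" block.
# Addresses and paths are copied from the log quoted in the post.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[724] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!send 71A5428A 5 Bytes JMP 00165ACB
.text C:\Program Files\Mozilla Firefox\firefox.exe[724] WS2_32.dll!gethostbyname 71A54FD4 5 Bytes JMP 00166224
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1432] USER32.dll!TrackPopupMenu 7E3B526E 5 Bytes JMP 1040C334 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\Explorer.EXE[1980] kernel32.dll!CreateProcessInternalW 7C819724 5 Bytes JMP 00B78369

---- Devices - GMER 1.0.15 ----
"""

# One ".text <process>[<pid>] <module>!<function> <addr> <n> Bytes JMP <target> [<owner>]" line.
# The optional trailing owner is the module path and vendor GMER prints when it can
# attribute the JMP target to a loaded module.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<function>\S+)\s+"
    r"(?P<address>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<owner>.+))?$"
)

# Modules whose hooks are most relevant to traffic interception and redirects
# (example's own list, not a GMER category).
NETWORK_MODULES = {"ws2_32.dll", "wininet.dll", "winhttp.dll", "dnsapi.dll"}


class Hook(NamedTuple):
    process: str
    pid: int
    module: str
    function: str
    target: str
    owner: Optional[str]  # None when GMER printed no owning module


def parse_hooks(text: str) -> list[Hook]:
    """Extract every user-mode hook line from a GMER log excerpt."""
    hooks: list[Hook] = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, other sections
        hooks.append(Hook(m["process"], int(m["pid"]), m["module"],
                          m["function"], m["target"].upper(), m["owner"]))
    return hooks


def classify(hook: Hook) -> str:
    """'attributed' if the target lies in a known module, otherwise
    'network-suspicious' for networking DLLs and 'suspicious' for the rest."""
    if hook.owner:
        return "attributed"
    if hook.module.lower() in NETWORK_MODULES:
        return "network-suspicious"
    return "suspicious"


def triage(text: str) -> dict[str, list[tuple[str, str]]]:
    """Group unattributed hooks by process[pid] -> [(module!function, verdict)]."""
    findings: dict[str, list[tuple[str, str]]] = {}
    for h in parse_hooks(text):
        verdict = classify(h)
        if verdict == "attributed":
            continue
        key = f"{h.process}[{h.pid}]"
        findings.setdefault(key, []).append((f"{h.module}!{h.function}", verdict))
    return findings


if __name__ == "__main__":
    for proc, entries in triage(SAMPLE_LOG).items():
        print(proc)
        for api, verdict in entries:
            print(f"  {verdict:20s} {api}")
```

Attributed hooks are not automatically benign (a hook into the host's own image can still be injected code), which is why the script only suppresses them rather than deleting them from the output; a reviewer would still compare the owning module against what the process is expected to load.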
