
Computer is sluggish and freezing


Recommended answers

Hello, I removed Sweet IM via Add/Remove Programs, after which the computer froze. After a restart I discovered SweetPacksUpdate and, in addition, yoayo.exe. I read that it is a virus, but I cannot disable it because Task Manager does not respond. Please help.

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2012-11-08 22:39:13

Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-1f WDC_WD2500BB-22RDA0 rev.20.00K20

Running: vx7kv34t.exe; Driver: C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\kxacapog.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\avgtpx86.sys (AVG Technologies) ZwQueryValueKey [0xACF751EA]

INT 0x62 ? 8A534CC8

INT 0x73 ? 8A534CC8

INT 0x73 ? 8A534CC8

INT 0x73 ? 8A534CC8

INT 0x82 ? 8A534CC8

INT 0x83 ? 8A534CC8

INT 0x83 ? 8A534CC8

INT 0x83 ? 8A534CC8

INT 0xB4 ? 8A337CC8

INT 0xB4 ? 8A337CC8

INT 0xB4 ? 8A337CC8

INT 0xB4 ? 8A337CC8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2E8C 805046F8 4 Bytes [EA, 51, F7, AC]

.sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xB9F8D346]

.text USBPORT.SYS!DllUnload B92ED62C 5 Bytes JMP 8A3371D8

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\NewSoftware's\Folder Lock\FLComServCtrl.exe[176] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]

.text C:\Program Files\NewSoftware's\Folder Lock\FLComServCtrl.exe[176] kernel32.dll!TerminateThread 7C81CE13 1 Byte [C3]

.text C:\Program Files\NewSoftware's\Folder Lock\FLComServ.exe[220] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]

.text C:\Program Files\NewSoftware's\Folder Lock\FLComServ.exe[220] kernel32.dll!TerminateThread 7C81CE13 1 Byte [C3]

.text C:\WINDOWS\system32\wuauclt.exe[440] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]

.text C:\WINDOWS\system32\wuauclt.exe[440] kernel32.dll!TerminateThread 7C81CE13 1 Byte [C3]

.text C:\Documents and Settings\Owner.YOUR-4B5C888A65\My Documents\Pobieranie\vx7kv34t.exe[804] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]

.text C:\Documents and Settings\Owner.YOUR-4B5C888A65\My Documents\Pobieranie\vx7kv34t.exe[804] kernel32.dll!TerminateThread 7C81CE13 1 Byte [C3]

.text C:\Program Files\Mozilla Firefox\firefox.exe[1588] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 01485B00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\firefox.exe[1588] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]

.text C:\Program Files\Mozilla Firefox\firefox.exe[1588] kernel32.dll!lstrlenW + 43 7C809A5C 7 Bytes JMP 016C7B58 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\firefox.exe[1588] kernel32.dll!MapViewOfFileEx + 6A 7C80B910 7 Bytes JMP 016C7B35 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\firefox.exe[1588] kernel32.dll!TerminateThread 7C81CE13 1 Byte [C3]

.text C:\Program Files\Mozilla Firefox\firefox.exe[1588] kernel32.dll!ValidateLocale + AFA8 7C8447E8 7 Bytes JMP 0148EF12 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\firefox.exe[1588] GDI32.dll!SetDIBitsToDevice + 20D 77F19A9C 7 Bytes JMP 016C7AB6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe[1756] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]

.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe[1756] kernel32.dll!TerminateThread 7C81CE13 1 Byte [C3]

.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1780] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]

.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1780] kernel32.dll!TerminateThread 7C81CE13 1 Byte [C3]

.text C:\Program Files\QuickTime\QTTask.exe[1820] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]

.text C:\Program Files\QuickTime\QTTask.exe[1820] kernel32.dll!TerminateThread 7C81CE13 1 Byte [C3]

.text C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe[1868] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]

.text C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe[1868] kernel32.dll!TerminateThread 7C81CE13 1 Byte [C3]

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1888] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1888] kernel32.dll!TerminateThread 7C81CE13 1 Byte [C3]

.text C:\Program Files\Gadu-Gadu 10\gg.exe[1912] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]

.text C:\Program Files\Gadu-Gadu 10\gg.exe[1912] kernel32.dll!TerminateThread 7C81CE13 1 Byte [C3]

.text C:\Program Files\Gadu-Gadu 10\gg.exe[1912] USER32.dll!BeginPaint 77D4B609 5 Bytes JMP 106E3730 C:\Program Files\Gadu-Gadu 10\QtWebKit4.dll

.text C:\Program Files\Gadu-Gadu 10\gg.exe[1912] USER32.dll!EndPaint 77D4B61D 5 Bytes JMP 106E37A0 C:\Program Files\Gadu-Gadu 10\QtWebKit4.dll

.text C:\Program Files\Messenger\msmsgs.exe[1952] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]

.text C:\Program Files\Messenger\msmsgs.exe[1952] kernel32.dll!TerminateThread 7C81CE13 1 Byte [C3]

.text C:\WINDOWS\system32\WinFLTray.exe[2028] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]

.text C:\WINDOWS\system32\WinFLTray.exe[2028] kernel32.dll!TerminateThread 7C81CE13 1 Byte [C3]

.text C:\WINDOWS\system32\wbem\unsecapp.exe[3508] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]

.text C:\WINDOWS\system32\wbem\unsecapp.exe[3508] kernel32.dll!TerminateThread 7C81CE13 1 Byte [C3]

.text C:\Program Files\AVG Secure Search\vprot.exe[3960] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]

.text C:\Program Files\AVG Secure Search\vprot.exe[3960] kernel32.dll!TerminateThread 7C81CE13 1 Byte [C3]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [b9E93232] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [b9E92730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [b9E92F12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [b9E92730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [b9E92914] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [b9E92856] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [b9E930F0] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [b9E92F12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [b9EA6F1E] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A5191F8

Device \FileSystem\Fastfat \FatCdrom 89FD4430

Device \Driver\usbstor \Device\0000008e 89C6A1F8

Device \Driver\usbohci \Device\USBPDO-0 8A3361F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{49D869A6-AF92-44E9-B6D6-607CED0CACF2} 8A20B430

Device \Driver\usbohci \Device\USBPDO-1 8A3361F8

Device \Driver\usbehci \Device\USBPDO-2 8A31E1F8

Device \Driver\Cdrom \Device\CdRom0 8A30E1F8

Device \Driver\atapi \Device\Ide\IdePort0 8A5341F8

Device \Driver\atapi \Device\Ide\IdePort1 8A5341F8

Device \Driver\atapi \Device\Ide\IdePort2 8A5341F8

Device \Driver\atapi \Device\Ide\IdePort3 8A5341F8

Device \Driver\atapi \Device\Ide\IdePort4 8A5341F8

Device \Driver\atapi \Device\Ide\IdePort5 8A5341F8

Device \Driver\atapi \Device\Ide\IdeDeviceP5T1L0-14 8A5341F8

Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-c 8A5341F8

Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-1f 8A5341F8

Device \Driver\Cdrom \Device\CdRom1 8A30E1F8

Device \Driver\usbstor \Device\00000090 89C6A1F8

Device \Driver\NetBT \Device\NetBt_Wins_Export 8A20B430

Device \Driver\usbstor \Device\00000091 89C6A1F8

Device \Driver\usbstor \Device\00000092 89C6A1F8

Device \Driver\NetBT \Device\NetbiosSmb 8A20B430

Device \Driver\usbstor \Device\00000093 89C6A1F8

Device \Driver\usbohci \Device\USBFDO-0 8A3361F8

Device \Driver\usbohci \Device\USBFDO-1 8A3361F8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A070430

Device \Driver\usbehci \Device\USBFDO-2 8A31E1F8

Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A070430

Device \FileSystem\Fastfat \Fat 89FD4430

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 8A04E430

---- EOF - GMER 1.0.15 ---

OTL.Txt

Extras.Txt
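One thing a responder would want to pull out of the GMER log above is that kernel32!TerminateProcess and kernel32!TerminateThread carry a one-byte [C3] (x86 RET) patch in every listed process, with no owning module named, whereas the Firefox and Gadu-Gadu JMP hooks are attributed to their own DLLs. The following Python is an added example, not code from the thread or from GMER; it parses "User code sections" lines, groups them by patched API, and lists the RET stubs that GMER could not attribute, which are the ones to explain before trusting the machine.

```python
import re
from collections import defaultdict

# Format of GMER "User code sections" lines, inferred from the log above.
HOOK_RE = re.compile(
    r'^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>[^!]+)!(?P<fn>\S+)'
    r'(?: \+ (?P<off>[0-9A-F]+))? (?P<addr>[0-9A-F]{8}) (?P<size>\d+) Bytes? (?P<patch>.+)$')

def parse_hook(line):
    """Describe one user-mode hook line as a dict, or return None if the line is not one."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    h = m.groupdict()
    h['kind'] = 'bytes'            # raw byte patch with no further interpretation
    if h['patch'] == '[C3]':
        h['kind'] = 'ret-stub'     # 0xC3 is x86 RET: the patched API returns at once and does nothing
    elif h['patch'].startswith('JMP '):
        parts = h['patch'].split(' ', 2)
        h['kind'] = 'jmp'
        h['target'] = parts[1]
        h['owner'] = parts[2] if len(parts) > 2 else None  # module GMER attributes the target to
    return h

def summarize(lines):
    """Group hooks by patched API: which processes carry it, how, and which module (if any) owns it."""
    by_api = defaultdict(lambda: {'procs': set(), 'kinds': set(), 'owners': set()})
    for line in lines:
        h = parse_hook(line)
        if h is None:
            continue
        e = by_api[h['mod'] + '!' + h['fn']]
        e['procs'].add(h['proc'].rsplit('\\', 1)[-1])
        e['kinds'].add(h['kind'])
        if h.get('owner'):
            e['owners'].add(h['owner'])
    return dict(by_api)

def unattributed_ret_stubs(summary):
    """APIs neutered by a RET stub with no owning module named: explain these before trusting the box."""
    return sorted(api for api, e in summary.items() if 'ret-stub' in e['kinds'] and not e['owners'])

# Sample input: four lines copied from the posted log above.
SAMPLE = r"""
.text C:\WINDOWS\system32\wuauclt.exe[440] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\WINDOWS\system32\wuauclt.exe[440] kernel32.dll!TerminateThread 7C81CE13 1 Byte [C3]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1588] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 01485B00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1588] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
""".strip().splitlines()
```

Feed the whole "User code sections" block of a GMER log to `summarize` to see at a glance which APIs are patched everywhere versus only inside one application.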


1. Run OTL and paste the following text into the Custom Scans/Fixes box:

:OTL
SRV - File not found [Auto | Stopped] -- C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\hpdj.exe -- (hpdj)
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = "http://search.sweetim.com/search.asp?src=6&crg=3.1010000&st=18&q={searchTerms}&barid={CAAA2054-A7D6-11E1-B2EC-00161769E01E}"
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = "http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4026E"
IE - HKU\.DEFAULT\..\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}: "URL" = "http://www.questbasic.com/?prt=QUESTBASIC115&keywords={searchTerms}"
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = "http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4026E"
IE - HKU\S-1-5-18\..\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}: "URL" = "http://www.questbasic.com/?prt=QUESTBASIC115&keywords={searchTerms}"
IE - HKU\S-1-5-21-249921751-2533082550-296318474-1006\..\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}: "URL" = "http://start.facemoods.com/?a=w7th2&s={searchTerms}&f=4"
IE - HKU\S-1-5-21-249921751-2533082550-296318474-1006\..\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}: "URL" = "http://www.questbasic.com/?prt=QstbscWD3&keywords={searchTerms}"
IE - HKU\S-1-5-21-249921751-2533082550-296318474-1006\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}:
IE - HKU\S-1-5-21-249921751-2533082550-296318474-1006\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = "http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468"
IE - HKU\S-1-5-21-249921751-2533082550-296318474-1006\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = "http://search.sweetim.com/search.asp?src=6&crg=3.1010000&st=18&q={searchTerms}&barid={CAAA2054-A7D6-11E1-B2EC-00161769E01E}"
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O4 - HKU\.DEFAULT..\Run: [Power2GoExpress] NA File not found
O4 - HKU\S-1-5-18..\Run: [Power2GoExpress] NA File not found
O4 - HKU\S-1-5-21-249921751-2533082550-296318474-1006..\Run: [yoayo] C:\Documents and Settings\Owner.YOUR-4B5C888A65\yoayo.exe ()
[2012-07-20 22:53:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-4B5C888A65\Application Data\xmwdygnkhyygwlho3iwevbhuzyzjtfs1
:Files
netsh firewall reset /C
:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
[HKEY_USERS\S-1-5-21-249921751-2533082550-296318474-1006\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
:Commands
[emptytemp]

 

Note for other readers: this script is unique, tailored solely to this system; please do not use it on your own systems.

Click Run Fix. Confirm the computer restart.

2. Via Control Panel, uninstall: Facemoods Toolbar / uTorrentControl_v2 Toolbar / Winamp Toolbar

Clean up Firefox: Help menu > Troubleshooting Information > Reset Firefox.

3. Run AdwCleaner using the Delete option

4. Run OTL again, this time choosing the Scan option. Post the new OTL log (without Extras)
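The script above removes three kinds of entries: a service whose binary no longer exists, search scopes redirected to toolbar search engines, and a Run entry that starts an executable from the user's profile. The following Python is an added example, not the forum's or OTL's own code; it applies those same three checks to OTL log lines, with the allowlist of legitimate search hosts and the trusted directory prefixes being assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Assumptions for this example: search engines a default install may legitimately point at,
# and the only directories an auto-start target is expected to live in on this XP box.
KNOWN_SEARCH_HOSTS = {'www.bing.com', 'search.live.com', 'www.google.com'}
TRUSTED_PREFIXES = ('c:\\program files\\', 'c:\\windows\\')

SRV_RE = re.compile(r'^SRV - File not found .* -- (?P<path>\S+) -- \((?P<name>[^)]+)\)$')
SCOPE_RE = re.compile(r'^IE - \S+SearchScopes\\\{[0-9A-Fa-f-]+\}: "URL" = "(?P<url>[^"]+)"$')
RUN_RE = re.compile(r'^O4 - \S+Run: \[(?P<name>[^\]]+)\] (?P<target>.+?)( \(\)| File not found|)$')

def triage(line):
    """Classify one OTL line as (severity, reason), or None when it needs no attention."""
    line = line.strip()
    m = SRV_RE.match(line)
    if m:
        # The service runs nothing any more, but a registration pointing into Temp is worth noting.
        return ('medium', f"dead service {m['name']} registered at {m['path']}")
    m = SCOPE_RE.match(line)
    if m:
        host = urlparse(m['url']).hostname or ''
        return None if host in KNOWN_SEARCH_HOSTS else ('high', f"search scope redirected to {host}")
    m = RUN_RE.match(line)
    if m:
        if line.endswith('File not found'):
            return ('low', f"orphaned Run entry {m['name']}")
        if not m['target'].lower().startswith(TRUSTED_PREFIXES):
            return ('high', f"Run entry {m['name']} starts {m['target']} from outside Program Files/Windows")
    return None

def triage_all(lines):
    """Findings for a whole log, most severe first; benign lines are dropped."""
    rank = {'high': 0, 'medium': 1, 'low': 2}
    return sorted((r for r in map(triage, lines) if r), key=lambda r: rank[r[0]])

# Sample input: four lines copied from the script above plus one constructed benign search scope.
SAMPLE = r"""
SRV - File not found [Auto | Stopped] -- C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\hpdj.exe -- (hpdj)
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = "http://search.sweetim.com/search.asp?src=6&crg=3.1010000&st=18&q={searchTerms}&barid={CAAA2054-A7D6-11E1-B2EC-00161769E01E}"
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = "http://www.bing.com/search?q={searchTerms}"
O4 - HKU\.DEFAULT..\Run: [Power2GoExpress] NA File not found
O4 - HKU\S-1-5-21-249921751-2533082550-296318474-1006..\Run: [yoayo] C:\Documents and Settings\Owner.YOUR-4B5C888A65\yoayo.exe ()
""".strip().splitlines()
```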


The script executed correctly and everything has been removed. Proceed to the wrap-up.

1. Paste a corrective script with the following content into OTL:

:OTL
O4 - HKCU..\Run: [yoayo] C:\Documents and Settings\Owner.YOUR-4B5C888A65\yoayo.exe File not found

Click Run Fix. You no longer need to post any logs. Use OTL's Cleanup option.

2. Empty System Restore: CLICK

3. Update the system to Service Pack 3 and update the programs listed below to their latest versions:

Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

"{26A24AE4-039D-4CA4-87B4-2F83216033FF}" = Java 6 Update 37

"{AC76BA86-7AD7-1045-7B44-A95000000001}" = Adobe Reader 7.0 - Polish

Update details: CLICK
