Wirus spowodował, że google przestało działać - log

[paszkjac]

Witam,
proszę o sprawdzenie loga. Jakiś wirus spowodował, żę google przestało działać. Po przeskanowaniu Kasperskim - usunęło wirusa, ale dalej nie działały google. Po sporządzeniu loga przez combofixa zaczęło działać lecz uruchomić chce bibliotekę luedqias.dll? Combofix zablokował ją.
Z góry dziękuję za pomoc


***

ComboFix 08-08-08.07 - USER 2008-08-09 15:39:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.465 [GMT 2:00]
Running from: C:\Documents and Settings\USER\Pulpit\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM535be7be.txt
C:\WINDOWS\BM535be7be.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cdexixlm.dll
C:\WINDOWS\system32\diiylyur.dll
C:\WINDOWS\system32\ktrjswyc.ini
C:\WINDOWS\system32\kwquprke.ini
C:\WINDOWS\system32\lbpxgvyu.dll
C:\WINDOWS\system32\luedqias.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nycjudsr.dll
C:\WINDOWS\system32\rscgejfv.ini
C:\WINDOWS\system32\rsdujcyn.ini
C:\WINDOWS\system32\TEMlSvut.ini
C:\WINDOWS\system32\TEMlSvut.ini2
C:\WINDOWS\system32\tuvSlMET.dll
C:\WINDOWS\system32\uyvgxpbl.ini
C:\WINDOWS\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.

2008-08-09 10:30 . 2008-08-09 10:30 2,048 --a------ C:\WINDOWS\system32\hmldpbtc.exe
2008-08-08 22:57 . 2008-08-08 22:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-08 21:56 . 2008-08-08 21:56 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-08-08 21:50 . 2008-08-08 21:50 <DIR> d-------- C:\Program Files\NOS
2008-08-08 21:50 . 2008-08-08 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\NOS
2008-08-08 18:43 . 2007-02-26 04:36 180,224 --a------ C:\WINDOWS\system32\igfxres.dll
2008-08-08 10:33 . 2008-08-08 10:33 2,048 --a------ C:\WINDOWS\system32\syynigld.exe
2008-08-08 00:36 . 2006-10-04 16:06 1,197,294 --------- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-08-08 00:36 . 2006-10-04 16:06 764,868 --------- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-08-08 00:36 . 2006-10-04 16:06 217,118 --------- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-08-08 00:32 . 2008-08-08 00:33 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-07 23:56 . 2008-08-07 23:56 161 --a------ C:\Delme.bat
2008-08-07 23:11 . 2008-01-22 11:09 16,384 --a------ C:\WINDOWS\system32\WorkAfterReboot.exe
2008-08-07 21:39 . 2008-08-07 21:45 <DIR> d-------- C:\Program Files\RegCleaner
2008-08-07 10:29 . 2008-08-07 10:29 2,048 --a------ C:\WINDOWS\system32\sfkhagky.exe
2008-08-06 23:11 . 2008-08-08 18:44 <DIR> d-------- C:\Program Files\SkanerOnline
2008-08-06 10:30 . 2008-08-06 10:30 2,048 --a------ C:\WINDOWS\system32\uxviguve.exe
2008-08-05 18:10 . 2008-08-05 18:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-05 17:13 . 2008-08-08 23:02 <DIR> d-------- C:\Documents and Settings\USER\Dane aplikacji\Lavasoft
2008-08-05 17:11 . 2008-08-08 23:03 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-05 10:27 . 2008-08-05 10:27 2,048 --a------ C:\WINDOWS\system32\mbgiwnqi.exe
2008-08-04 19:51 . 2008-08-04 19:51 <DIR> d-------- C:\Documents and Settings\USER\Dane aplikacji\skypePM
2008-08-04 19:51 . 2008-08-04 19:51 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-08-04 19:47 . 2008-08-08 00:17 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-08-04 16:48 . 2008-08-04 16:48 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-08-04 09:35 . 2008-08-04 09:35 <DIR> d-------- C:\Program Files\piPOol
2008-08-03 12:33 . 2008-08-07 22:56 <DIR> d-------- C:\Program Files\BitComet
2008-07-31 20:05 . 2008-07-31 20:05 <DIR> d-------- C:\Program Files\Webteh

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 09:18 --------- d-----w C:\Program Files\Windows Desktop Search
2008-08-08 12:09 --------- d-----w C:\Documents and Settings\USER\Dane aplikacji\Tlen.pl
2008-08-07 22:35 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-08-07 22:18 --------- d-----w C:\Program Files\TC PowerPack
2008-08-07 22:16 --------- d-----w C:\Program Files\Real
2008-08-07 22:16 --------- d-----w C:\Program Files\Common Files\Real
2008-08-07 22:08 --------- d-----w C:\Program Files\Common Files\Ahead
2008-08-07 22:01 --------- d-----w C:\Program Files\Dear Camy
2008-08-07 21:56 --------- d-----w C:\Program Files\SubEdit-Player
2008-08-07 20:57 --------- d-----w C:\Program Files\PCDR5
2008-08-07 17:18 --------- d-----w C:\Documents and Settings\USER\Dane aplikacji\Lenovo
2008-08-07 09:15 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-07-04 11:00 --------- d-----w C:\Program Files\iPlus
2008-06-29 10:57 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar
2008-06-27 22:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-23 11:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-23 11:19 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Symantec
2008-06-23 11:17 --------- d-----w C:\Program Files\Wings of Honor - Red Baron
2008-06-20 10:44 360,960 ------w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ------w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2007-11-08 17:38 32,768 --sh--w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Feeds Cache\index.dat
2007-12-03 19:32 32,768 --sh--w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012007120320071204\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-12-01 11:46 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-06-17 18:16 200704]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-06-17 18:16 208896]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 20:03 58416]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 07:49 66176]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2007-03-05 15:27 172032]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 19:32 243248]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-02-08 14:19 536576]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-02-02 06:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 12:51 91688]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 19:02 120368]
"AMSG"="C:\PROGRA~1\THINKV~1\AMSG\amsg.exe" [2007-02-01 20:00 419376]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 17:24 196696]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 15:58 413696]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [2007-01-30 20:01 2618944]
"iPlusManager"="C:\Program Files\iPlus\iPlusChecker.exe" [2008-01-03 11:59 389120]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-02-26 04:34 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-02-26 04:34 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-02-26 04:33 131072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2004-09-02 13:03 538112]
"TpShocks"="TpShocks.exe" [2007-03-29 19:40 181808 C:\WINDOWS\system32\TpShocks.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 23:00 15360]

C:\Documents and Settings\USER\Menu Start\Programy\Autostart\
Tworzenie wycink˘w ekranu i uruchamianie programu OneNote 2007.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
BTTray.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-02-27 18:43:30 561213]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-11-08 19:34:08 50688]
Wyszukiwanie z pulpitu systemu Windows.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 16:40:46 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 16:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-14 23:17 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 09:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 04:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 15:52 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Tlen.pl\\tlen.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-03-02 18:49]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-03-02 18:47]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 10:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 12:24]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-06-17 18:16]
R2 GtDetectSc;GtDetectSc Service;C:\Program Files\iPlus\Drivers\driver2k\GTMax\GtDetectSc.exe [2007-10-02 15:04]
R2 GtFlashSwitch;GtFlashSwitch Service;C:\Program Files\iPlus\Drivers\driver2k\GTMax\GtFlashSwitch.exe [2007-10-02 15:04]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-03-14 23:10]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 14:11]
R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2006-09-13 13:42]
S3 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-06-26 10:24]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 23:10]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{14ec530f-61ae-11dd-a2fb-001e3715234b}]
\Shell\AutoRun\command - E:\memotropil.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c3d5fb5-1b4b-11dd-a28d-001e3715234b}]
\Shell\AutoRun\command - E:\jfvkcsy.bat
\Shell\explore\Command - E:\jfvkcsy.bat
\Shell\open\Command - E:\jfvkcsy.bat
.
Contents of the 'Scheduled Tasks' folder

2008-08-09 C:\WINDOWS\Tasks\PMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-06-17 18:16]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BM535be7be - C:\WINDOWS\system32\cdexixlm.dll
Notify-pmnnOfCR - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\USER\Dane aplikacji\Mozilla\Firefox\Profiles\hns6m3zs.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.pl/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 15:56:29
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-08-09 16:00:01 - machine was rebooted [USER]
ComboFix-quarantined-files.txt 2008-08-09 13:59:57

Pre-Run: 111,112,994,816 bajtów wolnych
Post-Run: 111,009,337,344 bajt˘w wolnych

239 --- E O F --- 2008-07-29 14:05:59

[huber2t]

Do wyleczenia pendrive z wirusów użyj
Perlovga Removal Tool
Flash Disinfector
lub format

Pobierz ComboFix, ale nie uruchamiaj
Wklej do notatnika:

Kod: Zaznacz wszystko

File::
C:\Delme.bat
C:\WINDOWS\system32\hmldpbtc.exe
C:\WINDOWS\system32\sfkhagky.exe
C:\WINDOWS\system32\uxviguve.exe
C:\WINDOWS\system32\mbgiwnqi.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{14ec530f-61ae-11dd-a2fb-001e3715234b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c3d5fb5-1b4b-11dd-a28d-001e3715234b}]


Plik zapisz jako CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)
Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu

Rozpocznie się usuwanie i powstanie log, daj ten log na forum.

Logi dajesz na http://www.wklej.eu/ a w poście dajesz tylko link