SYSTEM SECURITY FIREWALL ALERT

[WiZARD_]

Zdravim.
Včera se mi (ani nevim jak) dostal na můj pc účet program SYSTEM SECURITY FIREWALL ALERT, díky kterému nefunguje internet a neustále mi vyskakuje a rádoby skenuje počítač a přitom láká na koupení antivirového programu za několik desítek dolarů.

Naštěstí mám v počítači druhý účet a dostal jsem se na internet, kde jsem našel tento návod: http://www.ehow.com/how_5606824_remove- ... alert.html
Zaseknul jsem se ale u bodu č. 7, protože jsem tam zkrátka soubor systemsecurity nemám.

Prosím moc o radu, jak se tohoto otravného "programu" zbavit.

Díky předem všem.

[vyosek]

Zdravim a pekny den preji

Prihlaste se do nouzoveho rezimu (restart PC, mackat F8, zvolit Stav nouze s praci v siti)

Dejte log z RSIT - viz muj podpis

[WiZARD_]

není platná aplikace typu win32

co je zas tohle???

[vyosek]

Zkuste to tedy v normalnim rezimu, co mate za windows

[WiZARD_]

XP

[vyosek]

Zkuste tedy RSIT v beznem rezimu

[WiZARD_]

Ten program mi ale nejde otevřít, píše chyba aplikace win32 :-!

[vyosek]

Zkuste tedy DDS dle tohoto navodu http://www.viry.cz/forum/viewtopic.php?f=24&t=81946

[WiZARD_]

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Viti at 17:43:10,35 on źt 12.05.2011
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_20
Systém Microsoft Windows XP Professional 5.1.2600.1.1250.420.1029.18.511.253 [GMT 2:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ICQ7.2\ICQ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
H:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
H:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
H:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Alů\Dokumenty\Stažené soubory\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.icq.com/
uSearch Page = hxxp://google.icq.com
uSearch Bar = hxxp://google.icq.com/search/search_frame.php
uDefault_Page_URL = hxxp://search.qip.ru
uDefault_Search_URL = hxxp://search.qip.ru
mStart Page = hxxp://www.windowsxlive.net
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
uURLSearchHooks: QIPBHO Class: {95289393-33ea-4f8d-b952-483415b9c955} - c:\documents and settings\viti\data aplikací\microsoft\internet explorer\qipsearchbar.dll
uURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
uURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - h:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: QIPBHO Class: {95289393-33ea-4f8d-b952-483415b9c955} - c:\documents and settings\viti\data aplikací\microsoft\internet explorer\qipsearchbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - h:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Rightdown Software SearchBar: {d6f180cb-e683-41a3-8cd2-c53dbaa0530d} - c:\program files\rightdown software searchbar\rssb.dll
TB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - h:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [FreeCall] "c:\program files\freecall.com\freecall\FreeCall.exe" -nosplash -minimized
uRun: [Start WingMan Profiler]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [mxClock] c:\docume~1\viti\locals~1\temp\rar$ex00.375\maydesign mxclock\mxClock.exe
uRun: [LClock] c:\program files\lclock\lclock.exe
uRun: [ViStart] c:\program files\vistart\ViStart.exe
uRun: [ViOrb] c:\program files\viorb\ViOrb.exe
uRun: [ICQ] "c:\program files\icq7.2\ICQ.exe" silent loginmode=4
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [365dní]
mRun: [365dni]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [WMC_AutoUpdate]
mRun: [Internet Connection Wizard Setup Tool] c:\program files\internet explorer\connection wizard\icwsetup.exe
mRun: [HP Software Update] h:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\applic~1\micros~1\shortc~1\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\applic~1\micros~1\shortc~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\applic~1\micros~1\shortc~1\hpdigi~1.lnk - h:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - c:\program files\icq7.2\ICQ.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - h:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://icq.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: crypt - crypts.dll
Notify: cryptnet32 - cryptnet32.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\viti\dataap~1\mozilla\firefox\profiles\vt4rufzo.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.1.7&q=
FF - component: h:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: h:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: h:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: h:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: h:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: h:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: h:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: h:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: h:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: h:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: h:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: h:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\viti\data aplikacă­\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\viti\data aplikacă­\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [2006-7-5 63352]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-8-3 95896]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-11-18 810144]
R2 ICQ Service;ICQ Service;c:\program files\icq6toolbar\ICQ Service.exe [2010-11-1 247096]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2002-8-29 66048]
S0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\elbyvcd.sys --> c:\windows\system32\drivers\ElbyVCD.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2009-11-29 1527900]
.
=============== Created Last 30 ================
.
2011-05-12 15:40:43 26624 ----a-w- c:\windows\system32\dll.dll
2011-05-08 09:25:12 344064 --sha-w- c:\docume~1\viti\locals~1\dataap~1\miu.exe
2011-05-08 09:23:36 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-08 09:23:36 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-08 09:23:32 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-08 09:23:32 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-08 09:23:32 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-08 09:23:30 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-08 09:23:30 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-08 09:23:29 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-05-08 09:09:57 344064 --sha-w- c:\docume~1\viti\locals~1\dataap~1\rfs.exe
.
==================== Find3M ====================
.
2011-05-08 08:23:44 297000 ----a-w- c:\windows\system32\shimg.dll
2011-03-06 07:01:31 49152 ----a-w- c:\windows\system32\cryptnet32.dll
.
============= FINISH: 17:43:45,43 ===============

[vyosek]

Stahnete a ulozte na plochu, ale nespoustejte Combofix http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Pokud nemate, tak presunte Combofix na plochu

• Spustte poznamkovy blok (Start-spustit-notepad)
• Zkopirujte skript nize

• Kód: Vybrat vše

  KillAll::
  
  DDS::
  uStart Page = hxxp://start.icq.com/
  uSearch Page = hxxp://google.icq.com
  uSearch Bar = hxxp://google.icq.com/search/search_frame.php
  uDefault_Page_URL = hxxp://search.qip.ru
  uDefault_Search_URL = hxxp://search.qip.ru
  mStart Page = hxxp://www.windowsxlive.net
  uInternet Settings,ProxyServer = 127.0.0.1:8080
  uSearchAssistant = hxxp://search.qip.ru/ie
  uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
  uURLSearchHooks: QIPBHO Class: {95289393-33ea-4f8d-b952-483415b9c955} - c:\documents and settings\viti\data aplikací\microsoft\internet explorer\qipsearchbar.dll
  uURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
  uURLSearchHooks: H - No File
  TB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
  TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
  TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
  EB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
  
  Firefox::
  FF - ProfilePath - c:\docume~1\viti\dataap~1\mozilla\firefox\profiles\vt4rufzo.default\
  FF - prefs.js: browser.search.selectedEngine - ICQ Search
  FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_result ... r=1.1.7&q=
  
  Driver::
  ICQ Service
  
  Folder::
  C:\Program Files\ICQ6Toolbar
  
  Reboot::

• Ulozte vytvoreny TXT jako CFScript.txt
• Pretahnete vytvoreny CFScript.txt nad Combofix a pustte (viz obrazek nize)
  
• Po aplikaci skriptu (a pripadnem restartu) na Vas vypadne log, jeho obsah sem vlozte

Muze se stat, ze po aplikaci skriptu nenabehnou windows, v tomto pripade restartuje PC a mackejte F8 a zvolte Posledni znamou konfiguraci

[WiZARD_]

Nevim sice jak, ale ten combofix chtěl stáhnout "něco", klikl jsem na ok, proběhnul autoscan a po restartu už všechno běží jako dřív. Takže MOC DĚKUJI!!! Ušetřil jste mě spoustu nervů a starostí! DÍKY

[vyosek]

No a mel by Vam vytvorit log s nazvem ComboFix.txt, mel by byt primo na disku c:\ - ten bych rad videl

[WiZARD_]

Vytvořila se tam pouze ikona "tento počítač" s názvem ComboFix, když na ní kliknu tak mě vrátí zpátky na disk C

[vyosek]

Prihlaste se do nouzoveho rezimu (restart PC, mackat F8, zvolit Stav nouze s praci v siti)

Opakujte krok s ComboFixem