
Sluggish computer, I suspect an infection


6 replies to this topic

#1 dawidek11

dawidek11
  • Users
  • 481 posts

Posted 24.12.2007 - 20:45

Hi,
My friend's computer runs very slowly; sometimes NOD32 detects viruses in some folder in Program Files, sometimes in games etc. The infected file is called wsock32.dll.
Here are the logs to check :) ...
HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:19:55, on 2007-12-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Comodo\Firewall\cmdagent.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Eset\nod32kui.exe
D:\Comodo\Firewall\CPF.exe
D:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe
D:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Documents and Settings\Radzio\Pulpit\Ares.exe
C:\Documents and Settings\Radzio\Pulpit\DAEMON Tools\daemon.exe
C:\Program Files\Labtec Laser Mouse Software\MulMouse.exe
C:\Program Files\Webshots\webshots.scr
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - C:\Program Files\Webshots\WSToolbar4IE.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [BearShare] "E:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O4 - HKLM\..\RunOnce: [My Global Search Uninstall] rundll32 C:\PROGRA~1\UNINST~2.DLL,O -2
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "D:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [InternetCalls] "C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe" -nosplash -minimized
O4 - HKCU\..\Run: [RocketDock] "D:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CamTray.exe
O4 - HKCU\..\Run: [ares] "C:\Documents and Settings\Radzio\Pulpit\Ares.exe" -h
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Documents and Settings\Radzio\Pulpit\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Ustawienia myszy Labtec.lnk = C:\Program Files\Labtec Laser Mouse Software\MulMouse.exe
O8 - Extra context menu item: &Search - http://edits.mywebse... ... p=ZCfox000
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O15 - Trusted Zone: http://arcaonline.arcabit.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky... ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.ar.../ArcaOnline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac... ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Comodo\Firewall\cmdagent.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 7713 bytes



Silent Runners

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Start WingMan Profiler" = ""D:\Program Files\Logitech\Profiler\lwemon.exe" /noui" ["Logitech Inc."]
"InternetCalls" = ""C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe" -nosplash -minimized" ["InternetCalls"]
"RocketDock" = ""D:\Program Files\RocketDock\RocketDock.exe"" [null data]
"STYLEXP" = "C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide" [empty string]
"Creative WebCam Tray" = "C:\Program Files\Creative\Shared Files\CamTray.exe" ["Creative Technology Ltd"]
"ares" = ""C:\Documents and Settings\Radzio\Pulpit\Ares.exe" -h" ["Ares Development Group"]
"DAEMON Tools" = ""C:\Documents and Settings\Radzio\Pulpit\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"Orb" = ""C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background" ["Orb Networks"]
"Gadu-Gadu" = ""D:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [null data]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime" [null data]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"C-Media Mixer" = "C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup" ["C-Media Electronic Inc."]
"COMODO Firewall Pro" = ""D:\Comodo\Firewall\CPF.exe" /background" ["COMODO"]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"WinampAgent" = ""D:\Program Files\Winamp\winampa.exe"" [null data]
"BearShare" = ""E:\Program Files\BearShare\BearShare.exe" /pause" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"MyWebSearch bar Uninstall" = "rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2" [MS]
"My Global Search Uninstall" = "rundll32 C:\PROGRA~1\UNINST~2.DLL,O -2" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"
-> {HKLM...CLSID} = "Skype add-on (mastermind)"
\InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}\(Default) = "Winamp Toolbar BHO"
-> {HKLM...CLSID} = "Winamp Toolbar BHO"
\InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
{C333CF63-767F-4831-94AC-E683D962C63C}\(Default) = "TGTSoft Explorer Toolbar Changer"
-> {HKLM...CLSID} = "CoTGT_BHO Class"
\InProcServer32\(Default) = "C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
"{51550900-DCAC-11d4-AA0F-0080C87C465B}" = "WayTech MultiMouse"
-> {HKLM...CLSID} = "WayTech MultiMouse Extension"
\InProcServer32\(Default) = "C:\Program Files\Labtec Laser Mouse Software\CPDll.dll" [null data]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{2F5AC606-70CF-461C-BFE1-734234536262}" = "WindowBlinds CPL Extension"
-> {HKLM...CLSID} = "DisplayCplExt Class"
\InProcServer32\(Default) = "D:\Program Files\Stardock\Object Desktop\WindowBlinds\wbui.dll" ["Stardock.Net, Inc"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<> "AppInit_DLLs" = "wbsys.dll" ["Stardock.Net, Inc"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<> WBSrv\DLLName = "D:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll" ["Stardock"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoResolveTrack" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoResolveTrack" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Radzio\Dane aplikacji\Webshots\The Webshots Desktop\Webshots Wallpaper.bmp"


Startup items in "Radzio" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\Radzio\Menu Start\Programy\Autostart
"Webshots" -> shortcut to: "C:\Program Files\Webshots\Launcher.exe /t" ["Webshots.com"]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"ATI CATALYST System Tray" -> shortcut to: "C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe SystemTray" [null data]
"Ustawienia myszy Labtec" -> shortcut to: "C:\Program Files\Labtec Laser Mouse Software\MulMouse.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{C17590D2-ECB4-4B15-8820-F58798DCC118}"
-> {HKLM...CLSID} = "Webshots Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Webshots\WSToolbar4IE.dll" ["Webshots.com"]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"
-> {HKLM...CLSID} = "Winamp Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{C17590D2-ECB4-4B15-8820-F58798DCC118}" = (no title provided)
-> {HKLM...CLSID} = "Webshots Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Webshots\WSToolbar4IE.dll" ["Webshots.com"]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}" = "Winamp Toolbar"
-> {HKLM...CLSID} = "Winamp Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{77BF5300-1474-4EC7-9980-D32B190E9B07}\
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
-> {HKLM...CLSID} = "Skype add-on (button)"
\InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "*o" (unwritable string)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Comodo Application Agent, CmdAgent, "D:\Comodo\Firewall\cmdagent.exe" ["COMODO"]
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
StyleXPService, StyleXPService, ""C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe"" [empty string]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]


---------- (launch time: 2007-12-24 20:38:47)
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 113 seconds.
---------- (total run time: 173 seconds)


ComboFix log
http://wklej.org/id/488ab6b72c

Thanks
Regards, all the best :) Merry Christmas
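
As an added example (not code from the thread, and not Trend Micro's), a small Python parser for the O4 (autostart) and O23 (service) lines of a HijackThis log like the one above. It works out which file each entry actually loads, including the DLL behind a rundll32 call, and attaches a few review heuristics of the kind a log reviewer applies before looking anything up. The sample log, the WATCHLIST and the flag names are constructed for this example; the watchlist mirrors the toolbar families dealt with later in the thread, and a flag is a prompt to look closer, not a verdict.

```python
"""Triage helper for HijackThis v2 logs.

Added example for this thread, not the thread's or Trend Micro's code. It
parses the O4 (autostart) and O23 (service) lines of a HijackThis log,
works out which file each entry actually loads, and attaches review flags.
The flag rules and WATCHLIST are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis format, modelled on the thread's log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O4 - HKCU\..\Run: [ares] "C:\Documents and Settings\Radzio\Pulpit\Ares.exe" -h
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Assumed watchlist (lower-case substrings) of toolbar/adware names from the thread.
WATCHLIST = ("mywebsearch", "my global search", "fun web products")

O4_REG = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_DIR = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
# First path-like token ending in an executable extension (handles unquoted paths with spaces).
EXT_RE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|cpl|scr|com|bat|vbs))(?=[\s,]|$)", re.IGNORECASE)


@dataclass
class Entry:
    line: int
    key: str          # Run, RunOnce, Startup, Global Startup or Service
    name: str
    target: str       # file actually loaded
    owner: str = ""   # O23 only: vendor string, or "Unknown owner"
    flags: list = field(default_factory=list)


def load_target(cmd: str) -> str:
    """Return the file an autostart command loads, not just its first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    first, _, rest = cmd.partition(" ")
    if first.lower() in ("rundll32", "rundll32.exe"):
        # rundll32 <dll>,<entry> [args]: the DLL is what gets loaded
        return rest.split(",", 1)[0].strip()
    m = EXT_RE.match(cmd)
    return m.group("path") if m else first


def review_flags(key: str, name: str, target: str, owner: str = "") -> list:
    """Cheap heuristics a reviewer applies before looking anything up."""
    flags, low_name, low_target = [], name.lower(), target.lower()
    if any(w in low_name or w in low_target for w in WATCHLIST):
        flags.append("watchlist")
    if re.search(r"~\d", target):
        flags.append("8.3-short-path")        # hides the real file name
    if "\\documents and settings\\" in low_target or "\\temp\\" in low_target:
        flags.append("user-profile-path")     # autostart from a profile/temp dir
    if key == "RunOnce" and low_target.endswith(".dll"):
        flags.append("runonce-dll")           # stub that keeps re-running if its DLL fails
    if owner.lower() == "unknown owner":
        flags.append("unknown-owner")         # service binary carries no vendor info
    return flags


def parse_log(text: str) -> list:
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        if (m := O4_REG.match(line)) or (m := O4_DIR.match(line)):
            e = Entry(no, m.group("key"), m.group("name"), load_target(m.group("cmd")))
        elif m := O23_SVC.match(line):
            e = Entry(no, "Service", m.group("name"), load_target(m.group("cmd")), m.group("owner"))
        else:
            continue
        e.flags = review_flags(e.key, e.name, e.target, e.owner)
        entries.append(e)
    return entries


def suspicious(entries: list) -> list:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(parse_log(SAMPLE_LOG)):
        print(f"line {e.line}: [{e.key}] {e.name} -> {e.target}  flags={e.flags}")
```

Run against the sample, the script singles out the 8.3-named RunOnce uninstall DLL, the autostart from the user's desktop folder, and the service with no vendor string; the NOD32, C-Media and ATI tray entries pass without a flag.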

#2 Gutek

Gutek

    HotZlot participant

  • Users
  • 27006 posts

Posted 26.12.2007 - 01:06

Paste into Notepad:

File::
C:\Program Files\Uninstall Fun Web Products.dll 
C:\Program Files\Uninstall My Global Search Bar.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 
"MyWebSearch bar Uninstall"=-
"My Global Search Uninstall"=-
>> File >> Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
- just like in this picture --> (attached image)
(if a "1 or 2" prompt appears, type 1 and press ENTER). The removal should start (and a log will be produced).
After the restart, manually delete the folder C:\Qoobox.
After that, a new ComboFix log.
Fight to the end, no format :-)
Please do not write via PM, I will answer on the forum - thank you :-)

#3 dawidek11

dawidek11
  • Users
  • 481 posts

Posted 26.12.2007 - 19:24

Thanks for the quick reply :)

ComboFix log
http://wklej.org/id/1891a372a5

Regards :)

PS. NOD32 keeps detecting this virus non-stop, it spreads across all the drives. Right now I'm using the search tool to find files named wsock32.dll and deleting them, except the one in system32 :) There were also some "found" files on one of the three drives, I think on D, so I deleted them because I think they're also just useless junk ... waiting for further instructions :)
PS2. I had to turn off hiding of system files so I could see those "found" files and that virus
PS3. You probably can't see the infection because it's been there since June :(

#4 gervazy

gervazy
  • Users
  • 1 post

Posted 27.12.2007 - 20:41

HI, IN THIS SITUATION THE SUREST OPTION IS TO REINSTALL THE SYSTEM (I KNOW THAT'S NOT MUCH OF A TIP), AND FOR THE FUTURE: FIRST, CREATE TWO ACCOUNTS AND DON'T USE THE ADMIN ACCOUNT ON THE INTERNET, set that account up with limited privileges, AND CHOOSE THE NTFS FILE SYSTEM. If your browser is Internet Explorer, replace it with e.g. Firefox. Regards

#5 dawidek11

dawidek11
  • Users
  • 481 posts

Posted 28.12.2007 - 17:12

Here is one more log, this time from SDFix ...

SDFix: Version 1.120

Run by Radzio on 2007-12-28 at 16:45

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 16:53:08
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Documents and Settings\Radzio\Pulpit\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:6d,c9,db,be,03,36,41,cd,1d,d3,02,92,64,f3,df,a7,90,f0,0b,c5,45,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,29,18,48,76,e6,df,51,cb,c9,cd,7a,56,97,84,ad,f2,1f,..
"khjeh"=hex:b3,9f,97,74,56,7b,21,83,47,36,8b,cb,8a,3e,f3,0d,4d,e5,4a,03,36,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:e6,fe,ad,dc,02,81,f3,f4,f5,81,49,76,3d,e0,10,7a,51,19,b1,80,54,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:3a,e2,0a,9d,ef,de,09,fc,84,2c,0c,25,4f,71,5f,10,29,75,1f,99,68,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:03,65,7b,77,a2,83,a0,76,8b,67,c5,5e,32,20,50,cd,6a,2c,15,63,33,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:03,65,7b,77,a2,83,a0,76,8b,67,c5,5e,32,20,50,cd,6a,2c,15,63,33,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Documents and Settings\Radzio\Pulpit\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:6d,c9,db,be,03,36,41,cd,1d,d3,02,92,64,f3,df,a7,90,f0,0b,c5,45,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,29,18,48,76,e6,df,51,cb,c9,cd,7a,56,97,84,ad,f2,1f,..
"khjeh"=hex:b3,9f,97,74,56,7b,21,83,47,36,8b,cb,8a,3e,f3,0d,4d,e5,4a,03,36,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:e6,fe,ad,dc,02,81,f3,f4,f5,81,49,76,3d,e0,10,7a,51,19,b1,80,54,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:3a,e2,0a,9d,ef,de,09,fc,84,2c,0c,25,4f,71,5f,10,29,75,1f,99,68,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:03,65,7b,77,a2,83,a0,76,8b,67,c5,5e,32,20,50,cd,6a,2c,15,63,33,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:03,65,7b,77,a2,83,a0,76,8b,67,c5,5e,32,20,50,cd,6a,2c,15,63,33,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,66,10,00,00,01,00,00,00,21,00,00,00,50,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\InternetCalls.com\\InternetCalls\\InternetCalls.exe"="C:\\Program Files\\InternetCalls.com\\InternetCalls\\InternetCalls.exe:*:Enabled:InternetCalls"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Fri 20 Jul 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 20 Jul 2007 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv16.bak"
Wed 14 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1738c621b33e51e95e7a1d6339d42049\BITE.tmp"
Thu 6 Dec 2007 25,802,312 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\510fd197909dd722575ec6e361c56938\BIT22C6.tmp"
Thu 29 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf80e29263dc9f4910f39b0a56f8e418\BIT63.tmp"
Tue 30 Nov 2004 253,952 A..HR --- "C:\Documents and Settings\Radzio\Pulpit\Nowy folder (2)\PocketCache Trial Version\BackupRestoreBus.dll"
Thu 26 Apr 2007 20,480 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\Pawˆa MEmerka\~WRL0002.tmp"
Wed 21 Nov 2007 473 A..HR --- "C:\Documents and Settings\Radzio\Pulpit\Nowy folder (2)\PocketCache Trial Version\BackupStorage\config.bak"
Wed 18 May 2005 53,248 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Nowy folder (2)\SecurDataStorRM\Files\CopyFile.exe"
Wed 18 May 2005 30,354 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Nowy folder (2)\SecurDataStorRM\Files\msghxx.dllz"
Wed 18 May 2005 180,700 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Nowy folder (2)\SecurDataStorRM\Files\MSVCR71.DLLz"
Wed 18 May 2005 1,900,544 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Nowy folder (2)\SecurDataStorRM\Files\SecurDataStor.exe"
Wed 18 May 2005 84,634 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Nowy folder (2)\SecurDataStorRM\Files\Viewer.exez"
Thu 6 Jul 2006 49,152 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\97s+.dll"
Sun 17 Aug 2003 122,940 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\mfsvc2.dll"
Sun 7 Oct 2001 49,152 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\mumsg.dll"
Tue 23 Oct 2001 36,864 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\muplayer.exe"
Fri 22 Oct 2004 53,248 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\ogg.dll"
Fri 22 Oct 2004 999,424 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\vorbisfile.dll"
Fri 24 Aug 2001 45,056 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\wsctlc.dll"
Fri 15 Sep 2000 229,432 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\wsctlcd.dll"
Fri 22 Oct 2004 212,992 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\wzAudio.dll"
Mon 20 Nov 2006 53,248 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\wzcipher.dll"
Tue 10 Sep 2002 381,010 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\wz_zp.dll"

Finished!
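
As an added example (not SDFix's code, nor from this thread), a Python reader for the "Files with Hidden Attributes" section of an SDFix report like the one above. It parses each line into a record (date, size, attribute bits, path), flags hidden executables that sit outside the Windows and Program Files trees, notices executables renamed with a trailing "z" (the .dllz/.exez pattern in the log), and groups the flagged files by directory so a folder full of hidden DLLs reads as one finding rather than a dozen. The attribute column layout (S in the third position, H in the fourth, R in the fifth), the flag rules and the sample lines are assumptions constructed for this example from the report's format.

```python
"""Reader for the 'Files with Hidden Attributes' section of an SDFix report.

Added example for this thread, not SDFix's own code. The attribute-column
positions and the flag rules are assumptions read from sample lines.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample lines modelled on the thread's SDFix output.
SAMPLE = r'''Fri 20 Jul 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 14 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1738c621b33e51e95e7a1d6339d42049\BITE.tmp"
Wed 18 May 2005 53,248 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Nowy folder (2)\SecurDataStorRM\Files\CopyFile.exe"
Wed 18 May 2005 30,354 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Nowy folder (2)\SecurDataStorRM\Files\msghxx.dllz"
Thu 6 Jul 2006 49,152 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\97s+.dll"
Sun 17 Aug 2003 122,940 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\mfsvc2.dll"
Tue 30 Nov 2004 253,952 A..HR --- "C:\Documents and Settings\Radzio\Pulpit\Nowy folder (2)\PocketCache Trial Version\BackupRestoreBus.dll"
'''

LINE_RE = re.compile(
    r'^(?P<dow>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<mon>[A-Z][a-z]{2}) (?P<year>\d{4}) +'
    r'(?P<size>[\d,]+) (?P<attr>[A-Z.]{5}) --- "(?P<path>.+)"$')
# Executable-looking name; the optional trailing "z" catches renamed copies like .dllz/.exez
EXEC_RE = re.compile(r"\.(exe|dll|scr|cpl|sys|com)(z?)$", re.IGNORECASE)
SYSTEM_TREE = re.compile(r"^[a-z]:\\windows\\")


@dataclass
class HiddenFile:
    date: datetime
    size: int
    system: bool
    hidden: bool
    readonly: bool
    path: str
    flags: list = field(default_factory=list)

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0]


def review_flags(rec: HiddenFile) -> list:
    """Assumed heuristics: prompts for a reviewer, not verdicts."""
    low = rec.path.lower()
    in_system_dirs = bool(SYSTEM_TREE.match(low)) or "\\program files\\" in low
    flags = []
    m = EXEC_RE.search(rec.path)
    if m and rec.hidden and not in_system_dirs:
        flags.append("hidden-executable-outside-system-dirs")
        if m.group(2):
            flags.append("renamed-executable")
    if rec.system and rec.hidden and not SYSTEM_TREE.match(low):
        flags.append("system-hidden-outside-windows")
    return flags


def parse_hidden_files(text: str) -> list:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, other report text
        attr = m.group("attr")  # assumed layout "A?SHR", "." meaning the bit is clear
        rec = HiddenFile(
            date=datetime.strptime(f"{m.group('day')} {m.group('mon')} {m.group('year')}", "%d %b %Y"),
            size=int(m.group("size").replace(",", "")),
            system=attr[2] == "S",
            hidden=attr[3] == "H",
            readonly=attr[4] == "R",
            path=m.group("path"),
        )
        rec.flags = review_flags(rec)
        records.append(rec)
    return records


def cluster_by_directory(records: list) -> list:
    """Flagged files per directory, busiest first."""
    return Counter(r.directory for r in records if r.flags).most_common()


if __name__ == "__main__":
    recs = parse_hidden_files(SAMPLE)
    for r in recs:
        if r.flags:
            print(f"{r.date:%Y-%m-%d} {r.size:>10,} {r.path}  {r.flags}")
    for directory, n in cluster_by_directory(recs):
        print(f"{n:3d}  {directory}")
```

On the sample, the BITS download stub under C:\WINDOWS passes, the DRM backup is noted only for its system+hidden bits outside the Windows tree, and the hidden DLLs on the desktop come out grouped by folder, which is the shape a reviewer wants before deciding whether a cluster is an installed program or something to quarantine.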



#6 Gutek

Gutek

    HotZlot participant

  • Users
  • 27006 posts

Posted 28.12.2007 - 20:33

I don't see anything
Fight to the end, no format :-)
Please do not write via PM, I will answer on the forum - thank you :-)

#7 dawidek11

dawidek11
  • Users
  • 481 posts

Posted 29.12.2007 - 01:41

Thanks, I scanned the computer with Kaspersky online and it detected 2 viruses, one from the "WMF" family and the other some trojan-downloader ... I'll scan it with some more online scanners, maybe BitDefender etc., but the computer runs much better now.
Thanks again for checking the logs and everything :)
Regards