Hello, I have/had a problem with some malware on my computer. Of course, as usual, HijackThis and ComboFix were put to work, but I don't know whether they removed everything completely. For now nothing bad seems to be happening anymore, but I would like to be sure. Before I started the removal game there were 3 files on the desktop: "Spyware Protection (something)", "Antyvirus scaner" and some other one, which I don't remember and unfortunately didn't write down.
Here are the logs:
Logfile of HijackThis v1.99.1
Scan saved at 21:13:50, on 2007-11-16
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
F:\Alwil Software\Avast4\aswUpdSv.exe
F:\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
F:\Alwil Software\Avast4\ashMaiSv.exe
F:\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Zbigniew\Pulpit\a\HijackThis.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - c:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - c:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - c:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B72AE87-4593-4732-B285-05DE8B1B1E06}: NameServer = 192.168.0.1,82.160.204.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF87A5DF-8C1D-452B-98E9-35C33AD1184B}: NameServer = 192.168.0.1,82.160.204.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: ddkret - {423C0B15-72E8-4598-BBB6-E13721CD95A7} - D:\WINDOWS\ddkret.dll
O21 - SSODL: nopctrl - {AC67FD10-DCF3-4E25-AAB2-7CF1EFD3201E} - D:\WINDOWS\nopctrl.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Avant Service (AvantService) - Unknown owner - C:\Program Files\Avant Browser\asvc.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (Omega 1.6693) § (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe
ComboFix 07-11-08.1 - Zbigniew 2007-11-16 21:20:46.3 - FAT32 x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.432 [GMT 1:00]
Running from: D:\Documents and Settings\Zbigniew\Pulpit\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\WINDOWS\main_uninstaller.exe
D:\WINDOWS\msmdev.dll
D:\WINDOWS\msmhost.dll
D:\WINDOWS\nsduo.dll
.
((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.
2007-11-15 21:23 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-11-15 21:09
2007-11-15 20:13
2007-11-15 20:13
2007-11-15 20:13
2007-11-15 20:13
2007-11-15 20:13
2007-11-15 20:13
2007-11-15 20:13
2007-11-15 20:13
2007-11-15 14:47 344,064 --a------ D:\WINDOWS\nopctrl.dll
2007-11-15 14:47 266,240 --a------ D:\WINDOWS\ddkret.dll
2007-11-15 14:47 114,688 --a------ D:\WINDOWS\sawkip.exe
2007-11-15 14:45
2007-11-14 20:21
2007-11-10 01:35
2007-11-09 13:45
2007-11-09 13:44
2007-11-09 13:44
2007-11-01 12:35
2007-11-01 00:42
2007-11-01 00:42
2007-10-31 20:42
2007-10-24 10:42
2007-10-21 23:58
2007-10-17 18:56
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 14:34 21,840 ----a-w D:\WINDOWS\system32\SIntfNT.dll
2007-11-15 14:34 17,212 ----a-w D:\WINDOWS\system32\SIntf32.dll
2007-11-15 14:34 12,067 ----a-w D:\WINDOWS\system32\SIntf16.dll
2007-10-25 16:44 8,488,960 ----a-w D:\WINDOWS\system32\dllcache\shell32.dll
2007-08-22 13:58 96,768 ----a-w D:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:58 668,160 ----a-w D:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:58 619,008 ----a-w D:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:58 55,808 ----a-w D:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:58 532,480 ----a-w D:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:58 474,112 ----a-w D:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:58 449,024 ----a-w D:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:58 39,424 ----a-w D:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:58 357,888 ----a-w D:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:58 3,085,824 ----a-w D:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:58 251,904 ----a-w D:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:58 205,824 ----a-w D:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:58 16,384 ----a-w D:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:58 151,552 ----a-w D:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:58 146,432 ----a-w D:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:58 1,498,112 ----a-w D:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:58 1,055,744 ----a-w D:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:58 1,022,976 ----a-w D:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 11:19 18,432 ----a-w D:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 07:18 683,520 ----a-w D:\WINDOWS\system32\inetcomm.dll
2007-08-21 07:18 683,520 ----a-w D:\WINDOWS\system32\dllcache\inetcomm.dll
2006-09-21 09:23 4,766 ----a-w D:\Program Files\INSTALL.LOG
2001-05-24 11:59 162,304 ----a-w D:\Program Files\UNWISE.EXE
.
((((((((((((((((((((((((((((( snapshot@2007-11-15_21.42.13.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-13 09:57:12 163,328 ----a-w D:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
- 2007-11-14 19:27:04 4,212 ---h--w D:\WINDOWS\system32\zllictbl.dat
- 2007-11-16 20:08:34 4,212 ---h--w D:\WINDOWS\system32\zllictbl.dat
- 2007-11-14 19:05:42 6,706,762 ------w D:\WINDOWS\system32\ZoneLabs\spyware.dat
- 2007-11-16 20:09:54 6,735,429 ------w D:\WINDOWS\system32\ZoneLabs\spyware.dat
- 2007-11-14 19:05:42 6,706,762 ------w D:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
- 2007-11-16 20:09:54 6,735,429 ------w D:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
- 2007-11-16 20:24:44 16,384 ----a-w D:\WINDOWS\TEMP\Perflib_Perfdata_e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2004-10-29 22:50]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-08-29 19:09]
"HPDJ Taskbar Utility"="D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-15 14:30]
"AtiPTA"="atiptaxx.exe" [2006-02-22 02:05 D:\WINDOWS\system32\atiptaxx.exe]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_USERS.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=F:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
R1 atitray;atitray;??\C:\Program Files\Radeon Omega Drivers\v3.8.360\ATI Tray Tools\atitray.sys
S3 AvantService;Avant Service;C:\Program Files\Avant Browser\asvc.exe
S3 usbscan;Sterownik skanera USB;D:\WINDOWS\system32\DRIVERS\usbscan.sys
S3 USBSTOR;Sterownik magazynu masowego USB;D:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba87f9b7-38d9-11db-b9c2-806d6172696f}]
\Shell\AutoRun\command - I:\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc124090-84a0-11db-86a8-806d6172696f}]
\Shell\AutoRun\command - G:\SH-S182D(TS-H652D).exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 20:49:04 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 21:25:17
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-16 21:26:12 - machine was rebooted
D:\ComboFix3.txt … 2007-11-15 21:42
D:\ComboFix2.txt … 2007-11-16 20:52
.
-- E O F --
Thanks in advance for the help.
Regards