...dlaczego tak się dzieje?

Dariusz_J · 2 Wrzesień 2007 22:05

Witam ponownie,

Po kilku dniach bezstresowej pracy w necie (komputer działa bez zarzutu dzieki Waszym poradom) postanowiłem przeskanować dysk NOD-em. Ku mojemu zdziwueniu, NOD wykrył 2 wirusy - w tym jeden w Virtmundo ?

C:\Documents and Settings\Daruś\Moje dokumenty\SDFix.exe »RAR »SDFix\apps\Process.exe - Win32/PrcView Program

C:\Documents and Settings\Daruś\Pulpit\VirtumundoBeGone.exe »NSIS »aaa - Win32/PrcView Program

Czy to możliwe, że nie wszystko zostało usunięte z dysku ? A może NOD32 jest tak nieskuteczny, że znów coś złapałem ?

Co gorsza, NOD nie może usunąć tych wirusów i mam w raporcie: liczba aktywnych wirusów: 2.

Dziękuję z góry za porady, pozdrawiam.

Gutek · 2 Wrzesień 2007 22:09

Daj log z HJT + Silent - http://forum.dobreprogramy.pl/viewtopic.php?t=36654

Dariusz_J · 2 Wrzesień 2007 22:36

Logfile of HijackThis v1.99.1 Scan saved at 00:26:44, on 2007-09-03 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\VTTimer.exe C:\WINDOWS\System32\VTtrayp.exe C:\WINDOWS\System32\FTRTSVC.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Eset\nod32krn.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\VIA\RAID\raid_tool.exe C:\PROGRA~1\NEOSTR~1\neostradatp.exe C:\PROGRA~1\NEOSTR~1\ComComp.exe C:\PROGRA~1\NEOSTR~1\Toaster.exe C:\PROGRA~1\NEOSTR~1\Inactivity.exe C:\PROGRA~1\NEOSTR~1\PollingModule.exe C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE C:\PROGRA~1\NEOSTR~1\Watch.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\csrss.exe C:\DOCUME~1\DARU~1\USTAWI~1\Temp\1356818723.exe C:\DOCUME~1\DARU~1\USTAWI~1\Temp\1987824837.exe C:\Documents and Settings\Daruś\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O4 - HKLM…\Run: [VTTimer] VTTimer.exe O4 - HKLM…\Run: [VTTrayp] VTtrayp.exe O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe” O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” O4 - HKLM…\Run: [net64] C:\WINDOWS\svhoster.exe O4 - HKLM…\Run: [net32] C:\WINDOWS\svhost.exe O4 - HKCU…\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/programs/ … canner.cab O17 - HKLM\System\CCS\Services\Tcpip…{A90F0EFB-1BF7-4C39-A361-DC5064A68205}: NameServer = 194.204.152.34 217.98.63.164 O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Menedżer sesji pomocy pulpitu zdalnego RDSessMgrRasAuto (RDSessMgrRasAuto) - Unknown owner - C:\WINDOWS\System32\accwizt.exe

“Silent Runners.vbs”, revision 52, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Odkurzacz-MCD” = “C:\Program Files\Odkurzacz\odk_mcd.exe” [“Franmo Software”] HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++} “system” = “C:\WINDOWS\csrss.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “VTTimer” = “VTTimer.exe” [“S3 Graphics, Inc.”] “VTTrayp” = “VTtrayp.exe” [“S3 Graphics Co., Ltd.”] “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”] “WOOTASKBARICON” = “C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe” [“France Télécom R&D”] “nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "] “Adobe Photo Downloader” = ““C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe”” [“Adobe Systems Incorporated”] “Adobe Reader Speed Launcher” = ““C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”” [“Adobe Systems Incorporated”] “net64” = “C:\WINDOWS\svhoster.exe” [null data] “net32” = “C:\WINDOWS\svhost.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{59850401-6664-101B-B21C-00AA004BA90B}” = “Microsoft Office Binder Unbind” -> {HKLM…CLSID} = “Microsoft Office Binder Unbind” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL” [MS] “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] HKLM\System\CurrentControlSet\Control\Session Manager\ <> “BootExecute” = “autocheck autochk *”|“lsdelete” [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “Daruś” & “All Users” startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] “VIA RAID TOOL” -> shortcut to: “C:\Program Files\VIA\RAID\raid_tool.exe” [“VIA Technologies”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 21 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 20 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ad-Aware 2007 Service, aawservice, “C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe” [“Lavasoft AB”] Canon Camera Access Library 8, CCALib8, “C:\Program Files\Canon\CAL\CALMAIN.exe” [“Canon Inc.”] France Telecom Routing Table Service, FTRTSVC, “C:\WINDOWS\System32\FTRTSVC.exe” [“France Telecom”] NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "] ---------- (launch time: 2007-09-03 00:33:33) <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 82 seconds, including 12 seconds for message boxes)

Gutek · 2 Wrzesień 2007 22:47

Najpierw użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable. Po użyciu tego narzędzia wymagany jest reset sysa.

Po tym automat - Daj log z ComboFix oraz użyj SmitFraudFix wybierz opcji nr 2 , oczywiście w trybie awaryjnym

Dariusz_J · 2 Wrzesień 2007 23:18

ComboFix 07-08-30.3 - “Daru” 2007-09-03 1:03:46.2 - NTFSx86 MINIMAL Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.307 [GMT 2:00] ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\csrss.exe C:\WINDOWS\svhost.exe ((((((((((((((((((((((((( Files Created from 2007-08-02 to 2007-09-02 ))))))))))))))))))))))))))))))) 2007-09-03 00:51 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-09-03 00:22 204,173 --ahs---- C:\WINDOWS\svhoster.exe 2007-09-02 23:14 47,727 -r-hs---- C:\WINDOWS\system32\accwizt.exe 2007-09-02 23:14 252 --ahs---- C:\WINDOWS\system32\3637441342.dat 2007-08-29 01:25 2007-08-28 22:18 2007-08-28 19:15 2007-08-28 02:43 2007-08-28 02:31 2007-08-28 01:22 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe 2007-08-28 01:22 9,006 --a------ C:\clean.bat 2007-08-19 23:31 2007-08-19 23:29 974,848 --a------ C:\WINDOWS\system32\mfc70.dll 2007-08-19 23:29 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll 2007-08-19 23:29 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll 2007-08-19 23:29 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll 2007-08-19 23:29 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll 2007-08-19 23:29 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll 2007-08-19 23:29 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll 2007-08-19 23:29 2007-08-19 23:29 2007-08-19 22:48 2007-08-19 22:48 2007-08-19 22:39 2007-08-19 19:26 2007-08-19 19:25 2007-08-19 19:20 2007-08-19 19:18 2007-08-19 19:09 2007-08-19 03:58 2007-08-19 00:22 2007-08-18 22:37 2007-08-18 22:37 2007-08-18 21:43 2007-08-18 21:43 2007-08-18 21:43 2007-08-18 21:13 2007-08-18 21:13 2007-08-18 12:17 2007-08-17 20:38 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-08-17 20:38 298,104 --a------ C:\WINDOWS\system32\imon.dll 2007-08-17 20:38 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-08-15 14:49 2007-08-15 14:48 94,208 --a------ C:\WINDOWS\system32\W32n50.dll 2007-08-15 14:48 40,960 --a------ C:\WINDOWS\system32\FTRTSVC.exe 2007-08-15 14:48 36,864 --a------ C:\WINDOWS\system32\IfHelper.dll 2007-08-15 14:48 16,128 --------- C:\WINDOWS\system32\PCANDIS5.SYS 2007-08-15 14:48 2007-08-15 13:30 32,768 --a------ C:\WINDOWS\system32\WooDial2000.dll 2007-08-15 13:24 41,068 --------- C:\WINDOWS\system32\ActPanel.dll 2007-08-15 13:24 2007-08-15 13:23 2007-08-15 13:23 2007-08-14 23:53 73,216 --a------ C:\WINDOWS\ST6UNST.EXE 2007-08-14 23:53 249,856 --------- C:\WINDOWS\Setup1.exe 2007-08-14 23:53 2007-08-14 19:16 2007-08-14 19:16 2007-08-14 19:12 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll 2007-08-14 19:12 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll 2007-08-14 19:12 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll 2007-08-14 19:12 118,832 --a------ C:\WINDOWS\system32\SHW32.DLL 2007-08-14 19:12 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll 2007-08-14 19:04 2007-08-14 18:40 143,872 --a------ C:\WINDOWS\system32\iacenc.dll 2007-08-14 18:39 204,857 --a------ C:\WINDOWS\system32\InstallHelp.dll 2007-08-14 18:39 107,293 --a------ C:\WINDOWS\system32\GMTUninstall.exe 2007-08-14 18:39 2007-08-14 18:05 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll 2007-08-14 18:05 146,944 --a------ C:\WINDOWS\system32\ptpusd.dll 2007-08-14 18:05 13,824 --a–c— C:\WINDOWS\system32\dllcache\usbscan.sys 2007-08-14 18:05 13,824 --a------ C:\WINDOWS\system32\drivers\usbscan.sys 2007-08-14 17:46 2007-08-14 17:45 2007-08-14 17:45 2007-08-14 16:11 2007-08-14 16:11 2007-08-14 16:10 39,424 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys 2007-08-14 16:10 2007-08-14 16:10 2007-08-14 16:08 53,248 -ra------ C:\WINDOWS\system32\VTTimer.exe 2007-08-14 16:08 487,424 -ra------ C:\WINDOWS\system32\VTDisply.dll 2007-08-14 16:08 389,120 -ra------ C:\WINDOWS\system32\VTovrlay.dll 2007-08-14 16:08 360,448 -ra------ C:\WINDOWS\system32\VTGamma2.dll 2007-08-14 16:08 3,453,824 -ra------ C:\WINDOWS\system32\vtdisp.dll 2007-08-14 16:08 253,952 -ra------ C:\WINDOWS\system32\VTInfo2.dll 2007-08-14 16:08 172,544 -ra------ C:\WINDOWS\system32\drivers\vtmini.sys 2007-08-14 16:08 143,360 -ra------ C:\WINDOWS\system32\VTTrayp.exe 2007-08-14 16:08 1,871,872 -ra------ C:\WINDOWS\system32\vticd.dll 2007-08-14 16:08 2007-08-14 16:08 2007-08-14 16:07 6,144 -ra------ C:\WINDOWS\system32\drivers\viaidexp.sys 2007-08-14 16:07 36,224 --a–c— C:\WINDOWS\system32\dllcache\isapnp.sys 2007-08-14 16:07 36,224 --a------ C:\WINDOWS\system32\drivers\isapnp.sys 2007-08-14 16:07 27,904 -ra------ C:\WINDOWS\system32\drivers\VIAAGP1.SYS 2007-08-14 16:06 306,688 --a------ C:\WINDOWS\IsUninst.exe 2007-08-14 14:33 2007-08-14 14:32 2007-08-14 12:33 2007-08-14 11:19 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-08-23 02:05 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys 2007-08-23 02:05 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys 2007-08-15 14:49 33 --a------ C:\WINDOWS\system32\drivers\adidsl.cfg 2007-08-02 18:11 253952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll 2007-08-02 18:11 241664 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll 2007-07-27 15:49 225355 --a------ C:\WINDOWS\system32\lnod32apiW.dll 2007-07-27 15:49 196683 --a------ C:\WINDOWS\system32\lnod32apiA.dll 2007-06-13 11:10 77824 --a------ C:\WINDOWS\system32\OnlineScannerUninstaller.exe 2007-06-07 21:10 20480 --a------ C:\WINDOWS\system32\ac3config.exe --------- C:\Program Files\Usługi online ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “VTTimer”=“VTTimer.exe” [2005-03-07 21:33 C:\WINDOWS\system32\VTTimer.exe] “VTTrayp”=“VTtrayp.exe” [2005-01-11 01:33 C:\WINDOWS\system32\VTTrayp.exe] “SoundMan”=“SOUNDMAN.EXE” [2004-12-22 11:09 C:\WINDOWS\SOUNDMAN.EXE] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2004-08-23 14:49] “WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\GestMaj.exe” [2004-10-14 16:55] “nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-08-17 20:36] “Adobe Photo Downloader”=“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe” [2007-03-09 11:09] “Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-05-11 03:06] “net64”=“C:\WINDOWS\svhoster.exe” [2007-09-03 00:22] “net32”=“C:\WINDOWS\svhost.exe” [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Odkurzacz-MCD”=“C:\Program Files\Odkurzacz\odk_mcd.exe” [2007-05-03 10:02] R0 viamraid;viamraid;C:\WINDOWS\System32\DRIVERS\viamraid.sys S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\System32\Drivers\e4ldr.sys S2 RDSessMgrRasAuto;Menedżer sesji pomocy pulpitu zdalnego RDSessMgrRasAuto;C:\WINDOWS\System32\accwizt.exe srv S3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\System32\DRIVERS\e4usbaw.sys S3 NTSIM;NTSIM;??\C:\WINDOWS\System32\ntsim.sys ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-03 01:04:45 Windows 5.1.2600 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-09-03 1:05:17 C:\ComboFix-quarantined-files.txt … 2007-09-03 01:05 — E O F —

2007-07-08 21:23 15399 --a------ C:\Qoobox\Quarantine\C\ComboFix\FProps.vbs.vir 2007-09-03 00:20 32143 --a------ C:\Qoobox\Quarantine\C\WINDOWS\csrss.exe.vir 2007-09-03 00:25 205461 --a------ C:\Qoobox\Quarantine\C\WINDOWS\svhost.exe.vir 2007-09-03 00:51 0 --a------ C:\Qoobox\BackEnv\MY PICTURES.folder.cf 2007-09-03 00:51 0 --a------ C:\Qoobox\BackEnv\STARTUP.folder.cf 2007-09-03 00:51 108 --a------ C:\Qoobox\BackEnv\LOCAL SETTINGS.folder.cf 2007-09-03 00:51 135 --a------ C:\Qoobox\BackEnv\LOCAL APPDATA.folder.cf 2007-09-03 00:51 139 --a------ C:\Qoobox\BackEnv\APPDATA.folder.cf 2007-09-03 00:51 3172 --a------ C:\Qoobox\BackEnv\setpath.bat 2007-09-03 00:51 37 --a------ C:\Qoobox\BackEnv\profiles.folder.cf 2007-09-03 00:51 44 --a------ C:\Qoobox\BackEnv\DESKTOP.folder.cf 2007-09-03 00:51 46 --a------ C:\Qoobox\BackEnv\FAVORITES.folder.cf 2007-09-03 00:51 46 --a------ C:\Qoobox\BackEnv\PERSONAL.folder.cf 2007-09-03 00:51 46 --a------ C:\Qoobox\BackEnv\START MENU.folder.cf 2007-09-03 00:51 46 --a------ C:\Qoobox\BackEnv\TEMPLATES.folder.cf 2007-09-03 00:51 55 --a------ C:\Qoobox\BackEnv\PROGRAMS.folder.cf 2007-09-03 00:51 80 --a------ C:\Qoobox\BackEnv\CACHE.folder.cf 2007-09-03 01:04 370515 --a------ C:\Qoobox\snapshot_2007-09-03_ 10458.95.cf Zmienna PATH folderu Numer seryjny woluminu: 71F5E346 D8CE:F33E C:\QOOBOX | snapshot_2007-09-03_ 10458.95.cf | ±–BackEnv | APPDATA.folder.cf | CACHE.folder.cf | DESKTOP.folder.cf | FAVORITES.folder.cf | LOCAL APPDATA.folder.cf | LOCAL SETTINGS.folder.cf | MY PICTURES.folder.cf | PERSONAL.folder.cf | profiles.folder.cf | PROGRAMS.folder.cf | setpath.bat | START MENU.folder.cf | STARTUP.folder.cf | TEMPLATES.folder.cf | —Quarantine ±–C | ±–ComboFix | | FProps.vbs.vir | | | —WINDOWS | csrss.exe.vir | svhost.exe.vir | —Registry_backups

qSmitFraudFix v2.219 Scan done at 1:06:34,65, 2007-09-03 Run from C:\Documents and Settings\Daru\Pulpit\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» hosts 127.0.0.1 localhost »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» DNS »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !Attention, following keys are not inevitably infected! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] “System”="" »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» End Złączono Posta: 03.09.2007 (Pon) 1:36 …przeskanowałem ponownie NOD-em po tych operacjach i teraz mam 4 wirusy…2 doszły z Smitfraud w nazwie… Pozdrawiam

jessica · 3 Wrzesień 2007 08:01

SDFix, Virtumondo i SmitfraudFix są narzędziami wykrywającymi i usuwającymi, a więc mają w sobie moduł bazy wirusów, co jest odczytywane przez niektóre Antivirusy jako “wirus”. Jednym słowem: fałszywy alarm.

Ustaw w NOD, by te narzędzia po prostu omijał przy skanowaniu.

Te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

Jeśli sam nie stworzyłeś tej usługi (to nie jest standartowa usługa, choć jej nazwa jest trochę podobna!), to zrób tak:

>>Start >>> Uruchom >>> wybierz (lub wpisz) cmd >> zastosować te komendy (po każdej wciśnij “ENTER”):

Potem opróżnij foldery TEMP.

Potem daj nowe logi z Hijacka i ComboFixa.

jessi

Dariusz_J · 3 Wrzesień 2007 18:26

Dzieki, Jessi.

Oto logi:

Logfile of HijackThis v1.99.1 Scan saved at 20:24:25, on 2007-09-03 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\VTTimer.exe C:\WINDOWS\System32\VTtrayp.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Eset\nod32kui.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe C:\WINDOWS\System32\FTRTSVC.exe C:\Program Files\Eset\nod32krn.exe C:\Program Files\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\VIA\RAID\raid_tool.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\PROGRA~1\NEOSTR~1\neostradatp.exe C:\PROGRA~1\NEOSTR~1\ComComp.exe C:\PROGRA~1\NEOSTR~1\Toaster.exe C:\PROGRA~1\NEOSTR~1\Inactivity.exe C:\PROGRA~1\NEOSTR~1\PollingModule.exe C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE C:\PROGRA~1\NEOSTR~1\Watch.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Daruś\Pulpit\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O4 - HKLM…\Run: [VTTimer] VTTimer.exe O4 - HKLM…\Run: [VTTrayp] VTtrayp.exe O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe” O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” O4 - HKLM…\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE O4 - HKCU…\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/programs/ … canner.cab O17 - HKLM\System\CCS\Services\Tcpip…{A90F0EFB-1BF7-4C39-A361-DC5064A68205}: NameServer = 194.204.152.34 217.98.63.164 O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

ComboFix 07-08-30.3 - “Daru” 2007-09-03 20:25:08.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.201 [GMT 2:00] ((((((((((((((((((((((((( Files Created from 2007-08-03 to 2007-09-03 ))))))))))))))))))))))))))))))) 2007-09-03 20:03 2007-09-03 01:06 2,240 --a------ C:\WINDOWS\system32\tmp.reg 2007-09-03 00:51 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-09-03 00:22 204,173 --ahs---- C:\WINDOWS\svhoster.exe 2007-09-02 23:14 47,727 -r-hs---- C:\WINDOWS\system32\accwizt.exe 2007-09-02 23:14 252 --ahs---- C:\WINDOWS\system32\3637441342.dat 2007-08-29 01:25 2007-08-28 22:18 2007-08-28 19:15 2007-08-28 02:43 2007-08-28 02:31 2007-08-28 01:22 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe 2007-08-28 01:22 9,006 --a------ C:\clean.bat 2007-08-19 23:31 2007-08-19 23:29 974,848 --a------ C:\WINDOWS\system32\mfc70.dll 2007-08-19 23:29 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll 2007-08-19 23:29 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll 2007-08-19 23:29 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll 2007-08-19 23:29 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll 2007-08-19 23:29 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll 2007-08-19 23:29 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll 2007-08-19 23:29 2007-08-19 23:29 2007-08-19 22:48 2007-08-19 22:48 2007-08-19 22:39 2007-08-19 19:26 2007-08-19 19:25 2007-08-19 19:20 2007-08-19 19:18 2007-08-19 19:09 2007-08-19 03:58 2007-08-19 00:22 2007-08-18 22:37 2007-08-18 22:37 2007-08-18 21:43 2007-08-18 21:43 2007-08-18 21:43 2007-08-18 21:13 2007-08-18 21:13 2007-08-18 12:17 2007-08-17 20:38 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-08-17 20:38 298,104 --a------ C:\WINDOWS\system32\imon.dll 2007-08-17 20:38 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-08-15 14:49 2007-08-15 14:48 94,208 --a------ C:\WINDOWS\system32\W32n50.dll 2007-08-15 14:48 40,960 --a------ C:\WINDOWS\system32\FTRTSVC.exe 2007-08-15 14:48 36,864 --a------ C:\WINDOWS\system32\IfHelper.dll 2007-08-15 14:48 16,128 --------- C:\WINDOWS\system32\PCANDIS5.SYS 2007-08-15 14:48 2007-08-15 13:30 32,768 --a------ C:\WINDOWS\system32\WooDial2000.dll 2007-08-15 13:24 41,068 --------- C:\WINDOWS\system32\ActPanel.dll 2007-08-15 13:24 2007-08-15 13:23 2007-08-15 13:23 2007-08-14 23:53 73,216 --a------ C:\WINDOWS\ST6UNST.EXE 2007-08-14 23:53 249,856 --------- C:\WINDOWS\Setup1.exe 2007-08-14 23:53 2007-08-14 19:16 2007-08-14 19:16 2007-08-14 19:12 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll 2007-08-14 19:12 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll 2007-08-14 19:12 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll 2007-08-14 19:12 118,832 --a------ C:\WINDOWS\system32\SHW32.DLL 2007-08-14 19:12 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll 2007-08-14 19:04 2007-08-14 18:40 143,872 --a------ C:\WINDOWS\system32\iacenc.dll 2007-08-14 18:39 204,857 --a------ C:\WINDOWS\system32\InstallHelp.dll 2007-08-14 18:39 107,293 --a------ C:\WINDOWS\system32\GMTUninstall.exe 2007-08-14 18:39 2007-08-14 18:05 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll 2007-08-14 18:05 146,944 --a------ C:\WINDOWS\system32\ptpusd.dll 2007-08-14 18:05 13,824 --a–c— C:\WINDOWS\system32\dllcache\usbscan.sys 2007-08-14 18:05 13,824 --a------ C:\WINDOWS\system32\drivers\usbscan.sys 2007-08-14 17:46 2007-08-14 17:45 2007-08-14 17:45 2007-08-14 16:11 2007-08-14 16:11 2007-08-14 16:10 39,424 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys 2007-08-14 16:10 2007-08-14 16:10 2007-08-14 16:08 53,248 -ra------ C:\WINDOWS\system32\VTTimer.exe 2007-08-14 16:08 487,424 -ra------ C:\WINDOWS\system32\VTDisply.dll 2007-08-14 16:08 389,120 -ra------ C:\WINDOWS\system32\VTovrlay.dll 2007-08-14 16:08 360,448 -ra------ C:\WINDOWS\system32\VTGamma2.dll 2007-08-14 16:08 3,453,824 -ra------ C:\WINDOWS\system32\vtdisp.dll 2007-08-14 16:08 253,952 -ra------ C:\WINDOWS\system32\VTInfo2.dll 2007-08-14 16:08 172,544 -ra------ C:\WINDOWS\system32\drivers\vtmini.sys 2007-08-14 16:08 143,360 -ra------ C:\WINDOWS\system32\VTTrayp.exe 2007-08-14 16:08 1,871,872 -ra------ C:\WINDOWS\system32\vticd.dll 2007-08-14 16:08 2007-08-14 16:08 2007-08-14 16:07 6,144 -ra------ C:\WINDOWS\system32\drivers\viaidexp.sys 2007-08-14 16:07 36,224 --a–c— C:\WINDOWS\system32\dllcache\isapnp.sys 2007-08-14 16:07 36,224 --a------ C:\WINDOWS\system32\drivers\isapnp.sys 2007-08-14 16:07 27,904 -ra------ C:\WINDOWS\system32\drivers\VIAAGP1.SYS 2007-08-14 16:06 306,688 --a------ C:\WINDOWS\IsUninst.exe 2007-08-14 14:33 2007-08-14 14:32 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-08-23 02:05 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys 2007-08-23 02:05 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys 2007-08-15 14:49 33 --a------ C:\WINDOWS\system32\drivers\adidsl.cfg 2007-08-02 18:11 253952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll 2007-08-02 18:11 241664 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll 2007-07-27 15:49 225355 --a------ C:\WINDOWS\system32\lnod32apiW.dll 2007-07-27 15:49 196683 --a------ C:\WINDOWS\system32\lnod32apiA.dll 2007-06-13 11:10 77824 --a------ C:\WINDOWS\system32\OnlineScannerUninstaller.exe 2007-06-07 21:10 20480 --a------ C:\WINDOWS\system32\ac3config.exe --------- C:\Program Files\Usługi online ((((((((((((((((((((((((((((( snapshot_2007-09-03_ 10458.95 ))))))))))))))))))))))))))))))))))))))))) ----a-w 370,688 2006-11-29 15:21:29 C:\WINDOWS\system32\swsc.exe ----a-w 40,960 2005-11-25 15:48:28 C:\WINDOWS\system32\swsc.exe ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “VTTimer”=“VTTimer.exe” [2005-03-07 21:33 C:\WINDOWS\system32\VTTimer.exe] “VTTrayp”=“VTtrayp.exe” [2005-01-11 01:33 C:\WINDOWS\system32\VTTrayp.exe] “SoundMan”=“SOUNDMAN.EXE” [2004-12-22 11:09 C:\WINDOWS\SOUNDMAN.EXE] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2004-08-23 14:49] “WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\GestMaj.exe” [2004-10-14 16:55] “nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-08-17 20:36] “Adobe Photo Downloader”=“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe” [2007-03-09 11:09] “Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-05-11 03:06] “LWBMOUSE”=“C:\Program Files\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE” [2001-11-09 08:47] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Odkurzacz-MCD”=“C:\Program Files\Odkurzacz\odk_mcd.exe” [2007-05-03 10:02] R0 viamraid;viamraid;C:\WINDOWS\System32\DRIVERS\viamraid.sys R3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\System32\DRIVERS\e4usbaw.sys S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\System32\Drivers\e4ldr.sys S3 NTSIM;NTSIM;??\C:\WINDOWS\System32\ntsim.sys ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-03 20:25:33 Windows 5.1.2600 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-09-03 20:26:02 C:\ComboFix-quarantined-files.txt … 2007-09-03 20:25 C:\ComboFix2.txt … 2007-09-03 01:05 — E O F —

qrczak13 · 3 Wrzesień 2007 18:39

Ściągnij OTMoveIt. W okienko po lewej Paste List of Files/Folders to be Moved wklej:

C:\WINDOWS\svhoster.exe

C:\WINDOWS\system32\accwizt.exe

C:\WINDOWS\system32\3637441342.dat

zapodaj Move It , zgadzasz się na restart.

Po restarcie usuń folder C:_OTMoveIt.

Nowy log z combo po tym.

Dariusz_J · 3 Wrzesień 2007 19:03

Dzięki, Qrczak.

Nowy log z Combo:

ComboFix 07-08-30.3 - “Daru” 2007-09-03 21:01:40.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.206 [GMT 2:00] ((((((((((((((((((((((((( Files Created from 2007-08-03 to 2007-09-03 ))))))))))))))))))))))))))))))) 2007-09-03 20:03 2007-09-03 01:06 2,240 --a------ C:\WINDOWS\system32\tmp.reg 2007-09-03 00:51 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-08-29 01:25 2007-08-28 22:18 2007-08-28 19:15 2007-08-28 02:43 2007-08-28 02:31 2007-08-28 01:22 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe 2007-08-28 01:22 9,006 --a------ C:\clean.bat 2007-08-19 23:31 2007-08-19 23:29 974,848 --a------ C:\WINDOWS\system32\mfc70.dll 2007-08-19 23:29 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll 2007-08-19 23:29 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll 2007-08-19 23:29 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll 2007-08-19 23:29 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll 2007-08-19 23:29 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll 2007-08-19 23:29 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll 2007-08-19 23:29 2007-08-19 23:29 2007-08-19 22:48 2007-08-19 22:48 2007-08-19 22:39 2007-08-19 19:26 2007-08-19 19:25 2007-08-19 19:20 2007-08-19 19:18 2007-08-19 19:09 2007-08-19 03:58 2007-08-19 00:22 2007-08-18 22:37 2007-08-18 22:37 2007-08-18 21:43 2007-08-18 21:43 2007-08-18 21:43 2007-08-18 21:13 2007-08-18 21:13 2007-08-18 12:17 2007-08-17 20:38 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-08-17 20:38 298,104 --a------ C:\WINDOWS\system32\imon.dll 2007-08-17 20:38 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-08-15 14:49 2007-08-15 14:48 94,208 --a------ C:\WINDOWS\system32\W32n50.dll 2007-08-15 14:48 40,960 --a------ C:\WINDOWS\system32\FTRTSVC.exe 2007-08-15 14:48 36,864 --a------ C:\WINDOWS\system32\IfHelper.dll 2007-08-15 14:48 16,128 --------- C:\WINDOWS\system32\PCANDIS5.SYS 2007-08-15 14:48 2007-08-15 13:30 32,768 --a------ C:\WINDOWS\system32\WooDial2000.dll 2007-08-15 13:24 41,068 --------- C:\WINDOWS\system32\ActPanel.dll 2007-08-15 13:24 2007-08-15 13:23 2007-08-15 13:23 2007-08-14 23:53 73,216 --a------ C:\WINDOWS\ST6UNST.EXE 2007-08-14 23:53 249,856 --------- C:\WINDOWS\Setup1.exe 2007-08-14 23:53 2007-08-14 19:16 2007-08-14 19:16 2007-08-14 19:12 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll 2007-08-14 19:12 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll 2007-08-14 19:12 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll 2007-08-14 19:12 118,832 --a------ C:\WINDOWS\system32\SHW32.DLL 2007-08-14 19:12 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll 2007-08-14 19:04 2007-08-14 18:40 143,872 --a------ C:\WINDOWS\system32\iacenc.dll 2007-08-14 18:39 204,857 --a------ C:\WINDOWS\system32\InstallHelp.dll 2007-08-14 18:39 107,293 --a------ C:\WINDOWS\system32\GMTUninstall.exe 2007-08-14 18:39 2007-08-14 18:05 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll 2007-08-14 18:05 146,944 --a------ C:\WINDOWS\system32\ptpusd.dll 2007-08-14 18:05 13,824 --a–c— C:\WINDOWS\system32\dllcache\usbscan.sys 2007-08-14 18:05 13,824 --a------ C:\WINDOWS\system32\drivers\usbscan.sys 2007-08-14 17:46 2007-08-14 17:45 2007-08-14 17:45 2007-08-14 16:11 2007-08-14 16:11 2007-08-14 16:10 39,424 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys 2007-08-14 16:10 2007-08-14 16:10 2007-08-14 16:08 53,248 -ra------ C:\WINDOWS\system32\VTTimer.exe 2007-08-14 16:08 487,424 -ra------ C:\WINDOWS\system32\VTDisply.dll 2007-08-14 16:08 389,120 -ra------ C:\WINDOWS\system32\VTovrlay.dll 2007-08-14 16:08 360,448 -ra------ C:\WINDOWS\system32\VTGamma2.dll 2007-08-14 16:08 3,453,824 -ra------ C:\WINDOWS\system32\vtdisp.dll 2007-08-14 16:08 253,952 -ra------ C:\WINDOWS\system32\VTInfo2.dll 2007-08-14 16:08 172,544 -ra------ C:\WINDOWS\system32\drivers\vtmini.sys 2007-08-14 16:08 143,360 -ra------ C:\WINDOWS\system32\VTTrayp.exe 2007-08-14 16:08 1,871,872 -ra------ C:\WINDOWS\system32\vticd.dll 2007-08-14 16:08 2007-08-14 16:08 2007-08-14 16:07 6,144 -ra------ C:\WINDOWS\system32\drivers\viaidexp.sys 2007-08-14 16:07 36,224 --a–c— C:\WINDOWS\system32\dllcache\isapnp.sys 2007-08-14 16:07 36,224 --a------ C:\WINDOWS\system32\drivers\isapnp.sys 2007-08-14 16:07 27,904 -ra------ C:\WINDOWS\system32\drivers\VIAAGP1.SYS 2007-08-14 16:06 306,688 --a------ C:\WINDOWS\IsUninst.exe 2007-08-14 14:33 2007-08-14 14:32 2007-08-14 12:33 2007-08-14 11:19 2007-08-14 11:19 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-08-23 02:05 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys 2007-08-23 02:05 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys 2007-08-15 14:49 33 --a------ C:\WINDOWS\system32\drivers\adidsl.cfg 2007-08-02 18:11 253952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll 2007-08-02 18:11 241664 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll 2007-07-27 15:49 225355 --a------ C:\WINDOWS\system32\lnod32apiW.dll 2007-07-27 15:49 196683 --a------ C:\WINDOWS\system32\lnod32apiA.dll 2007-06-13 11:10 77824 --a------ C:\WINDOWS\system32\OnlineScannerUninstaller.exe 2007-06-07 21:10 20480 --a------ C:\WINDOWS\system32\ac3config.exe --------- C:\Program Files\Usługi online ((((((((((((((((((((((((((((( snapshot_2007-09-03_ 10458.95 ))))))))))))))))))))))))))))))))))))))))) ----a-w 370,688 2006-11-29 15:21:29 C:\WINDOWS\system32\swsc.exe ----a-w 40,960 2005-11-25 15:48:28 C:\WINDOWS\system32\swsc.exe ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “VTTimer”=“VTTimer.exe” [2005-03-07 21:33 C:\WINDOWS\system32\VTTimer.exe] “VTTrayp”=“VTtrayp.exe” [2005-01-11 01:33 C:\WINDOWS\system32\VTTrayp.exe] “SoundMan”=“SOUNDMAN.EXE” [2004-12-22 11:09 C:\WINDOWS\SOUNDMAN.EXE] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2004-08-23 14:49] “WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\GestMaj.exe” [2004-10-14 16:55] “nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-08-17 20:36] “Adobe Photo Downloader”=“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe” [2007-03-09 11:09] “Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-05-11 03:06] “LWBMOUSE”=“C:\Program Files\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE” [2001-11-09 08:47] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Odkurzacz-MCD”=“C:\Program Files\Odkurzacz\odk_mcd.exe” [2007-05-03 10:02] R0 viamraid;viamraid;C:\WINDOWS\System32\DRIVERS\viamraid.sys R3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\System32\DRIVERS\e4usbaw.sys S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\System32\Drivers\e4ldr.sys S3 NTSIM;NTSIM;??\C:\WINDOWS\System32\ntsim.sys ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-03 21:02:28 Windows 5.1.2600 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-09-03 21:02:56 C:\ComboFix-quarantined-files.txt … 2007-09-03 21:02 C:\ComboFix2.txt … 2007-09-03 20:26 C:\ComboFix3.txt … 2007-09-03 01:05 — E O F —

adam9870 · 3 Wrzesień 2007 20:14

Log czysty.

Możesz usunąć katalog C:\VundoFix Backups , ponieważ nie jest już do niczego potrzebny.

Drobna kosmetyka:

Start => uruchom => msconfig => zakładka Uruchamianie => możesz odznaczyć w/w.

Dodatkowo proponuję usunąć aplikację dostępową neostrady, a połączenie skonfigurować ręcznie: http://forum.dobreprogramy.pl/viewtopic.php?t=91864

Dariusz_J · 3 Wrzesień 2007 20:37

OK, dziękuję wszystkim za pomoc. Jesteście super !

Pozdrawiam,