Dziwne programy wyszukujące trojany


(@ro) #1

Przy uruchomieniu systemu włączają mi się jakieś programy wyświetlające informację o zainfekowaniu systemu przez trojany. System wolniej działa niż zwykle.

Proszę o sprawdzenie loga.

Logfile of HijackThis v1.99.1

Scan saved at 14:18:09, on 2008-06-25

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\ATKKBService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Eset\nod32kui.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\Gadu-Gadu\gg.exe

C:\DOCUME~1\Arek\USTAWI~1\Temp\Katalog tymczasowy 2 dla hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM..\Run: [nwiz] nwiz.exe /install

O4 - HKLM..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot

O4 - HKLM..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU..\Run: [AQQ] C:\PROGRA~1\WapSter\AQQ\AQQ.exe

O4 - HKCU..\Run: [Antivirus] C:\Program Files\Antivirus2008\Antvrs.exe

O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O15 - Trusted Zone: www.mks.com.pl

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip..{5C49EA34-820A-4F84-86A5-755FAFFBB4BA}: NameServer = 85.255.116.162,85.255.112.110

O17 - HKLM\System\CCS\Services\Tcpip..{9DCEDCA8-8144-404D-9071-6A41A7ED8E3A}: NameServer = 85.255.116.162,85.255.112.110

O17 - HKLM\System\CCS\Services\Tcpip..{B8B53BEC-E3DE-4141-AC8E-527EC6A58E61}: NameServer = 85.255.116.162,85.255.112.110

O17 - HKLM\System\CCS\Services\Tcpip..{C5F78C5C-A691-4B1D-9A74-CB0FE071CA8A}: NameServer = 85.255.116.162,85.255.112.110


(Kambor4) #2

To nie jest CAŁY LOG!

Daj log z Combofix


(@ro) #3

Combofix:

ComboFix 08-06-20.4 - Arek 2008-06-25 14:32:23.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.2572 [GMT 2:00]

Running from: C:\Documents and Settings\Arek\Pulpit\ComboFix.exe

* Created a new restore point

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Program Files\Antivirus2008

C:\Program Files\Antivirus2008\Antvrs.exe

C:\WINDOWS\adaway.lic

C:\WINDOWS\system32\Dvbpws.dll

C:\WINDOWS\system32\kdzao.exe

.

((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))

.

2008-06-03 13:18 . 2004-08-04 00:44 21,504 --a------ C:\WINDOWS\system32\hidserv.dll

2008-06-03 13:18 . 2004-08-04 00:38 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys

2008-06-03 13:18 . 2004-08-04 00:38 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys

2008-05-28 15:01 . 2008-05-28 15:01

2008-05-28 15:01 . 2003-03-18 22:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll

2008-05-25 21:00 . 2008-05-25 21:00

2008-05-25 20:56 . 2008-06-05 23:07

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-25 12:24 --------- d-----w C:\Program Files\Mozilla Thunderbird

2008-06-25 07:07 --------- d-----w C:\Program Files\SkanerOnline

2008-06-24 20:38 --------- d-----w C:\Documents and Settings\Arek\Dane aplikacji\uTorrent

2008-06-22 22:24 --------- d-----w C:\Documents and Settings\Arek\Dane aplikacji\skypePM

2008-06-22 22:24 --------- d-----w C:\Documents and Settings\Arek\Dane aplikacji\Skype

2008-06-02 12:01 --------- d-----w C:\Documents and Settings\Arek\Dane aplikacji\BitTorrent

2008-05-25 14:52 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-05-22 09:55 --------- d-----w C:\Documents and Settings\Arek\Dane aplikacji\MyPhoneExplorer

2008-05-16 22:48 --------- d-----w C:\Documents and Settings\Arek\Dane aplikacji\Hamachi

2008-05-11 20:03 --------- d-----w C:\Program Files\EA SPORTS

2008-05-08 22:33 --------- d-----w C:\Program Files\Pinnacle

2008-05-08 22:24 --------- d-----w C:\Program Files\IrfanView

2008-05-08 21:53 --------- d-----w C:\Program Files\DC++

2008-05-08 21:46 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-05-08 21:45 --------- d-----w C:\Program Files\ArcSoft

2008-05-08 21:44 --------- d-----w C:\Program Files\Common Files\element5 Shared

2007-12-31 21:35 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe

2007-12-09 20:36 8 --sh--r C:\WINDOWS\system32\71A717C793.sys

2007-12-09 20:57 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]

2007-10-04 22:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-10-04 22:06 1135968]

[HKEY_CLASSES_ROOT\clsid{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]

[HKEY_CLASSES_ROOT\TypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 22:06 1135968]

[HKEY_CLASSES_ROOT\clsid{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]

[HKEY_CLASSES_ROOT\TypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AQQ"="C:\PROGRA~1\WapSter\AQQ\AQQ.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]

"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]

"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-01-30 23:38 949376]

"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 10:45 385024]

"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [2007-02-12 16:22 397312]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.ACDV"= ACDV.dll

"VIDC.YV12"= yv12vfw.dll

"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

"msacm.mpegacm"= mpegacm.acm

"msacm.ulmp3acm"= ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Arek^Menu Start^Programy^Autostart^Adobe Gamma.lnk]

path=C:\Documents and Settings\Arek\Menu Start\Programy\Autostart\Adobe Gamma.lnk

backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Arek^Menu Start^Programy^Autostart^hamachi.lnk]

path=C:\Documents and Settings\Arek\Menu Start\Programy\Autostart\hamachi.lnk

backup=C:\WINDOWS\pss\hamachi.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]

--a------ 2006-07-29 03:48 9887744 D:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2007-09-20 16:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]

D:\Program Files\BitComet\BitComet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]

--a------ 2008-04-01 12:11 288576 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2006-11-12 12:48 157592 D:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

--a------ 2008-03-20 12:04 2127296 D:\Program Files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]

--a------ 2007-09-20 10:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 16:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2007-10-04 18:14 8491008 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2007-10-04 18:14 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-11-15 00:43 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra------ 2007-12-12 16:23 21686568 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

--a------ 2006-04-10 10:19 729088 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

-ra------ 2006-05-01 12:07 843776 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TV Watcher]

--------- 2007-08-23 13:36 1006592 C:\Program Files\TV Watcher\TV Watcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2007-10-10 07:28 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"D:\Program Files\Gadu-Gadu\gg.exe"=

"C:\Program Files\Bonjour\mDNSResponder.exe"=

"D:\Program Files\BearShare\BearShare.exe"=

"D:\Program Files\totalcmd\TOTALCMD.EXE"=

"C:\Program Files\uTorrent\uTorrent.exe"=

"C:\Program Files\DNA\btdna.exe"=

"C:\Program Files\BitTorrent\bittorrent.exe"=

"C:\Program Files\Hamachi\hamachi.exe"=

"D:\Program Files\EA Sports\FIFA 08\FIFA08.exe"=

"C:\Program Files\TVUPlayer\TVUPlayer.exe"=

"C:\Program Files\DC++\DCPlusPlus.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"17018:TCP"= 17018:TCP:BitComet 17018 TCP

"17018:UDP"= 17018:UDP:BitComet 17018 UDP

"1492:TCP"= 1492:TCP:BitComet 1492 TCP

"1492:UDP"= 1492:UDP:BitComet 1492 UDP

"8514:TCP"= 8514:TCP:BitComet 8514 TCP

"8514:UDP"= 8514:UDP:BitComet 8514 UDP

R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 16:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{279a7c47-9742-11dc-bad1-806d6172696f}]

\Shell\AutoRun\command - F:\ASUSACPI.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{eebafb5c-cdde-11dc-96bd-00173185abfc}]

\Shell\AutoRun\command - I:\setupSNK.exe

.

Contents of the 'Scheduled Tasks' folder

"2008-06-20 10:40:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-25 14:36:22

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe

  • C:\Program Files\Eset\pr_imon.dll

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\ATKKBService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

.

**************************************************************************

.

Completion time: 2008-06-25 14:38:38 - machine was rebooted

ComboFix-quarantined-files.txt 2008-06-25 12:38:26

Pre-Run: 21,742,911,488 bajtów wolnych

Post-Run: 21,892,935,680 bajt˘w wolnych

202

HijackThis:

Logfile of HijackThis v1.99.1

Scan saved at 14:28:33, on 2008-06-25

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\ATKKBService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Eset\nod32kui.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\Gadu-Gadu\gg.exe

C:\DOCUME~1\Arek\USTAWI~1\Temp\Katalog tymczasowy 2 dla hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM..\Run: [nwiz] nwiz.exe /install

O4 - HKLM..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot

O4 - HKLM..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU..\Run: [AQQ] C:\PROGRA~1\WapSter\AQQ\AQQ.exe

O4 - HKCU..\Run: [Antivirus] C:\Program Files\Antivirus2008\Antvrs.exe

O8 - Extra context menu item: Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O15 - Trusted Zone: http://www.mks.com.pl

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip..{5C49EA34-820A-4F84-86A5-755FAFFBB4BA}: NameServer = 85.255.116.162,85.255.112.110

O17 - HKLM\System\CCS\Services\Tcpip..{9DCEDCA8-8144-404D-9071-6A41A7ED8E3A}: NameServer = 85.255.116.162,85.255.112.110

O17 - HKLM\System\CCS\Services\Tcpip..{B8B53BEC-E3DE-4141-AC8E-527EC6A58E61}: NameServer = 85.255.116.162,85.255.112.110

O17 - HKLM\System\CCS\Services\Tcpip..{C5F78C5C-A691-4B1D-9A74-CB0FE071CA8A}: NameServer = 85.255.116.162,85.255.112.110

O17 - HKLM\System\CCS\Services\Tcpip..{F92B95E7-1645-4547-BB99-FED2934B9A30}: NameServer = 85.255.116.162,85.255.112.110

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.162 85.255.112.110

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.162 85.255.112.110

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.162 85.255.112.110

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


(Gd1984) #4

ciekaw rozwiazania jestem bo to samo mam od 3 dni na drugim kompie, próbowałem reinstalowac (naprawic) system ale nic to nie zmieniło, czy sa jakies wyjscia bez potrzeby robienia formata???


(huber2t) #5

fix w hijackthis

usuń ręcznie folder C: \Qoobox , usuń instalkę Combofix z dysku.

Przeczyść komputer Ccleanerem

Wykonaj optymalizację autostartu

Wyłącz i włącz przywracanie systemu na wszystkich dyskach. Instrukcja

Przeskanuj obszar mojego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum

lub

Dr.WEB CureIt!


(@ro) #6

Nazwa zainfekowanego obiektu / Nazwa wirusa / Ostatnie działanie

C:\Documents and Settings\All Users\Dane aplikacji\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked pominięty

C:\Documents and Settings\Arek\Cookies\index.dat Object is locked pominięty

C:\Documents and Settings\Arek\Dane aplikacji\Microsoft\Szablony\Normal.dot Object is locked pominięty

C:\Documents and Settings\Arek\Dane aplikacji\Mozilla\Firefox\Profiles\0vqytdos.default\cert8.db Object is locked pominięty

C:\Documents and Settings\Arek\Dane aplikacji\Mozilla\Firefox\Profiles\0vqytdos.default\flashgot.log Object is locked pominięty

C:\Documents and Settings\Arek\Dane aplikacji\Mozilla\Firefox\Profiles\0vqytdos.default\formhistory.dat Object is locked pominięty

C:\Documents and Settings\Arek\Dane aplikacji\Mozilla\Firefox\Profiles\0vqytdos.default\history.dat Object is locked pominięty

C:\Documents and Settings\Arek\Dane aplikacji\Mozilla\Firefox\Profiles\0vqytdos.default\key3.db Object is locked pominięty

C:\Documents and Settings\Arek\Dane aplikacji\Mozilla\Firefox\Profiles\0vqytdos.default\parent.lock Object is locked pominięty

C:\Documents and Settings\Arek\Dane aplikacji\Mozilla\Firefox\Profiles\0vqytdos.default\search.sqlite Object is locked pominięty

C:\Documents and Settings\Arek\Dane aplikacji\Mozilla\Firefox\Profiles\0vqytdos.default\urlclassifier2.sqlite Object is locked pominięty

C:\Documents and Settings\Arek\Dane aplikacji\Thunderbird\Profiles\3y9p486k.default\cert8.db Object is locked pominięty

C:\Documents and Settings\Arek\Dane aplikacji\Thunderbird\Profiles\3y9p486k.default\key3.db Object is locked pominięty

C:\Documents and Settings\Arek\NTUSER.DAT Object is locked pominięty

C:\Documents and Settings\Arek\ntuser.dat.LOG Object is locked pominięty

C:\Documents and Settings\Arek\Pulpit\II runda DMP.doc Object is locked pominięty

C:\Documents and Settings\Arek\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked pominięty

C:\Documents and Settings\Arek\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty

C:\Documents and Settings\Arek\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\0vqytdos.default\Cache_CACHE_001_ Object is locked pominięty

C:\Documents and Settings\Arek\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\0vqytdos.default\Cache_CACHE_002_ Object is locked pominięty

C:\Documents and Settings\Arek\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\0vqytdos.default\Cache_CACHE_003_ Object is locked pominięty

C:\Documents and Settings\Arek\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\0vqytdos.default\Cache_CACHE_MAP_ Object is locked pominięty

C:\Documents and Settings\Arek\Ustawienia lokalne\Historia\History.IE5\index.dat Object is locked pominięty

C:\Documents and Settings\Arek\Ustawienia lokalne\Temp\~DFE335.tmp Object is locked pominięty

C:\Documents and Settings\Arek\Ustawienia lokalne\Temp\~DFE636.tmp Object is locked pominięty

C:\Documents and Settings\Arek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat Object is locked pominięty

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked pominięty

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked pominięty

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked pominięty

C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked pominięty

C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty

C:\Documents and Settings\LocalService\Ustawienia lokalne\Historia\History.IE5\index.dat Object is locked pominięty

C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat Object is locked pominięty

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked pominięty

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked pominięty

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked pominięty

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked pominięty

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Historia\History.IE5\index.dat Object is locked pominięty

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat Object is locked pominięty

C:\Program Files\Eset\cache\CACHE.NDB Object is locked pominięty

C:\Program Files\Eset\infected\12JA05AA.NQF Zainfekowanych: Trojan-Downloader.Win32.FraudLoad.akv pominięty

C:\Program Files\Eset\infected\E04NLWCA.NQF Zainfekowanych: not-a-virus:AdTool.Win32.Zango.am pominięty

C:\Program Files\Eset\infected\P1ITZSBA.NQF/crack.exe Zainfekowanych: Trojan-Downloader.Win32.Agent.qyb pominięty

C:\Program Files\Eset\infected\P1ITZSBA.NQF/keygen.exe Zainfekowanych: Trojan-Downloader.Win32.Small.ury pominięty

C:\Program Files\Eset\infected\P1ITZSBA.NQF RAR: zainfekowany - 2 pominięty

C:\Program Files\Eset\infected\P1ITZSBA.NQF PE-Crypt.XorPE: zainfekowany - 2 pominięty

C:\Program Files\Eset\infected\XVYTBUCA.NQF Zainfekowanych: Trojan-Downloader.Win32.FraudLoad.akv pominięty

C:\Program Files\Eset\logs\virlog.dat Object is locked pominięty

C:\Program Files\Eset\logs\warnlog.dat Object is locked pominięty

C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked pominięty

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty

C:\System Volume Information_restore{6433F358-0AD1-4A73-80EC-955EB30B6927}\RP248\A0079002.exe Zainfekowanych: Trojan-Downloader.Win32.FraudLoad.auw pominięty

C:\System Volume Information_restore{6433F358-0AD1-4A73-80EC-955EB30B6927}\RP250\A0079102.exe Zainfekowanych: Trojan-Downloader.Win32.FraudLoad.auw pominięty

C:\System Volume Information_restore{6433F358-0AD1-4A73-80EC-955EB30B6927}\RP250\A0079108.exe Zainfekowanych: Trojan.Win32.Monder.gen pominięty

C:\System Volume Information_restore{6433F358-0AD1-4A73-80EC-955EB30B6927}\RP250\change.log Object is locked pominięty

C:\WINDOWS\Debug\PASSWD.LOG Object is locked pominięty

C:\WINDOWS\SchedLgU.Txt Object is locked pominięty

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked pominięty

C:\WINDOWS\Sti_Trace.log Object is locked pominięty

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked pominięty

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked pominięty

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked pominięty

C:\WINDOWS\system32\config\default Object is locked pominięty

C:\WINDOWS\system32\config\default.LOG Object is locked pominięty

C:\WINDOWS\system32\config\SAM Object is locked pominięty

C:\WINDOWS\system32\config\SAM.LOG Object is locked pominięty

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked pominięty

C:\WINDOWS\system32\config\SECURITY Object is locked pominięty

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked pominięty

C:\WINDOWS\system32\config\software Object is locked pominięty

C:\WINDOWS\system32\config\software.LOG Object is locked pominięty

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked pominięty

C:\WINDOWS\system32\config\system Object is locked pominięty

C:\WINDOWS\system32\config\system.LOG Object is locked pominięty

C:\WINDOWS\system32\drivers\sptd.sys Object is locked pominięty

C:\WINDOWS\system32\h323log.txt Object is locked pominięty

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked pominięty

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked pominięty

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked pominięty

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked pominięty

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked pominięty

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked pominięty

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked pominięty

C:\WINDOWS\wiadebug.log Object is locked pominięty

C:\WINDOWS\wiaservc.log Object is locked pominięty

C:\WINDOWS\WindowsUpdate.log Object is locked pominięty

D:\My Downloads\El Inolvidable Simon Birch Spanish www Elite net por GammaRay .avi Object is locked pominięty

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked pominięty

D:\System Volume Information_restore{6433F358-0AD1-4A73-80EC-955EB30B6927}\RP250\change.log Object is locked pominięty

E:\48294c305d4d04da21\SP2GDR\gdi32.dll Object is locked pominięty

E:\48294c305d4d04da21\SP2GDR\mf3216.dll Object is locked pominięty

E:\48294c305d4d04da21\SP2GDR\user32.dll Object is locked pominięty

E:\48294c305d4d04da21\SP2GDR\win32k.sys Object is locked pominięty

E:\48294c305d4d04da21\SP2QFE\gdi32.dll Object is locked pominięty

E:\48294c305d4d04da21\SP2QFE\mf3216.dll Object is locked pominięty

E:\48294c305d4d04da21\SP2QFE\user32.dll Object is locked pominięty

E:\48294c305d4d04da21\SP2QFE\win32k.sys Object is locked pominięty

E:\48294c305d4d04da21\spmsg.dll Object is locked pominięty

E:\48294c305d4d04da21\spuninst.exe Object is locked pominięty

E:\48294c305d4d04da21\update\branches.inf Object is locked pominięty

E:\48294c305d4d04da21\update\KB925902.CAT Object is locked pominięty

E:\48294c305d4d04da21\update\spcustom.dll Object is locked pominięty

E:\48294c305d4d04da21\update\update.exe Object is locked pominięty

E:\48294c305d4d04da21\update\update.ver Object is locked pominięty

E:\48294c305d4d04da21\update\updatebr.inf Object is locked pominięty

E:\48294c305d4d04da21\update\update_SP2GDR.inf Object is locked pominięty

E:\48294c305d4d04da21\update\update_SP2QFE.inf Object is locked pominięty

E:\48294c305d4d04da21\update\updspapi.dll Object is locked pominięty


(huber2t) #7

Usuń wszystkie pliki z tego folderu:

Wyłącz i Włącz przywracanie systemu na wszystkich dyskach. Instrukcja

Powinno byc ok