Infekcja z pen drive - trojany

efcia · 19 Listopad 2007 22:39

witam, wątek mój sobie spadł na drugą stronę… więc znów wkleje loga moze go ktoś przejrzy…

wczoraj miałam znajomy mnie poczęstował pen drive z trojanem…

Logfile of HijackThis v1.99.1 Scan saved at 23:36:02, on 2007-11-19 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Microsoft SQL Server\MSSQL$INSERTGT\Binn\sqlservr.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\System32\svchost.exe C:\PROGRAM FILES\COMMON FILES\YDP\USERACCESSMANAGER\useraccess.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\WINDOWS\system32\WgaTray.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\Program Files\Nikon\NkView6\NkvMon.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\WINDOWS\explorer.exe C:\Program Files\InsERT\InsERT GT\Rachmistrz.exe C:\Program Files\Tlen.pl\Tlen.exe C:\PROGRA~1\WinZip\winzip32.exe C:\DOCUME~1\Ewa\USTAWI~1\Temp\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [statusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto O4 - HKLM…\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe O4 - HKCU…\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {37A49D66-2735-4BB9-8503-82BA5E2333D0} (MailCfg Control) - http://poczta.wp.pl/2/mailcfg.ocx O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://bezpieczenstwo.onet.pl/skaner/ArcaOnline.cab O16 - DPF: {5AE70FF8-20A7-4FC4-B896-404196B8B04C} (Smtpauth Control) - http://i.wp.pl/a/i/poczta_xl/smtpauth.ocx O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc … oscan8.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru … ebscan.cab O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{736C4FC8-D2D5-4893-A242-F9C960555898}: NameServer = 194.204.159.1 217.98.63.164 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Securom User Access for Windows 2000 and Windows XP a technology by Sony DADC (UserAccess) - Unknown owner - C:\PROGRAM FILES\COMMON FILES\YDP\USERACCESSMANAGER\useraccess.exe

Złączono Posta : 19.11.2007 (Pon) 23:42

ComboFix 07-11-08.1 - Ewa 2006-11-19 19:23:57.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.412 [GMT 1:00] Running from: D:\Moje dokumenty\Programy\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ---- Previous Run ------- . C:\Documents and Settings\Ewa\Dane aplikacji\Install.dat . ((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 ))))))))))))))))))))))))))))))) . 2007-11-19 11:01 2007-11-19 00:00 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-10-22 17:49 2007-10-10 12:29 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-19 11:39 --------- d-----w C:\Documents and Settings\Ewa\Dane aplikacji\Tlen.pl 2007-11-19 11:02 --------- d-----w C:\Program Files\Google 2007-11-19 10:37 --------- d-----w C:\Program Files\Gadu-Gadu 2007-11-18 19:18 --------- d-----w C:\Program Files\Puzzle 2007-10-25 16:57 8,483,328 ------w C:\WINDOWS\system32\dllcache\shell32.dll 2007-10-12 11:58 --------- d-----w C:\Program Files\Tlen.pl 2007-09-24 09:50 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\InsERT 2007-08-22 13:19 96,768 ------w C:\WINDOWS\system32\dllcache\inseng.dll 2007-08-22 13:19 661,504 ------w C:\WINDOWS\system32\dllcache\wininet.dll 2007-08-22 13:19 616,448 ------w C:\WINDOWS\system32\dllcache\urlmon.dll 2007-08-22 13:19 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll 2007-08-22 13:19 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll 2007-08-22 13:19 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll 2007-08-22 13:19 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll 2007-08-22 13:19 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll 2007-08-22 13:19 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll 2007-08-22 13:19 3,079,168 ------w C:\WINDOWS\system32\dllcache\mshtml.dll 2007-08-22 13:19 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll 2007-08-22 13:19 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll 2007-08-22 13:19 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll 2007-08-22 13:19 151,552 ------w C:\WINDOWS\system32\dllcache\cdfview.dll 2007-08-22 13:19 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll 2007-08-22 13:19 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll 2007-08-22 13:19 1,055,744 ------w C:\WINDOWS\system32\dllcache\danim.dll 2007-08-22 13:19 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll 2007-08-21 10:30 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe 2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-08-21 06:18 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll 2007-04-15 21:24 217 ------w C:\Documents and Settings\Ewa\FIX.REG 2005-06-01 16:54 36,352 ------w C:\Documents and Settings\Ewa\Dane aplikacji\GDIPFONTCACHEV1.DAT 2005-05-26 20:40 226,584 ------w C:\Program Files\jre-1_5_0_02-windows-i586-p-iftw.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SoundMan”=“SOUNDMAN.EXE” [2002-09-11 02:57 C:\WINDOWS\SOUNDMAN.EXE] “StatusClient”=“C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe” [2002-12-16 15:51] “TomcatStartup”=“C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe” [2003-03-31 18:28] “nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-06-06 08:07] “OrderReminder”=“C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe” [2005-12-21 10:00] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [2004-12-06 18:40] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 23:44] “Odkurzacz-MCD”=“C:\Program Files\Odkurzacz\odk_mcd.exe” [2007-03-02 21:38] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2005-04-25 19:32:58] NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2003-11-06 19:23:38] Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 15:23:32] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\twpkad.sys] @=“Driver” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\twpkbd.sys] @=“Driver” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyTraveler] C:\Documents and Settings\Ewa\Dane aplikacji\MyTraveler\MyTraveler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys R2 AVMPORT;AVMPORT;C:\WINDOWS\system32\drivers\avmport.sys R2 MSSQL$INSERTGT;MSSQL$INSERTGT;C:\Program Files\Microsoft SQL Server\MSSQL$INSERTGT\Binn\sqlservr.exe -sINSERTGT R3 AVMWAN;Sterownik karty AVM NDIS WAN CAPI;C:\WINDOWS\system32\DRIVERS\avmwan.sys R3 fpcibase;Kontroler AVM ISDN-Controller FRITZ!Card PCI;C:\WINDOWS\system32\DRIVERS\fpcibase.sys R3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys R3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS S1 twpkbd;NETLINK mapping;\C:\WINDOWS\system32\twpkbd.sys S3 SQLAgent$INSERTGT;SQLAgent$INSERTGT;C:\Program Files\Microsoft SQL Server\MSSQL$INSERTGT\Binn\sqlagent.EXE -i INSERTGT *Newly Created Service* - KPF4 . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-08 19:29:11 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-08 19:31:33 . — E O F —

JNJN · 20 Listopad 2007 09:12

Proszę zmienić temat postu na konkretny, opcja zmień i popraw.JNJN

system · 20 Listopad 2007 11:00

Zastosuj narzędzie HaxFix w opcji 2.

efcia · 20 Listopad 2007 11:40

zrobiłam zgodnie z opcją nr 2 w haxfix to jest log a dalej z HJ ale sie w nim nic nie zmieniło…?

HAXFIX logfile - by Marckie version 4.57_1 2007-11-20 12:19:05,33 — Auto Haxdoorfix — searching for files: searching for services… service twpkbd found [sWSC] DeleteService SUCCESS — Goldunfix — searching for files: checking iexplore.exe iexplore.exe is not infected searching for SSODLkeys: no SSODLkeys found searching for notifykeys: no notifykeys found searching for services: no services found …rebooting the computer… searching for ssodlkeys not needed searching for notifykeys not needed searching for services service twpkbd not found searching for safeboot services safeboot service twpkad.sys not found safeboot service twpkbd.sys not found searching for files twpkbd.sys exists deleting twpkbd.sys twpkbd.sys has been deleted checking for other files No other files found checking for a3d files ps.a3d deleting a3d files a3d files are deleted — Catchme logfile - thank you Gmer — catchme 0.3.1207.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-20 12:25:35 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden services & system hive … scanning hidden registry entries … [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c] “Order”=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00 scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Finished

Logfile of HijackThis v1.99.1 Scan saved at 12:34:35, on 2007-11-20 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Microsoft SQL Server\MSSQL$INSERTGT\Binn\sqlservr.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\System32\svchost.exe C:\PROGRAM FILES\COMMON FILES\YDP\USERACCESSMANAGER\useraccess.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\WINDOWS\system32\WgaTray.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\Program Files\Nikon\NkView6\NkvMon.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\DOCUME~1\Ewa\USTAWI~1\Temp\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [statusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto O4 - HKLM…\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe O4 - HKCU…\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {37A49D66-2735-4BB9-8503-82BA5E2333D0} (MailCfg Control) - http://poczta.wp.pl/2/mailcfg.ocx O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://bezpieczenstwo.onet.pl/skaner/ArcaOnline.cab O16 - DPF: {5AE70FF8-20A7-4FC4-B896-404196B8B04C} (Smtpauth Control) - http://i.wp.pl/a/i/poczta_xl/smtpauth.ocx O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc … oscan8.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru … ebscan.cab O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{736C4FC8-D2D5-4893-A242-F9C960555898}: NameServer = 194.204.159.1 217.98.63.164 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Securom User Access for Windows 2000 and Windows XP a technology by Sony DADC (UserAccess) - Unknown owner - C:\PROGRAM FILES\COMMON FILES\YDP\USERACCESSMANAGER\useraccess.exe

system · 20 Listopad 2007 12:05

HaxFix usunął plik twpkad.sys Haxdoora.

No cóż HJ nie jest narzędziem doskonałym i poprzednio również nie listował tego pliku. Był on widoczny w ComboFix.

Proszę dać nowy log z ComboFix.

efcia · 20 Listopad 2007 23:23

ComboFix 07-11-08.1 - Ewa 2006-11-21 0:13:56.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.364 [GMT 1:00] Running from: D:\Moje dokumenty\Programy\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 ))))))))))))))))))))))))))))))) . 2007-11-20 12:10 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe 2007-11-20 12:10 53,248 --a------ C:\WINDOWS\system32\process.exe 2007-11-20 12:10 8,925 --a------ C:\clean.bat 2007-11-20 12:10 4,096 --a------ C:\WINDOWS\system32\reboot.exe 2007-11-20 12:10 347 --a------ C:\run2.reg 2007-11-19 11:01 2007-11-19 00:00 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-10-22 17:49 2007-10-10 12:29 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-20 18:42 --------- d-----w C:\Program Files\Puzzle 2007-11-20 11:02 --------- d-----w C:\Documents and Settings\Ewa\Dane aplikacji\Tlen.pl 2007-11-19 11:02 --------- d-----w C:\Program Files\Google 2007-11-19 10:37 --------- d-----w C:\Program Files\Gadu-Gadu 2007-10-25 16:57 8,483,328 ------w C:\WINDOWS\system32\dllcache\shell32.dll 2007-10-12 11:58 --------- d-----w C:\Program Files\Tlen.pl 2007-09-24 09:50 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\InsERT 2007-08-22 13:19 96,768 ------w C:\WINDOWS\system32\dllcache\inseng.dll 2007-08-22 13:19 661,504 ------w C:\WINDOWS\system32\dllcache\wininet.dll 2007-08-22 13:19 616,448 ------w C:\WINDOWS\system32\dllcache\urlmon.dll 2007-08-22 13:19 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll 2007-08-22 13:19 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll 2007-08-22 13:19 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll 2007-08-22 13:19 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll 2007-08-22 13:19 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll 2007-08-22 13:19 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll 2007-08-22 13:19 3,079,168 ------w C:\WINDOWS\system32\dllcache\mshtml.dll 2007-08-22 13:19 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll 2007-08-22 13:19 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll 2007-08-22 13:19 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll 2007-08-22 13:19 151,552 ------w C:\WINDOWS\system32\dllcache\cdfview.dll 2007-08-22 13:19 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll 2007-08-22 13:19 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll 2007-08-22 13:19 1,055,744 ------w C:\WINDOWS\system32\dllcache\danim.dll 2007-08-22 13:19 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll 2007-08-21 10:30 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe 2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-08-21 06:18 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll 2007-04-15 21:24 217 ------w C:\Documents and Settings\Ewa\FIX.REG 2005-06-01 16:54 36,352 ------w C:\Documents and Settings\Ewa\Dane aplikacji\GDIPFONTCACHEV1.DAT 2005-05-26 20:40 226,584 ------w C:\Program Files\jre-1_5_0_02-windows-i586-p-iftw.exe . ((((((((((((((((((((((((((((( snapshot@2007-11-08_19.29.56.98 ))))))))))))))))))))))))))))))))))))))))) . - 2007-10-22 19:43:45 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll + 2007-11-20 07:39:35 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll - 2005-03-01 12:08:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll + 2007-10-25 09:26:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll - 2005-03-01 12:08:52 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll + 2007-10-25 09:26:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll - 2007-10-22 19:43:48 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll + 2007-11-20 07:39:37 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll + 2007-10-25 09:26:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\CONFLICT.1\bdupd.dll + 2007-10-25 09:26:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ipsupd.dll + 2005-11-08 23:26:46 38,400 ----a-w C:\WINDOWS\system32\moveex.exe - 2006-07-08 13:04:06 75,394 ----a-w C:\WINDOWS\system32\perfc009.dat + 2007-11-20 10:30:51 75,394 ----a-w C:\WINDOWS\system32\perfc009.dat - 2006-07-08 13:04:06 92,136 ----a-w C:\WINDOWS\system32\perfc015.dat + 2007-11-20 10:30:52 92,136 ----a-w C:\WINDOWS\system32\perfc015.dat - 2006-07-08 13:04:06 433,034 ----a-w C:\WINDOWS\system32\perfh009.dat + 2007-11-20 10:30:52 433,034 ----a-w C:\WINDOWS\system32\perfh009.dat - 2006-07-08 13:04:06 489,860 ----a-w C:\WINDOWS\system32\perfh015.dat + 2007-11-20 10:30:52 489,860 ----a-w C:\WINDOWS\system32\perfh015.dat + 2007-11-20 11:23:36 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_50c.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SoundMan”=“SOUNDMAN.EXE” [2002-09-11 02:57 C:\WINDOWS\SOUNDMAN.EXE] “StatusClient”=“C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe” [2002-12-16 15:51] “TomcatStartup”=“C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe” [2003-03-31 18:28] “nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-06-06 08:07] “OrderReminder”=“C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe” [2005-12-21 10:00] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [2004-12-06 18:40] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 23:44] “Odkurzacz-MCD”=“C:\Program Files\Odkurzacz\odk_mcd.exe” [2007-03-02 21:38] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2005-04-25 19:32:58] NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2003-11-06 19:23:38] Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 15:23:32] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyTraveler] C:\Documents and Settings\Ewa\Dane aplikacji\MyTraveler\MyTraveler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys R2 AVMPORT;AVMPORT;C:\WINDOWS\system32\drivers\avmport.sys R2 MSSQL$INSERTGT;MSSQL$INSERTGT;C:\Program Files\Microsoft SQL Server\MSSQL$INSERTGT\Binn\sqlservr.exe -sINSERTGT R3 AVMWAN;Sterownik karty AVM NDIS WAN CAPI;C:\WINDOWS\system32\DRIVERS\avmwan.sys R3 fpcibase;Kontroler AVM ISDN-Controller FRITZ!Card PCI;C:\WINDOWS\system32\DRIVERS\fpcibase.sys R3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys R3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS S3 SQLAgent$INSERTGT;SQLAgent$INSERTGT;C:\Program Files\Microsoft SQL Server\MSSQL$INSERTGT\Binn\sqlagent.EXE -i INSERTGT . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-08 00:19:21 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-08 0:21:50 C:\ComboFix2.txt … 2007-11-08 19:31 . — E O F —

Gutek · 21 Listopad 2007 22:01

Powinno być Ok