ciaper79
(ciaper79)
22 May 2007 14:03
#1
Hello,
I have Avast and for about a week now I keep getting a message that there is some trojan dialer and that it is blocking it, so it does not get onto my computer, but it is annoying that the alarm pops up every 10 minutes.
Parasite name: Win32:Dialer-Bn[Trj]
File: http://gameglobin.info/g.php?wmid=bg002 [VPX]
I scanned with malware removal programs and nothing was found...
Please check the log - thanks in advance.
Logfile of HijackThis v1.99.1
Scan saved at 15:59:49, on 2007-05-22
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\uTorrent\utorrent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Monia\USTAWI~1\Temp\Rar$EX00.344\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Steganos Internet Anonym - {00000000-5736-4205-0008-781cd0e19f00} - c:\program files\steganos internet anonym pro 7\siapro7iep.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemplat … kurity.cab
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFA5B28A-26C1-42E4-A9BA-15CE710D7173}: NameServer = 163.192.111.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: winetn32 - C:\WINDOWS\SYSTEM32\winetn32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe" /Service (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
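Added example, not from this thread or from HijackThis itself: a small Python triage of HijackThis-format lines that flags the entry kinds the helpers in this thread look at first (O20 Winlogon Notify DLLs, O23 services whose binary is missing, O17 NameServer overrides). The sample lines are constructed after the shape of the log above; the severity levels are this example's own convention.

```python
"""Triage helper for HijackThis (v1.99-style) log lines.

Parses "Oxx - ..." / "Rx - ..." entry lines and applies the rules of thumb
malware-removal helpers use on them. Severity labels are an assumption of
this example, not something HijackThis produces.
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FILE_MISSING = "(file missing)"

# Constructed sample: a handful of lines in the format of the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFA5B28A-26C1-42E4-A9BA-15CE710D7173}: NameServer = 163.192.111.1
O20 - Winlogon Notify: winetn32 - C:\WINDOWS\SYSTEM32\winetn32.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    kind: str       # HijackThis entry kind, e.g. "O20"
    severity: str   # "high", "medium" or "info" (this example's convention)
    subject: str    # path, IP address or service name the finding is about
    reason: str


def parse_entries(text):
    """Yield (kind, body) for each entry line; header and process lines are skipped."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body")


def triage_entry(kind, body):
    """Apply one rule of thumb to a single entry; return a Finding or None."""
    if kind == "O20" and body.startswith("Winlogon Notify:"):
        # A DLL registered under Winlogon\Notify is loaded into winlogon.exe at
        # logon, which is why it cannot simply be deleted while Windows is up
        # and why a random-looking name in system32 is reviewed first.
        path = body.rsplit(" - ", 1)[-1]
        return Finding(kind, "high", path,
                       "Winlogon Notify DLL loaded by winlogon.exe; verify its origin")
    if kind == "O23" and body.startswith("Service: ") and body.endswith(FILE_MISSING):
        # Service registration whose binary is not on disk: an orphaned entry,
        # usually an incomplete uninstall, sometimes a removed malware component.
        name = body[len("Service: "):].split(" - ")[0]
        return Finding(kind, "medium", name,
                       "service binary missing on disk; orphaned registration")
    if kind == "O17":
        # A per-interface NameServer override; the user should confirm the
        # address really belongs to their ISP or router.
        ip = IPV4_RE.search(body)
        if ip:
            return Finding(kind, "medium", ip.group(1),
                           "NameServer override; confirm this DNS server is expected")
    return None


def triage_log(text):
    """Return all findings for a log, highest severity first (stable order otherwise)."""
    order = {"high": 0, "medium": 1, "info": 2}
    findings = [f for f in (triage_entry(k, b) for k, b in parse_entries(text)) if f]
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind}: {f.subject} -- {f.reason}")
```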
Joan
(Joan Sunshine)
22 May 2007 14:37
#2
Delete the file marked in red manually from the disk in safe mode, and remove the entry with HJT.
Post new HijackThis + SilentRunners logs.
ciaper79
(ciaper79)
22 May 2007 15:05
#3
Unfortunately I can't delete that file manually, because the standard access-denied message pops up, saying the file is in use or something like that...
As for the HijackThis entry, I delete it, but it is right back again.
Krzychuu
(Krzychuu)
22 May 2007 15:09
#4
ciaper79, are you sure you are doing it in safe mode?
ciaper79
(ciaper79)
22 May 2007 15:11
#5
Oh, definitely.
I restarted the computer, pressed F8 and chose "Safe Mode" at the very top.
ciaper79
(ciaper79)
22 May 2007 16:05
#7
I ran ComboFix.
I got 2 text files:
1. ComboFix
2. ComboFix-quarantined-files
Here they are:
"Monia" - 2007-05-22 17:55:04    Dodatek Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Monia\Pulpit\Free Download Manager"

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\winetn32.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\hosts
C:\WINDOWS\services.exe
C:\WINDOWS\system32.dll

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_GB
-------\nm

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-22 ))))))))))))))))))))))))))))))))))

2007-05-18 15:38
2007-05-17 16:39
2007-05-07 22:06
2007-05-07 22:04
2007-05-07 21:56
2007-05-07 21:54
2007-05-07 21:53
2007-05-06 19:37
2007-04-30 18:27
2007-04-30 18:27
2007-04-23 14:15
2007-04-23 14:15
2007-04-22 14:00
2007-04-22 14:00
2007-04-22 13:58    765,952    --a------    C:\WINDOWS\system32\xvidcore.dll
2007-04-22 13:58    73,728     --a------    C:\WINDOWS\system32\dpl100.dll
2007-04-22 13:58    639,066    --a------    C:\WINDOWS\system32\divx.dll
2007-04-22 13:58    3,596,288  --a------    C:\WINDOWS\system32\qt-dx331.dll
2007-04-22 13:58    217,088    --a------    C:\WINDOWS\system32\yv12vfw.dll
2007-04-22 13:58    200,704    --a------    C:\WINDOWS\system32\ssldivx.dll
2007-04-22 13:58    196,608    --a------    C:\WINDOWS\system32\dtu100.dll
2007-04-22 13:58    180,224    --a------    C:\WINDOWS\system32\xvidvfw.dll
2007-04-22 13:58    10,752     --a------    C:\WINDOWS\system32\ff_vfw.dll
2007-04-22 13:58    1,044,480  --a------    C:\WINDOWS\system32\libdivx.dll
2007-04-22 13:58
2007-04-22 13:58
2007-04-22 13:58
2007-04-22 10:27
2007-04-22 10:27

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2060-08-18 17:02:22    1,496,064    ----a-w    C:\WINDOWS\system32\Cc3250mt.dll
2060-08-18 16:40:44    909,824      ----a-w    C:\WINDOWS\system32\Cp3245mt.dll
2060-08-18 16:40:44    24,064       ----a-w    C:\WINDOWS\system32\Borlndmm.dll
2007-05-20 12:57:58    --------     d-----w    C:\DOCUME~1\Monia\DANEAP~1\Skype
2007-05-16 15:32:14    --------     d-----w    C:\Program Files\Common Files\KAV Shared Files
2007-05-10 08:03:49    --------     d-----w    C:\Program Files\SpeedFan
2007-05-09 17:10:57    --------     d-----w    C:\DOCUME~1\Monia\DANEAP~1\SopCast
2007-04-30 16:33:44    68,334       ----a-w    C:\WINDOWS\system32\perfc015.dat
2007-04-30 16:33:44    439,194      ----a-w    C:\WINDOWS\system32\perfh015.dat
2007-04-30 16:27:43    --------     d--h--w    C:\Program Files\InstallShield Installation Information
2007-04-30 15:46:10    745,600      ----a-w    C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55    85,952       ----a-w    C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42    94,552       ----a-w    C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41    23,416       ----a-w    C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51    43,176       ----a-w    C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23    26,888       ----a-w    C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28    95,872       ----a-w    C:\WINDOWS\system32\AVASTSS.scr
2007-04-24 15:31:16    --------     d-----w    C:\Program Files\SopCast
2007-04-22 11:56:20    --------     d-----w    C:\Program Files\SubEdit-Player
2007-04-22 11:54:19    --------     d-----w    C:\Program Files\DivX
2007-04-22 11:54:04    --------     d-----w    C:\Program Files\ffdshow
2007-04-22 11:51:27    --------     d-----w    C:\Program Files\Common Files\Real
2007-04-22 11:51:19    --------     d-----w    C:\DOCUME~1\Monia\DANEAP~1\Real
2007-04-17 17:25:30    --------     d-----w    C:\Program Files\Lavalys
2007-04-12 17:21:29    --------     d-----w    C:\Program Files\PITy2006
2007-04-11 15:01:26    --------     d-----w    C:\Program Files\Winamp
2007-04-11 11:53:30    --------     d-----w    C:\Program Files\jv16 PowerTools 2005
2007-04-11 11:37:26    --------     d-----w    C:\Program Files\Norton Utilities
2007-04-11 11:37:22    --------     d-----w    C:\Program Files\Common Files\Symantec Shared
2007-04-11 09:32:34    --------     d-----w    C:\Program Files\Skype
2007-04-11 09:28:20    --------     d-----w    C:\Program Files\Gadu-Gadu

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 00:47]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{CC59E0F9-7E43-44FA-9FAA-8377850BF205}=C:\Program Files\Free Download Manager\iefdmcks.dll [2006-08-20 19:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 17:42]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 09:44]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SIAPRO7"="C:\Program Files\Steganos Internet Anonym Pro 7\SIAPRO7.exe" -firstboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 16:13]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^AutoCAD Startup Accelerator.lnk]
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^GStartup.lnk]
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Kodak software updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Norton System Doctor.lnk]
backup=C:\WINDOWS\pss\Norton System Doctor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Przyspieszenie uruchomienia programu AutoCAD.lnk]
backup=C:\WINDOWS\pss\Przyspieszenie uruchomienia programu AutoCAD.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Monia^Menu Start^Programy^Autostart^Power Project.lnk]
backup=C:\WINDOWS\pss\Power Project.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AQ3HelperStartUp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVPCC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firebird]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchList]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
"C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outpost Firewall]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OutpostFeedBack]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Show missed alarms]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIAPRO7]
"C:\Program Files\Steganos Internet Anonym Pro 7\SIAPRO7.exe" -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
C:\WINDOWS\system32\spoolsvv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\taskdir]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows AdControl]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\µTorrent]
"C:\Program Files\uTorrent\utorrent.exe"

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-22 17:58:08
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

********************************************************************

Completion time: 2007-05-22 17:59:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-22 17:59

--- E O F ---
Posts merged: 22.05.2007 (Tue) 18:06
Gutek
(Gutek)
22 May 2007 16:17
#8
Use Pocket Killbox. Tick the Delete on Reboot option and paste this path into the Full Path of File to Delete field:
C:\WINDOWS\system32\spoolsvv.exe
and press the red X. The program will ask to reset the computer... so you reset.
Open Notepad and paste this into it:
File >>> Save As >>> change the extension from TXT to All Files >>> save it under the name FIX.REG >>> double-click the file you made and confirm >>> reset the computer
ciaper79
(ciaper79)
22 May 2007 16:22
#9
I'll do that in a moment. And what did ComboFix put into some quarantine? Doesn't that need to be removed? And what about the file Joan told me to delete??
...
Done, but after I pressed the red X a countdown to a system restart started, and then an error popped up - the message "PendingFileRenameOperations Registry Data has been Removed by External Process!" - and the computer did not restart on its own, so I don't know whether the file was removed.
Gutek
(Gutek)
22 May 2007 16:29
#10
It has been neutralized.
You can delete the folder C:\QOOBOX
ciaper79
(ciaper79)
22 May 2007 16:33
#11
So I don't know whether I can carry on with what you wrote - i.e. typing that command in Notepad...
Gutek
(Gutek)
22 May 2007 16:48
#14
Download The Avenger. Unpack => run => tick the Input script manually option => click the magnifying glass => in the window that opens, paste:
click the Done key => now click the green light => some information should appear, click OK (restart now).
ciaper79
(ciaper79)
22 May 2007 16:56
#15
Here is the file created by The Avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gkasawih

*******************

Script file located at: \??\C:\fqqtvvka.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\spoolsvv.exe not found!
Deletion of file C:\WINDOWS\system32\spoolsvv.exe failed!
Could not process line:
C:\WINDOWS\system32\spoolsvv.exe
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Gutek
(Gutek)
22 May 2007 17:02
#16
And as a check, post a ComboFix log; it should be OK.
ciaper79
(ciaper79)
22 May 2007 17:17
#17
"Monia" - 2007-05-22 19:11:08    Dodatek Service Pack 2
ComboFix 07-05.21.6.V - Running from: "E:\Instalki\Do usuwania gówien"

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-22 ))))))))))))))))))))))))))))))))))

2007-05-22 18:53
2007-05-22 17:59    49,152     --a------    C:\WINDOWS\nircmd.exe
2007-05-18 15:38
2007-05-17 16:39
2007-05-07 22:06
2007-05-07 22:04
2007-05-07 21:56
2007-05-07 21:54
2007-05-07 21:53
2007-05-06 19:37
2007-04-30 18:27
2007-04-30 18:27
2007-04-23 14:15
2007-04-23 14:15
2007-04-22 14:00
2007-04-22 14:00
2007-04-22 13:58    765,952    --a------    C:\WINDOWS\system32\xvidcore.dll
2007-04-22 13:58    73,728     --a------    C:\WINDOWS\system32\dpl100.dll
2007-04-22 13:58    639,066    --a------    C:\WINDOWS\system32\divx.dll
2007-04-22 13:58    3,596,288  --a------    C:\WINDOWS\system32\qt-dx331.dll
2007-04-22 13:58    217,088    --a------    C:\WINDOWS\system32\yv12vfw.dll
2007-04-22 13:58    200,704    --a------    C:\WINDOWS\system32\ssldivx.dll
2007-04-22 13:58    196,608    --a------    C:\WINDOWS\system32\dtu100.dll
2007-04-22 13:58    180,224    --a------    C:\WINDOWS\system32\xvidvfw.dll
2007-04-22 13:58    10,752     --a------    C:\WINDOWS\system32\ff_vfw.dll
2007-04-22 13:58    1,044,480  --a------    C:\WINDOWS\system32\libdivx.dll
2007-04-22 13:58
2007-04-22 13:58
2007-04-22 13:58
2007-04-22 10:27
2007-04-22 10:27

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2060-08-18 17:02:22    1,496,064    ----a-w    C:\WINDOWS\system32\Cc3250mt.dll
2060-08-18 16:40:44    909,824      ----a-w    C:\WINDOWS\system32\Cp3245mt.dll
2060-08-18 16:40:44    24,064       ----a-w    C:\WINDOWS\system32\Borlndmm.dll
2007-05-20 12:57:58    --------     d-----w    C:\DOCUME~1\Monia\DANEAP~1\Skype
2007-05-16 15:32:14    --------     d-----w    C:\Program Files\Common Files\KAV Shared Files
2007-05-10 08:03:49    --------     d-----w    C:\Program Files\SpeedFan
2007-05-09 17:10:57    --------     d-----w    C:\DOCUME~1\Monia\DANEAP~1\SopCast
2007-04-30 16:33:44    68,334       ----a-w    C:\WINDOWS\system32\perfc015.dat
2007-04-30 16:33:44    439,194      ----a-w    C:\WINDOWS\system32\perfh015.dat
2007-04-30 16:27:43    --------     d--h--w    C:\Program Files\InstallShield Installation Information
2007-04-30 15:46:10    745,600      ----a-w    C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55    85,952       ----a-w    C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42    94,552       ----a-w    C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41    23,416       ----a-w    C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51    43,176       ----a-w    C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23    26,888       ----a-w    C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28    95,872       ----a-w    C:\WINDOWS\system32\AVASTSS.scr
2007-04-24 15:31:16    --------     d-----w    C:\Program Files\SopCast
2007-04-22 11:56:20    --------     d-----w    C:\Program Files\SubEdit-Player
2007-04-22 11:54:19    --------     d-----w    C:\Program Files\DivX
2007-04-22 11:54:04    --------     d-----w    C:\Program Files\ffdshow
2007-04-22 11:51:27    --------     d-----w    C:\Program Files\Common Files\Real
2007-04-22 11:51:19    --------     d-----w    C:\DOCUME~1\Monia\DANEAP~1\Real
2007-04-17 17:25:30    --------     d-----w    C:\Program Files\Lavalys
2007-04-12 17:21:29    --------     d-----w    C:\Program Files\PITy2006
2007-04-11 15:01:26    --------     d-----w    C:\Program Files\Winamp
2007-04-11 11:53:30    --------     d-----w    C:\Program Files\jv16 PowerTools 2005
2007-04-11 11:37:26    --------     d-----w    C:\Program Files\Norton Utilities
2007-04-11 11:37:22    --------     d-----w    C:\Program Files\Common Files\Symantec Shared
2007-04-11 09:32:34    --------     d-----w    C:\Program Files\Skype
2007-04-11 09:28:20    --------     d-----w    C:\Program Files\Gadu-Gadu

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 00:47]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{CC59E0F9-7E43-44FA-9FAA-8377850BF205}=C:\Program Files\Free Download Manager\iefdmcks.dll [2006-08-20 19:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 17:42]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SIAPRO7"="C:\Program Files\Steganos Internet Anonym Pro 7\SIAPRO7.exe" -firstboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 16:13]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^AutoCAD Startup Accelerator.lnk]
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^GStartup.lnk]
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Kodak software updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Norton System Doctor.lnk]
backup=C:\WINDOWS\pss\Norton System Doctor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Przyspieszenie uruchomienia programu AutoCAD.lnk]
backup=C:\WINDOWS\pss\Przyspieszenie uruchomienia programu AutoCAD.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Monia^Menu Start^Programy^Autostart^Power Project.lnk]
backup=C:\WINDOWS\pss\Power Project.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AQ3HelperStartUp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVPCC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firebird]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchList]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
"C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outpost Firewall]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OutpostFeedBack]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Show missed alarms]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIAPRO7]
"C:\Program Files\Steganos Internet Anonym Pro 7\SIAPRO7.exe" -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\taskdir]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows AdControl]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\µTorrent]
"C:\Program Files\uTorrent\utorrent.exe"

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-22 19:12:33
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

********************************************************************

Completion time: 2007-05-22 19:12:57
C:\ComboFix-quarantined-files.txt ... 2007-05-22 17:59
C:\ComboFix2.txt ... 2007-05-22 18:41
C:\ComboFix3.txt ... 2007-05-22 17:59

--- E O F ---
And by the way:
ComboFix seems to change something in the registry, because e.g. an IE shortcut appears on the desktop and disappears from the quick launch bar. And the Windows firewall blocks all applications all over again.
And the most annoying thing for me - when you hover over an icon, a yellow balloon with help or something like that pops up...
How do I turn that off?
Gutek
(Gutek)
22 May 2007 17:45
#18
ciaper79
(ciaper79)
22 May 2007 17:51
#19
And as for the last ComboFix log - is everything OK?