Conflict with SDFix

Hello. I have a little program on my computer called Ntos.exe. I tried to fix it with HJT, but it comes back at the next scan. It concerns the F2 line. I was advised to run a scan with SDFix in safe mode. And this is where the trouble starts. During the scan some error appears concerning a *.dll program, namely in C:\Progra~1\Symantec, and I don't have such a folder. I have 2 available options: Close and Ignore. After clicking Close the error appears again, about 3 times, and then SDFix doesn't work; after clicking Ignore SDFix hangs right away, just like after clicking Close 3 times. Question: how do I deal with this? I searched the net and there was nothing there.

Well, post that HJT log.

Logfile of HijackThis v1.99.1

Scan saved at 18:47:59, on 2008-02-10

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZONELABS\vsmon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SAGEM WiFi manager\WLANUTL.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\wlasciciel\Pulpit\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM…\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM…\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM…\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM…\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM…\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM…\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM…\Run: [DXDllRegExe] dxdllreg.exe

O4 - HKLM…\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM…\Run: [Onet.pl AutoUpdate] C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe /tsr

O4 - HKLM…\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O17 - HKLM\System\CCS\Services\Tcpip…{4A4B7E8A-76E6-4F7C-9D00-AE7892035B2B}: NameServer = 194.204.159.1

O17 - HKLM\System\CCS\Services\Tcpip…{DFCEB65D-1524-45F2-86DF-7410483CD2FB}: NameServer = 192.168.1.1,194.204.152.34

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

And they told you right, that it should be in safe mode. But tell me: once you are in safe mode, which file do you run in the folder with the installed program (I mean the name and extension)??

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

Fix that entry in HJT.

Download ComboFix viewtopic.php?f=16&t=36654

Paste into Notepad:

Save it as CFScript.txt (save it so that the CFScript.txt icon sits next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon

When asked "1 or 2", type 1 and press ENTER

The removal should start

Then post the log from the removal

@ronino1

I start in safe mode and run Runthis.

@enigma79

I tried the fix, but the registry change only causes the pest to be reinstalled(?).

I'll try to do something about it the way you advise.

@ronino1[2]

It's an MS-DOS batch file (icon of a window with a gear inside).

Did you do as I wrote???

Here you have an exact description of ComboFix viewtopic.php?f=16&t=36654

And here's the log from CF; I think I did everything as you wrote.

ComboFix 08-02.05.3 - wlasciciel 2008-02-10 21:21:59.3 - FAT32 x86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.633 [GMT 1:00]

Running from: C:\Documents and Settings\wlasciciel\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\wlasciciel\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE

C:\WINDOWS\system32\ntos.exe

.

((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))

.

2008-02-10 21:09 . 2004-08-03 22:44 395,776 --a------ C:\kmd.exe

2008-02-10 16:37 . 2008-02-10 16:37

2008-02-10 16:04 . 2008-02-10 16:04

2008-01-15 21:57 . 2008-01-15 21:57

2008-01-15 12:17 . 2008-01-15 12:17

2008-01-15 12:17 . 2008-01-15 12:17

2008-01-15 12:17 . 2006-01-18 14:09 31,744 --a------ C:\WINDOWS\system32\drivers\ZDPSp50a64.sys

2008-01-15 12:17 . 2006-01-18 14:09 29,184 --a------ C:\WINDOWS\system32\drivers\BRGSp50a64.sys

2008-01-15 12:17 . 2006-01-18 14:09 20,608 --a------ C:\WINDOWS\system32\drivers\BRGSp50.sys

2008-01-15 12:17 . 2006-01-18 14:09 17,664 --a------ C:\WINDOWS\system32\drivers\ZDPSp50.sys

2008-01-15 12:16 . 2005-12-22 14:45 493,440 --a------ C:\WINDOWS\system32\drivers\WlanBZ64.SYS

2008-01-15 12:16 . 2005-12-22 14:45 402,432 --a------ C:\WINDOWS\system32\drivers\WlanBZXP.sys

2008-01-14 18:50 . 2008-01-14 18:50

2008-01-11 13:17 . 2008-01-11 13:17

2008-01-11 13:16 . 2008-01-11 13:16

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-10 15:25 2,854,400 ------w C:\WINDOWS\Internet Logs\xDB20.tmp

2008-02-10 15:25 1,318,400 ------w C:\WINDOWS\Internet Logs\xDB21.tmp

2008-01-31 06:20 1,314,816 ------w C:\WINDOWS\Internet Logs\xDB1F.tmp

2008-01-15 20:08 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-01-15 20:07 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe

2008-01-08 15:42 --------- d-----w C:\Program Files\Activision

2008-01-07 20:55 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\MumboJumbo

2008-01-07 20:54 --------- d-----w C:\Program Files\Luxor 3

2008-01-07 20:01 --------- d-----w C:\Program Files\Inca Ball

2008-01-07 19:59 --------- d-----w C:\Program Files\ReflexiveArcade

2008-01-07 08:39 --------- d-----w C:\Program Files\Onet

2008-01-07 08:39 --------- d-----w C:\Documents and Settings\wlasciciel\Dane aplikacji\Onet

2008-01-07 08:39 --------- d-----w C:\Documents and Settings\wlasciciel\Dane aplikacji\MozillaControl

2008-01-07 08:39 --------- d-----w C:\Documents and Settings\wlasciciel\Dane aplikacji\Listonosz

2008-01-07 08:39 --------- d-----w C:\Documents and Settings\wlasciciel\Dane aplikacji\AutoUpdate

2008-01-02 17:47 --------- d-----w C:\Program Files\Electronic Arts

2007-12-29 16:13 540,672 ------w C:\WINDOWS\Internet Logs\xDB1D.tmp

2007-12-29 16:13 1,262,080 ------w C:\WINDOWS\Internet Logs\xDB1E.tmp

2007-12-28 16:48 --------- d-----w C:\Program Files\HP

2007-12-25 14:39 --------- d-----w C:\Program Files\PopCap Games

2007-12-23 17:26 18,836,349 ------w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_12_23_18_24_37_full.dmp.zip

2007-12-22 17:37 --------- d-----w C:\Program Files\Sony Ericsson

2007-12-22 17:37 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Teleca

2007-12-22 17:37 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Sony Ericsson

2007-12-20 19:22 1,225,216 ------w C:\WINDOWS\Internet Logs\xDB1C.tmp

2007-12-20 19:21 22,528 ------w C:\WINDOWS\Internet Logs\xDB1B.tmp

2007-12-20 14:10 573,440 ------w C:\WINDOWS\Internet Logs\xDB1A.tmp

2007-12-18 00:09 21,061,882 ------w C:\WINDOWS\Internet Logs\tvDebug.zip

2007-12-15 19:36 15,360 ------w C:\WINDOWS\Internet Logs\xDB18.tmp

2007-12-15 19:36 1,162,752 ------w C:\WINDOWS\Internet Logs\xDB19.tmp

2007-12-15 19:35 2,260,992 ------w C:\WINDOWS\Internet Logs\xDB16.tmp

2007-12-15 19:34 32,768 ------w C:\WINDOWS\Internet Logs\xDB15.tmp

2007-12-15 17:57 2,260,992 ------w C:\WINDOWS\Internet Logs\xDB17.tmp

2007-12-15 08:05 2,260,992 ------w C:\WINDOWS\Internet Logs\xDB14.tmp

2007-12-15 08:04 688,128 ------w C:\WINDOWS\Internet Logs\xDB13.tmp

2007-12-07 21:18 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe

2007-12-07 19:45 22,328 ----a-w C:\Documents and Settings\wlasciciel\Dane aplikacji\PnkBstrK.sys

2007-12-02 18:11 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll

2007-11-29 07:57 1,458,176 ------w C:\WINDOWS\Internet Logs\xDB12.tmp

2007-11-01 00:45 540,672 ------w C:\WINDOWS\Internet Logs\xDB11.tmp

2007-10-30 14:43 622,592 ------w C:\WINDOWS\Internet Logs\xDBF.tmp

2007-10-30 14:43 2,260,992 ------w C:\WINDOWS\Internet Logs\xDB10.tmp

2007-10-26 13:47 557,056 ------w C:\WINDOWS\Internet Logs\xDBE.tmp

2007-10-25 22:02 540,672 ------w C:\WINDOWS\Internet Logs\xDBC.tmp

2007-10-25 22:02 2,260,992 ------w C:\WINDOWS\Internet Logs\xDBD.tmp

2007-10-20 12:30 770,048 ------w C:\WINDOWS\Internet Logs\xDBA.tmp

2007-10-20 12:29 2,260,992 ------w C:\WINDOWS\Internet Logs\xDBB.tmp

2007-10-07 22:41 301,568 ------w C:\WINDOWS\Internet Logs\xDB9.tmp

2007-09-24 14:31 753,664 ------w C:\WINDOWS\Internet Logs\xDB7.tmp

2007-09-24 14:31 2,260,992 ------w C:\WINDOWS\Internet Logs\xDB8.tmp

2007-09-15 15:17 19,944 ----a-w C:\Documents and Settings\wlasciciel\Dane aplikacji\GDIPFONTCACHEV1.DAT

2007-08-28 08:32 2,260,992 ------w C:\WINDOWS\Internet Logs\xDB6.tmp

2007-08-28 08:32 1,327,104 ------w C:\WINDOWS\Internet Logs\xDB5.tmp

2007-08-15 16:32 2,260,992 ------w C:\WINDOWS\Internet Logs\xDB4.tmp

2007-04-29 20:27 1,392,640 ------w C:\WINDOWS\Internet Logs\xDB3.tmp

2007-04-27 14:47 1,392,640 ------w C:\WINDOWS\Internet Logs\xDB2.tmp

2007-02-24 21:48 18,729,512 ------w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_02_24_17_45_41_full.dmp.zip

2007-02-24 08:13 1,716,736 ------w C:\WINDOWS\Internet Logs\xDB1.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:44 15360]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 11:54 2131392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-12-14 19:26 917504]

"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-23 23:38 968696]

"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-20 20:52 77824]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]

"DXDllRegExe"="dxdllreg.exe" []

"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]

"Onet.pl AutoUpdate"="C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe" []

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 06:03 221184]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]

Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk - C:\Program Files\SAGEM WiFi manager\WLANUTL.exe [2008-01-15 12:17:41 925696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

--a------ 2004-06-16 06:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2006-01-20 20:52 77824 C:\Program Files\QuickTime\qttask.exe

R3 SG762_XP;SAGEM 802.11g XG762 1211B Driver;C:\WINDOWS\system32\DRIVERS\WlanBZXP.sys [2005-12-22 14:45]

S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Lineage II\system\GameGuard\dump_wmimmc.sys []

S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2007-08-12 20:44]

S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2007-08-12 20:44]

S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2007-08-12 20:44]

S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2007-08-12 20:44]

S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2007-08-12 20:44]

S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\system32\ZDCndis5.SYS []

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-10 21:24:16

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

C:\WINDOWS\system32\ntos.exe 557056 bytes

C:\WINDOWS\system32\wsnpoem

scan completed successfully

hidden files: 2

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]

  • C:\Program Files\Eset\pr_imon.dll

.

Completion time: 2008-02-10 21:25:13

ComboFix-quarantined-files.txt 2008-02-10 20:25:10

ComboFix3.txt 2008-02-10 20:00:10

ComboFix2.txt 2008-02-10 20:14:22

Run Avenger http://www.searchengines.pl/Nie-moge-us … 12510.html

Check Input script manually, click the magnifying glass, and paste into the window:

Click Done, click the green light, and confirm the reboot. On restart it may throw a "file not found" error = that is normal.

Clean Temp with ATF Cleaner http://dobreprogramy.pl/index.php?dz=2& … TF+Cleaner