My computer is sending spam


(Sheanheavel) #1

Please help. Here is the ComboFix log:

((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Sheanheavel\Pulpit\Ivan Komarenko - Ta Jedna Noc

c:\documents and settings\Sheanheavel\Recent\Thumbs.db

c:\windows\AppPatch\Custom{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb

c:\windows\system32\_000006_.tmp.dll

c:\windows\system32\crt.dat

c:\windows\system32\cryptnet32.dll

c:\windows\system32\drivers\str.sys

c:\windows\system32\shimg.dll

.

.

((((((((((((((((((((((((( Files created from 2011-04-19 to 2011-05-19 )))))))))))))))))))))))))))))))

.

.

2011-05-18 16:34 . 2011-05-18 16:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-05 18:18 . 2011-05-05 18:18 -------- d-----w- c:\program files\Common Files\Java

2011-04-28 17:45 . 2001-10-26 15:29 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-04-28 17:45 . 2004-08-03 22:44 159232 ----a-w- c:\windows\system32\ptpusd.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Section ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-27 09:38 . 2008-10-27 09:38 95056 ----a-w- c:\program files\DSETUP.dll

2008-10-27 09:37 . 2008-10-27 09:37 1692496 ----a-w- c:\program files\dsetup32.dll

2008-10-27 09:36 . 2008-10-27 09:36 526160 ----a-w- c:\program files\DXSETUP.exe

2004-10-01 14:00 . 2009-02-01 16:25 40960 ----a-w- c:\program files\Uninstall_CDS.exe

2009-03-10 07:30 . 2009-03-10 07:30 5817072 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

2011-04-30 11:54 . 2011-04-18 20:57 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

.

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\bb44941ebc6c98c13a74d1f65de46494\atapi.sys

[7] 2006-03-02 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys

[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys

[-] 2004-08-03 21:59 . !HASH: COULD NOT OPEN FILE !!

[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys

.

((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries and legitimate default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2011-02-01 18:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-04-28 2633976]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-07 323392]

"DrvMon.exe"="c:\windows\system32\DrvMon.exe" [2006-11-01 53248]

"Gadu-Gadu 10"="e:\programy\Gadu-Gadu 10\gg.exe" [2010-07-21 12477024]

"DAEMON Tools Lite"="e:\programy\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

"NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2011-01-31 703360]

"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2010-12-21 1483264]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-03-02 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]

"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-02-24 196709]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 52840]

"ipTray.exe"="c:\program files\Intel\IDU\iptray.exe" [2006-10-16 2205696]

"Remote Console"="c:\syam\system_monitor\agent\winvnc.exe" [2009-02-01 368640]

"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-08 1397760]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"TWCU"="c:\program files\TP-LINK\TWCU\TWCU.exe" [2006-10-17 380928]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-03-02 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-03-02 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-02 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-02 455168]

"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]

"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2008-03-27 660136]

"lxdnamon"="c:\program files\Lexmark 2600 Series\lxdnamon.exe" [2008-03-27 16040]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-12 143360]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-12 172032]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-12 143360]

"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-02 9134080]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

.

c:\documents and settings\Sheanheavel\Menu Start\Programy\Autostart\

Styler.lnk - c:\documents and settings\Sheanheavel\Dane aplikacji\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2009-4-3 15086]

.

c:\documents and settings\All Users\Menu Start\Programy\Autostart\

Kalendarz XP.lnk - c:\program files\Kalendarz XP\Kalendarz.exe [2009-2-1 882176]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"c:\WINDOWS\system32\lxdncoms.exe"=

"c:\Program Files\Lexmark 2600 Series\lxdnamon.exe"=

"c:\Program Files\Lexmark 2600 Series\frun.exe"=

"c:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe"=

"c:\Program Files\Lexmark 2600 Series\lxdnmon.exe"=

"c:\WINDOWS\system32\spool\drivers\w32x86\3\lxdnpswx.exe"=

"c:\WINDOWS\system32\spool\drivers\w32x86\3\lxdntime.exe"=

"c:\WINDOWS\system32\spool\drivers\w32x86\3\lxdnjswx.exe"=

"c:\Program Files\Lexmark 2600 Series\lxdnlscn.exe"=

"c:\WINDOWS\system32\spool\drivers\w32x86\3\lxdnwbgw.exe"=

"c:\Program Files\DNA\btdna.exe"=

"c:\Program Files\Windows Live\Messenger\msnmsgr.exe"=

"c:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"=

"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=

"c:\Program Files\Microsoft Office\Office12\GROOVE.EXE"=

"c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=

"c:\Program Files\Skype\Phone\Skype.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3894:UDP"= 3894:UDP:SyAM-Desktop-Monitor-Agent-3894

"3930:TCP"= 3930:TCP:SyAM-Desktop-Monitor-Web-Server-3930

"5800:TCP"= 5800:TCP:SyAM-Desktop-Monitor-Remote-console-5800

"5900:TCP"= 5900:TCP:SyAM-Desktop-Monitor-Remote-console-5900

.

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2009-02-01 160640]

R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2009-02-01 5248]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2010-12-21 691696]

R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [2009-02-01 21504]

R2 caniodrvr;caniodrvr;c:\syam\system_monitor\agent\drivers\Caniodrvr.sys [2005-08-24 4096]

R2 DMWebSrv;Desktop Monitor Web Server;c:\syam\jetty\DMWebSrv.exe -s c:\syam\jetty\DMWebSrv.conf -- c:\syam\jetty\DMWebSrv.exe -s c:\syam\jetty\DMWebSrv.conf [?]

R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service -- c:\windows\system32\lxdncoms.exe -service [?]

R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [2009-06-28 98984]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]

S2 bdkbkuzjt;bdkbkuzjt;"c:\docume~1\SHEANH~1\USTAWI~1\Temp\DAT239.tmp.exe" --SERVICE -- c:\docume~1\SHEANH~1\USTAWI~1\Temp\DAT239.tmp.exe [?]

S2 SMAgent;Desktop Monitor Agent;c:\syam\system_monitor\agent\smaagent.exe DML 0 -- c:\syam\system_monitor\agent\smaagent.exe DML 0 [?]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service -- c:\windows\system32\GameMon.des -service [?]

S3 PAC207;USB PC CAMERA P227;c:\windows\system32\drivers\PFC027.SYS [2007-09-28 614912]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

.

2011-01-28 c:\windows\Tasks\1-Click Maintenance.job

- e:\programy\tune up\SystemOptimizer.exe [2006-10-05 14:09]

.

2011-04-22 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Sheanheavel.job

- c:\progra~1\NORTON~1\Navw32.exe [2006-02-05 11:13]

.

2011-05-19 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2011-02-01 18:17]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

IE: Add to Google Photos Screensaver - c:\windows\system32\GPhotos.scr/200

IE: Export to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

TCP: {37EE324E-43F3-4828-9048-4B983AD09C74} = 192.168.0.1

FF - ProfilePath - c:\documents and settings\Sheanheavel\Dane aplikacji\Mozilla\Firefox\Profiles\x9ar6yux.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-19 20:25

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs loaded under running processes ---------------------

.

- - - - - - - > 'explorer.exe'(3184)

e:\programy\StylerHelper.dll

c:\windows\system32\msi.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL

c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_pol.nlr

c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\browselc.dll

c:\program files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

c:\program files\Microsoft Office\Office12\1045\GrooveIntlResource.dll

.

------------------------ Other running processes ------------------------

.

c:\program files\Ahead\InCD\InCDsrv.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SNDSrvc.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\windows\system32\acs.exe

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\Intel\IDU\awServ.exe

c:\program files\Wave Systems Corp\Common\DataServer.exe

c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe

c:\syam\jetty\DMWebSrv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Intel\AMT\LMS.exe

c:\windows\system32\lxdncoms.exe

c:\program files\Norton AntiVirus\IWP\NPFMntor.exe

c:\program files\SigmaTel\C-Major Audio\WDM\STacSV.exe

c:\syam\java\bin\java.exe

c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wbem\wmiapsrv.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Lexmark 2600 Series\lxdnMsdMon.exe

c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe

c:\program files\PC Connectivity Solution\ServiceLayer.exe

c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe

c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe

c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe

e:\programy\Styler.exe

c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

c:\program files\Norton AntiVirus\navapsvc.exe

c:\program files\Symantec\LiveUpdate\AUpdate.exe

c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe

c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe

c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe

c:\program files\Messenger\msmsgs.exe

.

**************************************************************************

.

Completion time: 2011-05-19 20:33:17 - the computer was rebooted

ComboFix-quarantined-files.txt 2011-05-19 18:33

.

Pre-Run: 2,312,847,360 bytes free

Post-Run: 3,416,055,808 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /TUTag=PKRNI2 /Kernel=TUKernel.exe

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=PKRNI2-BAK

.

- - End Of File - - E0CF7720E02561406CF54822B72D2D1D
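
Triage of a ComboFix report as code, added here as an example (it is not ComboFix's own code or output, and not the poster's). It applies to report lines the checks a responder makes by eye on the log above: a service whose image lives in a Temp folder or carries a `*.tmp.*` name, a service name that looks machine-generated, the Windows Firewall switched off, Security Center monitoring disabled, and remote-control ports opened globally. The sample lines are copied from the log in post #1; the `REMOTE_CONTROL_PORTS` watchlist and the vowel-ratio threshold in `looks_generated` are assumptions for illustration.

```python
"""Flag indicators in a ComboFix report that warrant a closer look."""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, reason, offending report line)

# Service lines look like:  S2 name;Display Name;c:\path\image.exe [date size]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")          # registry key header
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')       # GloballyOpenPorts entry
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)  # bare file path line

# Assumption: VNC/RDP ports; adjust the watchlist for your own environment.
REMOTE_CONTROL_PORTS = {"3389", "5800", "5900"}

# Constructed sample: lines copied verbatim from the report in post #1.
SAMPLE_LOG = r"""
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\cryptnet32.dll
c:\windows\system32\drivers\str.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"5900:TCP"= 5900:TCP:SyAM-Desktop-Monitor-Remote-console-5900
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2010-12-21 691696]
S2 bdkbkuzjt;bdkbkuzjt;"c:\docume~1\SHEANH~1\USTAWI~1\Temp\DAT239.tmp.exe" --SERVICE -- c:\docume~1\SHEANH~1\USTAWI~1\Temp\DAT239.tmp.exe [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
"""


def image_path(command: str) -> str:
    """Extract the executable path from a ComboFix service command field."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: cut off ComboFix's " [date size]" suffix and any " --" repeat.
    for sep in (" [", " --"):
        idx = command.find(sep)
        if idx > 0:
            command = command[:idx]
    return command.strip()


def looks_generated(name: str) -> bool:
    """Heuristic (assumption): 8+ letters with under 20% vowels, e.g. 'bdkbkuzjt'."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.2


def triage(report: str) -> List[Finding]:
    """Walk the report once and collect (severity, reason, line) findings."""
    findings: List[Finding] = []
    current_key = ""
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:                      # remember which hive/key values belong to
            current_key = key.group(1)
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            _state, name, _display, command = svc.groups()
            path = image_path(command).lower()
            if "\\temp\\" in path:
                findings.append(("high", f"service '{name}' runs from a Temp folder", line))
            if ".tmp." in path:
                findings.append(("high", f"service '{name}' image is a temp-style file", line))
            if looks_generated(name):
                findings.append(("medium", f"service name '{name}' looks machine-generated", line))
            continue
        if line.startswith('"EnableFirewall"=') and line.split("=", 1)[1].strip().startswith("0"):
            findings.append(("high", f"Windows Firewall disabled ({current_key})", line))
            continue
        if line.startswith('"DisableMonitoring"=dword:00000001'):
            findings.append(("medium", f"Security Center monitoring disabled for {current_key}", line))
            continue
        port = PORT_RE.match(line)
        if port and port.group(1) in REMOTE_CONTROL_PORTS:
            findings.append(("low", f"remote-control port {port.group(1)}/{port.group(2)} open to all hosts", line))
            continue
        if PATH_RE.match(line) and ".tmp." in line.lower():
            findings.append(("medium", "temp-style binary under the system directory", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

On the sample it reports seven findings: the bdkbkuzjt service three times (Temp folder, `.tmp.exe` image, generated-looking name), the deleted `_000006_.tmp.dll`, the disabled firewall, the disabled Security Center monitoring for Symantec AntiVirus, and 5900/TCP opened globally. Run it over the whole report to see the rest; the output is a list of things to verify, not a verdict, and legitimate low-level drivers such as sptd.sys are deliberately not flagged by these rules.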

(szymon189) #2

Post the logs from the OTL tool.

In it, set Processes and Modules to All and Standard Registry to Standard, and paste the following into the lower white Custom Scans/Fixes box:

Click Run Scan.

Post the two resulting logs, OTL.txt + Extras.txt.

Paste both logs on wklej.org or wklej.to.


(Borysbors) #3

And how do you know it is sending spam? Describe the situation and the symptoms, not just the log :wink:.


(kamil_w) #4

As a stopgap you could block port 110 on the router or in the firewall. That is the port on which SMTP, the protocol used for sending mail, runs by default.