Problem with a Trojan horse called SDBot!

I have a Trojan horse called SDBot.

Every 5 minutes I get messages like:

message from SECURITY to ALERT

STOP!

Registry Cleaner Recommended!

and further instructions to download Registry Repair, install it and register it, which costs $20

and another one:

message from SECURITY to ALERT

STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.

Windows has found CRITICAL SYSTERM ERRORS.

And the same thing to do.

I scanned it with Avast and an anti-spyware scanner. It detected it and I removed it, but when I connect to the internet these messages still keep popping up!!!

Paste logs > HJT and SilentRunners http://forum.dobreprogramy.pl/viewtopic.php?t=36654 :)

What should I do about this??

Logfile of HijackThis v1.99.1

Scan saved at 12:57:47 PM, on 12/22/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\Explorer.EXE

D:\Progi do Projectu\VirtualCloneDrive\VCDDaemon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\PROGRA~1\NEOSTR~1\neostradatp.exe

C:\PROGRA~1\NEOSTR~1\ComComp.exe

C:\PROGRA~1\NEOSTR~1\Toaster.exe

C:\PROGRA~1\NEOSTR~1\Inactivity.exe

C:\PROGRA~1\NEOSTR~1\PollingModule.exe

C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE

C:\PROGRA~1\NEOSTR~1\Watch.exe

D:\Tlen.pl\tlen.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.twikibar.com/searchie.php

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0409 … sp?Ext=vhd

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM…\Run: [VirtualCloneDrive] “D:\Progi do Projectu\VirtualCloneDrive\VCDDaemon.exe” /s

O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon

O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe

O4 - HKLM…\Run: [Microsft Security Monitor Process] mssmppp.exe

O4 - HKLM…\Run: [Microsoft Security Monitor Process] mssmp.exe

O4 - HKLM…\Run: [FrameWork 2.5] FrameWork.exe

O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM…\RunServices: [msvcc25] svcchost.exe

O4 - HKLM…\RunServices: [Microsft Security Monitor Process] mssmppp.exe

O4 - HKLM…\RunServices: [Microsoft Security Monitor Process] mssmp.exe

O4 - HKLM…\RunServices: [FrameWork 2.5] FrameWork.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip…{2F744292-B2B2-4BA8-92F9-D57FB3DACF01}: NameServer = 10.0.0.1

O17 - HKLM\System\CCS\Services\Tcpip…{91687B69-3E98-4420-B0BD-258602CE2756}: NameServer = 194.204.152.34 217.98.63.164

O17 - HKLM\System\CS1\Services\Tcpip…{2F744292-B2B2-4BA8-92F9-D57FB3DACF01}: NameServer = 10.0.0.1

O17 - HKLM\System\CS2\Services\Tcpip…{2F744292-B2B2-4BA8-92F9-D57FB3DACF01}: NameServer = 10.0.0.1

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: France Telecom Routing Table Service (FTRTSVC) - Unknown owner - C:\WINDOWS\System32\FTRTSVC.exe (file missing)

O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - D:\Borland\bin\ibguard.exe

O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - D:\Borland\bin\ibserver.exe

O23 - Service: Visibroker Activation Daemon (oad) - Unknown owner - d:\borland\vbroker\bin\oad.exe

O23 - Service: VisiBroker Smart Agent (osagent) - Unknown owner - d:\borland\vbroker\bin\osagent.exe

Use Windows Worms Doors Cleaner and switch the markers from disable to enable (all the markers should be green; if any of them is yellow, leave it). A restart is required after using the tool.

Delete: (you do all of this, of course, in safe mode with System Restore turned off)

Delete the files manually from the disk, and the entries in HijackThis.

Once done, please post a new HijackThis log plus a SilentRunners one.
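As an added example (not from this thread or from HijackThis), a small parser that applies the reviewer's heuristics to O4 entries like those above: a bare filename with no directory, the legacy RunServices key, a misspelled vendor label and a one-character look-alike of a Windows system binary. The sample log lines and the list of system binaries are constructed here.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the HijackThis O4 entries posted above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [VirtualCloneDrive] "D:\\Progi do Projectu\\VirtualCloneDrive\\VCDDaemon.exe" /s
O4 - HKLM\\..\\Run: [Microsft Security Monitor Process] mssmppp.exe
O4 - HKLM\\..\\Run: [Microsoft Security Monitor Process] mssmp.exe
O4 - HKLM\\..\\Run: [FrameWork 2.5] FrameWork.exe
O4 - HKLM\\..\\RunServices: [msvcc25] svcchost.exe
"""

# HijackThis prints "HKLM\..\Run:"; the forum rendering shows "HKLM…\Run:". Both are accepted.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)(?:\\\.\.|…)\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')

# Short, assumed list of system binaries whose names dropped files commonly imitate.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character look-alikes such as svcchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def executable_path(cmd: str) -> str:
    """First token of the command line, honouring quoted paths (straight or typographic quotes)."""
    cmd = cmd.replace("\u201c", '"').replace("\u201d", '"').strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]

def suspicious_reasons(key: str, name: str, cmd: str) -> List[str]:
    """Heuristics a log reviewer applies to one O4 entry; an empty list means nothing stood out."""
    path = executable_path(cmd)
    base = path.rsplit("\\", 1)[-1].lower()
    checks = [
        ("\\" not in path, "bare filename, no directory: found via PATH search, typical of a dropped file"),
        (key.lower() == "runservices", "RunServices is a Windows 9x legacy key, rarely used by legitimate XP software"),
        ("microsft" in name.lower(), "misspelled vendor name in the entry label"),
        (base not in SYSTEM_BINARIES and any(edit_distance(base, s) <= 1 for s in SYSTEM_BINARIES),
         "name is a one-character look-alike of a Windows system binary"),
    ]
    return [msg for hit, msg in checks if hit]

def flag_o4_entries(log: str) -> Dict[str, List[str]]:
    """Map each suspicious O4 command line to the reasons it was flagged."""
    matches = (O4_RE.match(line.strip()) for line in log.splitlines())
    found = {m["cmd"]: suspicious_reasons(m["key"], m["name"], m["cmd"]) for m in matches if m}
    return {cmd: why for cmd, why in found.items() if why}
```

Entries with a full path to a known vendor directory produce no reasons, so only the four unexplained loaders in the sample are reported.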

When I go into Windows Worms Doors Cleaner, all the options are yellow, only Close Messenger is red. I set them to enable and they still stay the same colour. I go into safe mode and I can't find these items on the disk:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.twikibar.com/searchie.php

O4 - HKLM…\Run: [Microsft Security Monitor Process] mssmppp.exe

O4 - HKLM…\Run: [Microsoft Security Monitor Process] mssmp.exe

O4 - HKLM…\Run: [FrameWork 2.5] FrameWork.exe

O4 - HKLM…\RunServices: [msvcc25] svcchost.exe

O4 - HKLM…\RunServices: [Microsft Security Monitor Process] mssmppp.exe

O4 - HKLM…\RunServices: [Microsoft Security Monitor Process] mssmp.exe

O4 - HKLM…\RunServices: [FrameWork 2.5] FrameWork.exe

I only found:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

So what should I do: remove what I found and remove the entries from HijackThis??

Look for the files in c:\windows\system32. Just turn on showing hidden files and folders, because they may be hidden.

Showing hidden files and folders is turned on like this:

My Computer => Tools => Folder Options => View tab => check Show hidden files and folders.

Delete whatever you find and post the logs I asked for.

Well, I did check with hidden files shown and found only what I wrote above.

Merged post: 23.12.2006 (Sat) 12:19

I'll show you the logs in a moment.

Merged post: 23.12.2006 (Sat) 12:52

Logfile of HijackThis v1.99.1

Scan saved at 3:44:19 AM, on 12/23/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\System32\svchost.exe

D:\Progi do Projectu\VirtualCloneDrive\VCDDaemon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0409 … sp?Ext=vhd

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM…\Run: [VirtualCloneDrive] “D:\Progi do Projectu\VirtualCloneDrive\VCDDaemon.exe” /s

O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon

O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe

O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip…{2F744292-B2B2-4BA8-92F9-D57FB3DACF01}: NameServer = 10.0.0.1

O17 - HKLM\System\CS1\Services\Tcpip…{2F744292-B2B2-4BA8-92F9-D57FB3DACF01}: NameServer = 10.0.0.1

O17 - HKLM\System\CS2\Services\Tcpip…{2F744292-B2B2-4BA8-92F9-D57FB3DACF01}: NameServer = 10.0.0.1

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: France Telecom Routing Table Service (FTRTSVC) - Unknown owner - C:\WINDOWS\System32\FTRTSVC.exe (file missing)

O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - D:\Borland\bin\ibguard.exe

O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - D:\Borland\bin\ibserver.exe

O23 - Service: Visibroker Activation Daemon (oad) - Unknown owner - d:\borland\vbroker\bin\oad.exe

O23 - Service: VisiBroker Smart Agent (osagent) - Unknown owner - d:\borland\vbroker\bin\osagent.exe

Merged post: 23.12.2006 (Sat) 12:53

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“TransparentIcons” = “(empty string)” [file not found]

“BlockAds” = “(empty string)” [file not found]

“Tweak-XP” = “(empty string)” [file not found]

“TransTask” = “(empty string)” [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“VirtualCloneDrive” = ““D:\Progi do Projectu\VirtualCloneDrive\VCDDaemon.exe” /s” [“Elaborate Bytes AG”]

“SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”]

“WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”]

“WOOTASKBARICON” = “C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe” [“France Télécom R&D”]

“msvcc25” = “(empty string)” [file not found]

“avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\

{306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided)

\StubPath = ““C:\WINDOWS\System32\rundll32.exe” “C:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “AcroIEHlprObj Class”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Display Panning CPL Extension”

-> {HKLM…CLSID} = “Display Panning CPL Extension”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “HyperTerminal Icon Ext”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

“{E0D79304-84BE-11CE-9641-444553540000}” = “WinZip”

-> {HKLM…CLSID} = “WinZip”

\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

“{E0D79305-84BE-11CE-9641-444553540000}” = “WinZip”

-> {HKLM…CLSID} = “WinZip”

\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

“{E0D79306-84BE-11CE-9641-444553540000}” = “WinZip”

-> {HKLM…CLSID} = “WinZip”

\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

“{E0D79307-84BE-11CE-9641-444553540000}” = “WinZip”

-> {HKLM…CLSID} = “WinZip”

\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

“{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}” = “PowerISO”

-> {HKLM…CLSID} = “PowerISO”

\InProcServer32(Default) = “D:\Progi do Projectu\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”]

“{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler”

-> {HKLM…CLSID} = “Microsoft Office Outlook”

\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler”

-> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”

\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS]

“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS]

“{B7056B8E-4F99-44f8-8CBD-282390FE5428}” = “VirtualCloneDrive”

-> {HKLM…CLSID} = “VirtualCloneDrive Shell Extension”

\InProcServer32(Default) = “D:\Progi do Projectu\VirtualCloneDrive\ElbyVCDShell.dll” [“Elaborate Bytes AG”]

“{472083B0-C522-11CF-8763-00608CC02F24}” = “avast”

-> {HKLM…CLSID} = “avast”

\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

“{7C9D5882-CB4A-4090-96C8-430BFE8B795B}” = “Webroot Spy Sweeper Context Menu Integration”

-> {HKLM…CLSID} = “Webroot Spy Sweeper Context Menu Integration”

\InProcServer32(Default) = “C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll” [“Webroot Software, Inc.”]

HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”

-> {HKLM…CLSID} = “avast”

\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

Merged post: 23.12.2006 (Sat) 12:54

And these messages keep popping up :(

Merged post: 23.12.2006 (Sat) 13:03

Now Avast has found another Trojan: C:\WINDOWS\system32\unmufuou.exe

I removed it too.

Open Notepad and paste this into it:

File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG and run it in safe mode.

You can also scan with http://www.ewido.net/en/.

Once done, please post a new Silent Runners log.