miirage
(Miirage)
10 November 2007 15:31
#1
I formatted the disk. I reinstalled Windows 2000 from scratch, SP4 and the add-ons I know.
On top of that avast! Antivirus, and now I don't know what to do.
Every so often I get a message that Service.exe generated an error, error code 128, and the system will be restarted, or the computer just resets itself.
On top of that, roughly every 30 minutes the antivirus throws up a message about an attack by the trojan Win32-VanBot-DVI; sometimes it removes it, and sometimes not, and then there is nothing left to do but restart.
Below I'm posting a HijackThis log; I hope you can help me.
Logfile of HijackThis v1.99.1 Scan saved at 16:17:30, on 2007-11-10 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINNT\System32\svchost.exe C:\WINNT\System32\nvsvc32.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\setup\avast.setup C:\WINNT\Explorer.EXE C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINNT\system32\RUNDLL32.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\WINNT\system32\internat.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINNT\system32\cmd.exe E:\z c\Gadu-Gadu\gg.exe C:\Documents and Settings\Administrator\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx O4 - HKLM…\Run: [synchronization Manager] mobsync.exe /logon O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit O4 - 
HKLM…\Run: [C-Media Mixer] Mixer.exe /startup O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” O4 - HKLM…\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice O4 - HKCU…\Run: [internat.exe] internat.exe O4 - HKCU…\Run: [Gadu-Gadu] “E:\z c\Gadu-Gadu\gg.exe” /tray O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O17 - HKLM\System\CCS\Services\Tcpip…{E4710E68-3ACA-4993-A4F3-6332368C49B8}: NameServer = 217.30.137.200,217.30.129.149 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
I'm adding a ComboFix log right away as well:
ComboFix 07-11-08.1 - Administrator 2007-11-10 16:47:04.1 - FAT32x86 Microsoft Windows 2000 Professional 5.0.2195.4.1250.1.1045.18.75 [GMT 1:00] Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 ))))))))))))))))))))))))))))))) . 2007-11-10 16:47 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_344.dat 2007-11-10 16:45 51,200 --a------ C:\WINNT\NirCmd.exe 2007-11-10 15:01 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_204.dat 2007-11-10 13:46 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_200.dat 2007-11-10 12:37 2007-11-10 12:37 2007-11-10 11:53 65,540 —hs---- C:\WINNT\system32\Offlce.exe 2007-11-09 19:36 684,377 --a------ C:\WINNT\unins000.exe 2007-11-09 19:36 3,449 --a------ C:\WINNT\unins000.dat 2007-11-09 19:32 2007-11-07 21:26 2007-11-07 21:25 2007-11-06 19:53 2007-11-05 20:48 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_210.dat 2007-11-04 18:51 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_4f0.dat 2007-11-03 18:45 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_318.dat 2007-10-28 17:27 2007-10-28 17:12 2007-10-28 13:37 2007-10-28 13:37 2007-10-28 13:11 2007-10-27 21:25 2007-10-27 21:24 2007-10-27 21:24 2007-10-27 21:24 2007-10-24 20:56 2007-10-24 20:54 2007-10-24 20:53 2007-10-23 22:47 2007-10-23 22:47 1,277 --a------ C:\WINNT\mozver.dat 2007-10-23 20:21 2007-10-23 20:20 2007-10-23 19:41 2007-10-23 19:41 2007-10-23 19:38 0 --a------ C:\WINNT\system32\m01811.exe 2007-10-23 19:37 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_20c.dat 2007-10-23 19:12 6,928 --a------ C:\WINNT\system32\dllcache\msdtc.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2007-10-28 10:30 41,232 ----a-w C:\WINNT\system32\FTP.EXE 2007-10-28 10:30 17,680 ----a-w C:\WINNT\system32\tftp.exe 2007-10-23 18:39 96,048 ----a-w C:\WINNT\system32\sfc.dll 2007-10-23 17:49 --------- d-----w C:\Program Files\Alwil Software 2007-10-23 17:24 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-10-23 17:16 --------- d-----w C:\Program Files\microsoft frontpage 2007-10-23 17:14 271 —h–w C:\Program Files\desktop.ini 2007-10-23 17:14 22,039 —h–w C:\Program Files\folder.htt 2007-10-23 17:12 --------- d-----w C:\Program Files\Accessories 2007-09-06 11:09 801,144 ----a-w C:\WINNT\system32\aswBoot.exe 2007-09-06 11:00 95,608 ----a-w C:\WINNT\system32\AVASTSS.scr 2000-03-20 23:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ----a-w 745,472 2004-02-27 10:03:26 E:\z c\Gadu-Gadu\bak\gg.exe ----a-w 745,472 2004-02-27 10:03:26 E:\z c\Gadu-Gadu\gg.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Synchronization Manager”=“mobsync.exe” [03-06-19 12:05 C:\WINNT\system32\mobsync.exe] “NvCplDaemon”=“C:\WINNT\System32\NvCpl.dll” [05-12-10 03:06] “nwiz”=“nwiz.exe” [05-12-10 03:06 C:\WINNT\system32\nwiz.exe] “NvMediaCenter”=“C:\WINNT\System32\NvMcTray.dll” [05-12-10 03:06] “C-Media Mixer”=“Mixer.exe” [] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [07-09-06 12:06] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [07-09-25 01:11] “Outpost Firewall”=“C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe” [02-02-20 13:50] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “internat.exe”=“internat.exe” [00-03-21 00:00 C:\WINNT\system32\internat.exe] “Gadu-Gadu”=“E:\z c\Gadu-Gadu\gg.exe” [04-02-27 11:03] [HKEY_USERS.default\software\microsoft\windows\currentversion\runonce] “^SetupICWDesktop”=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “internat.exe”=internat.exe “OfficeWord Monitors”=C:\WINNT\system32\Offlce.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeWord Monitors] C:\WINNT\system32\Offlce.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] “s3contrl (32-bit)”=2 (0x2) R1 VFILT;Outpost Firewall Kernel Driver;??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\2000\FILTNT.SYS R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\ADBLOCK.DLL S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\CONTENT.DLL S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\DNSCACHE.DLL S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\FTPFILT.DLL S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\HTMLFILT.DLL S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\HTTPFILT.DLL S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\IMAPFILT.DLL S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\MAILFILT.DLL S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\NNTPFILT.DLL S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\POP3FILT.DLL S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\PROTECT.DLL S4 s3contrl (32-bit);s3contrl (32-bit);“C:\WINNT\VTTray.exe” *Newly Created Service* - CATCHME . 
************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-10 16:50:35 Windows 5.0.2195 Service Pack 4 FAT NTAPI scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-10 16:52:54 . — E O F —
miirage
(Miirage)
11 November 2007 12:41
#3
I did as you instructed; here is the report:
what next…
SDFix: Version 1.114 Run by Administrator on N 2007-11-11 at 13:29 Microsoft Windows 2000 [Wersja 5.00.2195] Running From: C:\SDFix Safe Mode: Checking Services: Name: s3contrl (32-bit) Path: “C:\WINNT\VTTray.exe” s3contrl (32-bit) - Deleted C:\WINNT\system32\Microsoft\backup.ftp Found C:\WINNT\system32\Microsoft\backup.tftp Found Checking files: Genuine: C:\WINNT\system32\Microsoft\backup.ftp C:\WINNT\system32\Microsoft\backup.tftp Dummy: C:\WINNT\system32\ftp.exe C:\WINNT\system32\tftp.exe Files copied to SDFix\Backups Restoring files if backups are found Final Check: Genuine: C:\WINNT\system32\Microsoft\backup.ftp C:\WINNT\system32\Microsoft\backup.tftp C:\WINNT\system32\ftp.exe C:\WINNT\system32\tftp.exe C:\WINNT\system32\dllcache\ftp.exe C:\WINNT\system32\dllcache\tftp.exe Dummy: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Normal Mode: Checking Files: Trojan Files Found: C:\WINNT\system32.exe - Deleted C:\WINNT\SYSTEM32\M01811.EXE - Deleted C:\WINNT\system32.exe - Deleted C:\WINNT\system32\Microsoft\backup.ftp - Deleted C:\WINNT\system32\Microsoft\backup.tftp - Deleted C:\WINNT\VTTray.exe - Deleted Removing Temp Files… ADS Check: C:\WINNT No streams found. C:\WINNT\system32 No streams found. C:\WINNT\system32\svchost.exe No streams found. C:\WINNT\system32\ntoskrnl.exe No streams found. 
Final Check: catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-11 13:34:15 Windows 5.0.2195 Service Pack 4 FAT NTAPI scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services: ------------------ Remaining Files: --------------- File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes: Mon 22 Oct 2007 577,024 A.SHR — “C:\WINNT\m81857.exe” Mon 29 Oct 2007 577,024 A.SHR — “C:\WINNT\m31475.exe” Mon 29 Oct 2007 577,024 A.SHR — “C:\WINNT\m45365.exe” Sat 10 Nov 2007 577,024 A.SHR — “C:\WINNT\m15628.exe” Wed 31 Oct 2007 577,024 A.SHR — “C:\WINNT\m13211.exe” Mon 29 Oct 2007 577,024 A.SHR — “C:\WINNT\m80811.exe” Sun 11 Nov 2007 65,540 …SH. — “C:\WINNT\system32\a.exe” Sat 10 Nov 2007 65,540 …SH. — “C:\WINNT\system32\Offlce.exe” Finished!
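A defender-side triage script, added here as an illustration; it is not taken from this thread or from any of the tools named in it (HijackThis, ComboFix, SDFix). It parses the O4/O23 line formats of the HijackThis log in post #1 and the "Files with Hidden Attributes" lines of the SDFix report above, then applies three checks that this case makes visible: a file name one character away from a well-known one (Offlce vs. Office), an executable carrying Hidden+System attributes, and an unknown-owner service pointing at a missing binary or at a file sitting directly in the Windows directory. The sample lines, the list of well-known names, the letter-plus-digits pattern and the directory list are constructed assumptions for the example, not facts from the thread.

```python
import ntpath
import re

# Constructed sample lines, modelled on the HijackThis (O4 / O23) and SDFix
# "Files with Hidden Attributes" formats quoted in this thread. They are not
# copied from the poster's logs; "---" stands in for SDFix's separator column.
HJT_SAMPLE = [
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [OfficeWord Monitors] C:\WINNT\system32\Offlce.exe",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r'O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)',
    r"O23 - Service: s3contrl (32-bit) - Unknown owner - C:\WINNT\VTTray.exe",
]
SDFIX_SAMPLE = [
    r'Mon 22 Oct 2007 577,024 A.SHR --- "C:\WINNT\m81857.exe"',
    r'Sat 10 Nov 2007 65,540 ...SH. --- "C:\WINNT\system32\Offlce.exe"',
    r'Tue 23 Oct 2007 271 ...H. --- "C:\Program Files\desktop.ini"',
]

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SDFIX_RE = re.compile(r'^\w{3} \d{1,2} \w{3} \d{4} (?P<size>[\d,]+) (?P<attrs>\S+) -+ "(?P<path>[^"]+)"$')
# First binary named in a command line; an optional leading quote is skipped.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|ocx|scr|com))', re.IGNORECASE)

# Heuristic inputs: assumptions chosen for this example, not rules from the thread.
KNOWN_STEMS = {"office", "svchost", "services", "lsass", "winlogon", "explorer", "csrss", "smss"}
RANDOM_NAME_RE = re.compile(r"^[a-z]{1,2}\d{4,}$", re.IGNORECASE)  # shape like m81857
WINDOWS_ROOTS = {r"c:\winnt", r"c:\windows"}


def first_exe(cmd):
    """Return the binary a Run value or service line actually launches."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def stem_of(path):
    """Lower-cased file name without extension, e.g. 'offlce' for ...\\Offlce.exe."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def edit_distance(a, b):
    """Plain Levenshtein distance; used to spot one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_hjt(lines):
    """Extract autostart (O4) and service (O23) entries from HijackThis lines."""
    entries = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "run", "name": m["name"], "owner": None,
                            "path": first_exe(m["cmd"]), "file_missing": False})
            continue
        m = O23_RE.match(line)
        if m:
            entries.append({"kind": "service", "name": m["name"], "owner": m["owner"],
                            "path": first_exe(m["path"]),
                            "file_missing": "(file missing)" in m["path"]})
    return entries


def parse_sdfix(lines):
    """Extract path and attribute letters from SDFix 'Files with Hidden Attributes' lines."""
    out = []
    for line in lines:
        m = SDFIX_RE.match(line)
        if m:
            out.append({"path": m["path"], "attrs": m["attrs"].upper(),
                        "size": int(m["size"].replace(",", ""))})
    return out


def name_checks(path):
    """Reasons derived from the file name alone."""
    reasons, stem = [], stem_of(path)
    for known in sorted(KNOWN_STEMS):
        if stem != known and edit_distance(stem, known) == 1:
            reasons.append(f"name is one character away from '{known}'")
    if RANDOM_NAME_RE.match(stem):
        reasons.append("letter-plus-digits name typical of dropped copies")
    return reasons


def triage(hjt_entries, sdfix_entries):
    """Map lower-cased path -> list of reasons it deserves a closer look."""
    findings = {}

    def add(path, reason):
        reasons = findings.setdefault(path.lower(), [])
        if reason not in reasons:
            reasons.append(reason)

    for e in hjt_entries:
        for r in name_checks(e["path"]):
            add(e["path"], r)
        if e["kind"] == "service" and e["owner"] == "Unknown owner":
            if e["file_missing"]:
                add(e["path"], "unknown-owner service whose binary is reported missing: verify the definition")
            elif ntpath.dirname(e["path"]).lower() in WINDOWS_ROOTS:
                add(e["path"], "unknown-owner service running straight out of the Windows directory")
    for f in sdfix_entries:
        if "S" in f["attrs"] and "H" in f["attrs"] and f["path"].lower().endswith(".exe"):
            add(f["path"], "executable carrying Hidden+System attributes")
        for r in name_checks(f["path"]):
            add(f["path"], r)
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_hjt(HJT_SAMPLE), parse_sdfix(SDFIX_SAMPLE)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

The output is a review list, not a verdict: the avast! mail-scanner service is flagged only because its path is mangled and reported missing, which is exactly the kind of entry a helper should look at before anything is deleted.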
Gutek
(Gutek)
11 November 2007 14:23
#4
files to delete:
Mon 22 Oct 2007 577,024 A.SHR — “C:\WINNT\m81857.exe” Mon 29 Oct 2007 577,024 A.SHR — “C:\WINNT\m31475.exe” Mon 29 Oct 2007 577,024 A.SHR — “C:\WINNT\m45365.exe” Sat 10 Nov 2007 577,024 A.SHR — “C:\WINNT\m15628.exe” Wed 31 Oct 2007 577,024 A.SHR — “C:\WINNT\m13211.exe” Mon 29 Oct 2007 577,024 A.SHR — “C:\WINNT\m80811.exe”
scan the files at http://virusscan.jotti.org/
Post a new ComboFix log.
miirage
(Miirage)
11 November 2007 17:23
#5
Here is what I did.
I ran Ad-Aware over the system; it threw out those files and a dozen or so others.
I found two more viruses: vttray.exe and OFFLCE.exe
It showed they were removed too, but when I looked at the process list after starting the computer, offlce.exe was there again.
On top of that, Ad-Aware now shows a clean registry.
Avast doesn't catch anything either, and when I search for that file it is as if it didn't exist…
here is the ComboFix log:
ComboFix 07-11-08.1 - Administrator 2007-11-11 18:41:51.3 - FAT32x86 Microsoft Windows 2000 Professional 5.0.2195.4.1250.1.1045.18.117 [GMT 1:00] Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 ))))))))))))))))))))))))))))))) . 2007-11-11 18:41 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2b4.dat 2007-11-11 18:35 2007-11-11 18:31 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_208.dat 2007-11-11 18:27 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_328.dat 2007-11-11 17:52 487 --a------ C:\1.vbs 2007-11-11 17:16 2007-11-11 17:12 2007-11-11 14:32 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_1fc.dat 2007-11-11 13:46 8,192 -rahs---- C:\WINNT\m78581.exe 2007-11-11 13:38 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_218.dat 2007-11-11 13:29 2007-11-11 13:29 41,232 --a------ C:\WINNT\system32\dllcache\ftp.exe 2007-11-11 13:29 17,680 --a------ C:\WINNT\system32\dllcache\tftp.exe 2007-11-11 01:24 1,050 --a------ C:\WINNT\run.vbs 2007-11-11 01:24 510 --a------ C:\WINNT\run2.vbs 2007-11-10 20:15 577,024 -rahs---- C:\WINNT\m15628.exe 2007-11-10 16:47 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_344.dat 2007-11-10 16:45 51,200 --a------ C:\WINNT\NirCmd.exe 2007-11-10 15:01 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_204.dat 2007-11-10 13:46 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_200.dat 2007-11-10 12:37 2007-11-10 12:37 2007-11-10 11:53 65,540 —hs---- C:\WINNT\system32\Offlce.exe 2007-11-09 19:36 684,377 --a------ C:\WINNT\unins000.exe 2007-11-09 19:36 3,449 --a------ C:\WINNT\unins000.dat 2007-11-09 19:32 2007-11-07 21:26 2007-11-07 21:25 2007-11-06 19:53 2007-11-05 20:48 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_210.dat 2007-11-04 18:51 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_4f0.dat 2007-11-03 18:45 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_318.dat 2007-10-28 17:27 2007-10-28 17:12 
2007-10-28 13:37 2007-10-28 13:37 2007-10-28 13:11 2007-10-27 21:25 2007-10-27 21:24 2007-10-27 21:24 2007-10-27 21:24 2007-10-24 20:56 2007-10-24 20:54 2007-10-24 20:53 2007-10-23 22:47 2007-10-23 22:47 1,277 --a------ C:\WINNT\mozver.dat 2007-10-23 20:21 2007-10-23 20:20 2007-10-23 19:41 2007-10-23 19:41 2007-10-23 19:37 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_20c.dat 2007-10-23 19:12 6,928 --a------ C:\WINNT\system32\dllcache\msdtc.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-11 12:55 41,232 ----a-w C:\WINNT\system32\FTP.EXE 2007-11-11 12:55 17,680 ----a-w C:\WINNT\system32\tftp.exe 2007-10-23 18:39 96,048 ----a-w C:\WINNT\system32\sfc.dll 2007-10-23 17:49 --------- d-----w C:\Program Files\Alwil Software 2007-10-23 17:24 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-10-23 17:16 --------- d-----w C:\Program Files\microsoft frontpage 2007-10-23 17:14 271 —h–w C:\Program Files\desktop.ini 2007-10-23 17:14 22,039 —h–w C:\Program Files\folder.htt 2007-10-23 17:12 --------- d-----w C:\Program Files\Accessories 2007-09-06 11:09 801,144 ----a-w C:\WINNT\system32\aswBoot.exe 2007-09-06 11:00 95,608 ----a-w C:\WINNT\system32\AVASTSS.scr 2000-03-20 23:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys . ((((((((((((((((((((((((((((( snapshot@So 2007-11-10_16.50.55,29 ))))))))))))))))))))))))))))))))))))))))) . 
+ 2007-03-13 09:57:12 163,328 ----a-w C:\WINNT\erdnt\subs\F3M\ERDNT.EXE + 2007-11-11 09:15:32 163,328 ----a-w C:\WINNT\ERUNT\SDFIX\ERDNT.EXE + 2007-11-11 12:29:14 966,656 ----a-w C:\WINNT\ERUNT\SDFIX\Users\00000001\ntuser.dat + 2007-11-11 12:29:14 151,552 ----a-w C:\WINNT\ERUNT\SDFIX\Users\00000002\UsrClass.dat + 2007-11-11 09:15:32 163,328 ----a-w C:\WINNT\ERUNT\SDFIX_First_Run\ERDNT.EXE + 2007-11-11 12:29:08 966,656 ----a-w C:\WINNT\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat + 2007-11-11 12:29:08 151,552 ----a-w C:\WINNT\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ----a-w 745,472 2004-02-27 10:03:26 E:\z c\Gadu-Gadu\bak\gg.exe ----a-w 745,472 2004-02-27 10:03:26 E:\z c\Gadu-Gadu\gg.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Synchronization Manager”=“mobsync.exe” [03-06-19 12:05 C:\WINNT\system32\mobsync.exe] “NvCplDaemon”=“C:\WINNT\System32\NvCpl.dll” [05-12-10 03:06] “nwiz”=“nwiz.exe” [05-12-10 03:06 C:\WINNT\system32\nwiz.exe] “NvMediaCenter”=“C:\WINNT\System32\NvMcTray.dll” [05-12-10 03:06] “C-Media Mixer”=“Mixer.exe” [] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [07-09-06 12:06] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [07-09-25 01:11] “Outpost Firewall”=“C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe” [02-02-20 13:50] “OfficeWord Monitors”=“C:\WINNT\system32\Offlce.exe” [07-11-10 23:55] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “internat.exe”=“internat.exe” [00-03-21 00:00 C:\WINNT\system32\internat.exe] “Gadu-Gadu”=“E:\z c\Gadu-Gadu\gg.exe” [04-02-27 11:03] “SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [07-08-31 16:46] “OfficeWord 
Monitors”=“C:\WINNT\system32\Offlce.exe” [07-11-10 23:55] [HKEY_USERS.default\software\microsoft\windows\currentversion\runonce] “^SetupICWDesktop”=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “internat.exe”=internat.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeWord Monitors] C:\WINNT\system32\Offlce.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] “s3contrl (32-bit)”=2 (0x2) “m63226.exe”=3 (0x3) R1 VFILT;Outpost Firewall Kernel Driver;??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\2000\FILTNT.SYS R2 aswMon;avast! 
Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\ADBLOCK.DLL S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\CONTENT.DLL S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\DNSCACHE.DLL S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\FTPFILT.DLL S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\HTMLFILT.DLL S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\HTTPFILT.DLL S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\IMAPFILT.DLL S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\MAILFILT.DLL S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\NNTPFILT.DLL S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\POP3FILT.DLL S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\PROTECT.DLL . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-11 18:44:04 Windows 5.0.2195 Service Pack 4 FAT NTAPI scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-11 18:46:01 C:\ComboFix2.txt … 07-11-10 16:52 . — E O F —
Gutek
(Gutek)
11 November 2007 18:26
#6
Paste into Notepad:
>>File>>Save as… >>> CFScript (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
– just like in this picture –>
(if the question " 1 or 2 " appears, type 1 and press ENTER). The removal should begin (and a log will be created).
After the restart, delete the folder C:\Qoobox manually.
After that, a new log from ComboFix and from SDFix.
miirage
(Miirage)
11 November 2007 23:45
#7
So, here goes.
I deleted those files as you told me.
I produced an SDFix report and noticed that this entry was left:
Sat 10 Nov 2007 65,540 …SH. — “C:\WINNT\system32\Offlce.exe”
So I did as you wrote above, entering in the file
in the hope that this would be removed as well, but that didn't happen :/
Then a restart, an SDFix log and again a ComboFix log
here they are:
ComboFix 07-11-08.1 - Administrator 2007-11-12 0:28:00.6 - FAT32x86 Microsoft Windows 2000 Professional 5.0.2195.4.1250.1.1045.18.127 [GMT 1:00] Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 ))))))))))))))))))))))))))))))) . 2007-11-12 00:28 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2b0.dat 2007-11-12 00:25 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_200.dat 2007-11-11 21:05 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_5d0.dat 2007-11-11 20:44 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_120.dat 2007-11-11 18:58 449,132 --a------ C:\WINNT\system32\smlogsvcc.exe 2007-11-11 18:31 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_208.dat 2007-11-11 18:27 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_328.dat 2007-11-11 17:16 2007-11-11 17:12 2007-11-11 14:32 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_1fc.dat 2007-11-11 13:38 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_218.dat 2007-11-11 13:29 2007-11-11 13:29 41,232 --a------ C:\WINNT\system32\dllcache\ftp.exe 2007-11-11 13:29 17,680 --a------ C:\WINNT\system32\dllcache\tftp.exe 2007-11-10 16:47 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_344.dat 2007-11-10 16:45 51,200 --a------ C:\WINNT\NirCmd.exe 2007-11-10 12:37 2007-11-10 12:37 2007-11-10 11:53 65,540 —hs---- C:\WINNT\system32\Offlce.exe 2007-11-09 19:36 684,377 --a------ C:\WINNT\unins000.exe 2007-11-09 19:36 3,449 --a------ C:\WINNT\unins000.dat 2007-11-09 19:32 2007-11-07 21:26 2007-11-07 21:25 2007-11-06 19:53 2007-11-05 20:48 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_210.dat 2007-11-04 18:51 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_4f0.dat 2007-11-03 18:45 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_318.dat 2007-10-28 17:27 2007-10-28 17:12 2007-10-28 13:37 2007-10-28 13:37 2007-10-28 13:11 2007-10-27 21:25 2007-10-27 21:24 2007-10-27 21:24 2007-10-27 21:24 2007-10-24 
20:56 2007-10-24 20:54 2007-10-24 20:53 2007-10-23 22:47 2007-10-23 22:47 1,277 --a------ C:\WINNT\mozver.dat 2007-10-23 20:21 2007-10-23 20:20 2007-10-23 19:41 2007-10-23 19:41 2007-10-23 19:37 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_20c.dat 2007-10-23 19:12 6,928 --a------ C:\WINNT\system32\dllcache\msdtc.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-11 12:55 41,232 ----a-w C:\WINNT\system32\FTP.EXE 2007-11-11 12:55 17,680 ----a-w C:\WINNT\system32\tftp.exe 2007-10-23 18:39 96,048 ----a-w C:\WINNT\system32\sfc.dll 2007-10-23 17:49 --------- d-----w C:\Program Files\Alwil Software 2007-10-23 17:24 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-10-23 17:16 --------- d-----w C:\Program Files\microsoft frontpage 2007-10-23 17:14 271 —h–w C:\Program Files\desktop.ini 2007-10-23 17:14 22,039 —h–w C:\Program Files\folder.htt 2007-10-23 17:12 --------- d-----w C:\Program Files\Accessories 2007-09-06 11:09 801,144 ----a-w C:\WINNT\system32\aswBoot.exe 2007-09-06 11:00 95,608 ----a-w C:\WINNT\system32\AVASTSS.scr 2000-03-20 23:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ----a-w 745,472 2004-02-27 10:03:26 E:\z c\Gadu-Gadu\bak\gg.exe ----a-w 745,472 2004-02-27 10:03:26 E:\z c\Gadu-Gadu\gg.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Synchronization Manager”=“mobsync.exe” [03-06-19 12:05 C:\WINNT\system32\mobsync.exe] “NvCplDaemon”=“C:\WINNT\System32\NvCpl.dll” [05-12-10 03:06] “nwiz”=“nwiz.exe” [05-12-10 03:06 C:\WINNT\system32\nwiz.exe] “NvMediaCenter”=“C:\WINNT\System32\NvMcTray.dll” [05-12-10 03:06] “C-Media Mixer”=“Mixer.exe” [] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [07-09-06 12:06] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [07-09-25 01:11] “Outpost Firewall”=“C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe” [02-02-20 13:50] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “internat.exe”=“internat.exe” [00-03-21 00:00 C:\WINNT\system32\internat.exe] “Gadu-Gadu”=“E:\z c\Gadu-Gadu\gg.exe” [04-02-27 11:03] “SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [07-08-31 16:46] [HKEY_USERS.default\software\microsoft\windows\currentversion\runonce] “^SetupICWDesktop”=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “internat.exe”=internat.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] “s3contrl (32-bit)”=2 (0x2) “m63226.exe”=3 (0x3) R1 
VFILT;Outpost Firewall Kernel Driver;??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\2000\FILTNT.SYS R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\ADBLOCK.DLL R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\CONTENT.DLL R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\DNSCACHE.DLL R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\FTPFILT.DLL R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\HTMLFILT.DLL R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\HTTPFILT.DLL R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\IMAPFILT.DLL R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\MAILFILT.DLL R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\NNTPFILT.DLL R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\POP3FILT.DLL R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\PROTECT.DLL . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-12 00:30:25 Windows 5.0.2195 Service Pack 4 FAT NTAPI scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-12 0:32:19 C:\ComboFix2.txt … 07-11-12 00:12 . — E O F —
and the second log:
SDFix: Version 1.114 Run by Administrator on Pn 2007-11-12 at 0:20 Microsoft Windows 2000 [Wersja 5.00.2195] Running From: C:\SDFix Safe Mode: Checking Services: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Normal Mode: Checking Files: No Trojan Files Found Removing Temp Files… ADS Check: C:\WINNT No streams found. C:\WINNT\system32 No streams found. C:\WINNT\system32\svchost.exe No streams found. C:\WINNT\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-12 00:25:45 Windows 5.0.2195 Service Pack 4 FAT NTAPI scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services: ------------------ Remaining Files: --------------- Files with Hidden Attributes: Sat 10 Nov 2007 65,540 …SH. — “C:\WINNT\system32\Offlce.exe” Finished!
As you can see, offlce.exe is still there despite the attempt to remove it.
I don't have time today to check whether it's fine now because I'm going to bed,
and I don't keep the internet on for longer than 10 min so that nothing gets in again.
Is there anything else I should do... does this offlce.exe need to be removed somehow??
And what is the best way to protect myself so that this doesn't happen again?
Currently I only have avast and Spybot.
Thanks for the help so far
Gutek
(Gutek)
12 November 2007 06:04
#8
scan the file at http://virusscan.jotti.org/ and post the result
miirage
(Miirage)
12 November 2007 18:55
#9
Here is what the scan showed:
I use avast; according to this list it wouldn't have detected anything, so does that mean I should switch to a better antivirus?? Could you recommend something...
Gutek
(Gutek)
12 November 2007 19:33
#10
Use Pocket Killbox. Tick the Delete on Reboot option and paste the path
C:\WINNT\system32\Offlce.exe
into the Full Path of File to Delete field, then press the red X. The program will ask to reboot the computer... so you reboot.
after that, a new ComboFix log
miirage
(Miirage)
13 November 2007 21:45
#11
So, here goes.
I changed my antivirus to Kaspersky.
And here's the funny thing: while the log was being generated, the antivirus shouted that a trojan had been detected, and what's more it couldn't remove it because the file doesn't exist.
The report only contains the entry
And here is the latest ComboFix log.
ComboFix 07-11-08.1 - Administrator 2007-11-13 22:28:55.8 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1250.1.1045.18.129 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.
2007-11-13 22:28 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2f8.dat
2007-11-13 22:05 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_46c.dat
2007-11-13 21:47 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_300.dat
2007-11-12 22:55
2007-11-12 22:55
2007-11-12 22:55 82,061 --a------ C:\WINNT\system32\drivers\klick.dat
2007-11-12 22:55 81,549 --a------ C:\WINNT\system32\drivers\klin.dat
2007-11-12 22:55 32 --ahs---- C:\WINNT\system32\drivers\fidbox2.dat
2007-11-12 22:55 32 --ahs---- C:\WINNT\system32\drivers\fidbox.dat
2007-11-12 22:54
2007-11-12 22:33 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_208.dat
2007-11-12 22:25 1,050 --a------ C:\WINNT\run.vbs
2007-11-12 22:25 510 --a------ C:\WINNT\run2.vbs
2007-11-11 21:05 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_5d0.dat
2007-11-11 20:44 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_120.dat
2007-11-11 18:58 449,132 --a------ C:\WINNT\system32\smlogsvcc.exe
2007-11-11 18:27 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_328.dat
2007-11-11 17:16
2007-11-11 17:12
2007-11-11 13:38 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_218.dat
2007-11-11 13:29
2007-11-11 13:29 41,232 --a------ C:\WINNT\system32\dllcache\ftp.exe
2007-11-11 13:29 17,680 --a------ C:\WINNT\system32\dllcache\tftp.exe
2007-11-10 16:47 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_344.dat
2007-11-10 16:45 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-10 12:37
2007-11-10 12:37
2007-11-09 19:36 684,377 --a------ C:\WINNT\unins000.exe
2007-11-09 19:36 3,449 --a------ C:\WINNT\unins000.dat
2007-11-09 19:32
2007-11-07 21:26
2007-11-07 21:25
2007-11-06 19:53
2007-11-05 20:48 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_210.dat
2007-11-04 18:51 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_4f0.dat
2007-11-03 18:45 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_318.dat
2007-10-28 17:27
2007-10-28 17:12
2007-10-28 13:37
2007-10-28 13:37
2007-10-28 13:11
2007-10-27 21:25
2007-10-27 21:24
2007-10-27 21:24
2007-10-27 21:24
2007-10-24 20:56
2007-10-24 20:54
2007-10-24 20:53
2007-10-23 22:47
2007-10-23 22:47 1,277 --a------ C:\WINNT\mozver.dat
2007-10-23 20:21
2007-10-23 20:20
2007-10-23 19:41
2007-10-23 19:41
2007-10-23 19:37 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_20c.dat
2007-10-23 19:12 6,928 --a------ C:\WINNT\system32\dllcache\msdtc.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 18:52 32 --sha-w C:\WINNT\system32\drivers\fidbox2.idx
2007-11-13 18:52 32 --sha-w C:\WINNT\system32\drivers\fidbox.idx
2007-11-11 12:55 41,232 ----a-w C:\WINNT\system32\FTP.EXE
2007-11-11 12:55 17,680 ----a-w C:\WINNT\system32\tftp.exe
2007-10-23 18:39 96,048 ----a-w C:\WINNT\system32\sfc.dll
2007-10-23 17:49 --------- d-----w C:\Program Files\Alwil Software
2007-10-23 17:24 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-23 17:16 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-23 17:14 271 ---h--w C:\Program Files\desktop.ini
2007-10-23 17:14 22,039 ---h--w C:\Program Files\folder.htt
2007-10-23 17:12 --------- d-----w C:\Program Files\Accessories
2000-03-20 23:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 745,472 2004-02-27 10:03:26 E:\z c\Gadu-Gadu\bak\gg.exe
----a-w 745,472 2004-02-27 10:03:26 E:\z c\Gadu-Gadu\gg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]
"NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [05-12-10 03:06]
"nwiz"="nwiz.exe" [05-12-10 03:06 C:\WINNT\system32\nwiz.exe]
"NvMediaCenter"="C:\WINNT\System32\NvMcTray.dll" [05-12-10 03:06]
"C-Media Mixer"="Mixer.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11]
"Outpost Firewall"="C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe" [02-02-20 13:50]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [07-06-28 12:51]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [00-03-21 00:00 C:\WINNT\system32\internat.exe]
"Gadu-Gadu"="E:\z c\Gadu-Gadu\gg.exe" [04-02-27 11:03]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07-08-31 16:46]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"s3contrl (32-bit)"=2 (0x2)
"m63226.exe"=3 (0x3)
R1 VFILT;Outpost Firewall Kernel Driver;\??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\2000\FILTNT.SYS
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\ADBLOCK.DLL
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);\??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\CONTENT.DLL
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\DNSCACHE.DLL
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);\??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\FTPFILT.DLL
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\HTMLFILT.DLL
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\HTTPFILT.DLL
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\IMAPFILT.DLL
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINNT\system32\DRIVERS\klim5.sys
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);\??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\MAILFILT.DLL
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\NNTPFILT.DLL
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);\??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\POP3FILT.DLL
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);\??\C:\PROGRA~1\AGNITUM\OUTPOS~1.0\kernel\PROTECT.DLL
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 22:32:06
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-13 22:34:17
.
--- E O F ---
I'll add that the problem with services hasn't gone away either; it still generates an error and causes the system to shut down.
Gutek
(Gutek)
13 November 2007 22:11
#12
miirage
(Miirage)
13 November 2007 23:11
#13
I used it; I don't know whether it'll change anything, but we'll see.
But what surprised me is that Kaspersky only shouted while the ComboFix log was being generated; that's what really puzzled me...
Tomorrow I'll do a ComboFix and SDFix scan and paste them; hopefully it's clean by now, because this is day 4 and I'm slowly getting fed up with it.
miirage
(Miirage)
18 November 2007 16:01
#15
So, here goes.
I tested the computer for 3 days.
Services stopped generating the error and shutting down the system.
I think I've dealt with the trojans too.
The only problem is that now, for no apparent reason, the computer simply switches off as if there were a power surge, and it has started to crawl.
After a restart it's OK.
Unfortunately I can't make a ComboFix log because it throws up a message that today is 18-11-2007 and I should download some update, after which the program uninstalls itself from the computer.
I'm only posting the SDFix log because I don't know how to make the other one.
SDFix: Version 1.114
Run by Administrator on N 2007-11-18 at 16:35
Microsoft Windows 2000 [Wersja 5.00.2195]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
C:\WINNT
No streams found.
C:\WINNT\system32
No streams found.
C:\WINNT\system32\svchost.exe
No streams found.
C:\WINNT\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 16:40:27
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Remaining Files:
---------------
Files with Hidden Attributes:
Finished!
Instead I'm posting a HijackThis log; maybe I have something running that isn't needed, which is why the computer is so slow??
Logfile of HijackThis v1.99.1
Scan saved at 17:16:11, on 2007-11-18
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINNT\system32\internat.exe
E:\z c\Gadu-Gadu\gg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Administrator\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotinfolink.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "E:\z c\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4710E68-3ACA-4993-A4F3-6332368C49B8}: NameServer = 217.30.137.200,217.30.129.149
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus Home Edition 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
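As an added example, not code from the thread or from any tool named in it: a small Python checker that reads HijackThis-format entries like the ones pasted above and flags two things a helper looks for first, a browser start page outside a trusted set (the first log in this thread had wp.pl, this one has hotinfolink.com) and autostart executables whose file name is one character away from a name it imitates (Offlce.exe against Office). The sample log, the trusted-host set and the imitated-name list are constructed assumptions, not taken from the poster's machine.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99.1 format (one entry per line), modelled
# on this thread's logs; it is not the poster's log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotinfolink.com
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [Offlce] C:\WINNT\system32\Offlce.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "E:\z c\Gadu-Gadu\gg.exe" /tray
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|sys)\b', re.IGNORECASE)

# Assumed allowlist: the start page the user set (wp.pl in the thread's first
# log); after a browser hijack anything else deserves a look.
TRUSTED_START_HOSTS = {"wp.pl", "www.wp.pl"}
# Assumed list of names malware imitates by a one-character change (the
# thread's Offlce.exe is "Office" with an l in place of the i).
IMITATED_NAMES = {"office.exe", "svchost.exe", "services.exe", "lsass.exe",
                  "explorer.exe", "winlogon.exe"}

def within_one_edit(a, b):
    """True if a equals b or differs by one substitution, insertion or deletion."""
    if a == b:
        return True
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:k] + long_[k + 1:] == short for k in range(len(long_)))

def parse_hjt(text):
    # Yield (section, body) for every "Xn - ..." entry line; other lines are skipped.
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def analyse(text):
    """Return (section, reason, detail) triples for entries worth reviewing."""
    findings = []
    for section, body in parse_hjt(text):
        if section in ("R0", "R1") and "Start Page" in body:
            host = urlparse(body.split("=", 1)[1].strip()).hostname or ""
            if host not in TRUSTED_START_HOSTS:
                findings.append((section, "start page not on allowlist", host))
        elif section == "O4" and (m := PATH_RE.search(body)):
            name = m.group(0).rsplit("\\", 1)[-1].lower()
            for target in IMITATED_NAMES:
                if name != target and within_one_edit(name, target):
                    findings.append((section, "lookalike of " + target, m.group(0)))
    return findings
```

Running `analyse(SAMPLE_LOG)` reports the hotinfolink.com start page and the Offlce.exe autostart entry and stays silent on avp.exe and gg.exe; the lists are starting points to extend, not a verdict on any entry.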
Gutek
(Gutek)
18 November 2007 21:15
#16
Finish off with online scanners - Scanners to choose from - use two of them and paste the report