Problem z Trojanami

seweryn.h · 9 Listopad 2007 11:38

Mam problem z kompem,chodzi jak muł bagienny,przerywa myszka,wiesza sie ,przeglądarka słabo chodzi,win xp dlugo sie odpala…Ksperski znalazł jakieś Trojany::: oto ich lista

usunięto: Koń trojański Trojan.Win32.Obfuscated.en	Plik: C:\Documents and Settings\Kotus 3\Ustawienia lokalne\Temp\BitDownload Setup.exe//data0007

usunięto: adware not-a-virus:AdWare.Win32.Vapsup.js	Plik: C:\Documents and Settings\Kotus 3\Ustawienia lokalne\Temp\bx18dxv.dat//stream//data0002

usunięto: Koń trojański Trojan-Downloader.Win32.Zlob.gen	Plik: C:\System Volume Information\_restore{B4767070-0BF8-43C7-BE50-26DC471A48A2}\RP90\A0040807.exe

usunięto: Koń trojański Trojan-Downloader.Win32.Zlob.ecs	Plik: C:\Program Files\FlashGet\crack.exe//stream//data0003

usunięto: Koń trojański Backdoor.Win32.Bifrose.la	Plik: C:\System Volume Information\_restore{B4767070-0BF8-43C7-BE50-26DC471A48A2}\RP46\A0017231.exe//data0000.cab/hamma.exe

usunięto: Koń trojański Trojan-Downloader.Win32.Zlob.ecs	Plik: C:\System Volume Information\_restore{B4767070-0BF8-43C7-BE50-26DC471A48A2}\RP87\A0040408.exe/crack.exe//stream//data0003

usunięto: Koń trojański Trojan-Downloader.Win32.Zlob.ecs	Plik: C:\System Volume Information\_restore{B4767070-0BF8-43C7-BE50-26DC471A48A2}\RP87\A0040409.exe

usunięto: Koń trojański Trojan-Downloader.Win32.Zlob.ecs	Plik: C:\System Volume Information\_restore{B4767070-0BF8-43C7-BE50-26DC471A48A2}\RP93\A0043288.exe

usunięto: Koń trojański Trojan-Downloader.Win32.Zlob.ecs	Plik: C:\System Volume Information\_restore{B4767070-0BF8-43C7-BE50-26DC471A48A2}\RP93\A0043288.exe//stream//data0003

usunięto: Koń trojański Trojan.Win32.Inject.jt	Plik: C:\DOCUME~1\KOTUS3~1\USTAWI~1\Temp\bvvugmfm.dll

nie odnaleziono: Koń trojański Trojan.Win32.Inject.jt	Plik: C:\DOCUME~1\KOTUS3~1\USTAWI~1\Temp\bvvugmfm.dll

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:02:07, on 2007-11-08

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\FlashGet\FlashGet.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM…\Run: [AVP] “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe”

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-19…\RunOnce: [nlpo_01] cmd.exe /c md “%USERPROFILE%\Ustawienia lokalne\Temp” (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-19…\RunOnce: [nlpo_03] cmd.exe /c md “%SystemRoot%\System32\dllcache” (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-19…\RunOnce: [nlpo_04] cmd.exe /C move /Y “%SystemRoot%\System32\syssetub.dll” “%SystemRoot%\System32\syssetup.dll” (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-19…\RunOnce: [nlpo_05] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-19…\RunOnce: [nlpo_06] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-20…\RunOnce: [nlpo_01] cmd.exe /c md “%USERPROFILE%\Ustawienia lokalne\Temp” (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)

O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Dodaj do blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra ‘Tools’ menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

–

End of file - 5591 bytes

ComboFix 07-11-08.1 - Kotus 3 2007-11-08 19:40:53.3 - NTFSx86

Gutek · 9 Listopad 2007 20:09

Użyj ATF-Cleaner i opróżnij TEMP - http://www.atribune.org/ccount/click.php?id=1

seweryn.h · 9 Listopad 2007 21:05

ok zrobione… to wystarczy???

Gutek · 10 Listopad 2007 00:14

Nowy log z Combo

seweryn.h · 10 Listopad 2007 16:52

ok podaje, jeszcze jadna sprawa jak odpalam combofix-a to po chwili kasperski wykrywa jakiegos wirusa,po neutralizacij pokazuje to…

nie odnaleziono: Koń trojański Trojan.Win32.Inject.jt Plik: C:\DOCUME~1\KOTUS3~1\USTAWI~1\Temp\bvvugmfm.dll

Dziekuje ci z góry i pozdrawiam

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.341 [GMT 1:00]

Running from: E:\sciagniete\ntywirusy\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))

.

2007-11-08 19:57

2007-11-08 19:54

2007-11-08 19:33

2007-11-08 19:09 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-11-03 21:50

2007-11-03 21:49

2007-11-03 21:45

2007-11-03 21:18

2007-10-25 22:51 1,415,680 --a------ C:\WINDOWS\system32\WMV9VCM.dll

2007-10-25 22:51 921,600 --a------ C:\WINDOWS\system32\vorbisenc.dll

2007-10-25 22:51 245,760 --a------ C:\WINDOWS\system32\mplvpx.dll

2007-10-25 22:51 237,568 --a------ C:\WINDOWS\system32\OggDS.dll

2007-10-25 22:51 188,416 --a------ C:\WINDOWS\system32\vorbis.dll

2007-10-25 22:51 45,056 --a------ C:\WINDOWS\system32\ogg.dll

2007-10-25 22:51 9,216 --a------ C:\WINDOWS\system32\cpuinf32.dll

2007-10-25 22:50 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll

2007-10-25 22:50 740,442 --a------ C:\WINDOWS\system32\DivX.dll

2007-10-17 22:49

2007-10-17 22:47

2007-10-14 11:44

2007-10-14 11:40

2007-10-10 06:55 584,192 --------- C:\WINDOWS\system32\DllCache\rpcrt4.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-10 16:45 834,080 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat

2007-11-10 15:58 --------- d-----w C:\Documents and Settings\Kotus 3\Dane aplikacji\Skype

2007-11-10 14:50 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2007-11-10 14:49 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe

2007-11-10 09:22 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab

2007-11-09 22:21 986,396 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2007-11-09 22:21 82,088 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx

2007-11-09 22:21 73,778,464 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2007-11-09 21:05 --------- d-----w C:\Program Files\FlashGet

2007-11-05 20:37 --------- d-----w C:\Program Files\The All-Seeing Eye

2007-11-04 12:16 --------- d–h--w C:\Program Files\InstallShield Installation Information

2007-11-03 20:33 --------- d-----w C:\Program Files\ElcomSoft

2007-11-03 20:33 --------- d-----w C:\Program Files\CureROM

2007-11-03 20:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-11-03 20:32 --------- d-----w C:\Program Files\EA SPORTS

2007-11-03 20:19 --------- d-----w C:\Program Files\Google

2007-11-03 20:15 --------- d-----w C:\Program Files\Total Video Converter

2007-11-03 20:15 --------- d-----w C:\Program Files\Magic Morph

2007-11-03 20:15 --------- d-----w C:\Program Files\ivo

2007-10-31 22:38 --------- d-----w C:\Program Files\Gadu-Gadu

2007-10-17 22:00 --------- d-----w C:\Program Files\BitTorrent

2007-10-17 22:00 --------- d-----w C:\Program Files\BitComet

2007-10-17 21:45 --------- d-----w C:\Documents and Settings\Kotus 3\Dane aplikacji\BitTorrent

2007-10-14 10:38 --------- d-----w C:\Program Files\Common Files\ACD Systems

2007-10-07 14:14 --------- d-----w C:\Documents and Settings\Kotus 3\Dane aplikacji\ACD Systems

2007-10-07 14:06 --------- d-----w C:\Program Files\Motherboard Monitor 5

2007-10-07 13:55 --------- d—a-w C:\Program Files\BearShare Applications

2007-10-02 18:16 720,896 ----a-w C:\WINDOWS\iun6002.exe

2007-09-24 17:32 --------- d-----w C:\Program Files\Skype

2007-09-24 17:32 --------- d-----w C:\Program Files\Common Files\Skype

2007-09-24 17:32 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype

2007-09-23 19:19 --------- d-----w C:\Documents and Settings\Kotus 3\Dane aplikacji\BitTorrent DNA

2007-09-23 16:20 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe

2007-09-22 20:48 --------- d-----w C:\Program Files\BearShare

2007-09-21 19:59 --------- d-----w C:\Program Files\BitTorrent_DNA

2007-09-21 18:01 --------- d-----w C:\Documents and Settings\Kotus 3\Dane aplikacji\AdobeUM

2007-09-21 17:59 --------- d-----w C:\Program Files\Common Files\Adobe

2007-09-21 17:22 1,386,496 ----a-w C:\WINDOWS\system32\msvbvm60.dll

2007-09-19 20:31 --------- d-----w C:\Program Files\MarBit

2007-09-16 18:53 --------- d-----w C:\Program Files\Alcohol Soft

2007-09-16 18:50 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2007-09-13 20:57 --------- d-----w C:\Program Files\ATI Technologies

2007-09-13 18:05 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-09-13 16:29 223,128 ----a-w C:\WINDOWS\system32\drivers\dtscsi.sys

2007-09-13 16:29 --------- d-----w C:\Program Files\VVSN

2007-09-13 16:29 --------- d-----w C:\Program Files\DAEMON Tools

2007-09-04 15:30 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2007-08-22 12:58 96,768 ------w C:\WINDOWS\system32\DllCache\inseng.dll

2007-08-22 12:58 668,160 ------w C:\WINDOWS\system32\DllCache\wininet.dll

2007-08-22 12:58 619,008 ------w C:\WINDOWS\system32\DllCache\urlmon.dll

2007-08-22 12:58 55,808 ------w C:\WINDOWS\system32\DllCache\extmgr.dll

2007-08-22 12:58 532,480 ------w C:\WINDOWS\system32\DllCache\mstime.dll

2007-08-22 12:58 474,112 ------w C:\WINDOWS\system32\DllCache\shlwapi.dll

2007-08-22 12:58 449,024 ------w C:\WINDOWS\system32\DllCache\mshtmled.dll

2007-08-22 12:58 39,424 ------w C:\WINDOWS\system32\DllCache\pngfilt.dll

2007-08-22 12:58 357,888 ------w C:\WINDOWS\system32\DllCache\dxtmsft.dll

2007-08-22 12:58 3,085,824 ------w C:\WINDOWS\system32\DllCache\mshtml.dll

2007-08-22 12:58 251,904 ------w C:\WINDOWS\system32\DllCache\iepeers.dll

2007-08-22 12:58 205,824 ------w C:\WINDOWS\system32\DllCache\dxtrans.dll

2007-08-22 12:58 16,384 ------w C:\WINDOWS\system32\DllCache\jsproxy.dll

2007-08-22 12:58 151,552 ------w C:\WINDOWS\system32\DllCache\cdfview.dll

2007-08-22 12:58 146,432 ------w C:\WINDOWS\system32\DllCache\msrating.dll

2007-08-22 12:58 1,498,112 ------w C:\WINDOWS\system32\DllCache\shdocvw.dll

2007-08-22 12:58 1,055,744 ------w C:\WINDOWS\system32\DllCache\danim.dll

2007-08-22 12:58 1,022,976 ------w C:\WINDOWS\system32\DllCache\browseui.dll

2007-08-21 10:19 18,432 ------w C:\WINDOWS\system32\DllCache\iedw.exe

2007-08-21 06:26 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-08-21 06:26 683,520 ------w C:\WINDOWS\system32\DllCache\inetcomm.dll

2007-08-18 20:36 107,132 ----a-w C:\WINDOWS\UninstallFirefox.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]

2007-10-04 21:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

“{EBF2BA02-9094-4c5a-858B-BB198F3D8DE2}”= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 21:06 1135968]

[HKEY_CLASSES_ROOT\CLSID{EBF2BA02-9094-4c5a-858B-BB198F3D8DE2}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]

[HKEY_CLASSES_ROOT\TypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“SoundMan”=“SOUNDMAN.EXE” [2002-10-28 07:38 C:\WINDOWS\soundman.exe]

“AVP”=“C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe” [2007-03-09 19:50]

“MSConfig”=“C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe” [2004-08-04 01:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 01:44]

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 08:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

“AppInit_DLLs”=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^WinZip Quick Pick.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\WinZip Quick Pick.lnk

backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kotus 3^Menu Start^Programy^Autostart^UniSpiker-2.6.lnk]

path=C:\Documents and Settings\Kotus 3\Menu Start\Programy\Autostart\UniSpiker-2.6.lnk

backup=C:\WINDOWS\pss\UniSpiker-2.6.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]

“C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe” /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]

“C:\Program Files\BearShare\BearShare.exe” /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]

“C:\Program Files\BitTorrent_DNA\dna.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

“C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]

C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]

C:\Program Files\FlashGet\FlashGet.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

“C:\Program Files\Gadu-Gadu\gg.exe” /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

“C:\Program Files\Messenger\msmsgs.exe” /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]

“C:\Program Files\Winamp Remote\bin\OrbTray.exe” /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Resume copy]

copyfstq.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

“C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]

“C:\Program Files\Unlocker\UnlockerAssistant.exe” -H

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse]

C:\Program Files\A4Tech\Mouse\Amoumain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

“C:\Program Files\Winamp\winampa.exe”

R1 oreans32;oreans32;??\C:\WINDOWS\system32\drivers\oreans32.sys

R3 V0260VID;Live! Cam Vista IM;C:\WINDOWS\system32\DRIVERS\V0260Vid.sys

S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys

S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

*Newly Created Service* - PNKBSTRK

.

**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-10 17:45:30

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

**************************************************************************

.

Completion time: 2007-11-10 17:47:38

C:\ComboFix2.txt … 2007-11-08 20:18

C:\ComboFix3.txt … 2007-11-08 19:46

.

— E O F —

a i po stworzeniu loga przez ComboFIX-a na c/:itd… kasper wykrywa to samo czyli

wykryto: Koń trojański Trojan.Win32.Inject.jt Plik: C:\DOCUME~1\KOTUS3~1\USTAWI~1\Temp\bvvugmfm.dll

ComboFix 07-11-08.1 - Kotus 3 2007-11-10 17:41:57.5 - NTFSx86

Gutek · 11 Listopad 2007 00:07

Użyj ATF-Cleaner - http://www.atribune.org/ccount/click.php?id=1 i oczyść TEMP

Uwaga: Jak wklejasz loga to obejmuj go znacznikiem (tagiem) CODE lub QUOTE

Pozdrawiam Gutek2222

seweryn.h · 11 Listopad 2007 11:43

zastosowałem sie do twoich rad ale wydaje sie ze problem nadal istnieje

po uzyciu ATF-Cleaner stworzylem nowego loga Combofix-em,i kasper znowu wykryl trojana po czym zrestetowal kompa…przez ok 15min nie chcial sie odpalic …Dobra podaje loga…pozdrawiam

ComboFix 07-11-08.1 - Kotus 3 2007-11-11 12:16:31.6 - NTFSx86

Gutek · 11 Listopad 2007 14:08

Pobierz program SDFix

seweryn.h · 11 Listopad 2007 15:57

ok podaje loga,po wklejeniu komendy system nie może odnaleźć okreslonego pliku…pozdrawiam

SDFix: Version 1.114 Run by Kotus 3 on 2007-11-11 at 16:39 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\sdfix\SDFix Safe Mode: Checking Services: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Normal Mode: Checking Files: No Trojan Files Found Removing Temp Files… ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-11 16:43:22 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden services & system hive … [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] “s1”=dword:08c3da58 “s2”=dword:dd8593cb “h0”=dword:00000002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] “h0”=dword:00000001 “ujdew”=hex:64,e1,16,48,d1,25,31,dc,32,b1,2b,8d,af,fa,c3,35,a5,2c,f3,20,59,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:58,2e,37,1c,6b,ac,37,6a,c7,49,fc,79,52,b8,5f,0c,03,77,52,20,46,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,d6,57,90,77,6f,43,08,2e,d2,c5,1d,52,c6,01,d0,84,98,… “khjeh”=hex:b0,a0,99,87,67,b5,23,45,1e,53,04,88,a4,04,40,b0,68,12,40,98,7f,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:29,0b,1b,8a,a6,e0,d4,35,9f,b1,61,e7,d9,56,10,f0,df,96,01,91,0b,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] “h0”=dword:00000001 “ujdew”=hex:64,e1,16,48,d1,25,31,dc,32,b1,2b,8d,af,fa,c3,35,a5,2c,f3,20,59,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“C:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:58,2e,37,1c,6b,ac,37,6a,c7,49,fc,79,52,b8,5f,0c,03,77,52,20,46,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,d6,57,90,77,6f,43,08,2e,d2,c5,1d,52,c6,01,d0,84,98,… “khjeh”=hex:b0,a0,99,87,67,b5,23,45,1e,53,04,88,a4,04,40,b0,68,12,40,98,7f,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:29,0b,1b,8a,a6,e0,d4,35,9f,b1,61,e7,d9,56,10,f0,df,96,01,91,0b,… scanning hidden registry entries … [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c] “Order”=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,… scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] “C:\Program Files\Gadu-Gadu\gg.exe”=“C:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program główny” “C:\Program Files\FlashGet\flashget.exe”=“C:\Program Files\FlashGet\flashget.exe:*:Enabled:FlashGet” “C:\Program Files\The All-Seeing Eye\eye.exe”=“C:\Program Files\The All-Seeing Eye\eye.exe:*:Enabled:Yahoo! All-Seeing Eye” “C:\Program Files\Skype\Phone\Skype.exe”=“C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Onet.pl - Skype” [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] Remaining Files: --------------- Files with Hidden Attributes: Tue 4 Sep 2007 56 …SHR — “C:\WINDOWS\system32\6D0BA19373.sys” Tue 4 Sep 2007 3,350 A.SH. — “C:\WINDOWS\system32\KGyGaAvL.sys” Tue 4 Sep 2007 3,350 A.SH. — “C:\System Volume Information_restore{B4767070-0BF8-43C7-BE50-26DC471A48A2}\RP35\A0011206.sys” Finished!

Gutek · 11 Listopad 2007 17:56

Prawoklik na Mój Komputer>>Przywracanie systemu>> wyłącz przywracanie systemu na wszystkich dyskach.

Czy w folderze TEMP C:\Documents and Settings\Kotus 3\Ustawienia lokalne\Temp coś jest?

seweryn.h · 11 Listopad 2007 19:21

byl plik flashget-a ale usunolem ,skanowałem tez kompa ani adaware,kasperski nic nie wykryły mysle ze jest juz ok pozostał tylko problem z odpalaniem xp dosc długo to trwa

Gutek · 11 Listopad 2007 19:57

Optymalizacja XP: http://forum.dobreprogramy.pl/viewtopic.php?t=76580

seweryn.h · 13 Listopad 2007 15:45

Wydaje sie ze wszystko wróciło do normy…Dziekuję ci bardzo …Pozdrawiam