Problem z trojanem

CHINA · 27 Maj 2007 15:15

Witam.

Dzisiaj Avast zgłasza mi, że znalazł pasożyta:

http://gameglobin.info/g.php?wmid=bg002[uPX]

Próbowałem skanować komputer, używałem programów do usuwania spyware ale bez rezultatu.

Jeśli to ma jakieś znaczenie dla tego problemu to używam WinXP i Mozilli Firefox do przeglądania stron www.

Prosiłbym o sprawdzenie tego loga z z ComboFix i powiedzenie mi co zrobić aby pozbyć się trojana. Poniżej jest też log z Hijack.

Mam nadzieję, że teraz post wygląda odpowiednio.

“x” - 2007-05-27 16:57:53 Dodatek Service Pack 2 ComboFix 07-05.27.V - Running from: “C:\Documents and Settings\x\Pulpit” (((((((((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\hnnbscko.dll C:\WINDOWS\system32\vjnqdrhn.dll C:\WINDOWS\system32\winxtx32.dll C:\WINDOWS\system32\kmllm.bak1 C:\WINDOWS\system32\kmllm.ini C:\WINDOWS\system32\okcsbnnh.ini C:\WINDOWS\system32\kmllm.bak1 C:\WINDOWS\system32\kmllm.ini C:\WINDOWS\system32\mllmk.dll C:\WINDOWS\system32\ljjgdde.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) “C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe” “C:\WINDOWS\wpcjmd.log” ((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 )))))))))))))))))))))))))))))))))) 2007-05-27 16:27 2007-05-27 15:59 6,656 -r-hs---- C:\WINDOWS\system32\hguard.dll 2007-05-27 15:59 22,016 -r-hs---- C:\WINDOWS\system32\hoko.dll 2007-05-27 15:59 199,680 -r-hs---- C:\WINDOWS\system32\upx202-adtp.exe 2007-05-27 14:36 2007-05-27 14:26 74,305 --a------ C:\WINDOWS\fgredsds.exe 2007-05-27 14:26 74,231 --a------ C:\WINDOWS\dshgthgrege.exe 2007-05-27 14:26 45,610 --a------ C:\WINDOWS\htrrgrtgrgewfer.exe 2007-05-27 14:16 6,144 --a------ C:\WINDOWS\system32\autosys.exe 2007-05-27 14:15 61,088 --a------ C:\WINDOWS\system32\xpdx.sys 2007-05-20 14:15 17,920 --a------ C:\WINDOWS\system32\mdimon.dll 2007-05-20 14:13 2007-05-20 14:07 2007-05-20 14:05 2007-05-16 16:26 2007-05-16 16:20 2007-05-14 21:14 2007-05-14 21:14 2007-05-14 21:14 2007-05-14 21:14 2007-05-11 14:21 2007-05-11 14:21 2007-05-09 19:54 2007-05-09 19:54 2007-05-09 14:47 2007-05-06 14:34 2007-05-05 16:15 5,112 --a------ C:\WINDOWS\GPCIDrv.sys 2007-05-05 11:37 2007-05-05 11:35 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-27 15:00:41 19,039 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys 2007-05-27 14:44:55 74,450 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-05-27 14:44:55 448,348 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-05-27 12:15:48 -------- d-----w C:\Program Files\Winamp 2007-05-22 15:51:21 -------- d-----w C:\DOCUME~1\x\DANEAP~1\FinalBurner DATA 2007-05-20 12:23:44 -------- d-----w C:\DOCUME~1\x\DANEAP~1\OpenOffice.org2 2007-05-19 10:34:07 -------- d-----w C:\DOCUME~1\x\DANEAP~1\BearShare 2007-05-17 14:18:06 -------- d–h--w C:\Program Files\InstallShield Installation Information 2007-05-09 21:20:15 -------- d-----w C:\Program Files\Messenger 2007-04-28 19:32:57 1,289 ----a-w C:\WINDOWS\mozver.dat 2007-04-18 16:14:32 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-14 07:47:45 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-04-14 07:47:32 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-04-14 07:45:35 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-04-14 07:44:52 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-04-14 07:43:31 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-04-14 07:42:43 90,112 ----a-w C:\WINDOWS\system32\AVASTSS.scr 2007-04-10 11:18:32 712,832 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-04-04 11:09:28 -------- d-----w C:\Program Files\D-Tools 2007-04-03 13:06:06 -------- d-----w C:\Program Files\OpenOffice.org 2.1 2007-03-30 14:52:10 -------- d-----w C:\DOCUME~1\x\DANEAP~1\FinalBurner Audio CD 2007-03-17 13:45:36 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll 2007-03-08 15:38:47 579,072 ----a-w C:\WINDOWS\system32\user32.dll 2007-03-08 15:38:47 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll 2007-03-08 15:38:47 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll 2007-03-08 15:37:33 1,843,840 ----a-w C:\WINDOWS\system32\win32k.sys 2004-08-03 23:44:20 87,713 --sha-r C:\WINDOWS\system32\autokmeo.exe~ 2004-08-03 23:44:20 74,305 --sha-r C:\WINDOWS\system32\netwsmlx.exe~ 2004-08-03 23:44:20 74,231 --sha-r C:\WINDOWS\system32\smdlsset.exe~ 2004-08-03 23:44:20 45,610 --sha-r C:\WINDOWS\system32\capienkt.exe~ (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38] {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-20 00:55] {F97DA966-F09D-4cab-BF29-75A0026986EA}=C:\PROGRA~1\BEARSH~2\BEARSH~2\MediaBar.dll [2006-11-12 09:40] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SkyTel”=“SkyTel.EXE” [] “RTHDCPL”=“RTHDCPL.EXE” [] “Alcmtr”=“ALCMTR.EXE” [] “nwiz”=“nwiz.exe” [2006-06-01 11:22 C:\WINDOWS\system32\nwiz.exe] “NvMediaCenter”=“NvMCTray.dll” [2006-06-01 11:22 C:\WINDOWS\system32\nvmctray.dll] “SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 12:38] “VGAUtil”=“C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe” [2006-07-12 16:27] “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-04-14 09:48] “DAEMON Tools-1033”=“C:\Program Files\D-Tools\daemon.exe” [2004-08-22 17:05] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” [2007-03-14 03:43] “statemdd”=“autokmeo.exe” [] “NI.UERSL_9999_N91S2209”=“C:\Documents and Settings\x\Pulpit\ErrorSafeSwedishNewReleaseInstall.exe” [] “NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-06-01 11:22] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “swg”=“C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe” [2007-02-24 14:30] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 01:44] “statemdd”=“autokmeo.exe” [] “dlmicss”=“C:\WINDOWS\system32\netwsmlx.exe” [] “cpssystem”=“C:\WINDOWS\system32\smdlsset.exe” [] “netsscv”=“C:\WINDOWS\system32\capienkt.exe” [] “lmdisc”=“C:\WINDOWS\system32\capienkt.exe” [] “Anti-Dialer Toolkit Pro”=“C:\Documents and Settings\x\Pulpit\ADTP.exe” [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{C7F76815-E647-4BCE-B21A-600CE626E5D8}”=“C:\WINDOWS\system32\nvstatld.dll” [] ******************************************************************** catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-27 17:00:17 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ******************************************************************** Completion time: 2007-05-27 17:02:09 - machine was rebooted C:\ComboFix-quarantined-files.txt … 2007-05-27 17:01 — E O F — (((((((((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\hnnbscko.dll C:\WINDOWS\system32\vjnqdrhn.dll C:\WINDOWS\system32\winxtx32.dll C:\WINDOWS\system32\kmllm.bak1 C:\WINDOWS\system32\kmllm.ini C:\WINDOWS\system32\okcsbnnh.ini C:\WINDOWS\system32\kmllm.bak1 C:\WINDOWS\system32\kmllm.ini C:\WINDOWS\system32\mllmk.dll C:\WINDOWS\system32\ljjgdde.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) “C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe” “C:\WINDOWS\wpcjmd.log” ((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))

2007-05-27 13:04 19456 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\winxtx32.dll.vir 2007-05-27 13:04 29206 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ljjgdde.dll.vir 2007-05-27 13:05 40183 --a------ C:\Qoobox\Quarantine\C\Program Files\Common Files\Yazzle1162OinUninstaller.exe.vir 2007-05-27 13:10 263220 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mllmk.dll.vir 2007-05-27 13:10 638005 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kmllm.bak1.vir 2007-05-27 13:13 50745 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vjnqdrhn.dll.vir 2007-05-27 13:16 132660 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\hnnbscko.dll.vir 2007-05-27 14:16 643 --a------ C:\Qoobox\Quarantine\C\WINDOWS\wpcjmd.log.vir 2007-05-27 16:58 1084259 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\okcsbnnh.ini.vir 2007-05-27 16:58 689605 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kmllm.ini.vir Zmienna PATH folderu Numer seryjny woluminu: DCD8-A542 C:\QOOBOX —Quarantine ±–C | ±–Program Files | | —Common Files | | Yazzle1162OinUninstaller.exe.vir | | | —WINDOWS | | wpcjmd.log.vir | | | —system32 | hnnbscko.dll.vir | kmllm.bak1.vir | kmllm.ini.vir | ljjgdde.dll.vir | mllmk.dll.vir | okcsbnnh.ini.vir | vjnqdrhn.dll.vir | winxtx32.dll.vir | —Registry_backups

Logfile of HijackThis v1.99.1 Scan saved at 17:24:00, on 2007-05-27 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\system32\RunDLL32.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wuauclt.exe C:\ComboFix\21434.cfexe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL (file missing) R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - C:\PROGRA~1\BEARSH~2\BEARSH~2\MediaBar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll O4 - HKLM…\Run: [skyTel] SkyTel.EXE O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” O4 - HKLM…\Run: [statemdd] autokmeo.exe O4 - HKLM…\Run: [NI.UERSL_9999_N91S2209] “C:\Documents and Settings\x\Pulpit\ErrorSafeSwedishNewReleaseInstall.exe” -nag O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [statemdd] autokmeo.exe O4 - HKCU…\Run: [dlmicss] C:\WINDOWS\system32\netwsmlx.exe O4 - HKCU…\Run: [cpssystem] C:\WINDOWS\system32\smdlsset.exe O4 - HKCU…\Run: [netsscv] C:\WINDOWS\system32\capienkt.exe O4 - HKCU…\Run: [lmdisc] C:\WINDOWS\system32\capienkt.exe O4 - HKCU…\Run: [Anti-Dialer Toolkit Pro] C:\Documents and Settings\x\Pulpit\ADTP.EXE /t O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip…{2E5393D2-821F-4391-B938-753F4468CFB1}: NameServer = 194.204.152.34 217.98.63.164 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Monczkin · 27 Maj 2007 15:18

Proszę poprawić posta odnośnie znaczników.

Joan · 27 Maj 2007 15:53

Pobierz i uruchom narzędzie The Avenger Zaznacz opcję Input script manually i kliknij na Lupkę z prawej strony. W okienku, które się otworzy wklejasz:

Klikasz Done , a następnie zielone światełko i zgadzasz się na restart klikając OK.

Kasujesz ręcznie z dysku plik: C:\Avenger\backup.zip i wklejasz na forum raport: C:\avenger.txt

usun wpisy, daj logi z GMERA

Zakładka Rootkit > zaznacz wszystko oprócz Pokaż wszystko > kliknij Szukaj
Zakładka Rootkit > zaznacz tylko Usługi oraz Pokaż wszystko > kliknij Szukaj i w obydwu przypadkach poczekaj cierpliwie, aż skończy pracę

CHINA · 27 Maj 2007 15:57

Dzięki za odpowiedź, zaraz powiadomię o rezultatach.

Złączono Posta : 27.05.2007 (Nie) 18:21

Niestety mogę zamieścić tylko logi z Avengera. Za każdym razem gdy używam GMER i szukam mój komputer się restartuję. Czy logi z GMER są koniecznie potrzebne czy można się bez nich obejść, jeśli tak to spróbuję raz jeszcze.

Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\jemwwsly ******************* Script file located at: ??\C:\Program Files\lfwgmbeo.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File C:\WINDOWS\system32\hguard.dll deleted successfully. File C:\WINDOWS\system32\hoko.dll deleted successfully. File C:\WINDOWS\system32\upx202-adtp.exe deleted successfully. File C:\WINDOWS\fgredsds.exe deleted successfully. File C:\WINDOWS\dshgthgrege.exe deleted successfully. File C:\WINDOWS\htrrgrtgrgewfer.exe deleted successfully. File C:\WINDOWS\system32\autosys.exe deleted successfully. File C:\WINDOWS\system32\autokmeo.exe not found! Deletion of file C:\WINDOWS\system32\autokmeo.exe failed! Could not process line: C:\WINDOWS\system32\autokmeo.exe Status: 0xc0000034 File C:\WINDOWS\system32\netwsmlx.exe not found! Deletion of file C:\WINDOWS\system32\netwsmlx.exe failed! Could not process line: C:\WINDOWS\system32\netwsmlx.exe Status: 0xc0000034 File C:\WINDOWS\system32\smdlsset.exe not found! Deletion of file C:\WINDOWS\system32\smdlsset.exe failed! Could not process line: C:\WINDOWS\system32\smdlsset.exe Status: 0xc0000034 File C:\WINDOWS\system32\capienkt.exe not found! Deletion of file C:\WINDOWS\system32\capienkt.exe failed! Could not process line: C:\WINDOWS\system32\capienkt.exe Status: 0xc0000034 File C:\Documents and Settings\x\Pulpit\ErrorSafeSwedishNewReleaseInstall.exe not found! Deletion of file C:\Documents and Settings\x\Pulpit\ErrorSafeSwedishNewReleaseInstall.exe failed! Could not process line: C:\Documents and Settings\x\Pulpit\ErrorSafeSwedishNewReleaseInstall.exe Status: 0xc0000034 Folder C:\Program Files\BearShare applications deleted successfully. Completed script processing. ******************* Finished! Terminate.

Gutek · 27 Maj 2007 16:26

Daj log z Combofix

CHINA · 27 Maj 2007 16:30

Oto log z ComboFix

“x” - 2007-05-27 16:57:53 Dodatek Service Pack 2 ComboFix 07-05.27.V - Running from: “C:\Documents and Settings\x\Pulpit” (((((((((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\hnnbscko.dll C:\WINDOWS\system32\vjnqdrhn.dll C:\WINDOWS\system32\winxtx32.dll C:\WINDOWS\system32\kmllm.bak1 C:\WINDOWS\system32\kmllm.ini C:\WINDOWS\system32\okcsbnnh.ini C:\WINDOWS\system32\kmllm.bak1 C:\WINDOWS\system32\kmllm.ini C:\WINDOWS\system32\mllmk.dll C:\WINDOWS\system32\ljjgdde.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) “C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe” “C:\WINDOWS\wpcjmd.log” ((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 )))))))))))))))))))))))))))))))))) 2007-05-27 16:27 2007-05-27 15:59 6,656 -r-hs---- C:\WINDOWS\system32\hguard.dll 2007-05-27 15:59 22,016 -r-hs---- C:\WINDOWS\system32\hoko.dll 2007-05-27 15:59 199,680 -r-hs---- C:\WINDOWS\system32\upx202-adtp.exe 2007-05-27 14:36 2007-05-27 14:26 74,305 --a------ C:\WINDOWS\fgredsds.exe 2007-05-27 14:26 74,231 --a------ C:\WINDOWS\dshgthgrege.exe 2007-05-27 14:26 45,610 --a------ C:\WINDOWS\htrrgrtgrgewfer.exe 2007-05-27 14:16 6,144 --a------ C:\WINDOWS\system32\autosys.exe 2007-05-27 14:15 61,088 --a------ C:\WINDOWS\system32\xpdx.sys 2007-05-20 14:15 17,920 --a------ C:\WINDOWS\system32\mdimon.dll 2007-05-20 14:13 2007-05-20 14:07 2007-05-20 14:05 2007-05-16 16:26 2007-05-16 16:20 2007-05-14 21:14 2007-05-14 21:14 2007-05-14 21:14 2007-05-14 21:14 2007-05-11 14:21 2007-05-11 14:21 2007-05-09 19:54 2007-05-09 19:54 2007-05-09 14:47 2007-05-06 14:34 2007-05-05 16:15 5,112 --a------ C:\WINDOWS\GPCIDrv.sys 2007-05-05 11:37 2007-05-05 11:35 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-27 15:00:41 19,039 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys 2007-05-27 14:44:55 74,450 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-05-27 14:44:55 448,348 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-05-27 12:15:48 -------- d-----w C:\Program Files\Winamp 2007-05-22 15:51:21 -------- d-----w C:\DOCUME~1\x\DANEAP~1\FinalBurner DATA 2007-05-20 12:23:44 -------- d-----w C:\DOCUME~1\x\DANEAP~1\OpenOffice.org2 2007-05-19 10:34:07 -------- d-----w C:\DOCUME~1\x\DANEAP~1\BearShare 2007-05-17 14:18:06 -------- d–h--w C:\Program Files\InstallShield Installation Information 2007-05-09 21:20:15 -------- d-----w C:\Program Files\Messenger 2007-04-28 19:32:57 1,289 ----a-w C:\WINDOWS\mozver.dat 2007-04-18 16:14:32 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-14 07:47:45 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-04-14 07:47:32 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-04-14 07:45:35 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-04-14 07:44:52 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-04-14 07:43:31 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-04-14 07:42:43 90,112 ----a-w C:\WINDOWS\system32\AVASTSS.scr 2007-04-10 11:18:32 712,832 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-04-04 11:09:28 -------- d-----w C:\Program Files\D-Tools 2007-04-03 13:06:06 -------- d-----w C:\Program Files\OpenOffice.org 2.1 2007-03-30 14:52:10 -------- d-----w C:\DOCUME~1\x\DANEAP~1\FinalBurner Audio CD 2007-03-17 13:45:36 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll 2007-03-08 15:38:47 579,072 ----a-w C:\WINDOWS\system32\user32.dll 2007-03-08 15:38:47 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll 2007-03-08 15:38:47 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll 2007-03-08 15:37:33 1,843,840 ----a-w C:\WINDOWS\system32\win32k.sys 2004-08-03 23:44:20 87,713 --sha-r C:\WINDOWS\system32\autokmeo.exe~ 2004-08-03 23:44:20 74,305 --sha-r C:\WINDOWS\system32\netwsmlx.exe~ 2004-08-03 23:44:20 74,231 --sha-r C:\WINDOWS\system32\smdlsset.exe~ 2004-08-03 23:44:20 45,610 --sha-r C:\WINDOWS\system32\capienkt.exe~ (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38] {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-20 00:55] {F97DA966-F09D-4cab-BF29-75A0026986EA}=C:\PROGRA~1\BEARSH~2\BEARSH~2\MediaBar.dll [2006-11-12 09:40] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SkyTel”=“SkyTel.EXE” [] “RTHDCPL”=“RTHDCPL.EXE” [] “Alcmtr”=“ALCMTR.EXE” [] “nwiz”=“nwiz.exe” [2006-06-01 11:22 C:\WINDOWS\system32\nwiz.exe] “NvMediaCenter”=“NvMCTray.dll” [2006-06-01 11:22 C:\WINDOWS\system32\nvmctray.dll] “SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 12:38] “VGAUtil”=“C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe” [2006-07-12 16:27] “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-04-14 09:48] “DAEMON Tools-1033”=“C:\Program Files\D-Tools\daemon.exe” [2004-08-22 17:05] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” [2007-03-14 03:43] “statemdd”=“autokmeo.exe” [] “NI.UERSL_9999_N91S2209”=“C:\Documents and Settings\x\Pulpit\ErrorSafeSwedishNewReleaseInstall.exe” [] “NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-06-01 11:22] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “swg”=“C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe” [2007-02-24 14:30] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 01:44] “statemdd”=“autokmeo.exe” [] “dlmicss”=“C:\WINDOWS\system32\netwsmlx.exe” [] “cpssystem”=“C:\WINDOWS\system32\smdlsset.exe” [] “netsscv”=“C:\WINDOWS\system32\capienkt.exe” [] “lmdisc”=“C:\WINDOWS\system32\capienkt.exe” [] “Anti-Dialer Toolkit Pro”=“C:\Documents and Settings\x\Pulpit\ADTP.exe” [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{C7F76815-E647-4BCE-B21A-600CE626E5D8}”=“C:\WINDOWS\system32\nvstatld.dll” [] ******************************************************************** catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-27 17:00:17 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ******************************************************************** Completion time: 2007-05-27 17:02:09 - machine was rebooted C:\ComboFix-quarantined-files.txt … 2007-05-27 17:01 — E O F — (((((((((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\hnnbscko.dll C:\WINDOWS\system32\vjnqdrhn.dll C:\WINDOWS\system32\winxtx32.dll C:\WINDOWS\system32\kmllm.bak1 C:\WINDOWS\system32\kmllm.ini C:\WINDOWS\system32\okcsbnnh.ini C:\WINDOWS\system32\kmllm.bak1 C:\WINDOWS\system32\kmllm.ini C:\WINDOWS\system32\mllmk.dll C:\WINDOWS\system32\ljjgdde.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) “C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe” “C:\WINDOWS\wpcjmd.log” ((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))

2007-05-27 13:04 19456 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\winxtx32.dll.vir 2007-05-27 13:04 29206 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ljjgdde.dll.vir 2007-05-27 13:05 40183 --a------ C:\Qoobox\Quarantine\C\Program Files\Common Files\Yazzle1162OinUninstaller.exe.vir 2007-05-27 13:10 263220 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mllmk.dll.vir 2007-05-27 13:10 638005 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kmllm.bak1.vir 2007-05-27 13:13 50745 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vjnqdrhn.dll.vir 2007-05-27 13:16 132660 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\hnnbscko.dll.vir 2007-05-27 14:16 643 --a------ C:\Qoobox\Quarantine\C\WINDOWS\wpcjmd.log.vir 2007-05-27 16:58 1084259 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\okcsbnnh.ini.vir 2007-05-27 16:58 689605 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kmllm.ini.vir Zmienna PATH folderu Numer seryjny woluminu: DCD8-A542 C:\QOOBOX —Quarantine ±–C | ±–Program Files | | —Common Files | | Yazzle1162OinUninstaller.exe.vir | | | —WINDOWS | | wpcjmd.log.vir | | | —system32 | hnnbscko.dll.vir | kmllm.bak1.vir | kmllm.ini.vir | ljjgdde.dll.vir | mllmk.dll.vir | okcsbnnh.ini.vir | vjnqdrhn.dll.vir | winxtx32.dll.vir | —Registry_backups

Teraz dam też drugi log z ComboFix:

“x” - 2007-05-27 18:51:17 Dodatek Service Pack 2 ComboFix 07-05.27.V - Running from: “C:\Documents and Settings\x\Pulpit\R˘ľne” ((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 )))))))))))))))))))))))))))))))))) 2007-05-27 18:00 2007-05-27 17:16 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-05-27 17:02 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-05-27 16:27 2007-05-27 14:36 2007-05-27 14:15 61,088 --a------ C:\WINDOWS\system32\xpdx.sys 2007-05-20 14:15 17,920 --a------ C:\WINDOWS\system32\mdimon.dll 2007-05-20 14:13 2007-05-20 14:07 2007-05-20 14:05 2007-05-16 16:26 2007-05-16 16:20 2007-05-14 21:14 2007-05-14 21:14 2007-05-14 21:14 2007-05-14 21:14 2007-05-11 14:21 2007-05-11 14:21 2007-05-09 19:54 2007-05-09 19:54 2007-05-09 14:47 2007-05-06 14:34 2007-05-05 16:15 5,112 --a------ C:\WINDOWS\GPCIDrv.sys 2007-05-05 11:37 2007-05-05 11:35 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-27 16:30:20 74,450 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-05-27 16:30:20 448,348 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-05-27 16:26:36 19,039 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys 2007-05-27 12:15:48 -------- d-----w C:\Program Files\Winamp 2007-05-22 15:51:21 -------- d-----w C:\DOCUME~1\x\DANEAP~1\FinalBurner DATA 2007-05-20 12:23:44 -------- d-----w C:\DOCUME~1\x\DANEAP~1\OpenOffice.org2 2007-05-19 10:34:07 -------- d-----w C:\DOCUME~1\x\DANEAP~1\BearShare 2007-05-17 14:18:06 -------- d–h--w C:\Program Files\InstallShield Installation Information 2007-05-09 21:20:15 -------- d-----w C:\Program Files\Messenger 2007-04-28 19:32:57 1,289 ----a-w C:\WINDOWS\mozver.dat 2007-04-18 16:14:32 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-14 07:47:45 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-04-14 07:47:32 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-04-14 07:45:35 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-04-14 07:44:52 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-04-14 07:43:31 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-04-14 07:42:43 90,112 ----a-w C:\WINDOWS\system32\AVASTSS.scr 2007-04-10 11:18:32 712,832 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-04-04 11:09:28 -------- d-----w C:\Program Files\D-Tools 2007-04-03 13:06:06 -------- d-----w C:\Program Files\OpenOffice.org 2.1 2007-03-30 14:52:10 -------- d-----w C:\DOCUME~1\x\DANEAP~1\FinalBurner Audio CD 2007-03-17 13:45:36 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll 2007-03-08 15:38:47 579,072 ----a-w C:\WINDOWS\system32\user32.dll 2007-03-08 15:38:47 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll 2007-03-08 15:38:47 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll 2007-03-08 15:37:33 1,843,840 ----a-w C:\WINDOWS\system32\win32k.sys 2004-08-03 23:44:20 87,713 --sha-r C:\WINDOWS\system32\autokmeo.exe~ 2004-08-03 23:44:20 74,305 --sha-r C:\WINDOWS\system32\netwsmlx.exe~ 2004-08-03 23:44:20 74,231 --sha-r C:\WINDOWS\system32\smdlsset.exe~ 2004-08-03 23:44:20 45,610 --sha-r C:\WINDOWS\system32\capienkt.exe~ (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38] {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-20 00:55] {F97DA966-F09D-4cab-BF29-75A0026986EA}=C:\PROGRA~1\BEARSH~2\BEARSH~2\MediaBar.dll [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SkyTel”=“SkyTel.EXE” [] “RTHDCPL”=“RTHDCPL.EXE” [] “Alcmtr”=“ALCMTR.EXE” [] “nwiz”=“nwiz.exe” [2006-06-01 11:22 C:\WINDOWS\system32\nwiz.exe] “NvMediaCenter”=“NvMCTray.dll” [2006-06-01 11:22 C:\WINDOWS\system32\nvmctray.dll] “SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 12:38] “VGAUtil”=“C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe” [2006-07-12 16:27] “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-04-14 09:48] “DAEMON Tools-1033”=“C:\Program Files\D-Tools\daemon.exe” [2004-08-22 17:05] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” [2007-03-14 03:43] “statemdd”=“autokmeo.exe” [] “NI.UERSL_9999_N91S2209”=“C:\Documents and Settings\x\Pulpit\ErrorSafeSwedishNewReleaseInstall.exe” [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “swg”=“C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe” [2007-02-24 14:30] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 01:44] “statemdd”=“autokmeo.exe” [] “dlmicss”=“C:\WINDOWS\system32\netwsmlx.exe” [] “cpssystem”=“C:\WINDOWS\system32\smdlsset.exe” [] “netsscv”=“C:\WINDOWS\system32\capienkt.exe” [] “lmdisc”=“C:\WINDOWS\system32\capienkt.exe” [] “Anti-Dialer Toolkit Pro”=“C:\Documents and Settings\x\Pulpit\ADTP.exe” [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{C7F76815-E647-4BCE-B21A-600CE626E5D8}”=“C:\WINDOWS\system32\nvstatld.dll” [] ******************************************************************** catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-27 18:52:29 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ******************************************************************** Completion time: 2007-05-27 18:53:02 C:\ComboFix-quarantined-files.txt … 2007-05-27 18:52 C:\ComboFix2.txt … 2007-05-27 17:02 — E O F —

Gutek · 27 Maj 2007 16:54

Pobierz i uruchom narzędzie The Avenger Zaznacz opcję Input script manually i kliknij na Lupkę z prawej strony. W okienku, które się otworzy wklejasz:

Files to delete: C:\WINDOWS\system32\hguard.dll C:\WINDOWS\system32\hoko.dll C:\WINDOWS\system32\upx202-adtp.exe C:\WINDOWS\fgredsds.exe C:\WINDOWS\dshgthgrege.exe C:\WINDOWS\htrrgrtgrgewfer.exe C:\WINDOWS\system32\autosys.exe C:\WINDOWS\system32\autokmeo.exe~ C:\WINDOWS\system32\netwsmlx.exe~ C:\WINDOWS\system32\smdlsset.exe~ C:\WINDOWS\system32\capienkt.exe~ Registry values to delete: “HKLM\Software\Microsoft\Windows\CurrentVersion\Run” | “statemdd” “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “statemdd” “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “dlmicss” “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “cpssystem” “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “netsscv” “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “lmdisc” “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “Anti-Dialer Toolkit Pro” “HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks” | “{C7F76815-E647-4BCE-B21A-600CE626E5D8}”

Klikasz Done , a następnie zielone światełko i zgadzasz się na restart klikając OK.

Kasujesz ręcznie z dysku plik: C:\Avenger\backup.zip i wklejasz na forum raport: C:\avenger.txt

CHINA · 27 Maj 2007 17:05

Już zrobione.

Log z Avengera:

////////////////////////////////////////// Avenger Pre-Processor log ////////////////////////////////////////// Syntax error in line — does not appear to be a valid registry path. Line will be ignored. Error code: 0 Line: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" | “statemdd Syntax error in line — does not appear to be a valid registry path. Line will be ignored. Error code: 0 Line: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “dlmicss Syntax error in line — does not appear to be a valid registry path. Line will be ignored. Error code: 0 Line: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “cpssystem Syntax error in line — does not appear to be a valid registry path. Line will be ignored. Error code: 0 Line: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “netsscv Syntax error in line — does not appear to be a valid registry path. Line will be ignored. Error code: 0 Line: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | “lmdisc Syntax error in line — does not appear to be a valid registry path. Line will be ignored. Error code: 0 Line: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” | "Anti-Dialer Toolkit Pro ////////////////////////////////////////// Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\qsmkamsc ******************* Script file located at: ??\C:\Documents and Settings\jpnacihm.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File C:\WINDOWS\system32\hguard.dll not found! Deletion of file C:\WINDOWS\system32\hguard.dll failed! Could not process line: C:\WINDOWS\system32\hguard.dll Status: 0xc0000034 File C:\WINDOWS\system32\hoko.dll not found! Deletion of file C:\WINDOWS\system32\hoko.dll failed! Could not process line: C:\WINDOWS\system32\hoko.dll Status: 0xc0000034 File C:\WINDOWS\system32\upx202-adtp.exe not found! Deletion of file C:\WINDOWS\system32\upx202-adtp.exe failed! Could not process line: C:\WINDOWS\system32\upx202-adtp.exe Status: 0xc0000034 File C:\WINDOWS\fgredsds.exe not found! Deletion of file C:\WINDOWS\fgredsds.exe failed! Could not process line: C:\WINDOWS\fgredsds.exe Status: 0xc0000034 File C:\WINDOWS\dshgthgrege.exe not found! Deletion of file C:\WINDOWS\dshgthgrege.exe failed! Could not process line: C:\WINDOWS\dshgthgrege.exe Status: 0xc0000034 File C:\WINDOWS\htrrgrtgrgewfer.exe not found! Deletion of file C:\WINDOWS\htrrgrtgrgewfer.exe failed! Could not process line: C:\WINDOWS\htrrgrtgrgewfer.exe Status: 0xc0000034 File C:\WINDOWS\system32\autosys.exe not found! Deletion of file C:\WINDOWS\system32\autosys.exe failed! Could not process line: C:\WINDOWS\system32\autosys.exe Status: 0xc0000034 File C:\WINDOWS\system32\autokmeo.exe~ deleted successfully. File C:\WINDOWS\system32\netwsmlx.exe~ deleted successfully. File C:\WINDOWS\system32\smdlsset.exe~ deleted successfully. File C:\WINDOWS\system32\capienkt.exe~ deleted successfully. Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|statemdd deleted successfully. Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{C7F76815-E647-4BCE-B21A-600CE626E5D8} deleted successfully. Completed script processing. ******************* Finished! Terminate.

Gutek · 27 Maj 2007 17:09

Daj log z combo.

CHINA · 27 Maj 2007 17:12

Log z Combo

“x” - 2007-05-27 19:09:51 Dodatek Service Pack 2 ComboFix 07-05.27.V - Running from: “C:\Documents and Settings\x\Pulpit\R˘ľne” ((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 )))))))))))))))))))))))))))))))))) 2007-05-27 19:03 2007-05-27 17:16 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-05-27 17:02 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-05-27 16:27 2007-05-27 14:36 2007-05-27 14:15 61,088 --a------ C:\WINDOWS\system32\xpdx.sys 2007-05-20 14:15 17,920 --a------ C:\WINDOWS\system32\mdimon.dll 2007-05-20 14:13 2007-05-20 14:07 2007-05-20 14:05 2007-05-16 16:26 2007-05-16 16:20 2007-05-14 21:14 2007-05-14 21:14 2007-05-14 21:14 2007-05-14 21:14 2007-05-11 14:21 2007-05-11 14:21 2007-05-09 19:54 2007-05-09 19:54 2007-05-09 14:47 2007-05-06 14:34 2007-05-05 16:15 5,112 --a------ C:\WINDOWS\GPCIDrv.sys 2007-05-05 11:37 2007-05-05 11:35 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-27 17:06:53 74,450 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-05-27 17:06:53 448,348 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-05-27 17:03:15 19,039 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys 2007-05-27 12:15:48 -------- d-----w C:\Program Files\Winamp 2007-05-22 15:51:21 -------- d-----w C:\DOCUME~1\x\DANEAP~1\FinalBurner DATA 2007-05-20 12:23:44 -------- d-----w C:\DOCUME~1\x\DANEAP~1\OpenOffice.org2 2007-05-19 10:34:07 -------- d-----w C:\DOCUME~1\x\DANEAP~1\BearShare 2007-05-17 14:18:06 -------- d–h--w C:\Program Files\InstallShield Installation Information 2007-05-09 21:20:15 -------- d-----w C:\Program Files\Messenger 2007-04-28 19:32:57 1,289 ----a-w C:\WINDOWS\mozver.dat 2007-04-18 16:14:32 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-14 07:47:45 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-04-14 07:47:32 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-04-14 07:45:35 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-04-14 07:44:52 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-04-14 07:43:31 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-04-14 07:42:43 90,112 ----a-w C:\WINDOWS\system32\AVASTSS.scr 2007-04-10 11:18:32 712,832 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-04-04 11:09:28 -------- d-----w C:\Program Files\D-Tools 2007-04-03 13:06:06 -------- d-----w C:\Program Files\OpenOffice.org 2.1 2007-03-30 14:52:10 -------- d-----w C:\DOCUME~1\x\DANEAP~1\FinalBurner Audio CD 2007-03-17 13:45:36 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll 2007-03-08 15:38:47 579,072 ----a-w C:\WINDOWS\system32\user32.dll 2007-03-08 15:38:47 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll 2007-03-08 15:38:47 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll 2007-03-08 15:37:33 1,843,840 ----a-w C:\WINDOWS\system32\win32k.sys (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38] {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-20 00:55] {F97DA966-F09D-4cab-BF29-75A0026986EA}=C:\PROGRA~1\BEARSH~2\BEARSH~2\MediaBar.dll [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SkyTel”=“SkyTel.EXE” [] “RTHDCPL”=“RTHDCPL.EXE” [] “Alcmtr”=“ALCMTR.EXE” [] “nwiz”=“nwiz.exe” [2006-06-01 11:22 C:\WINDOWS\system32\nwiz.exe] “NvMediaCenter”=“NvMCTray.dll” [2006-06-01 11:22 C:\WINDOWS\system32\nvmctray.dll] “SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 12:38] “VGAUtil”=“C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe” [2006-07-12 16:27] “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-04-14 09:48] “DAEMON Tools-1033”=“C:\Program Files\D-Tools\daemon.exe” [2004-08-22 17:05] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” [2007-03-14 03:43] “NI.UERSL_9999_N91S2209”=“C:\Documents and Settings\x\Pulpit\ErrorSafeSwedishNewReleaseInstall.exe” [] “NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-06-01 11:22] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “swg”=“C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe” [2007-02-24 14:30] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 01:44] “statemdd”=“autokmeo.exe” [] “dlmicss”=“C:\WINDOWS\system32\netwsmlx.exe” [] “cpssystem”=“C:\WINDOWS\system32\smdlsset.exe” [] “netsscv”=“C:\WINDOWS\system32\capienkt.exe” [] “lmdisc”=“C:\WINDOWS\system32\capienkt.exe” [] “Anti-Dialer Toolkit Pro”=“C:\Documents and Settings\x\Pulpit\ADTP.exe” [] ******************************************************************** catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-27 19:10:58 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ******************************************************************** Completion time: 2007-05-27 19:11:29 C:\ComboFix-quarantined-files.txt … 2007-05-27 19:11 C:\ComboFix2.txt … 2007-05-27 18:53 C:\ComboFix3.txt … 2007-05-27 17:02 — E O F —

Gutek · 27 Maj 2007 17:18

Avengerem usuń jeszcze plik:

i po tym

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Ustaw rozszerzenie z TXT na Wszystkie pliki >>> zapisz pod nazwą FIX.REG >>> kliknij podwójnie zrobiony plik i potwierdź >>> reset kompa

CHINA · 27 Maj 2007 17:27

Zrobiłem to już. Czy to już wszystko ?

Gutek · 27 Maj 2007 17:29

Powinno być Ok

CHINA · 27 Maj 2007 17:30

Dzięki bardzo za pomoc.