chen1
(Chen1)
25 June 2007 18:01
#1
Hello,
I have a problem with the Smitfraud-C trojan. I fought it all day and finally, using Ad-Aware 2007, I think I removed it, but now I have no internet. At startup the system automatically picks up some strange IP address, 169.254.52.130 (instead of getting the proper one handed out by the router), and I can't connect to the internet (I'm writing this from another computer). The commands ipconfig /release and /renew don't work at all and I don't know what to do next.
Can anything be done about this, or am I looking at a format?? (which I would really prefer to avoid)
I'd be very grateful for help, thanks in advance.
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 19:33:36, on 2007-06-25
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\All\Pulpit\Użytki\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\sdcbzdz.dll' missing
O15 - Trusted Zone: http://*.mks.com.pl
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
Silent Runners log
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SpybotSD TeaTimer” = “C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [“Safer Networking Limited”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SynTPLpr” = “C:\Program Files\Synaptics\SynTP\SynTPLpr.exe” [“Synaptics, Inc.”] “SynTPEnh” = “C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [“Synaptics, Inc.”] “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [“ATI Technologies, Inc.”] “ATIModeChange” = “Ati2mdxx.exe” [“ATI Technologies, Inc.”] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = 
“C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”] HKLM\System\CurrentControlSet\Control\Session Manager\ <> “BootExecute” = “autocheck autochk *”|“lsdelete” [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” 
-> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\Web\Wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\Web\Wallpaper\Idylla.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\System32\sdcbzdz.dll [file not 
found], 01 - 13, 27 %SystemRoot%\system32\mswsock.dll [MS], 14 - 16, 19 - 26 %SystemRoot%\system32\rsvpsp.dll [MS], 17 - 18 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.6.0_01” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.6.0_01” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll” [“Sun Microsystems, Inc.”] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ad-Aware 2007 Service, aawservice, “C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe” [“Lavasoft AB”] Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\System32\Ati2evxx.exe” [“ATI Technologies Inc.”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 191 seconds. ---------- (total run time: 1393 seconds)
Sorry for the several messages, I don't know why so many of them got created.
Gutek
(Gutek)
25 June 2007 19:11
#2
Registry cleaning:
RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177
you can go over the registry with that, or
jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509
Run LSP-Fix, tick "I know what I'm doing", then in the Keep pane select the file sdcbzdz.dll, move it to the Remove pane with the arrow (>>) and click Finish
Post a ComboFix log
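The O10 line in the HijackThis log and the "[file not found]" provider in the Silent Runners Winsock catalog listing are two views of the same fault that LSP-Fix repairs. As an added example (not code from this thread, nor from HijackThis, Silent Runners or LSP-Fix), the checker below correlates both kinds of lines and reports which catalog entries still point at the missing DLL; the sample log lines are constructed from the entries quoted in this thread.

```python
"""Correlate HijackThis and Silent Runners output to spot a broken Winsock LSP chain.

Added example; not code from this thread, HijackThis, Silent Runners or LSP-Fix.
HijackThis emits an "O10" line when a Layered Service Provider DLL registered in
the Winsock catalog is missing; Silent Runners lists every Protocol_Catalog9
entry and marks a provider DLL that no longer exists on disk "[file not found]".
One missing provider breaks every TCP/IP socket on the box, which is why the
repair drops the orphaned catalog entries (what LSP-Fix does) instead of
hunting for the DLL.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: the relevant lines from both logs quoted in this thread,
# one line per entry (the forum page had collapsed them onto single lines).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\sdcbzdz.dll' missing
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\System32\sdcbzdz.dll [file not found], 01 - 13, 27
%SystemRoot%\system32\mswsock.dll [MS], 14 - 16, 19 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 17 - 18
"""

# HijackThis O10 line; forum extraction turns the quotes curly, so accept both kinds.
HJT_O10 = re.compile(
    r"^O10 - Broken Internet access because of LSP provider ['‘](?P<dll>[^'’]+)['’] missing",
    re.IGNORECASE,
)
# Silent Runners catalog line: "<dll> [<signer or 'file not found'>], <entry ranges>".
SR_CATALOG = re.compile(
    r"^(?P<dll>.+?\.dll) \[(?P<tag>[^\]]+)\], (?P<ranges>[0-9 ,-]+)$",
    re.IGNORECASE,
)


def catalog_entries(ranges: str) -> list[int]:
    """Expand a Silent Runners range list such as '01 - 13, 27' into [1, ..., 13, 27]."""
    entries: list[int] = []
    for part in ranges.split(","):
        bounds = [int(b) for b in part.split("-")]  # int() tolerates the padding spaces
        if len(bounds) == 1:
            entries.append(bounds[0])
        else:
            lo, hi = bounds
            entries.extend(range(lo, hi + 1))
    return sorted(entries)


def find_missing_lsp(log_text: str) -> dict[str, dict]:
    """Map each LSP DLL reported missing to the tools that saw it and to the catalog
    entries (Silent Runners numbering) that still reference it. Paths are lower-cased
    so the two tools' spellings of the same file land on one key."""
    findings: dict[str, dict] = defaultdict(lambda: {"sources": set(), "entries": []})
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_O10.match(line)
        if m:
            findings[m["dll"].lower()]["sources"].add("hijackthis")
            continue
        m = SR_CATALOG.match(line)
        if m and m["tag"].lower() == "file not found":
            key = m["dll"].lower()
            findings[key]["sources"].add("silentrunners")
            findings[key]["entries"] = catalog_entries(m["ranges"])
    return dict(findings)


def report(findings: dict[str, dict]) -> list[str]:
    """One human-readable line per broken provider."""
    lines = []
    for dll, info in sorted(findings.items()):
        seen = ", ".join(sorted(info["sources"]))
        where = f"catalog entries {info['entries']}" if info["entries"] else "catalog entries unknown"
        lines.append(f"{dll}: missing LSP reported by {seen}; {where}; remove those entries, then reboot")
    return lines


if __name__ == "__main__":
    for line in report(find_missing_lsp(SAMPLE_LOG)):
        print(line)
```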
chen1
(Chen1)
25 June 2007 20:21
#3
I cleaned the registry with jv16 PowerTools, then used LSP-Fix as you told me, and below I paste the ComboFix log:
"All" - 2007-06-25 22:09:27 - ComboFix 07-06-25.3
NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

Infected copy of C:\WINDOWS\system32\drivers\ndis.sys was found & disinfected
C:\DOCUME~1\All\DANEAP~1.\macromedia\Flash Player#SharedObjects\AJDTAEMW\www.broadcaster.com
C:\DOCUME~1\All\DANEAP~1.\macromedia\Flash Player#SharedObjects\AJDTAEMW\www.broadcaster.com\played_list.sol
C:\DOCUME~1\All\DANEAP~1.\macromedia\Flash Player#SharedObjects\AJDTAEMW\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\All\DANEAP~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys#www.broadcaster.com
C:\DOCUME~1\All\DANEAP~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys#www.broadcaster.com\settings.sol
C:\DOCUME~1\All\Pulpit\internet.lnk
C:\WINDOWS\system32\1_exception.nls
C:\WINDOWS\system32\drivers\hd_dirs.cfg
C:\WINDOWS\system32\drivers\hd_rkeys.cfg
C:\WINDOWS\system32\drivers\hd_rvals.cfg
C:\WINDOWS\system32\drivers\rtaldkeb.sys
C:\WINDOWS\system32\drivers\runtime2.sys
Restored copy from - C:\WINDOWS\system32\dllcache\ndis.sys

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_GB
-------\LEGACY_HFLT_IPF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_YRTBTWGH
-------\yrtbtwgh

((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))

2007-06-25 22:08 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-25 21:40 23 --ahs---- C:\WINDOWS\system32\eafdfefbb5_r.dll
2007-06-25 21:40
2007-06-25 13:49
2007-06-25 13:49
2007-06-25 13:49
2007-06-25 10:43 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-06-25 10:43 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-06-25 10:43
2007-06-25 10:33
2007-06-21 20:15 0 --a------ C:\WINDOWS\PowerReg.dat
2007-06-19 20:13 24,832 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-06-13 22:01 16,000 --a------ C:\WINDOWS\system32\drivers\XPC4DRVR.SYS
2007-06-13 21:52 194,200 --a------ C:\WINDOWS\system32\drivers\windrvr6.sys
2007-06-13 10:40
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-27 17:33

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-24 19:22:52 -------- d-----w C:\DOCUME~1\All\DANEAP~1\Skype
2007-06-21 17:58:59 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-19 10:36:03 -------- d-----w C:\Program Files\Gadu-Gadu
2007-06-08 10:15:31 -------- d-----w C:\Program Files\microsoft frontpage
2007-05-31 21:37:35 -------- d-----w C:\DOCUME~1\All\DANEAP~1\Creative
2007-05-24 00:28:12 64,512 ----a-w C:\WINDOWS\system32\souoaaaa.exe
2007-05-11 12:25:44 -------- d-----w C:\DOCUME~1\All\DANEAP~1\Apple Computer
2007-05-04 20:32:03 -------- d-----w C:\DOCUME~1\All\DANEAP~1\GanymedeNet
2007-04-25 14:12:10 64,412 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-04-25 14:12:10 397,726 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-15 13:49:28 720,896 ----a-w C:\WINDOWS\iun6002.exe
2007-04-15 11:19:57 25,992 ----a-w C:\WINDOWS\system32\pgdfgsvc.exe
2007-04-13 13:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 06:12]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-02-05 17:07]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-02-05 17:07]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-02-24 22:10]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 18:24 C:\WINDOWS\system32\Ati2mdxx.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 22:11:27
Windows 5.1.2600 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-25 22:12:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-25 22:11
--- E O F ---
once again, thank you very much for the help
Gutek
(Gutek)
25 June 2007 20:40
#4
to be removed
Scan with AVG Anti-Spyware 7.5 after updating it
chen1
(Chen1)
26 June 2007 16:35
#5
The internet is back. This:
was no longer there.
I installed AVG and it found this:
I removed everything, then cleaned the registry and ran HijackThis; here is the result:
Logfile of HijackThis v1.99.1
Scan saved at 17:49:24, on 2007-06-26
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\All\Pulpit\Użytki\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Then I ran Silent Runners, but unfortunately I only got a partial log:
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SpybotSD TeaTimer” = “C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [“Safer Networking Limited”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “!AVG Anti-Spyware” = ““C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized” [“GRISOFT s.r.o.”] “SynTPLpr” = “C:\Program Files\Synaptics\SynTP\SynTPLpr.exe” [“Synaptics, Inc.”] “SynTPEnh” = “C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [“Synaptics, Inc.”] “ATIModeChange” = “Ati2mdxx.exe” [“ATI Technologies, Inc.”] “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [“ATI Technologies, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no 
title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “AVG Anti-Spyware 7.5” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” [“GRISOFT s.r.o.”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“GRISOFT s.r.o.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“GRISOFT s.r.o.”] WinRAR(Default) = 
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableRegistryTools” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\Web\Wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\Web\Wallpaper\Idylla.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS]
because the script aborts with an error:
Is this the end of my problems, or should I do something else, and why does Silent Runners exit with an error??
Thanks again for the help, I wouldn't have managed on my own.
Gutek
(Gutek)
26 June 2007 23:10
#6
Just in case, post one more ComboFix log
chen1
(Chen1)
27 June 2007 09:20
#7
ComboFix log:
"All" - 2007-06-27 11:09:29 - ComboFix 07-06-25.3
NTFS

((((((((((((((((((((((((( Files Created from 2007-05-27 to 2007-06-27 )))))))))))))))))))))))))))))))

2007-06-26 16:59 25,992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe
2007-06-26 16:32 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-25 22:08 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-25 21:40 23 --ahs---- C:\WINDOWS\system32\eafdfefbb5_r.dll
2007-06-25 21:40
2007-06-25 10:43 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-06-25 10:43 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-06-25 10:43
2007-06-25 10:33
2007-06-21 20:15 0 --a------ C:\WINDOWS\PowerReg.dat
2007-06-19 20:13 24,832 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-06-13 22:01 16,000 --a------ C:\WINDOWS\system32\drivers\XPC4DRVR.SYS
2007-06-13 21:52 194,200 --a------ C:\WINDOWS\system32\drivers\windrvr6.sys
2007-06-13 10:40
2007-05-27 17:33

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-26 21:42:27 -------- d-----w C:\DOCUME~1\All\DANEAP~1\Skype
2007-06-26 15:02:45 64,412 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-06-26 15:02:45 397,726 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-06-21 17:58:59 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-19 10:36:03 -------- d-----w C:\Program Files\Gadu-Gadu
2007-06-08 10:15:31 -------- d-----w C:\Program Files\microsoft frontpage
2007-05-31 21:37:35 -------- d-----w C:\DOCUME~1\All\DANEAP~1\Creative
2007-05-24 00:28:12 64,512 ----a-w C:\WINDOWS\system32\souoaaaa.exe
2007-05-11 12:25:44 -------- d-----w C:\DOCUME~1\All\DANEAP~1\Apple Computer
2007-05-04 20:32:03 -------- d-----w C:\DOCUME~1\All\DANEAP~1\GanymedeNet
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-15 13:49:28 720,896 ----a-w C:\WINDOWS\iun6002.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-02-05 17:07]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-02-05 17:07]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 18:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-02-24 21:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 14:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-27 11:10:32
Windows 5.1.2600 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-27 11:11:09
C:\ComboFix-quarantined-files.txt ... 2007-06-27 11:11
--- E O F ---
qrczak13
(qrczak13)
27 June 2007 17:35
#8
My Computer > Tools > Folder Options > View > check "Show hidden files and folders". It will show up, then delete it.
Scan it at http://www.virustotal.com/vt/ and paste the report after the scan.
Registry cleaning - jv16 PowerTools 2006 1.5.2.350
chen1
(Chen1)
29 June 2007 07:38
#9
This one:
really isn't there; I checked manually and automatically with hidden files visible, so apparently a scan by one of the many programs I've been using recently removed it. As for this file:
here is the scan result from the site:
What should I do with this??
Merged post: 29.06.2007 (Fri) 10:01
I scanned the computer with the Kaspersky Online Scanner; here are the results:
What should I do with this??
adam9870
(adam9870)
29 June 2007 09:07
#10
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.BAT
Go into Safe Mode and run the FIX.BAT file you created. A window will flash briefly when it runs. Then, using the registry editor (Start -> Run -> regedit), find and delete the keys marked in red.
Scan the system with this online scanner -> http://www.ewido.net/de/onlinescan/ and remove everything it finds.
When done, paste a new ComboFix log.
chen1
(Chen1)
29 June 2007 15:27
#11
I ran the program in Safe Mode; those keys were no longer in the registry. Then I ran the scanner from the site and it found only 1 tracking cookie. Below I'm pasting the ComboFix log:
adam9870
(adam9870)
29 June 2007 16:11
#12
It's OK now; do you still have any problems?
chen1
(Chen1)
29 June 2007 20:39
#13
If you say everything is fine now, then I guess that's the end of it. Many thanks to everyone who helped me. Regards
Merged post: 30.06.2007 (Sat) 11:35
I'm now scanning the computer with everything I can, and it seems this isn't the end of the trouble, because Panda detected this and wouldn't remove it:
What should I do with it??
I'll start scanning with other scanners; maybe they'll manage it.
Joan
(Joan Sunshine)
1 July 2007 20:19
#14
The file is from ComboFix; it's a Panda false positive, nothing to worry about.