Proszę o spr logów - Problem z Adware - logi HJT, SR, CF!

Venice3000 · 14 Listopad 2007 16:08

Witam!

Po wczorajszych odwiedzinach serwera “depositfiles” (z nieuniknonymi okienkami pop up) NOD32 wykrywa różne robaczki itp., usunął sporo, ale dwóch plików zainfekowanych potencjalnie nie można usunąć tradycyjnie, ani w trybie awaryjnym - myślę że mają związek z “winlogon” … mowa tutaj o vtstt.dll oraz nnnmnon.dll ( Win32/Adware.Virtumonde application ). Poniżej graficzne alerty z NODa:

Prosiłbym o pomoc w tej sprawie …

a poza tym kompletne sprawdzenie logów i zalecenia, co do wpisów z powyższymi plikami .dll

LOG HJT :!:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:46:14, on 2007-11-14

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe

C:\Program Files\Eset\nod32kui.exe

D:\QuickTimePro\Pliki\qttask.exe

C:\Program Files\Lexmark 5200 series\lxbtbmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\RaConfig.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe

D:\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.napiprojekt.pl/viewtopic.php?p=2916#2916

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - C:\WINDOWS\system32\nnnmnon.dll

O2 - BHO: (no name) - {64B96CAC-D8EB-4293-AD65-0565D4B295B3} - C:\WINDOWS\system32\vtstt.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTimePro\Pliki\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\DOCUME~1\Damianeo\USTAWI~1\Temp\wintavsnet.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe

O8 - Extra context menu item: Clean Traces - D:\DAP85\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: Download with DAP - D:\DAP85\DAP\dapextie.htm

O8 - Extra context menu item: Download all with DAP - D:\DAP85\DAP\dapextie2.htm

O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: nnnmnon - C:\WINDOWS\SYSTEM32\nnnmnon.dll

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O24 - Desktop Component 1: SUPER ODTWARZACZ MP4!!! NAJTANIEJ!! (250675410) - Aukcje internetowe Allegro - http://www.allegro.pl/item250675410_super_odtwarzacz_mp4_najtaniej_.html

O24 - Desktop Component 2: Przedmioty użytkownika - Aukcje internetowe Allegro - http://www.allegro.pl/show_user_auctions.php?uid=3717847gr_id=20161

O24 - Desktop Component 3: ----APOLLO AP-909 CHERRY - 2 GB--NOWY!! (248530420) - Aukcje internetowe Allegro - http://www.allegro.pl/item248530420__apollo_ap_909_cherry_2_gb_nowy_.html

O24 - Desktop Component 4: Mp4 Apollo Dragon GWARANCJA - OKAZJA! (253909760) - Aukcje internetowe Allegro - http://www.allegro.pl/item253909760_mp4_apollo_dragon_gwarancja_okazja_.html

O24 - Desktop Component 5: Super odtwarzacz mp4 z 2" calowym ekranem (247568648) - Aukcje internetowe Allegro - http://www.allegro.pl/item247568648_super_odtwarzacz_mp4_z_2_calowym_ekranem.html


--

End of file - 5594 bytes

[/code]






LOG SR :!:

[code]“Silent Runners.vbs”, revision R51, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “RemoteControl” = ““C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”] “Lexmark 5200 series” = ““C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe”” [“Lexmark International, Inc.”] “CTxfiHlp” = “CTXFIHLP.EXE” [“Creative Technology Ltd”] “nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "] “LXBTCATS” = “rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16” [MS] “QuickTime Task” = ““D:\QuickTimePro\Pliki\qttask.exe” -atboottime” [“Apple Inc.”] “NI.UGA6P_0001_N122M2210” = ““C:\DOCUME~1\Damianeo\USTAWI~1\Temp\wintavsnet.exe”” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) - {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}(Default) = (no title provided) - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nnnmnon.dll” [null data] {64B96CAC-D8EB-4293-AD65-0565D4B295B3}(Default) = (no title provided) - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\vtstt.dll” [null data] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) - {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” - {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” - {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” - {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” - {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” - {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” - {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\WinRAR\rarext.dll” [null data] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” - {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” - {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] “{721A1B24-EC8B-4eda-9CCE-39720B9FA747}” = “WipeExt Class” - {HKLM…CLSID} = “WipeExt Class” \InProcServer32(Default) = “D:\Ace Utilities\wipext.dll” [null data] “{8f7261d0-d2b9-11d2-9909-00605205b24c}” = “CuteFTP 8 Professional Shell Extension” - {HKLM…CLSID} = “CuteFTP 8 Professional Shell Extension” \InProcServer32(Default) = “C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll” [“GlobalSCAPE Texas, LP.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ “{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}” = “*f” (unwritable string) - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nnnmnon.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ nnnmnon\DLLName = “nnnmnon.dll” [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” - {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ CuteFTP 8 Professional(Default) = “{8f7261d0-d2b9-11d2-9909-00605205b24c}” - {HKLM…CLSID} = “CuteFTP 8 Professional Shell Extension” \InProcServer32(Default) = “C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll” [“GlobalSCAPE Texas, LP.”] DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” - {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “D:\DAP85\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” - {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\WinRAR\rarext.dll” [null data] WipeExt(Default) = “{721A1B24-EC8B-4eda-9CCE-39720B9FA747}” - {HKLM…CLSID} = “WipeExt Class” \InProcServer32(Default) = “D:\Ace Utilities\wipext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ CuteFTP 8 Professional(Default) = “{8f7261d0-d2b9-11d2-9909-00605205b24c}” - {HKLM…CLSID} = “CuteFTP 8 Professional Shell Extension” \InProcServer32(Default) = “C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll” [“GlobalSCAPE Texas, LP.”] DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” - {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “D:\DAP85\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” - {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\WinRAR\rarext.dll” [null data] WipeExt(Default) = “{721A1B24-EC8B-4eda-9CCE-39720B9FA747}” - {HKLM…CLSID} = “WipeExt Class” \InProcServer32(Default) = “D:\Ace Utilities\wipext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Damianeo\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\FANTAS~1.SCR” (Fantastic Flame Screensaver.scr) [empty string] Startup items in “Damianeo” “All Users” startup folders: ---------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “RaConfig” - shortcut to: “C:\WINDOWS\system32\RaConfig.exe” [“Ralink Technology, Corp.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 19 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 18 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}” - {HKCU…CLSID} = “Java Plug-in 1.5.0_09” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”] - {HKLM…CLSID} = “Java Plug-in 1.5.0_09” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll” [“Sun Microsystems, Inc.”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ LightScribeService Direct Disc Labeling Service, LightScribeService, ““C:\Program Files\Common Files\LightScribe\LSSrvc.exe”” [“Hewlett-Packard Company”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS] NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] Ulead Burning Helper, UleadBurningHelper, “C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe” [“Ulead Systems, Inc.”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ 5200 Series Port\Driver = “lxbtlmpm.DLL” [“Lexmark International, Inc.”] PDFConverter\Driver = “prnmnt.dll” [null data] ---------- (launch time: 2007-11-14 16:47:25) : Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 42 seconds. ---------- (total run time: 87 seconds)

LOG CF :!:

ComboFix 07-07-30.2 - "Damianeo" 2007-11-14 16:49:56.4 [GMT 1:00] - NTFS

Gutek · 14 Listopad 2007 17:36

Użyj VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone.

Po tym nowy log z Combo

Venice3000 · 14 Listopad 2007 18:07

Tego programu nie mogłem uruchomić niestety, bo sama nazwa wskazuje że właśnie jest on odpowiedni do mojej infekcji kompa.

Natomiast

nie wykrył żadnej infekcji.

Po skanie wszystkich dykow

wykrył i usunął tylko 1 infekcje.

Prosiłbym o alternatywny programik do VirtumundoBeGone, bo pliki .dll pozostały.

Niżej log CF:

ComboFix 07-07-30.2 - "Damianeo" 2007-11-14 19:05:09.5 [GMT 1:00] - NTFS

Gutek · 14 Listopad 2007 18:23

:x

Wklej do Notatnika:

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo, ale przed logiem:

Wklej do Notatnika:

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"Authentication Packages"=-

"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\

  00

Z menu Notatnika Plik Zapisz jako Ustaw rozszerzenie na “Wszystkie pliki” Zapisz jako FIX.REG uruchom ten plik (dwuklik).

Venice3000 · 14 Listopad 2007 18:40

Wszystko tym razem gładko poszło.

Log CF:

ComboFix 07-07-30.2 - "Damianeo" 2007-11-14 19:33:27.7 [GMT 1:00] - NTFS 

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.Prawda



((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))



2007-11-14 18:48	






Niepokoi mnie jeszcze jeden plik

[code]“NI.UGA6P_0001_N122M2210”=“C:\DOCUME~1\Damianeo\USTAWI~1\Temp\wintavsnet.exe”
… ale nie wiem czy jest on groźny :?: A z HJT rozumiem wpis tylko w programie usunąc (bo pozostał “vstt.dll”) - log HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:39:42, on 2007-11-14

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe

C:\Program Files\Eset\nod32kui.exe

D:\QuickTimePro\Pliki\qttask.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Lexmark 5200 series\lxbtbmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\RaConfig.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\explorer.exe

D:\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.napiprojekt.pl/viewtopic.php?p=2916#2916

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {6AC223F9-875F-447A-8173-AA961AA8CFD0} - C:\WINDOWS\system32\vtstt.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTimePro\Pliki\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\DOCUME~1\Damianeo\USTAWI~1\Temp\wintavsnet.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe

O8 - Extra context menu item: &Clean Traces - D:\DAP85\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - D:\DAP85\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - D:\DAP85\DAP\dapextie2.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O24 - Desktop Component 1: SUPER ODTWARZACZ MP4!!! NAJTANIEJ!! (250675410) - Aukcje internetowe Allegro - http://www.allegro.pl/item250675410_super_odtwarzacz_mp4_najtaniej_.html

O24 - Desktop Component 2: Przedmioty użytkownika - Aukcje internetowe Allegro - http://www.allegro.pl/show_user_auctions.php?uid=3717847&gr_id=20161

O24 - Desktop Component 3: ----APOLLO AP-909 CHERRY - 2 GB--NOWY!! (248530420) - Aukcje internetowe Allegro - http://www.allegro.pl/item248530420__apollo_ap_909_cherry_2_gb_nowy_.html

O24 - Desktop Component 4: Mp4 Apollo Dragon GWARANCJA - OKAZJA! (253909760) - Aukcje internetowe Allegro - http://www.allegro.pl/item253909760_mp4_apollo_dragon_gwarancja_okazja_.html

O24 - Desktop Component 5: Super odtwarzacz mp4 z 2" calowym ekranem (247568648) - Aukcje internetowe Allegro - http://www.allegro.pl/item247568648_super_odtwarzacz_mp4_z_2_calowym_ekranem.html


--

End of file - 5292 bytes

[/code]

:?: :?:

Gutek · 14 Listopad 2007 19:30

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.