PSW.VB.KU - ciągle wraca po usunięciu

xTomIx · 11 Wrzesień 2007 14:55

Witam, mam taki mały problem, mój antyvir wykrył trojana PSW.VB.KU który siedzi w c:/windows/iexplorer.exe i tworzy swoje kopie w doc and settings - temporaty internet files… i za kazdym razem jak antyvir go “wyleczy”(usunie ten plik) to po jakims czasie on sie tworzy na nowo

Log z HijackThis:

Logfile of HijackThis v1.99.1 Scan saved at 16:45:48, on 2007-09-11 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\D-Tools\daemon.exe C:\WINDOWS\System32\RunDLL32.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\Winamp\winampa.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\SOUNDMAN.EXE C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\PnkBstrA.exe C:\WINDOWS\System32\PnkBstrB.exe C:\Program Files\Winamp\winamp.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” O4 - HKLM…\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray O4 - HKLM…\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” O4 - HKLM…\Run: [Explorer] C:\WINDOWS\iexplorer.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [bitTorrent] “C:\Program Files\BitTorrent\bittorrent.exe” --force_start_minimized O4 - HKCU…\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog O4 - HKCU…\Run: [data gpl] C:\DOCUME~1\AGA~1\DANEAP~1\planref\PART FIVE TYPE.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\System32\PnkBstrB.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Log z Combfix:

ComboFix 07-09-10.6 - “ťaga” 2007-09-11 16:51:39.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.581 [GMT 2:00] . ((((((((((((((((((((((((( Files Created from 2007-08-11 to 2007-09-11 ))))))))))))))))))))))))))))))) . 2007-09-11 16:47 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-10 20:57 4,212 —h----- C:\WINDOWS\system32\zllictbl.dat 2007-09-10 20:57 2007-09-10 20:54 2007-09-10 18:32 0 --a------ C:\WINDOWS\system32\ne1.exe 2007-09-10 18:32 0 --a------ C:\WINDOWS\system32\it.exe 2007-09-10 18:30 0 --a------ C:\WINDOWS\system32\re1.exe 2007-09-10 18:29 0 --a------ C:\WINDOWS\system32\scricon.exe 2007-09-10 18:26 2007-09-01 18:08 2007-08-29 13:31 2007-08-19 18:54 2007-08-16 00:21 2007-08-13 18:17 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-09-11 00:33 --------- d-------- C:\Program Files\MegauploadToolbar 2007-09-10 20:59 1568 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2007-09-10 20:59 14368 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-09-10 20:59 1244 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2007-09-10 20:59 1220 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx 2007-09-10 20:56 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat 2007-09-10 20:56 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat 2007-09-10 19:41 12027519 --a------ C:\AVG7QT.DAT 2007-09-10 15:09 --------- d-------- C:\Program Files\BitComet 2007-09-04 15:35 99904 --a------ C:\WINDOWS\system32\PnkBstrB.exe 2007-09-04 15:35 22584 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys 2007-09-01 14:21 --------- d-------- C:\Program Files\FlashGet 2007-08-31 14:42 66872 --a------ C:\WINDOWS\system32\PnkBstrA.exe 2007-08-31 14:34 --------- d—s---- C:\Program Files\Xfire 2007-08-14 12:25 --------- d–h----- C:\Program Files\InstallShield Installation Information 2007-08-14 12:25 --------- d-------- C:\Program Files\ARCHPR 2007-08-13 20:47 --------- d-------- C:\Program Files\All Sound Recorder XP 2007-08-09 16:35 --------- d-------- C:\Program Files\Codemasters 2007-08-09 15:29 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll 2007-08-04 15:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Bluetooth 2007-08-04 15:02 --------- d-------- C:\Program Files\IVT Corporation 2007-08-04 13:26 --------- d-------- C:\Program Files\Wolfenstein - Enemy Territory 2007-07-30 21:16 --------- d-------- C:\Program Files\KONAMI 2007-07-30 19:49 20480 --a------ C:\WINDOWS\system32\H@tKeysH@@k.DLL 2007-07-28 22:35 --------- d-------- C:\Program Files\DivX 2007-07-12 09:12 81920 --a------ C:\WINDOWS\system32\frapsvid.dll 2007-07-09 21:07 200704 --a------ C:\WINDOWS\system32\ssldivx.dll 2007-07-09 21:07 1044480 --a------ C:\WINDOWS\system32\libdivx.dll 2007-06-21 21:54 75248 --a------ C:\WINDOWS\zllsputility.exe 2007-06-21 21:54 1086952 --a------ C:\WINDOWS\system32\zpeng24.dll 2005-03-31 23:17 40960 --a------ C:\Program Files\Uninstall_CDS.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NvCplDaemon”=“C:\WINDOWS\System32\NvCpl.dll” [2006-10-22 13:22] “nwiz”=“nwiz.exe” [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe] “RemoteControl”=“C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” [2003-12-08 18:35] “InCD”=“C:\Program Files\Ahead\InCD\InCD.exe” [2005-06-10 16:20] “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 12:50] “DAEMON Tools-1033”=“C:\Program Files\D-Tools\daemon.exe” [2004-08-22 18:05] “NvMediaCenter”=“NvMCTray.dll” [2006-10-22 13:22 C:\WINDOWS\system32\nvmctray.dll] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” [2007-07-12 04:00] “PCSuiteTrayApplication”=“C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe” [2005-03-22 10:39] “DataLayer”=“C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe” [2005-03-31 10:30] “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2006-11-21 19:38] “AVG7_CC”=“C:\PROGRA~1\Grisoft\AVG7\avgcc.exe” [2007-08-14 12:19] “SoundMan”=“SOUNDMAN.EXE” [2005-03-24 15:20 C:\WINDOWS\SOUNDMAN.EXE] “ZoneAlarm Client”=“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [2007-06-21 21:54] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” [2002-09-20 18:05] “BitTorrent”=“C:\Program Files\BitTorrent\bittorrent.exe” [] “PcSync”=“C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe” [2005-04-20 10:57] “data gpl”=“C:\DOCUME~1\AGA~1\DANEAP~1\planref\PART FIVE TYPE.exe” [] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 09:39] C:\DOCUME~1\ALLUSE~1\MENUST~1\Programy\AUTOST~1\ BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-09-20 10:28:16] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04] R1 BIOS;BIOS;??\C:\WINDOWS\System32\drivers\BIOS.sys R1 oreans32;oreans32;??\C:\WINDOWS\system32\drivers\oreans32.sys S3 gdrv;gdrv;??\C:\WINDOWS\gdrv.sys S3 GVCplDrv;GVCplDrv;C:\WINDOWS\System32\drivers\GVCplDrv.sys S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\System32\DRIVERS\MSIRCOMM.sys S3 SF-620;Kingsun SF-620 USB Infrared Adapter;C:\WINDOWS\System32\DRIVERS\SF-620.sys *Newly Created Service* - CATCHME . Contents of the ‘Scheduled Tasks’ folder “2007-09-10 17:00:00 C:\WINDOWS\Tasks\AE26D06F91994997.job” - c:\docume~1\aga~1\daneap~1\planref\Ball license bash.exe . ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-11 16:51:59 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-11 16:52:36 . — E O F —

jessica · 11 Wrzesień 2007 15:29

Te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

Jeśli nie masz jakiegoś narzędzia usuwającego, to ściągnij OTMoveIt

Do pola Paste List of Files/Folders to be Moved wklej poniższe ścieżki:

Następnie wciśnij przycisk MoveIt!

Pojawi się komunikat, że jest potrzebny restart do usunięcia podanych plików/folderów- wciśnij Yes.

Po restarcie usuń ręcznie folder C:** _OTMoveIt** (Prawoklik >>> Usuń >>> Opróżnij Kosz).

Ponieważ pliki “re1.exe”, “it.exe”, “ne1.exe”, zmieniają co chwila swoje nazwy, więc jeszcze użyj SDFix

Uwaga: Da się go uruchomić tylko w Trybie Awaryjnym.

Pokaż Report.txt znajdujący się w folderze SDFix.

Daj też nowe logi z Hijacka i ComboFixa.

jessi

xTomIx · 11 Wrzesień 2007 15:51

Zrobiłem wszystko według poleceń, w OTMoveIt nie żądało restarta więc może coś nie zadziałało

Report z SDFix:

SDFix: Version 1.103 Run by Administrator on 2007-09-11 at 17:42 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Normal Mode: Checking Files: Trojan Files Found: C:\WINDOWS\system32\i - Deleted C:\WINDOWS\system32\TFTP1124 - Deleted C:\WINDOWS\system32\TFTP1232 - Deleted C:\WINDOWS\system32\TFTP2404 - Deleted C:\WINDOWS\system32\TFTP2692 - Deleted C:\WINDOWS\system32\TFTP2772 - Deleted C:\WINDOWS\system32\TFTP3228 - Deleted C:\WINDOWS\system32\TFTP3564 - Deleted Removing Temp Files… ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] Remaining Files: --------------- File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes: C:\WINDOWS\LastGood.Tmp\INF\oem6.inf C:\WINDOWS\LastGood.Tmp\INF\oem6.PNF C:\WINDOWS\LastGood.Tmp\INF\oem7.inf C:\WINDOWS\LastGood.Tmp\INF\oem7.PNF C:\WINDOWS\LastGood.Tmp\INF\oem8.inf C:\WINDOWS\LastGood.Tmp\INF\oem8.PNF C:\WINDOWS\LastGood.Tmp\INF\oem9.inf C:\WINDOWS\LastGood.Tmp\INF\oem9.PNF Finished!

HijackThis Log:

Logfile of HijackThis v1.99.1 Scan saved at 17:48:05, on 2007-09-11 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\PnkBstrA.exe C:\WINDOWS\System32\PnkBstrB.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\D-Tools\daemon.exe C:\WINDOWS\System32\RunDLL32.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\Winamp\winampa.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\SOUNDMAN.EXE C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” O4 - HKLM…\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray O4 - HKLM…\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” O4 - HKLM…\Run: [Explorer] C:\WINDOWS\iexplorer.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [bitTorrent] “C:\Program Files\BitTorrent\bittorrent.exe” --force_start_minimized O4 - HKCU…\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\System32\PnkBstrB.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Combofix:

ComboFix 07-09-10.6 - “ťaga” 2007-09-11 17:50:27.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.582 [GMT 2:00] . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\iexplorer.exe ((((((((((((((((((((((((( Files Created from 2007-08-11 to 2007-09-11 ))))))))))))))))))))))))))))))) . 2007-09-11 16:47 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-10 20:57 4,212 —h----- C:\WINDOWS\system32\zllictbl.dat 2007-09-10 20:57 2007-09-10 20:54 2007-09-10 18:26 2007-09-01 18:08 2007-08-29 13:31 2007-08-19 18:54 2007-08-16 00:21 2007-08-13 18:17 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-09-11 00:33 --------- d-------- C:\Program Files\MegauploadToolbar 2007-09-10 20:59 1568 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2007-09-10 20:59 14368 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-09-10 20:59 1244 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2007-09-10 20:59 1220 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx 2007-09-10 20:56 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat 2007-09-10 20:56 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat 2007-09-10 19:41 12027519 --a------ C:\AVG7QT.DAT 2007-09-10 15:09 --------- d-------- C:\Program Files\BitComet 2007-09-04 15:35 99904 --a------ C:\WINDOWS\system32\PnkBstrB.exe 2007-09-04 15:35 22584 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys 2007-09-01 14:21 --------- d-------- C:\Program Files\FlashGet 2007-08-31 14:42 66872 --a------ C:\WINDOWS\system32\PnkBstrA.exe 2007-08-31 14:34 --------- d—s---- C:\Program Files\Xfire 2007-08-14 12:25 --------- d–h----- C:\Program Files\InstallShield Installation Information 2007-08-14 12:25 --------- d-------- C:\Program Files\ARCHPR 2007-08-13 20:47 --------- d-------- C:\Program Files\All Sound Recorder XP 2007-08-09 16:35 --------- d-------- C:\Program Files\Codemasters 2007-08-09 15:29 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll 2007-08-04 15:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Bluetooth 2007-08-04 15:02 --------- d-------- C:\Program Files\IVT Corporation 2007-08-04 13:26 --------- d-------- C:\Program Files\Wolfenstein - Enemy Territory 2007-07-30 21:16 --------- d-------- C:\Program Files\KONAMI 2007-07-30 19:49 20480 --a------ C:\WINDOWS\system32\H@tKeysH@@k.DLL 2007-07-28 22:35 --------- d-------- C:\Program Files\DivX 2007-07-12 09:12 81920 --a------ C:\WINDOWS\system32\frapsvid.dll 2007-07-09 21:07 200704 --a------ C:\WINDOWS\system32\ssldivx.dll 2007-07-09 21:07 1044480 --a------ C:\WINDOWS\system32\libdivx.dll 2007-06-21 21:54 75248 --a------ C:\WINDOWS\zllsputility.exe 2007-06-21 21:54 1086952 --a------ C:\WINDOWS\system32\zpeng24.dll 2005-03-31 23:17 40960 --a------ C:\Program Files\Uninstall_CDS.exe . ((((((((((((((((((((((((((((( snapshot_2007-09-11_164924,73 ))))))))))))))))))))))))))))))))))))))))) . ----a-w 393,216 2007-09-11 15:40:43 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT ----a-w 8,192 2007-09-11 15:40:43 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat . ----a-w 393,216 2007-09-10 16:26:45 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT ----a-w 8,192 2007-09-10 16:26:45 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NvCplDaemon”=“C:\WINDOWS\System32\NvCpl.dll” [2006-10-22 13:22] “nwiz”=“nwiz.exe” [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe] “RemoteControl”=“C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” [2003-12-08 18:35] “InCD”=“C:\Program Files\Ahead\InCD\InCD.exe” [2005-06-10 16:20] “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 12:50] “DAEMON Tools-1033”=“C:\Program Files\D-Tools\daemon.exe” [2004-08-22 18:05] “NvMediaCenter”=“NvMCTray.dll” [2006-10-22 13:22 C:\WINDOWS\system32\nvmctray.dll] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” [2007-07-12 04:00] “PCSuiteTrayApplication”=“C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe” [2005-03-22 10:39] “DataLayer”=“C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe” [2005-03-31 10:30] “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2006-11-21 19:38] “AVG7_CC”=“C:\PROGRA~1\Grisoft\AVG7\avgcc.exe” [2007-08-14 12:19] “SoundMan”=“SOUNDMAN.EXE” [2005-03-24 15:20 C:\WINDOWS\SOUNDMAN.EXE] “ZoneAlarm Client”=“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [2007-06-21 21:54] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” [2002-09-20 18:05] “BitTorrent”=“C:\Program Files\BitTorrent\bittorrent.exe” [] “PcSync”=“C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe” [2005-04-20 10:57] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 09:39] C:\DOCUME~1\ALLUSE~1\MENUST~1\Programy\AUTOST~1\ BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-09-20 10:28:16] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04] R1 BIOS;BIOS;??\C:\WINDOWS\System32\drivers\BIOS.sys R1 oreans32;oreans32;??\C:\WINDOWS\system32\drivers\oreans32.sys S3 gdrv;gdrv;??\C:\WINDOWS\gdrv.sys S3 GVCplDrv;GVCplDrv;C:\WINDOWS\System32\drivers\GVCplDrv.sys S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\System32\DRIVERS\MSIRCOMM.sys S3 SF-620;Kingsun SF-620 USB Infrared Adapter;C:\WINDOWS\System32\DRIVERS\SF-620.sys . ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-11 17:50:58 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-11 17:51:35 C:\ComboFix-quarantined-files.txt … 2007-09-11 17:51 C:\ComboFix2.txt … 2007-09-11 16:52 . — E O F —

jessica · 11 Wrzesień 2007 16:06

Po użyciu OTMoveIt trzeba samemu zrestartować komputer.

Ale to i tak zostało usunięte.

Chyba z jednym wyjątkiem:

Ten wpis dalej jest w Hijacku, choć plik był usunięty.

Teraz nie wiem, czy infekcja powróciła, czy to tylko pusty wpis, bo w logu ComboFixa, tego wpisu nie widać, a widać, że plik jest usunięty.

W każdym razie - zrobimy powtórkę:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

Potem użyj ComboFixa, bo widzę, że potrafi to usuwać.

I daj nowe logi.

jessi

xTomIx · 11 Wrzesień 2007 16:17

Ok teraz mamy tak:

Combofix:

ComboFix 07-09-10.6 - “ťaga” 2007-09-11 18:11:13.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.686 [GMT 2:00] . ((((((((((((((((((((((((( Files Created from 2007-08-11 to 2007-09-11 ))))))))))))))))))))))))))))))) . 2007-09-11 16:47 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-10 20:57 4,212 —h----- C:\WINDOWS\system32\zllictbl.dat 2007-09-10 20:57 2007-09-10 20:54 2007-09-10 18:26 2007-09-01 18:08 2007-08-29 13:31 2007-08-19 18:54 2007-08-16 00:21 2007-08-13 18:17 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-09-11 00:33 --------- d-------- C:\Program Files\MegauploadToolbar 2007-09-10 20:59 1568 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2007-09-10 20:59 14368 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-09-10 20:59 1244 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2007-09-10 20:59 1220 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx 2007-09-10 20:56 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat 2007-09-10 20:56 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat 2007-09-10 19:41 12027519 --a------ C:\AVG7QT.DAT 2007-09-10 15:09 --------- d-------- C:\Program Files\BitComet 2007-09-04 15:35 99904 --a------ C:\WINDOWS\system32\PnkBstrB.exe 2007-09-04 15:35 22584 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys 2007-09-01 14:21 --------- d-------- C:\Program Files\FlashGet 2007-08-31 14:42 66872 --a------ C:\WINDOWS\system32\PnkBstrA.exe 2007-08-31 14:34 --------- d—s---- C:\Program Files\Xfire 2007-08-14 12:25 --------- d–h----- C:\Program Files\InstallShield Installation Information 2007-08-14 12:25 --------- d-------- C:\Program Files\ARCHPR 2007-08-13 20:47 --------- d-------- C:\Program Files\All Sound Recorder XP 2007-08-09 16:35 --------- d-------- C:\Program Files\Codemasters 2007-08-09 15:29 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll 2007-08-04 15:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Bluetooth 2007-08-04 15:02 --------- d-------- C:\Program Files\IVT Corporation 2007-08-04 13:26 --------- d-------- C:\Program Files\Wolfenstein - Enemy Territory 2007-07-30 21:16 --------- d-------- C:\Program Files\KONAMI 2007-07-30 19:49 20480 --a------ C:\WINDOWS\system32\H@tKeysH@@k.DLL 2007-07-28 22:35 --------- d-------- C:\Program Files\DivX 2007-07-12 09:12 81920 --a------ C:\WINDOWS\system32\frapsvid.dll 2007-07-09 21:07 200704 --a------ C:\WINDOWS\system32\ssldivx.dll 2007-07-09 21:07 1044480 --a------ C:\WINDOWS\system32\libdivx.dll 2007-06-21 21:54 75248 --a------ C:\WINDOWS\zllsputility.exe 2007-06-21 21:54 1086952 --a------ C:\WINDOWS\system32\zpeng24.dll 2005-03-31 23:17 40960 --a------ C:\Program Files\Uninstall_CDS.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NvCplDaemon”=“C:\WINDOWS\System32\NvCpl.dll” [2006-10-22 13:22] “nwiz”=“nwiz.exe” [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe] “RemoteControl”=“C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” [2003-12-08 18:35] “InCD”=“C:\Program Files\Ahead\InCD\InCD.exe” [2005-06-10 16:20] “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 12:50] “DAEMON Tools-1033”=“C:\Program Files\D-Tools\daemon.exe” [2004-08-22 18:05] “NvMediaCenter”=“NvMCTray.dll” [2006-10-22 13:22 C:\WINDOWS\system32\nvmctray.dll] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” [2007-07-12 04:00] “PCSuiteTrayApplication”=“C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe” [2005-03-22 10:39] “DataLayer”=“C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe” [2005-03-31 10:30] “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2006-11-21 19:38] “AVG7_CC”=“C:\PROGRA~1\Grisoft\AVG7\avgcc.exe” [2007-08-14 12:19] “SoundMan”=“SOUNDMAN.EXE” [2005-03-24 15:20 C:\WINDOWS\SOUNDMAN.EXE] “ZoneAlarm Client”=“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [2007-06-21 21:54] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” [2002-09-20 18:05] “BitTorrent”=“C:\Program Files\BitTorrent\bittorrent.exe” [] “PcSync”=“C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe” [2005-04-20 10:57] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 09:39] C:\DOCUME~1\ALLUSE~1\MENUST~1\Programy\AUTOST~1\ BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-09-20 10:28:16] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04] R1 BIOS;BIOS;??\C:\WINDOWS\System32\drivers\BIOS.sys R1 oreans32;oreans32;??\C:\WINDOWS\system32\drivers\oreans32.sys S3 gdrv;gdrv;??\C:\WINDOWS\gdrv.sys S3 GVCplDrv;GVCplDrv;C:\WINDOWS\System32\drivers\GVCplDrv.sys S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\System32\DRIVERS\MSIRCOMM.sys S3 SF-620;Kingsun SF-620 USB Infrared Adapter;C:\WINDOWS\System32\DRIVERS\SF-620.sys . ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-11 18:12:12 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-11 18:12:48 . — E O F —

HijackThis:

Logfile of HijackThis v1.99.1 Scan saved at 18:15:26, on 2007-09-11 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\D-Tools\daemon.exe C:\WINDOWS\System32\RunDLL32.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\Winamp\winampa.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\SOUNDMAN.EXE C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\PnkBstrA.exe C:\WINDOWS\System32\PnkBstrB.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” O4 - HKLM…\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray O4 - HKLM…\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” O4 - HKLM…\Run: [Explorer] C:\WINDOWS\iexplorer.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [bitTorrent] “C:\Program Files\BitTorrent\bittorrent.exe” --force_start_minimized O4 - HKCU…\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\System32\PnkBstrB.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

no i jak widać ten plik ciągle pojawia się na nowo, a oprócz tego w

C:\Documents and Settings\Łaga\Ustawienia lokalne\Temporary Internet Files co chwila pojawiają sie te same pliki iexplorer.exe i to po pare… nie wiem skad to sie bierze… co dalej?

Złączono Posta : 11.09.2007 (Wto) 18:27

Popatrz na to, kiedy pojawił się na nowo to zrobiłem samego Combofixa bez Hijacka i combo go wykrył:

ComboFix 07-09-10.6 - “ťaga” 2007-09-11 18:23:43.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.676 [GMT 2:00] . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\iexplorer.exe ((((((((((((((((((((((((( Files Created from 2007-08-11 to 2007-09-11 ))))))))))))))))))))))))))))))) . 2007-09-11 16:47 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-10 20:57 4,212 —h----- C:\WINDOWS\system32\zllictbl.dat 2007-09-10 20:57 2007-09-10 20:54 2007-09-10 18:26 2007-09-01 18:08 2007-08-29 13:31 2007-08-19 18:54 2007-08-16 00:21 2007-08-13 18:17 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-09-11 00:33 --------- d-------- C:\Program Files\MegauploadToolbar 2007-09-10 20:59 1568 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2007-09-10 20:59 14368 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-09-10 20:59 1244 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2007-09-10 20:59 1220 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx 2007-09-10 20:56 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat 2007-09-10 20:56 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat 2007-09-10 19:41 12027519 --a------ C:\AVG7QT.DAT 2007-09-10 15:09 --------- d-------- C:\Program Files\BitComet 2007-09-04 15:35 99904 --a------ C:\WINDOWS\system32\PnkBstrB.exe 2007-09-04 15:35 22584 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys 2007-09-01 14:21 --------- d-------- C:\Program Files\FlashGet 2007-08-31 14:42 66872 --a------ C:\WINDOWS\system32\PnkBstrA.exe 2007-08-31 14:34 --------- d—s---- C:\Program Files\Xfire 2007-08-14 12:25 --------- d–h----- C:\Program Files\InstallShield Installation Information 2007-08-14 12:25 --------- d-------- C:\Program Files\ARCHPR 2007-08-13 20:47 --------- d-------- C:\Program Files\All Sound Recorder XP 2007-08-09 16:35 --------- d-------- C:\Program Files\Codemasters 2007-08-09 15:29 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll 2007-08-04 15:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Bluetooth 2007-08-04 15:02 --------- d-------- C:\Program Files\IVT Corporation 2007-08-04 13:26 --------- d-------- C:\Program Files\Wolfenstein - Enemy Territory 2007-07-30 21:16 --------- d-------- C:\Program Files\KONAMI 2007-07-30 19:49 20480 --a------ C:\WINDOWS\system32\H@tKeysH@@k.DLL 2007-07-28 22:35 --------- d-------- C:\Program Files\DivX 2007-07-12 09:12 81920 --a------ C:\WINDOWS\system32\frapsvid.dll 2007-07-09 21:07 200704 --a------ C:\WINDOWS\system32\ssldivx.dll 2007-07-09 21:07 1044480 --a------ C:\WINDOWS\system32\libdivx.dll 2007-06-21 21:54 75248 --a------ C:\WINDOWS\zllsputility.exe 2007-06-21 21:54 1086952 --a------ C:\WINDOWS\system32\zpeng24.dll 2005-03-31 23:17 40960 --a------ C:\Program Files\Uninstall_CDS.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NvCplDaemon”=“C:\WINDOWS\System32\NvCpl.dll” [2006-10-22 13:22] “nwiz”=“nwiz.exe” [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe] “RemoteControl”=“C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” [2003-12-08 18:35] “InCD”=“C:\Program Files\Ahead\InCD\InCD.exe” [2005-06-10 16:20] “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 12:50] “DAEMON Tools-1033”=“C:\Program Files\D-Tools\daemon.exe” [2004-08-22 18:05] “NvMediaCenter”=“NvMCTray.dll” [2006-10-22 13:22 C:\WINDOWS\system32\nvmctray.dll] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” [2007-07-12 04:00] “PCSuiteTrayApplication”=“C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe” [2005-03-22 10:39] “DataLayer”=“C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe” [2005-03-31 10:30] “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2006-11-21 19:38] “AVG7_CC”=“C:\PROGRA~1\Grisoft\AVG7\avgcc.exe” [2007-08-14 12:19] “SoundMan”=“SOUNDMAN.EXE” [2005-03-24 15:20 C:\WINDOWS\SOUNDMAN.EXE] “ZoneAlarm Client”=“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [2007-06-21 21:54] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” [2002-09-20 18:05] “BitTorrent”=“C:\Program Files\BitTorrent\bittorrent.exe” [] “PcSync”=“C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe” [2005-04-20 10:57] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 09:39] C:\DOCUME~1\ALLUSE~1\MENUST~1\Programy\AUTOST~1\ BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-09-20 10:28:16] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04] R1 BIOS;BIOS;??\C:\WINDOWS\System32\drivers\BIOS.sys R1 oreans32;oreans32;??\C:\WINDOWS\system32\drivers\oreans32.sys S3 gdrv;gdrv;??\C:\WINDOWS\gdrv.sys S3 GVCplDrv;GVCplDrv;C:\WINDOWS\System32\drivers\GVCplDrv.sys S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\System32\DRIVERS\MSIRCOMM.sys S3 SF-620;Kingsun SF-620 USB Infrared Adapter;C:\WINDOWS\System32\DRIVERS\SF-620.sys . ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-11 18:24:02 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-11 18:24:46 C:\ComboFix-quarantined-files.txt … 2007-09-11 18:24 C:\ComboFix2.txt … 2007-09-11 18:12 . — E O F —

no i w momencie kiedy włączyłem firefoxa to plik na nowo pojawił się w windows\iexplorer.exe oraz w temporary internet files… wiec on sie odnawia kiedy uruchamiam przeglądarke… to co mam usunąć firefoxa? przeinstalować czy jak?

jessica · 11 Wrzesień 2007 16:38

Tak - czarno to widzę, chyba trzeba będzie sformatować dysk.

Na razie:

Opróżnij całkowicie folder “Temporary Internet Files”.
Ściągnij -->GMER.
Otwórz Notatnik i wklej do niego:

Plik >>> zapisz jako >>> zmień rozszerzenie z TXT na wszystkie typy plików >>> zapisz pod nazwą FIX.BAT

( np. na C:\ )

Uruchom Gmer, w >>>zakładce Procesy wybierz Gmer Awaryjny. Komputer się zresetuje i uruchomi się Gmer.

Wybierz znów >>>zakładkę Procesy i na dole w „Poleceniu” przez trzy kropki wskaż plik FIX.BAT , po czym go uruchom (dwuklik).

Potem zrób log z GMERa na ustawieniu:

>>>Rootkit>>zaznacz tylko “Usługi” i “Pokaż wszystko”>>Szukaj>>Kopiuj>>CTRL+V do Notatnika (zapisz gdzieś).

Log wklej na http://wklej.org/, a w poście daj tylko link.

Daj też nowy log z Hijacka, oczywiście po sfiksowaniu tego wpisu “O4”.

jessi

xTomIx · 11 Wrzesień 2007 17:15

w Gmerze wyskoczyło że nie można usunąć tego pliku…

ale nie wiesz dlaczego ten plik powraca za każdym razem po odpaleniu firefoxa? musi być jakiś sposób poza formatem, pozatym ten plik właściwie nic nie robi tylko jest, a format byłby dla mnie w tej chwili katastrofą…

Leon1 · 11 Wrzesień 2007 18:32

A masz wyłączone przywracanie systemu na wszystkich dyskach?jak nie to wyłącz

przeleć to Combo

otwórz notatnik wklej

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"Explorer"=-

zapisz jako plik.reg >> wszystkie pliki >> scal z rejestrem >> restart

xTomIx · 11 Wrzesień 2007 19:14

Zrobiłem tak jak napisałeś:

wyłączyłem przywracanie systemu…
przeleciałem to combo, który usunął plik iexplorer.exe
stworzyłem plik.reg z tym kluczem i dodałem go do rejestru
restart kompa

i po odpaleniu mozilli firefox, iexplorer.exe znowu się pojawił więc bezkutecznie…

do czego wogóle owy wpis do rejestru służy?

Leon1 · 11 Wrzesień 2007 20:10

Czy po włączeniu Internet Explorera też powraca ten wpis czy tylko przy Mozilli?

xTomIx · 11 Wrzesień 2007 21:23

tylko przy mozilli

jessica · 12 Wrzesień 2007 09:30

A może wystarczy usunąć Mozillę i potem od nowa zainstalować?

jessi

xTomIx · 12 Wrzesień 2007 10:32

tego próbowałem już wcześniej, ale po ponownym zainstalowaniu i odpaleniu plik wraca… ciekawe

jessica · 12 Wrzesień 2007 10:35

W takim razie wywal całkiem Mozillę, a zainstaluj np. Operę.

Być może Twoja Mozilla pochodziła z niesprawdzonego źródła i była zarażona.

jessi

xTomIx · 12 Wrzesień 2007 13:23

Nie chce innej przeglądarki
Korzystam z niej od 4 miesięcy a problem pojawił się pare dni temu, więc to nie mozilla była zarażona tylko jakiś plik się pod nią “podczepił” i napewno można się tego jakoś pozbyć…

Leon1 · 12 Wrzesień 2007 15:54

Czy po odinstalowaniu usuwałeś coś z profili i czyściłeś rejestr?

Jeśli nie to spróbuj jeszcze raz odinstalować

Pobierz instalkę FF

Pobierz i zainstaluj CCleaner 2.00.500 http://www.filehippo.com/download_ccleaner/

Cleaner - uruchom - wyczyści co niepotrzebne

Rejestr - skanuj by znaleźć problemy - usunie błędne lub puste wpisy w rejestrze

Odinstaluj FF

Opcje folderów >> Widok >> Wyczyść pola przy ukryj chronione pliki systemu >> zaznacz pokaż ukryte pliki i foldery >> zatwierdź

Wejdź do profili

C:\Documents and Settings???\Dane aplikacji\ Mozilla - usuń

Przeskanuj CCleanerem

Wywal Combofixem ten nieszczęsny plik C:\WINDOWS\ iexplorer.exe

Dopiero później zainstaluj na nowo FF

xTomIx · 13 Wrzesień 2007 10:29

no i pozamiatane zrobiłem tak jak napisałeś i póki co plik nie powrócił

dzięki wszystkim za pomoc…