SdBot Trojan

mms · 10 Maj 2007 15:33

Od jakiegoś czasu Nod32 informuje mnie, że wykrywa jakiś plik w C:\WINDOWS\system32 i przenosi go do kwarantanny.

piki nazywają się różnie “trzy literki.exe”. Odmiana wirusa: IRC/SdBot trojan. Po takim komunikacie komp nie wykrywa karty dźwiękowej dopóki nie przeinstaluje sterowników soundblastera lub nie zrestartuje go (nie zawsze działa). Ponad to zalicza dziwne zwieszki, np. teraz nie mogę przechodzić pomiędzy oknami wciskając okienka na pasku na dole. Skanowałem Nodem, XoftSpySE, Spy bot & destroy, on line Kasperski i MksVir… nici. Pomocy jest coraz gorzej.

Gutek · 10 Maj 2007 17:22

Daj logi HJT + Silenta

mms · 10 Maj 2007 18:14

hjt:

Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 19:47:09, on 2007-05-10 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\userinit.exe C:\WINDOWS\Explorer.EXE C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\D-Tools\daemon.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Eset\nod32kui.exe C:\WINDOWS\CTHELPER.EXE C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Gadu-Gadu\gg.exe C:\totalcmd\TOTALCMD.EXE C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\hjt\HiJackThis_v2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [NVMixerTray] “C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe” O4 - HKLM…\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe” O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot O4 - HKLM…\Run: [spywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [CTHelper] CTHELPER.EXE O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe – End of file - 4858 bytes

sillent:

“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] “(Default)” = (empty string) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “NVMixerTray” = ““C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe”” [“NVIDIA Corporation”] “Adobe Photo Downloader” = ““C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe”” [“Adobe Systems Incorporated”] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit” [MS] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “DAEMON Tools-1033” = ““C:\Program Files\D-Tools\daemon.exe” -lang 1033” [“VeNoM386 and SwENSkE”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “TkBellExe” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”] “SpywareBot” = “C:\Program Files\SpywareBot\SpywareBot.exe -boot” [file not found] “nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "] “CTHelper” = “CTHELPER.EXE” [“Creative Technology Ltd”] HKLM\Software\Microsoft\Active Setup\Installed Components\ {306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided) \StubPath = ““C:\WINDOWS\System32\rundll32.exe” “C:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\rpshell.dll” [file not found] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{e82a2d71-5b2f-43a0-97b8-81be15854de8}” = “ShellLink for Application References” -> {HKLM…CLSID} = “ShellLink for Application References” \InProcServer32(Default) = “C:\WINDOWS\System32\dfshim.dll” [MS] “{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}” = “Shell Icon Handler for Application References” -> {HKLM…CLSID} = “Shell Icon Handler for Application References” \InProcServer32(Default) = “C:\WINDOWS\System32\dfshim.dll” [MS] “{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}” = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{087B3AE3-E237-4467-B8DB-5A38AB959AC9}” = “OpenOffice.org Infotip Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice.org Property Sheet Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{3B092F0C-7696-40E3-A80F-68D74DA84210}” = “OpenOffice.org Thumbnail Viewer” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] PandoShellExt(Default) = “{9C150845-2A2D-44CC-90B3-AA03480AA3D2}” -> {HKLM…CLSID} = “PDShellExt Class” \InProcServer32(Default) = “C:\Program Files\Pando Networks\Pando\PandoShellExt.dll” [“Pando Networks”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ PandoShellExt(Default) = “{9C150845-2A2D-44CC-90B3-AA03480AA3D2}” -> {HKLM…CLSID} = “PDShellExt Class” \InProcServer32(Default) = “C:\Program Files\Pando Networks\Pando\PandoShellExt.dll” [“Pando Networks”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Enabled Scheduled Tasks: ------------------------ “RegCure Program Check” -> launches: “C:\Program Files\RegCure\RegCure.exe ShowReminders” [null data] “RegCure” -> launches: “C:\Program Files\RegCure\RegCure.exe -t” [null data] “SpywareBot Scheduled Scan” -> launches: “C:\Program Files\SpywareBot\SpywareBot.exe scheduled” [file not found] “Uniblue SpyEraser Nag” -> launches: “C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe -ynag” [file not found] “XoftSpySE 2” -> launches: “C:\Program Files\XoftSpySE\XoftSpy.exe ShowReminders” [“ParetoLogic”] “XoftSpySE” -> launches: “C:\Program Files\XoftSpySE\XoftSpy.exe -t” [“ParetoLogic”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 21 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 20 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.6.0_01” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.6.0_01” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll” [“Sun Microsystems, Inc.”] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] pdfinst\Driver = “pdfmont.dll” [“PDF Bean Inc.”] PrimoMon\Driver = “Primomonnt.dll” [null data] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 160 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 320 seconds. ---------- (total run time: 921 seconds)

Gutek · 10 Maj 2007 18:55

usuń wpisy HJT

Skan AVG Anti-Spyware 7.5 po update

mms · 10 Maj 2007 19:29

dzieki, ale jak mam je usunąć?? po prostu wykasować ten plik??

Gutek · 10 Maj 2007 19:34

Zaznaczyć wskazane wpisy w Hijacku i kliknąć Fix checked - opis w temacie przyklejonym - http://forum.dobreprogramy.pl/viewtopic.php?t=36654

mms · 10 Maj 2007 20:55

what next?? przeskanowałem (raport poniżej) i dałem “delate on reboot” - same trackingi. po restarcie skanuje jeszcze raz… połowa coockies sie powtarza. no i znowu nod32 wyświetlił mi wiadomość o tym SdBot Trojan - po tym komunikacie nie działa nic na pasku na dole. poza tym jak zmieniam alt-tab’em okna to pomiędzy innymi pojawiła się jakaś dziwna ikonka - monitor - takiej jeszcze nie widziałem

--------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 22:24:28 2007-05-10 + Scan result: D:\progsy\Total Commander 6.0\Reg\total-commander-v6.0-patch.zip/total-commander-v6.0-patch.exe -> Logger.Banker.zn : No action taken. C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken. :mozilla.575:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adbrite : No action taken. :mozilla.576:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adbrite : No action taken. :mozilla.81:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adbrite : No action taken. :mozilla.82:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adbrite : No action taken. :mozilla.203:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adocean : No action taken. :mozilla.204:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adocean : No action taken. :mozilla.276:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adocean : No action taken. :mozilla.277:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adocean : No action taken. :mozilla.278:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adocean : No action taken. :mozilla.279:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adocean : No action taken. :mozilla.27:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adocean : No action taken. :mozilla.28:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adocean : No action taken. :mozilla.29:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adocean : No action taken. :mozilla.30:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adocean : No action taken. :mozilla.313:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adocean : No action taken. :mozilla.314:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adocean : No action taken. :mozilla.411:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adocean : No action taken. :mozilla.412:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adocean : No action taken. :mozilla.413:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adocean : No action taken. :mozilla.484:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adocean : No action taken. :mozilla.485:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Adocean : No action taken. C:\Documents and Settings\ja\Cookies\ja@gde.adocean[2].txt -> TrackingCookie.Adocean : No action taken. :mozilla.74:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Bbmedia : No action taken. :mozilla.147:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Connextra : No action taken. :mozilla.148:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Connextra : No action taken. :mozilla.833:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Etracker : No action taken. :mozilla.7:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Gemius : No action taken. :mozilla.8:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Gemius : No action taken. C:\Documents and Settings\ja\Cookies\ja@hit.gemius[1].txt -> TrackingCookie.Gemius : No action taken. :mozilla.843:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken. :mozilla.844:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken. :mozilla.845:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken. :mozilla.846:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken. :mozilla.847:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken. :mozilla.848:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken. :mozilla.849:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken. :mozilla.850:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken. :mozilla.851:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken. :mozilla.332:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Ivwbox : No action taken. :mozilla.13:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Netflame : No action taken. :mozilla.890:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Paypal : No action taken. :mozilla.476:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Pocitadlo : No action taken. :mozilla.515:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Real : No action taken. :mozilla.516:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Realmedia : No action taken. :mozilla.517:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Realmedia : No action taken. :mozilla.523:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Revsci : No action taken. :mozilla.524:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Revsci : No action taken. :mozilla.525:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Revsci : No action taken. :mozilla.526:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Revsci : No action taken. :mozilla.527:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Revsci : No action taken. :mozilla.686:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Revsci : No action taken. :mozilla.587:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Tacoda : No action taken. :mozilla.588:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Tacoda : No action taken. :mozilla.589:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Tacoda : No action taken. :mozilla.590:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Tacoda : No action taken. :mozilla.595:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Toplist : No action taken. :mozilla.605:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken. :mozilla.24:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken. :mozilla.150:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Xhit : No action taken. :mozilla.151:C:\Documents and Settings\ja\Dane aplikacji\Mozilla\Firefox\Profiles\pykb4564.default\cookies.txt -> TrackingCookie.Xhit : No action taken. ::Report end

dzięki, ale chyba niewiele to pomogło

pozdrawiam

Gutek · 10 Maj 2007 22:35

Daj log z Combofix - http://download.bleepingcomputer.com/sUBs/ComboFix.exe

mms · 11 Maj 2007 13:30

“ja” - 2007-05-11 15:25:21 Dodatek Service Pack. 1 ComboFix 07-05.09.V - Running from: “C:\Program Files\Mozilla Thunderbird” ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-11 )))))))))))))))))))))))))))))))))) 2007-05-10 21:45 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-05-10 19:44 2007-05-09 21:30 9,856 --a------ C:\WINDOWS\system32\drivers\gameenum.sys 2007-05-09 21:30 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys 2007-05-09 21:30 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys 2007-05-09 21:29 10,240 --a------ C:\WINDOWS\CTDCRES.DLL 2007-05-09 21:26 2007-05-09 21:26 2007-05-09 21:26 2007-05-09 21:20 75,264 --a------ C:\WINDOWS\system32\MACDec.dll 2007-05-09 21:20 61,440 --a------ C:\WINDOWS\system32\libfaac.dll 2007-05-09 21:20 45,568 --a------ C:\WINDOWS\system32\huffyuv.dll 2007-05-09 21:20 446,464 --a------ C:\WINDOWS\system32\vp31vfw.dll 2007-05-09 21:20 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll 2007-05-09 21:20 421,888 --a------ C:\WINDOWS\system32\OpenQuicktimeLib.dll 2007-05-09 21:20 286,720 --a------ C:\WINDOWS\system32\3ivxVfWCodec.dll 2007-05-09 21:20 245,408 --a------ C:\WINDOWS\system32\unicows.dll 2007-05-09 21:20 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll 2007-05-09 16:14 8,192 --a------ C:\WINDOWS\system32\nap.exe 2007-05-09 16:08 0 --a------ C:\WINDOWS\system32\xkz.exe 2007-05-09 16:03 4,096 --a------ C:\WINDOWS\system32\ltb.exe 2007-05-09 15:57 4,096 --a------ C:\WINDOWS\system32\vsv.exe 2007-05-09 15:38 8,192 --a------ C:\WINDOWS\system32\mdc.exe 2007-05-09 14:00 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe 2007-05-09 14:00 2007-05-09 14:00 2007-05-09 14:00 2007-05-09 01:57 2007-05-08 22:17 0 --a------ C:\WINDOWS\system32\SBRC.dat 2007-05-08 22:17 0 --a------ C:\WINDOWS\system32\SBFC.dat 2007-05-08 21:51 2007-05-08 20:00 2007-05-08 19:04 2007-05-08 18:38 2007-05-08 18:18 2007-05-08 14:43 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-04 17:44 774,656 --a------ C:\WINDOWS\system32\mmc.exe 2007-05-04 17:26 2007-05-04 17:01 2007-05-04 16:56 73,728 --a------ C:\WINDOWS\system32\dpl100.dll 2007-05-04 16:56 679,936 --a------ C:\WINDOWS\system32\xvidcore.dll 2007-05-04 16:56 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2007-05-04 16:56 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll 2007-05-04 16:56 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll 2007-05-04 16:56 196,608 --a------ C:\WINDOWS\system32\dtu100.dll 2007-05-04 16:56 155,648 --a------ C:\WINDOWS\system32\xvidvfw.dll 2007-05-04 16:56 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll 2007-05-04 16:55 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll 2007-05-04 16:55 2007-05-02 18:18 2007-04-29 23:38 2007-04-29 23:31 77,824 --a------ C:\WINDOWS\system32\mplaw7.dll 2007-04-29 23:31 77,824 --a------ C:\WINDOWS\system32\mplaa6.dll 2007-04-29 23:31 65,536 --a------ C:\WINDOWS\system32\mplapx.dll 2007-04-29 23:31 65,536 --a------ C:\WINDOWS\system32\mplam6.dll 2007-04-29 23:31 1,650,688 --a------ C:\WINDOWS\system32\mplva6.dll 2007-04-29 23:31 1,581,056 --a------ C:\WINDOWS\system32\mplvw7.dll 2007-04-29 23:31 1,552,384 --a------ C:\WINDOWS\system32\mplvm6.dll 2007-04-29 23:31 1,122,304 --a------ C:\WINDOWS\system32\mplvpx.dll 2007-04-29 20:28 2007-04-28 18:18 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-04-28 18:18 298,104 --a------ C:\WINDOWS\system32\imon.dll 2007-04-28 18:18 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-04-28 17:47 2007-04-27 16:30 2007-04-27 15:39 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-04-27 15:16 2007-04-27 12:26 2007-04-27 12:20 2007-04-26 14:32 2007-04-25 19:34 2007-04-25 19:02 2007-04-25 18:15 2007-04-25 18:14 2007-04-23 23:08 2007-04-23 23:07 2007-04-23 23:07 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-11 13:24:26 -------- d-----w C:\Program Files\Mozilla Thunderbird 2007-05-09 19:30:52 -------- d-----w C:\Program Files\Creative 2007-05-09 19:29:58 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Creative 2007-04-27 09:03:00 -------- d–h--w C:\Program Files\InstallShield Installation Information 2007-04-23 21:08:13 4,908 ----a-w C:\WINDOWS\mozver.dat 2007-04-21 11:18:00 -------- d-----w C:\Program Files\Soulseek 2007-04-10 08:45:58 -------- d-----w C:\Program Files\FxTrading 2007-04-01 22:41:11 -------- d-----w C:\Program Files\KodyPocztowe 2007-04-01 22:40:29 74,230 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-04-01 22:40:29 448,004 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-04-01 20:16:32 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\AdobeUM 2007-04-01 20:16:32 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\AdobeAUM 2007-04-01 17:58:28 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll 2007-03-30 12:22:11 -------- d-----w C:\Program Files\activePDF 2007-03-30 12:19:34 -------- d-----w C:\Program Files\pdf995 2007-03-30 12:16:49 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll 2007-03-30 12:16:49 122,880 ----a-w C:\WINDOWS\system32\pdfmona.dll 2007-03-30 12:10:45 -------- d-----w C:\Program Files\PDF4Free 2007-03-30 10:43:17 -------- d–h--w C:\Program Files\WindowsUpdate 2007-03-27 12:56:59 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\PTC 2007-03-27 12:54:50 -------- d-----w C:\Program Files\proeWildfire 2.0 2007-03-20 19:59:02 -------- d-----w C:\Program Files\Pando Networks 2007-03-19 11:29:54 -------- d-----w C:\Program Files\Ahead 2007-03-19 11:29:53 -------- d-----w C:\Program Files\Common Files\Ahead 2007-03-15 13:49:28 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\GanymedeNet 2007-03-15 13:19:18 -------- d-----w C:\Program Files\Ganymede 2007-03-15 10:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll 2007-03-15 10:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll 2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll 2007-03-15 09:04:24 -------- d-----w C:\Program Files\Gadu-Gadu 2007-03-14 16:54:07 -------- d-----w C:\Program Files\Microsoft.NET 2007-03-14 16:37:26 -------- d-----w C:\Program Files\D-Tools 2007-03-14 11:10:53 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Talkback 2007-03-14 11:10:47 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Thunderbird 2007-03-07 15:13:38 81 ----a-w C:\CTX.DAT 2007-03-07 15:08:31 -------- d-----w C:\Program Files\MultiResource Client 2007-03-07 15:08:26 737,280 ----a-w C:\WINDOWS\iun6002.exe 2007-03-06 23:05:06 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Help 2007-03-06 21:05:36 -------- d-----w C:\Program Files\Common Files\DirectX 2007-03-06 20:57:05 -------- d-----w C:\Program Files\SCi Games 2007-03-06 17:14:35 -------- d-----w C:\Program Files\Python 2007-03-05 12:44:48 4 ----a-w C:\WINDOWS\system32\proc1795523372.bin 2007-03-01 18:34:58 0 ----a-w C:\WINDOWS\nsreg.dat 2007-03-01 11:14:50 0 --sha-r C:\MSDOS.SYS 2007-03-01 11:14:50 0 --sha-r C:\IO.SYS 2007-03-01 11:14:50 0 ----a-w C:\CONFIG.SYS 2007-03-01 11:14:50 0 ----a-w C:\AUTOEXEC.BAT 2007-03-01 11:11:59 21,856 ----a-w C:\WINDOWS\system32\emptyregdb.dat (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] “{53707962-6F74-2D53-2644-206D7942484F}”=“C:\PROGRA~1\SPYBOT~1\SDHelper.dll” “{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}”=“C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “NVMixerTray”="“C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe”" “Adobe Photo Downloader”="“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe”" “NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” “nwiz”=“nwiz.exe /install” “NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit” “SunJavaUpdateSched”="“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe”" “DAEMON Tools-1033”="“C:\Program Files\D-Tools\daemon.exe” -lang 1033" “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” “TkBellExe”="“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot" “SpywareBot”=“C:\Program Files\SpywareBot\SpywareBot.exe -boot” “nod32kui”="“C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE" “CTHelper”=“CTHELPER.EXE” “!AVG Anti-Spyware”="“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” “Gadu-Gadu”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray" @="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] “NoColorChoice”=dword:00000000 “NoSizeChoice”=dword:00000000 “NoDispScrSavPage”=dword:00000000 “NoDispCPL”=dword:00000000 “NoVisualStyleChoice”=dword:00000000 “NoDispSettingsPage”=dword:00000000 “NoDispAppearancePage”=dword:00000000 “NoDispBackgroundPage”=dword:00000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “NoActiveDesktopChanges”=dword:00000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoSaveSettings”=dword:00000000 “NoThemesTab”=dword:00000000 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages msv1_0\0\0 Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages scecli\0\0 HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^menu start^programy^autostart^adobe reader speed launch.lnk C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^menu start^programy^autostart^adobe reader synchronizer.lnk C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^ja^menu start^programy^autostart^openoffice.org 2.0.lnk C:\PROGRA~1\OPENOF~1.0\program\QUICKS~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pando “C:\Program Files\Pando Networks\Pando\Pando.exe” /Minimized HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampagent C:\Program Files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService DnsCache\0\0 rpcss RpcSs\0\0 imgsvc StiSvc\0\0 termsvcs TermService\0\0 HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ backup-20070510-214221-788 O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm backup-20070510-214221-936 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm Contents of the ‘Scheduled Tasks’ folder C:\WINDOWS\tasks\RegCure Program Check.job C:\WINDOWS\tasks\RegCure.job C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job C:\WINDOWS\tasks\XoftSpySE 2.job C:\WINDOWS\tasks\XoftSpySE.job ******************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-11 15:27:07 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 2007-05-11 15:27:15 C:\ComboFix-quarantined-files.txt … 2007-05-11 15:27

Złączono Posta : 11.05.2007 (Pią) 15:31

“ja” - 2007-05-11 15:25:21 Dodatek Service Pack. 1 ComboFix 07-05.09.V - Running from: “C:\Program Files\Mozilla Thunderbird” ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-11 )))))))))))))))))))))))))))))))))) 2007-05-10 21:45 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-05-10 19:44 2007-05-09 21:30 9,856 --a------ C:\WINDOWS\system32\drivers\gameenum.sys 2007-05-09 21:30 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys 2007-05-09 21:30 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys 2007-05-09 21:29 10,240 --a------ C:\WINDOWS\CTDCRES.DLL 2007-05-09 21:26 2007-05-09 21:26 2007-05-09 21:26 2007-05-09 21:20 75,264 --a------ C:\WINDOWS\system32\MACDec.dll 2007-05-09 21:20 61,440 --a------ C:\WINDOWS\system32\libfaac.dll 2007-05-09 21:20 45,568 --a------ C:\WINDOWS\system32\huffyuv.dll 2007-05-09 21:20 446,464 --a------ C:\WINDOWS\system32\vp31vfw.dll 2007-05-09 21:20 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll 2007-05-09 21:20 421,888 --a------ C:\WINDOWS\system32\OpenQuicktimeLib.dll 2007-05-09 21:20 286,720 --a------ C:\WINDOWS\system32\3ivxVfWCodec.dll 2007-05-09 21:20 245,408 --a------ C:\WINDOWS\system32\unicows.dll 2007-05-09 21:20 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll 2007-05-09 16:14 8,192 --a------ C:\WINDOWS\system32\nap.exe 2007-05-09 16:08 0 --a------ C:\WINDOWS\system32\xkz.exe 2007-05-09 16:03 4,096 --a------ C:\WINDOWS\system32\ltb.exe 2007-05-09 15:57 4,096 --a------ C:\WINDOWS\system32\vsv.exe 2007-05-09 15:38 8,192 --a------ C:\WINDOWS\system32\mdc.exe 2007-05-09 14:00 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe 2007-05-09 14:00 2007-05-09 14:00 2007-05-09 14:00 2007-05-09 01:57 2007-05-08 22:17 0 --a------ C:\WINDOWS\system32\SBRC.dat 2007-05-08 22:17 0 --a------ C:\WINDOWS\system32\SBFC.dat 2007-05-08 21:51 2007-05-08 20:00 2007-05-08 19:04 2007-05-08 18:38 2007-05-08 18:18 2007-05-08 14:43 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-04 17:44 774,656 --a------ C:\WINDOWS\system32\mmc.exe 2007-05-04 17:26 2007-05-04 17:01 2007-05-04 16:56 73,728 --a------ C:\WINDOWS\system32\dpl100.dll 2007-05-04 16:56 679,936 --a------ C:\WINDOWS\system32\xvidcore.dll 2007-05-04 16:56 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2007-05-04 16:56 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll 2007-05-04 16:56 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll 2007-05-04 16:56 196,608 --a------ C:\WINDOWS\system32\dtu100.dll 2007-05-04 16:56 155,648 --a------ C:\WINDOWS\system32\xvidvfw.dll 2007-05-04 16:56 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll 2007-05-04 16:55 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll 2007-05-04 16:55 2007-05-02 18:18 2007-04-29 23:38 2007-04-29 23:31 77,824 --a------ C:\WINDOWS\system32\mplaw7.dll 2007-04-29 23:31 77,824 --a------ C:\WINDOWS\system32\mplaa6.dll 2007-04-29 23:31 65,536 --a------ C:\WINDOWS\system32\mplapx.dll 2007-04-29 23:31 65,536 --a------ C:\WINDOWS\system32\mplam6.dll 2007-04-29 23:31 1,650,688 --a------ C:\WINDOWS\system32\mplva6.dll 2007-04-29 23:31 1,581,056 --a------ C:\WINDOWS\system32\mplvw7.dll 2007-04-29 23:31 1,552,384 --a------ C:\WINDOWS\system32\mplvm6.dll 2007-04-29 23:31 1,122,304 --a------ C:\WINDOWS\system32\mplvpx.dll 2007-04-29 20:28 2007-04-28 18:18 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-04-28 18:18 298,104 --a------ C:\WINDOWS\system32\imon.dll 2007-04-28 18:18 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-04-28 17:47 2007-04-27 16:30 2007-04-27 15:39 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-04-27 15:16 2007-04-27 12:26 2007-04-27 12:20 2007-04-26 14:32 2007-04-25 19:34 2007-04-25 19:02 2007-04-25 18:15 2007-04-25 18:14 2007-04-23 23:08 2007-04-23 23:07 2007-04-23 23:07 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-11 13:24:26 -------- d-----w C:\Program Files\Mozilla Thunderbird 2007-05-09 19:30:52 -------- d-----w C:\Program Files\Creative 2007-05-09 19:29:58 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Creative 2007-04-27 09:03:00 -------- d–h--w C:\Program Files\InstallShield Installation Information 2007-04-23 21:08:13 4,908 ----a-w C:\WINDOWS\mozver.dat 2007-04-21 11:18:00 -------- d-----w C:\Program Files\Soulseek 2007-04-10 08:45:58 -------- d-----w C:\Program Files\FxTrading 2007-04-01 22:41:11 -------- d-----w C:\Program Files\KodyPocztowe 2007-04-01 22:40:29 74,230 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-04-01 22:40:29 448,004 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-04-01 20:16:32 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\AdobeUM 2007-04-01 20:16:32 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\AdobeAUM 2007-04-01 17:58:28 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll 2007-03-30 12:22:11 -------- d-----w C:\Program Files\activePDF 2007-03-30 12:19:34 -------- d-----w C:\Program Files\pdf995 2007-03-30 12:16:49 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll 2007-03-30 12:16:49 122,880 ----a-w C:\WINDOWS\system32\pdfmona.dll 2007-03-30 12:10:45 -------- d-----w C:\Program Files\PDF4Free 2007-03-30 10:43:17 -------- d–h--w C:\Program Files\WindowsUpdate 2007-03-27 12:56:59 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\PTC 2007-03-27 12:54:50 -------- d-----w C:\Program Files\proeWildfire 2.0 2007-03-20 19:59:02 -------- d-----w C:\Program Files\Pando Networks 2007-03-19 11:29:54 -------- d-----w C:\Program Files\Ahead 2007-03-19 11:29:53 -------- d-----w C:\Program Files\Common Files\Ahead 2007-03-15 13:49:28 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\GanymedeNet 2007-03-15 13:19:18 -------- d-----w C:\Program Files\Ganymede 2007-03-15 10:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll 2007-03-15 10:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll 2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll 2007-03-15 09:04:24 -------- d-----w C:\Program Files\Gadu-Gadu 2007-03-14 16:54:07 -------- d-----w C:\Program Files\Microsoft.NET 2007-03-14 16:37:26 -------- d-----w C:\Program Files\D-Tools 2007-03-14 11:10:53 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Talkback 2007-03-14 11:10:47 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Thunderbird 2007-03-07 15:13:38 81 ----a-w C:\CTX.DAT 2007-03-07 15:08:31 -------- d-----w C:\Program Files\MultiResource Client 2007-03-07 15:08:26 737,280 ----a-w C:\WINDOWS\iun6002.exe 2007-03-06 23:05:06 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Help 2007-03-06 21:05:36 -------- d-----w C:\Program Files\Common Files\DirectX 2007-03-06 20:57:05 -------- d-----w C:\Program Files\SCi Games 2007-03-06 17:14:35 -------- d-----w C:\Program Files\Python 2007-03-05 12:44:48 4 ----a-w C:\WINDOWS\system32\proc1795523372.bin 2007-03-01 18:34:58 0 ----a-w C:\WINDOWS\nsreg.dat 2007-03-01 11:14:50 0 --sha-r C:\MSDOS.SYS 2007-03-01 11:14:50 0 --sha-r C:\IO.SYS 2007-03-01 11:14:50 0 ----a-w C:\CONFIG.SYS 2007-03-01 11:14:50 0 ----a-w C:\AUTOEXEC.BAT 2007-03-01 11:11:59 21,856 ----a-w C:\WINDOWS\system32\emptyregdb.dat (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] “{53707962-6F74-2D53-2644-206D7942484F}”=“C:\PROGRA~1\SPYBOT~1\SDHelper.dll” “{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}”=“C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “NVMixerTray”="“C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe”" “Adobe Photo Downloader”="“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe”" “NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” “nwiz”=“nwiz.exe /install” “NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit” “SunJavaUpdateSched”="“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe”" “DAEMON Tools-1033”="“C:\Program Files\D-Tools\daemon.exe” -lang 1033" “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” “TkBellExe”="“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot" “SpywareBot”=“C:\Program Files\SpywareBot\SpywareBot.exe -boot” “nod32kui”="“C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE" “CTHelper”=“CTHELPER.EXE” “!AVG Anti-Spyware”="“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” “Gadu-Gadu”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray" @="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] “NoColorChoice”=dword:00000000 “NoSizeChoice”=dword:00000000 “NoDispScrSavPage”=dword:00000000 “NoDispCPL”=dword:00000000 “NoVisualStyleChoice”=dword:00000000 “NoDispSettingsPage”=dword:00000000 “NoDispAppearancePage”=dword:00000000 “NoDispBackgroundPage”=dword:00000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “NoActiveDesktopChanges”=dword:00000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoSaveSettings”=dword:00000000 “NoThemesTab”=dword:00000000 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages msv1_0\0\0 Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages scecli\0\0 HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^menu start^programy^autostart^adobe reader speed launch.lnk C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^menu start^programy^autostart^adobe reader synchronizer.lnk C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^ja^menu start^programy^autostart^openoffice.org 2.0.lnk C:\PROGRA~1\OPENOF~1.0\program\QUICKS~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pando “C:\Program Files\Pando Networks\Pando\Pando.exe” /Minimized HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampagent C:\Program Files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService DnsCache\0\0 rpcss RpcSs\0\0 imgsvc StiSvc\0\0 termsvcs TermService\0\0 HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ backup-20070510-214221-788 O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm backup-20070510-214221-936 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm Contents of the ‘Scheduled Tasks’ folder C:\WINDOWS\tasks\RegCure Program Check.job C:\WINDOWS\tasks\RegCure.job C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job C:\WINDOWS\tasks\XoftSpySE 2.job C:\WINDOWS\tasks\XoftSpySE.job ******************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-11 15:27:07 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 2007-05-11 15:27:15 C:\ComboFix-quarantined-files.txt … 2007-05-11 15:27

Złączono Posta : 11.05.2007 (Pią) 15:33

sorki za dwa razy to samo :oops:

Gutek · 11 Maj 2007 15:04

Pobierz The Avenger. Wypakuj => uruchom => zaznacz opcję Input script manually => kliknij w taką lupkę => w okienku, które się otworzy wklej:

kliknij klawisz Done => teraz kliknij na zielone światełko => powinna pojawić się pewna informacja i kliknij OK (teraz restart).

Po wszytskim nowy log

mms · 11 Maj 2007 15:35

lipa… nod32 dalej wysyła te informacje. Zrobiłem wszystko jak napisałeś. może ten trojan nie działa bez przerwy bo nod nie wysyła mi tych wiadomości co chwilę tylko tak różnie - raz częściej, raz rzadziej?

Gutek · 11 Maj 2007 15:37

Daj screena z raportu noda

mms · 11 Maj 2007 15:42

Muszę poczeka aż się jakiś wyświetli.

Złączono Posta : 11.05.2007 (Pią) 17:53

Czas Moduł Obiekt Nazwa Wirus Czynność Użytkownik Informacje 2007-05-11 17:29:50 AMON plik C:\WINDOWS\system32\age.exe odmiana IRC/SdBot trojan Kwarantanna - usunięty ZARZĄDZANIE NT\SYSTEM Zdarzenie miało miejsce podczas próby tworzenia nowego pliku przez program: C:\WINDOWS\system32\svchost.exe. Plik został przeniesiony do kwarantanny. 2007-05-11 17:29:49 AMON plik C:\WINDOWS\system32\cez.exe odmiana IRC/SdBot trojan Kwarantanna - usunięty ZARZĄDZANIE NT\SYSTEM Zdarzenie miało miejsce podczas próby tworzenia nowego pliku przez program: C:\WINDOWS\system32\svchost.exe. Plik został przeniesiony do kwarantanny. 2007-05-11 15:59:08 AMON plik C:\WINDOWS\system32\rdu.exe odmiana IRC/SdBot trojan Kwarantanna - usunięty ZARZĄDZANIE NT\SYSTEM Zdarzenie miało miejsce podczas próby tworzenia nowego pliku przez program: C:\WINDOWS\system32\svchost.exe. Plik został przeniesiony do kwarantanny. 2007-05-10 22:44:29 AMON plik C:\WINDOWS\system32\tjy.exe odmiana IRC/SdBot trojan Kwarantanna - usunięty ZARZĄDZANIE NT\SYSTEM Zdarzenie miało miejsce podczas próby tworzenia nowego pliku przez program: C:\WINDOWS\system32\svchost.exe. Plik został przeniesiony do kwarantanny. 2007-05-10 22:41:57 AMON plik C:\WINDOWS\system32\lru.exe odmiana IRC/SdBot trojan Kwarantanna - usunięty ZARZĄDZANIE NT\SYSTEM Zdarzenie miało miejsce podczas próby tworzenia nowego pliku przez program: C:\WINDOWS\system32\svchost.exe. Plik został przeniesiony do kwarantanny. 2007-05-10 21:26:06 AMON plik C:\WINDOWS\system32\jdm.exe odmiana IRC/SdBot trojan Kwarantanna - usunięty ZARZĄDZANIE NT\SYSTEM Zdarzenie miało miejsce podczas próby tworzenia nowego pliku przez program: C:\WINDOWS\system32\svchost.exe. Plik został przeniesiony do kwarantanny. 2007-05-10 21:26:04 AMON plik C:\WINDOWS\system32\uvb.exe odmiana IRC/SdBot trojan Kwarantanna - usunięty ZARZĄDZANIE NT\SYSTEM Zdarzenie miało miejsce podczas próby tworzenia nowego pliku przez program: C:\WINDOWS\system32\svchost.exe. Plik został przeniesiony do kwarantanny. 2007-05-10 21:26:01 AMON plik C:\WINDOWS\system32\drg.exe odmiana IRC/SdBot trojan Kwarantanna - usunięty ZARZĄDZANIE NT\SYSTEM Zdarzenie miało miejsce podczas próby tworzenia nowego pliku przez program: C:\WINDOWS\system32\svchost.exe. Plik został przeniesiony do kwarantanny. 2007-05-10 19:12:45 AMON plik C:\WINDOWS\system32\ncb.exe odmiana IRC/SdBot trojan Kwarantanna - usunięty ZARZĄDZANIE NT\SYSTEM Zdarzenie miało miejsce podczas próby tworzenia nowego pliku przez program: C:\WINDOWS\system32\svchost.exe. Plik został przeniesiony do kwarantanny. 2007-05-10 18:35:17 AMON plik C:\WINDOWS\system32\jvg.exe odmiana IRC/SdBot trojan Kwarantanna - usunięty ZARZĄDZANIE NT\SYSTEM Zdarzenie miało miejsce podczas próby tworzenia nowego pliku przez program: C:\WINDOWS\system32\svchost.exe. Plik został przeniesiony do kwarantanny. 2007-05-10 18:34:22 AMON plik C:\WINDOWS\system32\ikt.exe odmiana IRC/SdBot trojan Kwarantanna - usunięty ZARZĄDZANIE NT\SYSTEM Zdarzenie miało miejsce podczas próby tworzenia nowego pliku przez program: C:\WINDOWS\system32\svchost.exe. Plik został przeniesiony do kwarantanny.

Jak sie pojawi raport, wrzucę screen’a

Złączono Posta : 11.05.2007 (Pią) 20:27

faoma,8v1swdogs

nie wiem czy to zadziała

Gutek · 11 Maj 2007 18:39

Daj log z Combo

mms · 11 Maj 2007 18:45

“ja” - 2007-05-11 20:42:39 Dodatek Service Pack. 1 ComboFix 07-05.09.V - Running from: “C:\Documents and Settings\ja\Pulpit” ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-11 )))))))))))))))))))))))))))))))))) 2007-05-11 17:09 2007-05-11 15:27 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-05-10 21:45 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-05-10 19:44 2007-05-09 21:30 9,856 --a------ C:\WINDOWS\system32\drivers\gameenum.sys 2007-05-09 21:30 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys 2007-05-09 21:30 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys 2007-05-09 21:29 10,240 --a------ C:\WINDOWS\CTDCRES.DLL 2007-05-09 21:26 2007-05-09 21:26 2007-05-09 21:26 2007-05-09 21:20 75,264 --a------ C:\WINDOWS\system32\MACDec.dll 2007-05-09 21:20 61,440 --a------ C:\WINDOWS\system32\libfaac.dll 2007-05-09 21:20 45,568 --a------ C:\WINDOWS\system32\huffyuv.dll 2007-05-09 21:20 446,464 --a------ C:\WINDOWS\system32\vp31vfw.dll 2007-05-09 21:20 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll 2007-05-09 21:20 421,888 --a------ C:\WINDOWS\system32\OpenQuicktimeLib.dll 2007-05-09 21:20 286,720 --a------ C:\WINDOWS\system32\3ivxVfWCodec.dll 2007-05-09 21:20 245,408 --a------ C:\WINDOWS\system32\unicows.dll 2007-05-09 21:20 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll 2007-05-09 15:57 4,096 --a------ C:\WINDOWS\system32\vsv.exe 2007-05-09 14:00 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe 2007-05-09 14:00 2007-05-09 14:00 2007-05-09 14:00 2007-05-09 01:57 2007-05-08 22:17 0 --a------ C:\WINDOWS\system32\SBRC.dat 2007-05-08 22:17 0 --a------ C:\WINDOWS\system32\SBFC.dat 2007-05-08 21:51 2007-05-08 20:00 2007-05-08 19:04 2007-05-08 18:38 2007-05-08 18:18 2007-05-08 14:43 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-04 17:44 774,656 --a------ C:\WINDOWS\system32\mmc.exe 2007-05-04 17:26 2007-05-04 17:01 2007-05-04 16:56 73,728 --a------ C:\WINDOWS\system32\dpl100.dll 2007-05-04 16:56 679,936 --a------ C:\WINDOWS\system32\xvidcore.dll 2007-05-04 16:56 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2007-05-04 16:56 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll 2007-05-04 16:56 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll 2007-05-04 16:56 196,608 --a------ C:\WINDOWS\system32\dtu100.dll 2007-05-04 16:56 155,648 --a------ C:\WINDOWS\system32\xvidvfw.dll 2007-05-04 16:56 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll 2007-05-04 16:55 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll 2007-05-04 16:55 2007-05-02 18:18 2007-04-29 23:38 2007-04-29 23:31 77,824 --a------ C:\WINDOWS\system32\mplaw7.dll 2007-04-29 23:31 77,824 --a------ C:\WINDOWS\system32\mplaa6.dll 2007-04-29 23:31 65,536 --a------ C:\WINDOWS\system32\mplapx.dll 2007-04-29 23:31 65,536 --a------ C:\WINDOWS\system32\mplam6.dll 2007-04-29 23:31 1,650,688 --a------ C:\WINDOWS\system32\mplva6.dll 2007-04-29 23:31 1,581,056 --a------ C:\WINDOWS\system32\mplvw7.dll 2007-04-29 23:31 1,552,384 --a------ C:\WINDOWS\system32\mplvm6.dll 2007-04-29 23:31 1,122,304 --a------ C:\WINDOWS\system32\mplvpx.dll 2007-04-29 20:28 2007-04-28 18:18 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-04-28 18:18 298,104 --a------ C:\WINDOWS\system32\imon.dll 2007-04-28 18:18 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-04-28 17:47 2007-04-27 16:30 2007-04-27 15:39 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-04-27 15:16 2007-04-27 12:26 2007-04-27 12:20 2007-04-26 14:32 2007-04-25 19:34 2007-04-25 19:02 2007-04-25 18:15 2007-04-25 18:14 2007-04-23 23:08 2007-04-23 23:07 2007-04-23 23:07 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-11 16:01:02 -------- d-----w C:\Program Files\Mozilla Thunderbird 2007-05-09 19:30:52 -------- d-----w C:\Program Files\Creative 2007-05-09 19:29:58 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Creative 2007-04-27 09:03:00 -------- d–h--w C:\Program Files\InstallShield Installation Information 2007-04-23 21:08:13 4,908 ----a-w C:\WINDOWS\mozver.dat 2007-04-21 11:18:00 -------- d-----w C:\Program Files\Soulseek 2007-04-10 08:45:58 -------- d-----w C:\Program Files\FxTrading 2007-04-01 22:41:11 -------- d-----w C:\Program Files\KodyPocztowe 2007-04-01 22:40:29 74,230 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-04-01 22:40:29 448,004 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-04-01 20:16:32 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\AdobeUM 2007-04-01 20:16:32 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\AdobeAUM 2007-04-01 17:58:28 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll 2007-03-30 12:22:11 -------- d-----w C:\Program Files\activePDF 2007-03-30 12:19:34 -------- d-----w C:\Program Files\pdf995 2007-03-30 12:16:49 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll 2007-03-30 12:16:49 122,880 ----a-w C:\WINDOWS\system32\pdfmona.dll 2007-03-30 12:10:45 -------- d-----w C:\Program Files\PDF4Free 2007-03-30 10:43:17 -------- d–h--w C:\Program Files\WindowsUpdate 2007-03-27 12:56:59 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\PTC 2007-03-27 12:54:50 -------- d-----w C:\Program Files\proeWildfire 2.0 2007-03-20 19:59:02 -------- d-----w C:\Program Files\Pando Networks 2007-03-19 11:29:54 -------- d-----w C:\Program Files\Ahead 2007-03-19 11:29:53 -------- d-----w C:\Program Files\Common Files\Ahead 2007-03-15 13:49:28 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\GanymedeNet 2007-03-15 13:19:18 -------- d-----w C:\Program Files\Ganymede 2007-03-15 10:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll 2007-03-15 10:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll 2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll 2007-03-15 09:04:24 -------- d-----w C:\Program Files\Gadu-Gadu 2007-03-14 16:54:07 -------- d-----w C:\Program Files\Microsoft.NET 2007-03-14 16:37:26 -------- d-----w C:\Program Files\D-Tools 2007-03-14 11:10:53 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Talkback 2007-03-14 11:10:47 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Thunderbird 2007-03-07 15:13:38 81 ----a-w C:\CTX.DAT 2007-03-07 15:08:31 -------- d-----w C:\Program Files\MultiResource Client 2007-03-07 15:08:26 737,280 ----a-w C:\WINDOWS\iun6002.exe 2007-03-06 23:05:06 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Help 2007-03-06 21:05:36 -------- d-----w C:\Program Files\Common Files\DirectX 2007-03-06 20:57:05 -------- d-----w C:\Program Files\SCi Games 2007-03-06 17:14:35 -------- d-----w C:\Program Files\Python 2007-03-05 12:44:48 4 ----a-w C:\WINDOWS\system32\proc1795523372.bin 2007-03-01 18:34:58 0 ----a-w C:\WINDOWS\nsreg.dat 2007-03-01 11:14:50 0 --sha-r C:\MSDOS.SYS 2007-03-01 11:14:50 0 --sha-r C:\IO.SYS 2007-03-01 11:14:50 0 ----a-w C:\CONFIG.SYS 2007-03-01 11:14:50 0 ----a-w C:\AUTOEXEC.BAT 2007-03-01 11:11:59 21,856 ----a-w C:\WINDOWS\system32\emptyregdb.dat (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] “{53707962-6F74-2D53-2644-206D7942484F}”=“C:\PROGRA~1\SPYBOT~1\SDHelper.dll” “{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}”=“C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “NVMixerTray”="“C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe”" “Adobe Photo Downloader”="“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe”" “NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” “nwiz”=“nwiz.exe /install” “NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit” “SunJavaUpdateSched”="“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe”" “DAEMON Tools-1033”="“C:\Program Files\D-Tools\daemon.exe” -lang 1033" “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” “TkBellExe”="“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot" “SpywareBot”=“C:\Program Files\SpywareBot\SpywareBot.exe -boot” “nod32kui”="“C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE" “CTHelper”=“CTHELPER.EXE” “!AVG Anti-Spyware”="“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” “Gadu-Gadu”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray" @="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] “NoColorChoice”=dword:00000000 “NoSizeChoice”=dword:00000000 “NoDispScrSavPage”=dword:00000000 “NoDispCPL”=dword:00000000 “NoVisualStyleChoice”=dword:00000000 “NoDispSettingsPage”=dword:00000000 “NoDispAppearancePage”=dword:00000000 “NoDispBackgroundPage”=dword:00000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “NoActiveDesktopChanges”=dword:00000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoSaveSettings”=dword:00000000 “NoThemesTab”=dword:00000000 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages msv1_0\0\0 Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages scecli\0\0 HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^menu start^programy^autostart^adobe reader speed launch.lnk C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^menu start^programy^autostart^adobe reader synchronizer.lnk C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^ja^menu start^programy^autostart^openoffice.org 2.0.lnk C:\PROGRA~1\OPENOF~1.0\program\QUICKS~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pando “C:\Program Files\Pando Networks\Pando\Pando.exe” /Minimized HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampagent C:\Program Files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService DnsCache\0\0 rpcss RpcSs\0\0 imgsvc StiSvc\0\0 termsvcs TermService\0\0 HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost Contents of the ‘Scheduled Tasks’ folder C:\WINDOWS\tasks\RegCure Program Check.job C:\WINDOWS\tasks\RegCure.job C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job C:\WINDOWS\tasks\XoftSpySE 2.job C:\WINDOWS\tasks\XoftSpySE.job ******************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-11 20:44:28 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 2007-05-11 20:44:35 C:\ComboFix-quarantined-files.txt … 2007-05-11 20:44 C:\ComboFix2.txt … 2007-05-11 15:27

Złączono Posta : 11.05.2007 (Pią) 20:48

“ja” - 2007-05-11 20:42:39 Dodatek Service Pack. 1 ComboFix 07-05.09.V - Running from: “C:\Documents and Settings\ja\Pulpit” ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-11 )))))))))))))))))))))))))))))))))) 2007-05-11 17:09 2007-05-11 15:27 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-05-10 21:45 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-05-10 19:44 2007-05-09 21:30 9,856 --a------ C:\WINDOWS\system32\drivers\gameenum.sys 2007-05-09 21:30 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys 2007-05-09 21:30 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys 2007-05-09 21:29 10,240 --a------ C:\WINDOWS\CTDCRES.DLL 2007-05-09 21:26 2007-05-09 21:26 2007-05-09 21:26 2007-05-09 21:20 75,264 --a------ C:\WINDOWS\system32\MACDec.dll 2007-05-09 21:20 61,440 --a------ C:\WINDOWS\system32\libfaac.dll 2007-05-09 21:20 45,568 --a------ C:\WINDOWS\system32\huffyuv.dll 2007-05-09 21:20 446,464 --a------ C:\WINDOWS\system32\vp31vfw.dll 2007-05-09 21:20 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll 2007-05-09 21:20 421,888 --a------ C:\WINDOWS\system32\OpenQuicktimeLib.dll 2007-05-09 21:20 286,720 --a------ C:\WINDOWS\system32\3ivxVfWCodec.dll 2007-05-09 21:20 245,408 --a------ C:\WINDOWS\system32\unicows.dll 2007-05-09 21:20 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll 2007-05-09 15:57 4,096 --a------ C:\WINDOWS\system32\vsv.exe 2007-05-09 14:00 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe 2007-05-09 14:00 2007-05-09 14:00 2007-05-09 14:00 2007-05-09 01:57 2007-05-08 22:17 0 --a------ C:\WINDOWS\system32\SBRC.dat 2007-05-08 22:17 0 --a------ C:\WINDOWS\system32\SBFC.dat 2007-05-08 21:51 2007-05-08 20:00 2007-05-08 19:04 2007-05-08 18:38 2007-05-08 18:18 2007-05-08 14:43 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-04 17:44 774,656 --a------ C:\WINDOWS\system32\mmc.exe 2007-05-04 17:26 2007-05-04 17:01 2007-05-04 16:56 73,728 --a------ C:\WINDOWS\system32\dpl100.dll 2007-05-04 16:56 679,936 --a------ C:\WINDOWS\system32\xvidcore.dll 2007-05-04 16:56 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2007-05-04 16:56 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll 2007-05-04 16:56 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll 2007-05-04 16:56 196,608 --a------ C:\WINDOWS\system32\dtu100.dll 2007-05-04 16:56 155,648 --a------ C:\WINDOWS\system32\xvidvfw.dll 2007-05-04 16:56 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll 2007-05-04 16:55 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll 2007-05-04 16:55 2007-05-02 18:18 2007-04-29 23:38 2007-04-29 23:31 77,824 --a------ C:\WINDOWS\system32\mplaw7.dll 2007-04-29 23:31 77,824 --a------ C:\WINDOWS\system32\mplaa6.dll 2007-04-29 23:31 65,536 --a------ C:\WINDOWS\system32\mplapx.dll 2007-04-29 23:31 65,536 --a------ C:\WINDOWS\system32\mplam6.dll 2007-04-29 23:31 1,650,688 --a------ C:\WINDOWS\system32\mplva6.dll 2007-04-29 23:31 1,581,056 --a------ C:\WINDOWS\system32\mplvw7.dll 2007-04-29 23:31 1,552,384 --a------ C:\WINDOWS\system32\mplvm6.dll 2007-04-29 23:31 1,122,304 --a------ C:\WINDOWS\system32\mplvpx.dll 2007-04-29 20:28 2007-04-28 18:18 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-04-28 18:18 298,104 --a------ C:\WINDOWS\system32\imon.dll 2007-04-28 18:18 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-04-28 17:47 2007-04-27 16:30 2007-04-27 15:39 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-04-27 15:16 2007-04-27 12:26 2007-04-27 12:20 2007-04-26 14:32 2007-04-25 19:34 2007-04-25 19:02 2007-04-25 18:15 2007-04-25 18:14 2007-04-23 23:08 2007-04-23 23:07 2007-04-23 23:07 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-11 16:01:02 -------- d-----w C:\Program Files\Mozilla Thunderbird 2007-05-09 19:30:52 -------- d-----w C:\Program Files\Creative 2007-05-09 19:29:58 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Creative 2007-04-27 09:03:00 -------- d–h--w C:\Program Files\InstallShield Installation Information 2007-04-23 21:08:13 4,908 ----a-w C:\WINDOWS\mozver.dat 2007-04-21 11:18:00 -------- d-----w C:\Program Files\Soulseek 2007-04-10 08:45:58 -------- d-----w C:\Program Files\FxTrading 2007-04-01 22:41:11 -------- d-----w C:\Program Files\KodyPocztowe 2007-04-01 22:40:29 74,230 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-04-01 22:40:29 448,004 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-04-01 20:16:32 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\AdobeUM 2007-04-01 20:16:32 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\AdobeAUM 2007-04-01 17:58:28 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll 2007-03-30 12:22:11 -------- d-----w C:\Program Files\activePDF 2007-03-30 12:19:34 -------- d-----w C:\Program Files\pdf995 2007-03-30 12:16:49 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll 2007-03-30 12:16:49 122,880 ----a-w C:\WINDOWS\system32\pdfmona.dll 2007-03-30 12:10:45 -------- d-----w C:\Program Files\PDF4Free 2007-03-30 10:43:17 -------- d–h--w C:\Program Files\WindowsUpdate 2007-03-27 12:56:59 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\PTC 2007-03-27 12:54:50 -------- d-----w C:\Program Files\proeWildfire 2.0 2007-03-20 19:59:02 -------- d-----w C:\Program Files\Pando Networks 2007-03-19 11:29:54 -------- d-----w C:\Program Files\Ahead 2007-03-19 11:29:53 -------- d-----w C:\Program Files\Common Files\Ahead 2007-03-15 13:49:28 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\GanymedeNet 2007-03-15 13:19:18 -------- d-----w C:\Program Files\Ganymede 2007-03-15 10:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll 2007-03-15 10:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll 2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll 2007-03-15 09:04:24 -------- d-----w C:\Program Files\Gadu-Gadu 2007-03-14 16:54:07 -------- d-----w C:\Program Files\Microsoft.NET 2007-03-14 16:37:26 -------- d-----w C:\Program Files\D-Tools 2007-03-14 11:10:53 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Talkback 2007-03-14 11:10:47 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Thunderbird 2007-03-07 15:13:38 81 ----a-w C:\CTX.DAT 2007-03-07 15:08:31 -------- d-----w C:\Program Files\MultiResource Client 2007-03-07 15:08:26 737,280 ----a-w C:\WINDOWS\iun6002.exe 2007-03-06 23:05:06 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Help 2007-03-06 21:05:36 -------- d-----w C:\Program Files\Common Files\DirectX 2007-03-06 20:57:05 -------- d-----w C:\Program Files\SCi Games 2007-03-06 17:14:35 -------- d-----w C:\Program Files\Python 2007-03-05 12:44:48 4 ----a-w C:\WINDOWS\system32\proc1795523372.bin 2007-03-01 18:34:58 0 ----a-w C:\WINDOWS\nsreg.dat 2007-03-01 11:14:50 0 --sha-r C:\MSDOS.SYS 2007-03-01 11:14:50 0 --sha-r C:\IO.SYS 2007-03-01 11:14:50 0 ----a-w C:\CONFIG.SYS 2007-03-01 11:14:50 0 ----a-w C:\AUTOEXEC.BAT 2007-03-01 11:11:59 21,856 ----a-w C:\WINDOWS\system32\emptyregdb.dat (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] “{53707962-6F74-2D53-2644-206D7942484F}”=“C:\PROGRA~1\SPYBOT~1\SDHelper.dll” “{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}”=“C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “NVMixerTray”="“C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe”" “Adobe Photo Downloader”="“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe”" “NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” “nwiz”=“nwiz.exe /install” “NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit” “SunJavaUpdateSched”="“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe”" “DAEMON Tools-1033”="“C:\Program Files\D-Tools\daemon.exe” -lang 1033" “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” “TkBellExe”="“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot" “SpywareBot”=“C:\Program Files\SpywareBot\SpywareBot.exe -boot” “nod32kui”="“C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE" “CTHelper”=“CTHELPER.EXE” “!AVG Anti-Spyware”="“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” “Gadu-Gadu”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray" @="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] “NoColorChoice”=dword:00000000 “NoSizeChoice”=dword:00000000 “NoDispScrSavPage”=dword:00000000 “NoDispCPL”=dword:00000000 “NoVisualStyleChoice”=dword:00000000 “NoDispSettingsPage”=dword:00000000 “NoDispAppearancePage”=dword:00000000 “NoDispBackgroundPage”=dword:00000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “NoActiveDesktopChanges”=dword:00000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoSaveSettings”=dword:00000000 “NoThemesTab”=dword:00000000 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages msv1_0\0\0 Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages scecli\0\0 HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^menu start^programy^autostart^adobe reader speed launch.lnk C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^menu start^programy^autostart^adobe reader synchronizer.lnk C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^ja^menu start^programy^autostart^openoffice.org 2.0.lnk C:\PROGRA~1\OPENOF~1.0\program\QUICKS~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pando “C:\Program Files\Pando Networks\Pando\Pando.exe” /Minimized HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampagent C:\Program Files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService DnsCache\0\0 rpcss RpcSs\0\0 imgsvc StiSvc\0\0 termsvcs TermService\0\0 HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost Contents of the ‘Scheduled Tasks’ folder C:\WINDOWS\tasks\RegCure Program Check.job C:\WINDOWS\tasks\RegCure.job C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job C:\WINDOWS\tasks\XoftSpySE 2.job C:\WINDOWS\tasks\XoftSpySE.job ******************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-11 20:44:28 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 2007-05-11 20:44:35 C:\ComboFix-quarantined-files.txt … 2007-05-11 20:44 C:\ComboFix2.txt … 2007-05-11 15:27

Złączono Posta : 11.05.2007 (Pią) 20:50

“ja” - 2007-05-11 20:42:39 Dodatek Service Pack. 1 ComboFix 07-05.09.V - Running from: “C:\Documents and Settings\ja\Pulpit” ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-11 )))))))))))))))))))))))))))))))))) 2007-05-11 17:09 2007-05-11 15:27 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-05-10 21:45 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-05-10 19:44 2007-05-09 21:30 9,856 --a------ C:\WINDOWS\system32\drivers\gameenum.sys 2007-05-09 21:30 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys 2007-05-09 21:30 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys 2007-05-09 21:29 10,240 --a------ C:\WINDOWS\CTDCRES.DLL 2007-05-09 21:26 2007-05-09 21:26 2007-05-09 21:26 2007-05-09 21:20 75,264 --a------ C:\WINDOWS\system32\MACDec.dll 2007-05-09 21:20 61,440 --a------ C:\WINDOWS\system32\libfaac.dll 2007-05-09 21:20 45,568 --a------ C:\WINDOWS\system32\huffyuv.dll 2007-05-09 21:20 446,464 --a------ C:\WINDOWS\system32\vp31vfw.dll 2007-05-09 21:20 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll 2007-05-09 21:20 421,888 --a------ C:\WINDOWS\system32\OpenQuicktimeLib.dll 2007-05-09 21:20 286,720 --a------ C:\WINDOWS\system32\3ivxVfWCodec.dll 2007-05-09 21:20 245,408 --a------ C:\WINDOWS\system32\unicows.dll 2007-05-09 21:20 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll 2007-05-09 15:57 4,096 --a------ C:\WINDOWS\system32\vsv.exe 2007-05-09 14:00 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe 2007-05-09 14:00 2007-05-09 14:00 2007-05-09 14:00 2007-05-09 01:57 2007-05-08 22:17 0 --a------ C:\WINDOWS\system32\SBRC.dat 2007-05-08 22:17 0 --a------ C:\WINDOWS\system32\SBFC.dat 2007-05-08 21:51 2007-05-08 20:00 2007-05-08 19:04 2007-05-08 18:38 2007-05-08 18:18 2007-05-08 14:43 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-04 17:44 774,656 --a------ C:\WINDOWS\system32\mmc.exe 2007-05-04 17:26 2007-05-04 17:01 2007-05-04 16:56 73,728 --a------ C:\WINDOWS\system32\dpl100.dll 2007-05-04 16:56 679,936 --a------ C:\WINDOWS\system32\xvidcore.dll 2007-05-04 16:56 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2007-05-04 16:56 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll 2007-05-04 16:56 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll 2007-05-04 16:56 196,608 --a------ C:\WINDOWS\system32\dtu100.dll 2007-05-04 16:56 155,648 --a------ C:\WINDOWS\system32\xvidvfw.dll 2007-05-04 16:56 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll 2007-05-04 16:55 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll 2007-05-04 16:55 2007-05-02 18:18 2007-04-29 23:38 2007-04-29 23:31 77,824 --a------ C:\WINDOWS\system32\mplaw7.dll 2007-04-29 23:31 77,824 --a------ C:\WINDOWS\system32\mplaa6.dll 2007-04-29 23:31 65,536 --a------ C:\WINDOWS\system32\mplapx.dll 2007-04-29 23:31 65,536 --a------ C:\WINDOWS\system32\mplam6.dll 2007-04-29 23:31 1,650,688 --a------ C:\WINDOWS\system32\mplva6.dll 2007-04-29 23:31 1,581,056 --a------ C:\WINDOWS\system32\mplvw7.dll 2007-04-29 23:31 1,552,384 --a------ C:\WINDOWS\system32\mplvm6.dll 2007-04-29 23:31 1,122,304 --a------ C:\WINDOWS\system32\mplvpx.dll 2007-04-29 20:28 2007-04-28 18:18 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-04-28 18:18 298,104 --a------ C:\WINDOWS\system32\imon.dll 2007-04-28 18:18 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-04-28 17:47 2007-04-27 16:30 2007-04-27 15:39 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-04-27 15:16 2007-04-27 12:26 2007-04-27 12:20 2007-04-26 14:32 2007-04-25 19:34 2007-04-25 19:02 2007-04-25 18:15 2007-04-25 18:14 2007-04-23 23:08 2007-04-23 23:07 2007-04-23 23:07 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-11 16:01:02 -------- d-----w C:\Program Files\Mozilla Thunderbird 2007-05-09 19:30:52 -------- d-----w C:\Program Files\Creative 2007-05-09 19:29:58 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Creative 2007-04-27 09:03:00 -------- d–h--w C:\Program Files\InstallShield Installation Information 2007-04-23 21:08:13 4,908 ----a-w C:\WINDOWS\mozver.dat 2007-04-21 11:18:00 -------- d-----w C:\Program Files\Soulseek 2007-04-10 08:45:58 -------- d-----w C:\Program Files\FxTrading 2007-04-01 22:41:11 -------- d-----w C:\Program Files\KodyPocztowe 2007-04-01 22:40:29 74,230 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-04-01 22:40:29 448,004 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-04-01 20:16:32 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\AdobeUM 2007-04-01 20:16:32 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\AdobeAUM 2007-04-01 17:58:28 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll 2007-03-30 12:22:11 -------- d-----w C:\Program Files\activePDF 2007-03-30 12:19:34 -------- d-----w C:\Program Files\pdf995 2007-03-30 12:16:49 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll 2007-03-30 12:16:49 122,880 ----a-w C:\WINDOWS\system32\pdfmona.dll 2007-03-30 12:10:45 -------- d-----w C:\Program Files\PDF4Free 2007-03-30 10:43:17 -------- d–h--w C:\Program Files\WindowsUpdate 2007-03-27 12:56:59 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\PTC 2007-03-27 12:54:50 -------- d-----w C:\Program Files\proeWildfire 2.0 2007-03-20 19:59:02 -------- d-----w C:\Program Files\Pando Networks 2007-03-19 11:29:54 -------- d-----w C:\Program Files\Ahead 2007-03-19 11:29:53 -------- d-----w C:\Program Files\Common Files\Ahead 2007-03-15 13:49:28 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\GanymedeNet 2007-03-15 13:19:18 -------- d-----w C:\Program Files\Ganymede 2007-03-15 10:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll 2007-03-15 10:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll 2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll 2007-03-15 09:04:24 -------- d-----w C:\Program Files\Gadu-Gadu 2007-03-14 16:54:07 -------- d-----w C:\Program Files\Microsoft.NET 2007-03-14 16:37:26 -------- d-----w C:\Program Files\D-Tools 2007-03-14 11:10:53 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Talkback 2007-03-14 11:10:47 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Thunderbird 2007-03-07 15:13:38 81 ----a-w C:\CTX.DAT 2007-03-07 15:08:31 -------- d-----w C:\Program Files\MultiResource Client 2007-03-07 15:08:26 737,280 ----a-w C:\WINDOWS\iun6002.exe 2007-03-06 23:05:06 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Help 2007-03-06 21:05:36 -------- d-----w C:\Program Files\Common Files\DirectX 2007-03-06 20:57:05 -------- d-----w C:\Program Files\SCi Games 2007-03-06 17:14:35 -------- d-----w C:\Program Files\Python 2007-03-05 12:44:48 4 ----a-w C:\WINDOWS\system32\proc1795523372.bin 2007-03-01 18:34:58 0 ----a-w C:\WINDOWS\nsreg.dat 2007-03-01 11:14:50 0 --sha-r C:\MSDOS.SYS 2007-03-01 11:14:50 0 --sha-r C:\IO.SYS 2007-03-01 11:14:50 0 ----a-w C:\CONFIG.SYS 2007-03-01 11:14:50 0 ----a-w C:\AUTOEXEC.BAT 2007-03-01 11:11:59 21,856 ----a-w C:\WINDOWS\system32\emptyregdb.dat (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] “{53707962-6F74-2D53-2644-206D7942484F}”=“C:\PROGRA~1\SPYBOT~1\SDHelper.dll” “{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}”=“C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “NVMixerTray”="“C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe”" “Adobe Photo Downloader”="“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe”" “NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” “nwiz”=“nwiz.exe /install” “NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit” “SunJavaUpdateSched”="“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe”" “DAEMON Tools-1033”="“C:\Program Files\D-Tools\daemon.exe” -lang 1033" “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” “TkBellExe”="“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot" “SpywareBot”=“C:\Program Files\SpywareBot\SpywareBot.exe -boot” “nod32kui”="“C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE" “CTHelper”=“CTHELPER.EXE” “!AVG Anti-Spyware”="“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” “Gadu-Gadu”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray" @="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] “NoColorChoice”=dword:00000000 “NoSizeChoice”=dword:00000000 “NoDispScrSavPage”=dword:00000000 “NoDispCPL”=dword:00000000 “NoVisualStyleChoice”=dword:00000000 “NoDispSettingsPage”=dword:00000000 “NoDispAppearancePage”=dword:00000000 “NoDispBackgroundPage”=dword:00000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “NoActiveDesktopChanges”=dword:00000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoSaveSettings”=dword:00000000 “NoThemesTab”=dword:00000000 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages msv1_0\0\0 Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages scecli\0\0 HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^menu start^programy^autostart^adobe reader speed launch.lnk C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^menu start^programy^autostart^adobe reader synchronizer.lnk C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^ja^menu start^programy^autostart^openoffice.org 2.0.lnk C:\PROGRA~1\OPENOF~1.0\program\QUICKS~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pando “C:\Program Files\Pando Networks\Pando\Pando.exe” /Minimized HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampagent C:\Program Files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService DnsCache\0\0 rpcss RpcSs\0\0 imgsvc StiSvc\0\0 termsvcs TermService\0\0 HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost Contents of the ‘Scheduled Tasks’ folder C:\WINDOWS\tasks\RegCure Program Check.job C:\WINDOWS\tasks\RegCure.job C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job C:\WINDOWS\tasks\XoftSpySE 2.job C:\WINDOWS\tasks\XoftSpySE.job ******************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-11 20:44:28 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 2007-05-11 20:44:35 C:\ComboFix-quarantined-files.txt … 2007-05-11 20:44 C:\ComboFix2.txt … 2007-05-11 15:27

Złączono Posta : 11.05.2007 (Pią) 20:52

“ja” - 2007-05-11 20:42:39 Dodatek Service Pack. 1 ComboFix 07-05.09.V - Running from: “C:\Documents and Settings\ja\Pulpit” ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-11 )))))))))))))))))))))))))))))))))) 2007-05-11 17:09 2007-05-11 15:27 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-05-10 21:45 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-05-10 19:44 2007-05-09 21:30 9,856 --a------ C:\WINDOWS\system32\drivers\gameenum.sys 2007-05-09 21:30 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys 2007-05-09 21:30 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys 2007-05-09 21:29 10,240 --a------ C:\WINDOWS\CTDCRES.DLL 2007-05-09 21:26 2007-05-09 21:26 2007-05-09 21:26 2007-05-09 21:20 75,264 --a------ C:\WINDOWS\system32\MACDec.dll 2007-05-09 21:20 61,440 --a------ C:\WINDOWS\system32\libfaac.dll 2007-05-09 21:20 45,568 --a------ C:\WINDOWS\system32\huffyuv.dll 2007-05-09 21:20 446,464 --a------ C:\WINDOWS\system32\vp31vfw.dll 2007-05-09 21:20 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll 2007-05-09 21:20 421,888 --a------ C:\WINDOWS\system32\OpenQuicktimeLib.dll 2007-05-09 21:20 286,720 --a------ C:\WINDOWS\system32\3ivxVfWCodec.dll 2007-05-09 21:20 245,408 --a------ C:\WINDOWS\system32\unicows.dll 2007-05-09 21:20 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll 2007-05-09 15:57 4,096 --a------ C:\WINDOWS\system32\vsv.exe 2007-05-09 14:00 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe 2007-05-09 14:00 2007-05-09 14:00 2007-05-09 14:00 2007-05-09 01:57 2007-05-08 22:17 0 --a------ C:\WINDOWS\system32\SBRC.dat 2007-05-08 22:17 0 --a------ C:\WINDOWS\system32\SBFC.dat 2007-05-08 21:51 2007-05-08 20:00 2007-05-08 19:04 2007-05-08 18:38 2007-05-08 18:18 2007-05-08 14:43 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-08 14:43 2007-05-04 17:44 774,656 --a------ C:\WINDOWS\system32\mmc.exe 2007-05-04 17:26 2007-05-04 17:01 2007-05-04 16:56 73,728 --a------ C:\WINDOWS\system32\dpl100.dll 2007-05-04 16:56 679,936 --a------ C:\WINDOWS\system32\xvidcore.dll 2007-05-04 16:56 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2007-05-04 16:56 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll 2007-05-04 16:56 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll 2007-05-04 16:56 196,608 --a------ C:\WINDOWS\system32\dtu100.dll 2007-05-04 16:56 155,648 --a------ C:\WINDOWS\system32\xvidvfw.dll 2007-05-04 16:56 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll 2007-05-04 16:55 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll 2007-05-04 16:55 2007-05-02 18:18 2007-04-29 23:38 2007-04-29 23:31 77,824 --a------ C:\WINDOWS\system32\mplaw7.dll 2007-04-29 23:31 77,824 --a------ C:\WINDOWS\system32\mplaa6.dll 2007-04-29 23:31 65,536 --a------ C:\WINDOWS\system32\mplapx.dll 2007-04-29 23:31 65,536 --a------ C:\WINDOWS\system32\mplam6.dll 2007-04-29 23:31 1,650,688 --a------ C:\WINDOWS\system32\mplva6.dll 2007-04-29 23:31 1,581,056 --a------ C:\WINDOWS\system32\mplvw7.dll 2007-04-29 23:31 1,552,384 --a------ C:\WINDOWS\system32\mplvm6.dll 2007-04-29 23:31 1,122,304 --a------ C:\WINDOWS\system32\mplvpx.dll 2007-04-29 20:28 2007-04-28 18:18 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-04-28 18:18 298,104 --a------ C:\WINDOWS\system32\imon.dll 2007-04-28 18:18 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-04-28 17:47 2007-04-27 16:30 2007-04-27 15:39 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-04-27 15:16 2007-04-27 12:26 2007-04-27 12:20 2007-04-26 14:32 2007-04-25 19:34 2007-04-25 19:02 2007-04-25 18:15 2007-04-25 18:14 2007-04-23 23:08 2007-04-23 23:07 2007-04-23 23:07 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-11 16:01:02 -------- d-----w C:\Program Files\Mozilla Thunderbird 2007-05-09 19:30:52 -------- d-----w C:\Program Files\Creative 2007-05-09 19:29:58 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Creative 2007-04-27 09:03:00 -------- d–h--w C:\Program Files\InstallShield Installation Information 2007-04-23 21:08:13 4,908 ----a-w C:\WINDOWS\mozver.dat 2007-04-21 11:18:00 -------- d-----w C:\Program Files\Soulseek 2007-04-10 08:45:58 -------- d-----w C:\Program Files\FxTrading 2007-04-01 22:41:11 -------- d-----w C:\Program Files\KodyPocztowe 2007-04-01 22:40:29 74,230 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-04-01 22:40:29 448,004 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-04-01 20:16:32 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\AdobeUM 2007-04-01 20:16:32 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\AdobeAUM 2007-04-01 17:58:28 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll 2007-03-30 12:22:11 -------- d-----w C:\Program Files\activePDF 2007-03-30 12:19:34 -------- d-----w C:\Program Files\pdf995 2007-03-30 12:16:49 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll 2007-03-30 12:16:49 122,880 ----a-w C:\WINDOWS\system32\pdfmona.dll 2007-03-30 12:10:45 -------- d-----w C:\Program Files\PDF4Free 2007-03-30 10:43:17 -------- d–h--w C:\Program Files\WindowsUpdate 2007-03-27 12:56:59 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\PTC 2007-03-27 12:54:50 -------- d-----w C:\Program Files\proeWildfire 2.0 2007-03-20 19:59:02 -------- d-----w C:\Program Files\Pando Networks 2007-03-19 11:29:54 -------- d-----w C:\Program Files\Ahead 2007-03-19 11:29:53 -------- d-----w C:\Program Files\Common Files\Ahead 2007-03-15 13:49:28 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\GanymedeNet 2007-03-15 13:19:18 -------- d-----w C:\Program Files\Ganymede 2007-03-15 10:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll 2007-03-15 10:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll 2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll 2007-03-15 09:04:24 -------- d-----w C:\Program Files\Gadu-Gadu 2007-03-14 16:54:07 -------- d-----w C:\Program Files\Microsoft.NET 2007-03-14 16:37:26 -------- d-----w C:\Program Files\D-Tools 2007-03-14 11:10:53 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Talkback 2007-03-14 11:10:47 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Thunderbird 2007-03-07 15:13:38 81 ----a-w C:\CTX.DAT 2007-03-07 15:08:31 -------- d-----w C:\Program Files\MultiResource Client 2007-03-07 15:08:26 737,280 ----a-w C:\WINDOWS\iun6002.exe 2007-03-06 23:05:06 -------- d-----w C:\DOCUME~1\ja\DANEAP~1\Help 2007-03-06 21:05:36 -------- d-----w C:\Program Files\Common Files\DirectX 2007-03-06 20:57:05 -------- d-----w C:\Program Files\SCi Games 2007-03-06 17:14:35 -------- d-----w C:\Program Files\Python 2007-03-05 12:44:48 4 ----a-w C:\WINDOWS\system32\proc1795523372.bin 2007-03-01 18:34:58 0 ----a-w C:\WINDOWS\nsreg.dat 2007-03-01 11:14:50 0 --sha-r C:\MSDOS.SYS 2007-03-01 11:14:50 0 --sha-r C:\IO.SYS 2007-03-01 11:14:50 0 ----a-w C:\CONFIG.SYS 2007-03-01 11:14:50 0 ----a-w C:\AUTOEXEC.BAT 2007-03-01 11:11:59 21,856 ----a-w C:\WINDOWS\system32\emptyregdb.dat (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] “{53707962-6F74-2D53-2644-206D7942484F}”=“C:\PROGRA~1\SPYBOT~1\SDHelper.dll” “{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}”=“C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “NVMixerTray”="“C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe”" “Adobe Photo Downloader”="“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe”" “NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” “nwiz”=“nwiz.exe /install” “NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit” “SunJavaUpdateSched”="“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe”" “DAEMON Tools-1033”="“C:\Program Files\D-Tools\daemon.exe” -lang 1033" “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” “TkBellExe”="“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot" “SpywareBot”=“C:\Program Files\SpywareBot\SpywareBot.exe -boot” “nod32kui”="“C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE" “CTHelper”=“CTHELPER.EXE” “!AVG Anti-Spyware”="“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” “Gadu-Gadu”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray" @="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] “NoColorChoice”=dword:00000000 “NoSizeChoice”=dword:00000000 “NoDispScrSavPage”=dword:00000000 “NoDispCPL”=dword:00000000 “NoVisualStyleChoice”=dword:00000000 “NoDispSettingsPage”=dword:00000000 “NoDispAppearancePage”=dword:00000000 “NoDispBackgroundPage”=dword:00000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “NoActiveDesktopChanges”=dword:00000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoSaveSettings”=dword:00000000 “NoThemesTab”=dword:00000000 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages msv1_0\0\0 Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages scecli\0\0 HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^menu start^programy^autostart^adobe reader speed launch.lnk C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^menu start^programy^autostart^adobe reader synchronizer.lnk C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^ja^menu start^programy^autostart^openoffice.org 2.0.lnk C:\PROGRA~1\OPENOF~1.0\program\QUICKS~1.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pando “C:\Program Files\Pando Networks\Pando\Pando.exe” /Minimized HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampagent C:\Program Files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService DnsCache\0\0 rpcss RpcSs\0\0 imgsvc StiSvc\0\0 termsvcs TermService\0\0 HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost Contents of the ‘Scheduled Tasks’ folder C:\WINDOWS\tasks\RegCure Program Check.job C:\WINDOWS\tasks\RegCure.job C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job C:\WINDOWS\tasks\XoftSpySE 2.job C:\WINDOWS\tasks\XoftSpySE.job ******************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-11 20:44:28 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 2007-05-11 20:44:35 C:\ComboFix-quarantined-files.txt … 2007-05-11 20:44 C:\ComboFix2.txt … 2007-05-11 15:27

Złączono Posta : 11.05.2007 (Pią) 20:54

nie kumam tego - w podglądzie było raz

Gutek · 11 Maj 2007 19:16

Użyj Pocket Killbox. Zaznaczasz opcję Delete on Reboot i w polu Full Path of File to Delete wklejasz ścieżkę

C:\WINDOWS\system32\vsv.exe i naciskasz X czerwony. Program poprosi o reset kompa … czyli resetujesz.

mms · 11 Maj 2007 20:20

Niestety dalej jest to samo… to chyba nie ma sensu… masz w ogóle jakiś pomysł na to co się u mnie dzieje i czym to grozi?? Z tego co czytałem o SdBot to wynika, że ktoś mi się może na kompa wbić. Nie ukrywam, że komp jest mi potrzebny bo piszę na nim dyplom i szkoda mi czasu na stawianie nowego systemu. Z drugiej strony na trojana straciłem już tyle czasu, że bym tych systemów z 10 postawił.

Szczerze, to nie kumam dlaczego nod wykrywa pliki tworzone przez svhost - przecież to jest proces windy - jako wirusa. Czy ten trojan się tak maskuje, czy to w ogóle może jakoś inaczej działa??

Generalnie załamka…

Jaśli masz jakiś pomysł to proszę o odp.

pozdrawiam

Gutek · 11 Maj 2007 20:31

Zerknij - http://forum.centrumxp.pl/Default.aspx?g=posts&t=108100 na podmianę svchost.exe

M_i_r · 11 Maj 2007 21:50

Przepraszam Gutek2222 ale może jest to reakcja NOD32 -a

na śmiecia RealOne Player -a.Wpis

należy zafixować w HijackThis i zmienić rozszerzenie pliku

C:\Program Files\Common Files\Real\Update_OB\ ralsched.exe

z .exe na .old bo inaczej wróci.

Gutek · 11 Maj 2007 22:35

ale to nie jest syf ten Real jest ciężki i poleca się odinstalować RealOne playera i zastąpić Real Alternative TU - to kosmetyka