Logfile of HijackThis v1.99.1
Scan saved at 11:07:03, on 2007-08-12
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Tomek\USTAWI~1\Temp\Rar$EX00.940\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D964859-B644-4BB0-9346-F8CA128442A8}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D964859-B644-4BB0-9346-F8CA128442A8}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
I don't see anything suspicious in this log.
You can also post a ComboFix log:
http://forum.dobreprogramy.pl/viewtopic.php?t=36654 (at the bottom of the linked page) -
Paste the log at http://wklej.org/ and put only the link in your post.
"Tomek" - 2007-08-13 21:45:24 - ComboFix 07-07-14.6 NTFS
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\VirusProtectPro 3.5
C:\Program Files\VirusProtectPro 3.5\ignored.lst
C:\Program Files\VirusProtectPro 3.5\VirusProtectPro 3.5.exe
C:\Program Files\VirusProtectPro 3.5\vpp.ini
((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))
2007-07-28 08:44
2007-07-25 13:19 155,648 --a------ C:\WINDOWS\system32\adadix32.dll
2007-07-25 13:19 127,456 --a------ C:\WINDOWS\system32\ipdetect.exe
2007-07-25 13:19 127,065 --a------ C:\WINDOWS\system32\drivers\adiusbaw.sys
2007-07-25 13:18 50,007 --a------ C:\WINDOWS\system32\drivers\adildr.sys
2007-07-25 13:18 46,892 --a------ C:\WINDOWS\system32\adadix16.dll
2007-07-25 13:18 4,981 --a------ C:\WINDOWS\system32\adadix2k.dll
2007-07-25 13:18 22,395 --a------ C:\WINDOWS\system32\drivers\fpga.bin
2007-07-25 13:18 126,976 --a------ C:\WINDOWS\system32\coclassfast.dll
2007-07-25 13:18 114,688 --a------ C:\WINDOWS\system32\unaddrv.exe
2007-07-25 13:18
2007-07-25 13:18
2007-07-25 12:44 32,768 --a------ C:\WINDOWS\system32\WooDial2000.dll
2007-07-24 22:18 2,662 --a------ C:\DOCUME~1\Tomek\FIX.BAT
2007-07-22 23:20
2007-07-13 21:18
2007-07-13 12:15
2007-07-13 12:14
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-13 18:53:44 -------- d-----w C:\Program Files\Neostrada TP
2007-07-25 13:25:38 9,216 --s-a-w C:\WINDOWS\system32\zpuwriz.dll
2007-07-25 11:19:14 23 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2007-07-22 11:50:41 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-13 10:15:18 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-07-06 08:22:18 -------- d-----w C:\DOCUME~1\Tomek\DANEAP~1\Real
2007-07-02 05:01:45 -------- d-----w C:\Program Files\Google
2007-06-23 06:52:03 -------- d-----w C:\DOCUME~1\Tomek\DANEAP~1\Google
2007-06-16 22:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
2007-02-23 11:51:41 124,112 ----a-w C:\DOCUME~1\Tomek\DANEAP~1\drvcleaner.exe
2006-10-29 07:18:52 315,392 ----a-w C:\Program Files\Uninstall My Web Search.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-04 01:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 18:07]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 18:07]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 18:07]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
"C:\Program Files\Gadu-Gadu\gg.exe" /tray
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
rundll32 iesetup.dll,IEAccessUserInst
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-13 21:46:52
Windows 5.1.2600 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
**************************************************************************
Completion time: 2007-08-13 21:47:57
C:\ComboFix-quarantined-files.txt … 2007-08-13 21:47
— E O F —
Download Pocket Killbox,
tick Delete on reboot, and in the Full Path of File to Delete field paste the path:
C:\WINDOWS\system32\zpuwriz.dll
and press the red X. The program will ask to restart the computer, which you do.
Delete the file.
Post a new ComboFix log.
tomek1234123412, put your logs inside Code tags.
"Tomek" - 2007-08-15 13:34:27 - ComboFix 07-07-14.6 NTFS
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\5_exception.nls
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\drivers\secdrv.sys
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\runtime
((((((((((((((((((((((((( Files Created from 2007-07-15 to 2007-08-15 )))))))))))))))))))))))))))))))
2007-07-28 08:44
2007-07-25 13:19 155,648 --a------ C:\WINDOWS\system32\adadix32.dll
2007-07-25 13:19 127,456 --a------ C:\WINDOWS\system32\ipdetect.exe
2007-07-25 13:19 127,065 --a------ C:\WINDOWS\system32\drivers\adiusbaw.sys
2007-07-25 13:18 50,007 --a------ C:\WINDOWS\system32\drivers\adildr.sys
2007-07-25 13:18 46,892 --a------ C:\WINDOWS\system32\adadix16.dll
2007-07-25 13:18 4,981 --a------ C:\WINDOWS\system32\adadix2k.dll
2007-07-25 13:18 22,395 --a------ C:\WINDOWS\system32\drivers\fpga.bin
2007-07-25 13:18 126,976 --a------ C:\WINDOWS\system32\coclassfast.dll
2007-07-25 13:18 114,688 --a------ C:\WINDOWS\system32\unaddrv.exe
2007-07-25 13:18
2007-07-25 13:18
2007-07-25 12:44 32,768 --a------ C:\WINDOWS\system32\WooDial2000.dll
2007-07-24 22:18 2,662 --a------ C:\DOCUME~1\Tomek\FIX.BAT
2007-07-22 23:20
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-15 11:31:12 -------- d-----w C:\Program Files\Neostrada TP
2007-07-25 11:19:14 23 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2007-07-22 11:50:41 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-14 08:53:00 -------- d-----w C:\Program Files\Deer Drive
2007-07-13 11:46:23 -------- d-----w C:\Program Files\BitComet
2007-07-13 10:15:18 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-07-06 08:22:18 -------- d-----w C:\DOCUME~1\Tomek\DANEAP~1\Real
2007-07-02 05:01:45 -------- d-----w C:\Program Files\Google
2007-06-23 06:52:03 -------- d-----w C:\DOCUME~1\Tomek\DANEAP~1\Google
2007-06-16 22:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
2007-02-23 11:51:41 124,112 ----a-w C:\DOCUME~1\Tomek\DANEAP~1\drvcleaner.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-04 01:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 18:07]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 18:07]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 18:07]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
"C:\Program Files\Gadu-Gadu\gg.exe" /tray
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
rundll32 iesetup.dll,IEAccessUserInst
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-15 13:38:07
Windows 5.1.2600 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
**************************************************************************
Completion time: 2007-08-15 13:40:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt … 2007-08-15 13:40
— E O F —
You had the "Runtime" rootkit, but ComboFix has already removed it.
On several foreign "virus" forums I noticed that they remove it.
http://www.lavasoftsupport.com/index.php?showtopic=7062&mode=threaded&pid=33596
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.AANF&VSect=T
From the second link you can read that it is a "fake" program posing as a legitimate one, i.e. simply a Trojan "detected as ADW_WINFIXER.EU".
It would be good to check this file:
Check it at http://virusscan.jotti.org/
A description of how to use JOTTI --> http://otfans.pl/forums/showthread.php?tid=552
or at http://www.virustotal.com/en/indexf.html
(it is used in the same way as JOTTI).
I don't see anything else suspicious in the log.
jessi