Strasznie wolny internet


(Tropek22) #1
Logfile of HijackThis v1.99.1

Scan saved at 11:07:03, on 2007-08-12

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Program Files\Neostrada TP\NeostradaTP.exe

C:\Program Files\Neostrada TP\ComComp.exe

C:\Program Files\Neostrada TP\Watch.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\Tomek\USTAWI~1\Temp\Rar$EX00.940\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{1D964859-B644-4BB0-9346-F8CA128442A8}: NameServer = 194.204.152.34 217.98.63.164

O17 - HKLM\System\CS1\Services\Tcpip\..\{1D964859-B644-4BB0-9346-F8CA128442A8}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

(jessica) #2

W tym logu nie widzę nic podejrzanego.

Możesz dać jeszcze log z ComboFixa:

(na dole tej strony z linku) -

Log wklej na http://wklej.org/, a w poście daj tylko link.

.


(Tropek22) #3

"Tomek" - 2007-08-13 21:45:24 - ComboFix 07-07-14.6 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\VirusProtectPro 3.5

C:\Program Files\VirusProtectPro 3.5\ignored.lst

C:\Program Files\VirusProtectPro 3.5\VirusProtectPro 3.5.exe

C:\Program Files\VirusProtectPro 3.5\vpp.ini

((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))

2007-07-28 08:44

2007-07-25 13:19 155,648 --a------ C:\WINDOWS\system32\adadix32.dll

2007-07-25 13:19 127,456 --a------ C:\WINDOWS\system32\ipdetect.exe

2007-07-25 13:19 127,065 --a------ C:\WINDOWS\system32\drivers\adiusbaw.sys

2007-07-25 13:18 50,007 --a------ C:\WINDOWS\system32\drivers\adildr.sys

2007-07-25 13:18 46,892 --a------ C:\WINDOWS\system32\adadix16.dll

2007-07-25 13:18 4,981 --a------ C:\WINDOWS\system32\adadix2k.dll

2007-07-25 13:18 22,395 --a------ C:\WINDOWS\system32\drivers\fpga.bin

2007-07-25 13:18 126,976 --a------ C:\WINDOWS\system32\coclassfast.dll

2007-07-25 13:18 114,688 --a------ C:\WINDOWS\system32\unaddrv.exe

2007-07-25 13:18

2007-07-25 13:18

2007-07-25 12:44 32,768 --a------ C:\WINDOWS\system32\WooDial2000.dll

2007-07-24 22:18 2,662 --a------ C:\DOCUME~1\Tomek\FIX.BAT

2007-07-22 23:20

2007-07-13 21:18

2007-07-13 12:15

2007-07-13 12:14

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-13 18:53:44 -------- d-----w C:\Program Files\Neostrada TP

2007-07-25 13:25:38 9,216 --s-a-w C:\WINDOWS\system32\zpuwriz.dll

2007-07-25 11:19:14 23 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg

2007-07-22 11:50:41 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-07-13 10:15:18 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll

2007-07-06 08:22:18 -------- d-----w C:\DOCUME~1\Tomek\DANEAP~1\Real

2007-07-02 05:01:45 -------- d-----w C:\Program Files\Google

2007-06-23 06:52:03 -------- d-----w C:\DOCUME~1\Tomek\DANEAP~1\Google

2007-06-16 22:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe

2007-02-23 11:51:41 124,112 ----a-w C:\DOCUME~1\Tomek\DANEAP~1\drvcleaner.exe

2006-10-29 07:18:52 315,392 ----a-w C:\Program Files\Uninstall My Web Search.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

2003-11-04 01:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 18:07]

"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 18:07]

"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 18:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

"C:\Program Files\Gadu-Gadu\gg.exe" /tray

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}

rundll32 iesetup.dll,IEAccessUserInst

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-08-13 21:46:52

Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-13 21:47:57

C:\ComboFix-quarantined-files.txt ... 2007-08-13 21:47

--- E O F ---


(qrczak13) #4

Ściągasz Pocket Killbox,

zaznaczasz Delete on reboot , w polu Full Path of File to Delete wklej ścieżkę:

C:\WINDOWS\system32\zpuwriz.dll

i naciskasz X czerwony. Program poprosi o restart kompa, co robisz.

Usuń plik.

Nowy log z combofix'a.


(lazikar) #5

tomek1234123412 wstawiaj logi w znaczniki Code.


(Tropek22) #6

"Tomek" - 2007-08-15 13:34:27 - ComboFix 07-07-14.6 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\5_exception.nls

C:\WINDOWS\system32\drivers\runtime2.sys

C:\WINDOWS\system32\drivers\secdrv.sys

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_RUNTIME

-------\LEGACY_RUNTIME2

-------\runtime

((((((((((((((((((((((((( Files Created from 2007-07-15 to 2007-08-15 )))))))))))))))))))))))))))))))

2007-07-28 08:44

2007-07-25 13:19 155,648 --a------ C:\WINDOWS\system32\adadix32.dll

2007-07-25 13:19 127,456 --a------ C:\WINDOWS\system32\ipdetect.exe

2007-07-25 13:19 127,065 --a------ C:\WINDOWS\system32\drivers\adiusbaw.sys

2007-07-25 13:18 50,007 --a------ C:\WINDOWS\system32\drivers\adildr.sys

2007-07-25 13:18 46,892 --a------ C:\WINDOWS\system32\adadix16.dll

2007-07-25 13:18 4,981 --a------ C:\WINDOWS\system32\adadix2k.dll

2007-07-25 13:18 22,395 --a------ C:\WINDOWS\system32\drivers\fpga.bin

2007-07-25 13:18 126,976 --a------ C:\WINDOWS\system32\coclassfast.dll

2007-07-25 13:18 114,688 --a------ C:\WINDOWS\system32\unaddrv.exe

2007-07-25 13:18

2007-07-25 13:18

2007-07-25 12:44 32,768 --a------ C:\WINDOWS\system32\WooDial2000.dll

2007-07-24 22:18 2,662 --a------ C:\DOCUME~1\Tomek\FIX.BAT

2007-07-22 23:20

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-15 11:31:12 -------- d-----w C:\Program Files\Neostrada TP

2007-07-25 11:19:14 23 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg

2007-07-22 11:50:41 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-07-14 08:53:00 -------- d-----w C:\Program Files\Deer Drive

2007-07-13 11:46:23 -------- d-----w C:\Program Files\BitComet

2007-07-13 10:15:18 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll

2007-07-06 08:22:18 -------- d-----w C:\DOCUME~1\Tomek\DANEAP~1\Real

2007-07-02 05:01:45 -------- d-----w C:\Program Files\Google

2007-06-23 06:52:03 -------- d-----w C:\DOCUME~1\Tomek\DANEAP~1\Google

2007-06-16 22:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe

2007-02-23 11:51:41 124,112 ----a-w C:\DOCUME~1\Tomek\DANEAP~1\drvcleaner.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

2003-11-04 01:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 18:07]

"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 18:07]

"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 18:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

"C:\Program Files\Gadu-Gadu\gg.exe" /tray

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}

rundll32 iesetup.dll,IEAccessUserInst

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-08-15 13:38:07

Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-15 13:40:38 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-08-15 13:40

--- E O F ---


(jessica) #7

Miałeś Rootkita "Runtime", ale ComboFix już go usunął.

Na kilku zagranicznych forach "wirusowych" zauważyłam, że to usuwają.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.AANF&VSect=T

Z tego drugiego linku można wyczytać, że to jest "fałszywy" program, udający dobry - czyli po prostu Trojan "detected as ADW_WINFIXER.EU".

Byłoby dobrze sprawdzić ten plik:

Sprawdź go na http://virusscan.jotti.org/

Opis, jak korzystać z JOTTI --> http://otfans.pl/forums/showthread.php?tid=552

albo na http://www.virustotal.com/en/indexf.html

(korzysta się podobnie jak z JOTTI).

Nic więcej podejrzanego w logu nie widzę.

jessi