Hello. I have the following problem. After a scan with Spyware Doctor it turned out that I have a trojan called Trojan.Generic. How can I remove it? I also scanned with ComboFix, but that did not help.
Here are the results of the ComboFix scan:
ComboFix 11-01-31.02 - yo 2011-02-05 14:20:30.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.2047.802 [GMT 1:00]
Uruchomiony z: c:\documents and settings\yo\Pulpit\ComboFix.exe
AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\yo\Dane aplikacji\Desktopicon
c:\documents and settings\yo\Dane aplikacji\Desktopicon\config.ini
c:\documents and settings\yo\Dane aplikacji\Desktopicon\eBayShortcuts.exe
c:\documents and settings\yo\Dane aplikacji\PriceGong
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\1.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\a.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\b.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\c.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\d.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\e.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\f.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\g.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\h.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\i.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\J.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\k.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\l.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\m.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\mru.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\n.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\o.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\p.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\q.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\r.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\s.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\t.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\u.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\v.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\w.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\x.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\y.xml
c:\documents and settings\yo\Dane aplikacji\PriceGong\Data\z.xml
c:\documents and settings\yo\metin2.bin
c:\documents and settings\yo\Pulpit\04 basshunter - I miss you
c:\documents and settings\yo\Pulpit\05 basshunter - Angel in the night
c:\documents and settings\yo\Pulpit\06 basshunter - In her eyes
c:\documents and settings\yo\Pulpit\Doda - Dwie bajki
c:\documents and settings\yo\Pulpit\Drossel - Chcialbym oddac tobie moje sny
c:\documents and settings\yo\Pulpit\Dukat-Góraleczka
c:\documents and settings\yo\Pulpit\Focus - Powiedz gdzie jestes gdzie [new 2009]
c:\documents and settings\yo\Pulpit\Magnum - Ty tego nie wiesz
c:\documents and settings\yo\Pulpit\Mega Dance - Kochać Całym Sercem
c:\documents and settings\yo\Pulpit\Paparazzi - Nadzieję w sobie mieć
c:\windows\settings.reg
c:\windows\system32\Data
.
((((((((((((((((((((((((( Pliki utworzone od 2011-01-05 do 2011-02-05 )))))))))))))))))))))))))))))))
.
2011-01-23 14:12 . 2011-01-23 14:12 -------- d-----w- c:\program files\METIN2
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-26 18:31 . 2010-11-26 18:31 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-01-02 1487240]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-02-19 1262888]
"{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}"= "c:\program files\4shared.com\tb4sh1.dll" [2011-01-10 3911776]
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
[HKEY_CLASSES_ROOT\clsid\{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}]
2011-01-10 17:38 3911776 ----a-w- c:\program files\4shared.com\tb4sh1.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-10 17:38 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngin0.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-01-02 18:15 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}"= "c:\program files\4shared.com\tb4sh1.dll" [2011-01-10 3911776]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-01-02 1487240]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin0.dll" [2011-01-10 3911776]
[HKEY_CLASSES_ROOT\clsid\{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{09EC805C-CB2E-4D53-B0D3-A75A428B81C7}"= "c:\program files\4shared.com\tb4sh1.dll" [2011-01-10 3911776]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-01-02 1487240]
[HKEY_CLASSES_ROOT\clsid\{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-10 216520]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2009-03-09 2564408]
"IPLA!"="c:\program files\ipla\ipla.exe" [2010-11-15 18633728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"WinampAgent"="d:\winamp\winampa.exe" [2009-04-10 37888]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"P17Helper"="P17.dll" [2005-05-03 64512]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2009-2-5 1205840]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8461:TCP"= 8461:TCP:GoD High Port
"8462:TCP"= 8462:TCP:GoD Low Port
"17109:TCP"= 17109:TCP:BitComet 17109 TCP
"17109:UDP"= 17109:UDP:BitComet 17109 UDP
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-14 130936]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2008-12-24 717296]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-04-14 348752]
R3 e4usbaw;USB ADSL2 WAN Adapter;c:\windows\system32\drivers\e4usbaw.sys [2009-02-05 104344]
S2 E4LOADER;General Purpose USB Driver (e4ldr.sys);c:\windows\system32\drivers\e4ldr.sys [2009-02-05 69656]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-08-01 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-08-01 7680]
--- Inne Usługi/Sterowniki w Pamięci ---
*Deregistered* - mchInjDrv
.
Zawartość folderu 'Zaplanowane zadania'
2011-02-05 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-01-02 18:15]
2011-02-05 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-31 20:18]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.ask.com?o=15510&l=dis
uInternet Connection Wizard,ShellNext = iexplore
IE: &Download All using 4shared Desktop - d:\program files\4shared Desktop\down_all.htm
IE: &Winamp Search - c:\documents and settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&ksport do programu Microsoft Excel - d:\office11\EXCEL.EXE/3000
IE: Pobierz wszystkie VIdeo za pomocą BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Pobierz wszystko za pomocą BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Pobierz za pomocą BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
FF - ProfilePath - c:\documents and settings\yo\Dane aplikacji\Mozilla\Firefox\Profiles\u5421dw1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as … ource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=15510&l=dis
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/sli … pab&query=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Winamp Toolbar: {0b38152b-1b20-484d-a11f-5e04a9b0661f} - %profile%\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}
FF - Ext: 4shared.com Community Toolbar: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - %profile%\extensions\{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
.
- - - - USUNIĘTO PUSTE WPISY - - - -
AddRemove-conduitEngine - c:\program files\ConduitEngine\ConduitEngineUninstall.exe
AddRemove-Crate Man - d:\progra~1\Crateman\UNWISE.EXE
AddRemove-Dziobas Rar Player_is1 - c:\program files\Dziobas Rar Player\unins000.exe
AddRemove-Gadu-Gadu - c:\program files\Gadu-Gadu\Setup.exe
AddRemove-Longju99_is1 - d:\program files\Longju99\unins000.exe
AddRemove-Marine Sharpshooter 4_is1 - c:\program files\City Interactive\Marine Sharpshooter 4\unins000.exe
AddRemove-Metin2.us_is1 - d:\program files\Z8games\Metin2\unins000.exe
AddRemove-Teamspeak 2 RC2_is1 - d:\program files\Teamspeak2_RC2\unins000.exe
AddRemove-{244959C3-43BF-4A30-A769-466DA2D5F647}_is1 - d:\ířâçóîď·\´´ĘŔÁúľÔ\unins000.exe
AddRemove-{4E9FA283-79B0-42CF-BD0D-FA2A42C15348}_is1 - d:\downloads\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-05 14:29
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose
skanowanie ukrytych procesów …
skanowanie ukrytych wpisów autostartu …
skanowanie ukrytych plików …
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'explorer.exe'(1752)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\browselc.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\Rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Czas ukończenia: 2011-02-05 14:34:28 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2011-02-05 13:34
Przed: 4 740 812 800 bajtów wolnych
Po: 9 311 207 424 bajtów wolnych
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - F44D0452DAED0D7C3DF36C52EFB5791A
Thanks in advance for the help.