Trojan, please help.. how do I remove it..!?


(Kingarken) #1

Hi, I have a problem: I have a trojan virus..;/ I've been trying to remove it with these programs:

Avast: (it found everything and supposedly removed everything, but when I restarted the computer avast detected it again, and so on without end)

SpeactorDoctor (works the same way as avast)

KillBox (this program deletes selected files by itself; it deleted one trojan for me when I gave it the path, but it wouldn't delete the next ones, I don't know why :()

Kaspersky (I happen to have this program installed, I scan with it every day and it also supposedly removes it, but after a restart it sees it again :))

so I've tried almost everything, I hope someone can help me with this :) because I can't format drive C for now, that's the last resort...

Logfile of HijackThis v1.99.1

Scan saved at 13:43:55, on 2007-06-08

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\Programy\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\AGEIA Technologies\TrayIcon.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\atlmurep.exe

C:\WINDOWS\system32\schtvfxm.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\sysnlwgy.exe

C:\Programy\Kalendarz XP\Kalendarz.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\Program Files\Opera\Opera.exe

D:\Arek\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM..\Run: [skyTel] SkyTel.EXE

O4 - HKLM..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM..\Run: [i downloaded pirated Software from P2P and now I post my Hijack log] C:\WINDOWS\system32\warez.exe

O4 - HKLM..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe

O4 - HKLM..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM..\Run: [nwiz] nwiz.exe /install

O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM..\Run: [ksyscmd] C:\WINDOWS\system32\atlmurep.exe

O4 - HKLM..\Run: [dmsloop] C:\WINDOWS\system32\umcujfvy.exe

O4 - HKLM..\Run: [ifperx] C:\WINDOWS\system32\schtvfxm.exe

O4 - HKLM..\Run: [scmplay] C:\WINDOWS\system32\schtvfxm.exe

O4 - HKLM..\Run: [dbidmme] sysnlwgy.exe

O4 - HKLM..\Run: [imcssl] C:\WINDOWS\system32\schtvfxm.exe

O4 - HKLM..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"

O4 - HKLM..\Run: [wpxmls] C:\WINDOWS\system32\schtvfxm.exe

O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

O4 - HKCU..\Run: [Free Download Manager] D:\Arek\Free Download Manager\fdm.exe -autorun

O4 - HKCU..\Run: [service Pack 1] C:\WINDOWS\system32\vexg6ame4.exe

O4 - HKCU..\Run: [ipWins] C:\Program Files\Ipwindows\ipwins.exe

O4 - HKCU..\Run: [ksyscmd] C:\WINDOWS\system32\atlmurep.exe

O4 - HKCU..\Run: [dmsloop] C:\WINDOWS\system32\umcujfvy.exe

O4 - HKCU..\Run: [ifperx] C:\WINDOWS\system32\schtvfxm.exe

O4 - HKCU..\Run: [scmplay] C:\WINDOWS\system32\schtvfxm.exe

O4 - HKCU..\Run: [dbidmme] sysnlwgy.exe

O4 - HKCU..\Run: [imcssl] C:\WINDOWS\system32\schtvfxm.exe

O4 - HKCU..\Run: [wpxmls] C:\WINDOWS\system32\schtvfxm.exe

O4 - Startup: Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: BlueSoleil.lnk = ?

O4 - Global Startup: Kalendarz XP.lnk = C:\Programy\Kalendarz XP\Kalendarz.exe

O8 - Extra context menu item: Dodaj do blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2A781DED-C22D-4153-9812-CEA98A32981C} (GameDesire Makao) - http://67.15.101.3/g_bin/pl/cardsmakao_2_0_0_24.cab

O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/pl/boards_2_0_0_30.cab

O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_43.cab

O16 - DPF: {881290B9-F53C-4676-8DAF-3DBEFC297308} (GameDesire Makao) - http://67.15.101.3/g_bin/pl/makao_2_0_0_21.cab

O17 - HKLM\System\CCS\Services\Tcpip..{CC33EC00-AA12-40D1-B895-88547F18DCD3}: NameServer = 194.204.159.1

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Dokumenty\Settings\bot.dll (file missing)

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe (file missing)

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programy\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

this is what Kaspersky finds: http://img505.imageshack.us/my.php?imag ... tuubg1.jpg

and also, when I restart the computer it finds Trojan.Genetic. or something like that, nothing can be done with it, it can't be deleted, can't be quarantined, nothing

I'm really asking for your help..

regards, thanks in advance :slight_smile:

oh, and I'm clueless about this stuff, so if anything, explain it well :slight_smile:

regards
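As an added, defender-side example (not part of this thread, and not HijackThis or ComboFix code): a Python script that applies, to the O4/O20/O23 lines of the log above, the same triage the helpers do by eye. The three heuristics are assumptions of this example, not rules from the thread: one executable launched by several Run value names, the same value planted in both HKLM and HKCU, and a Winlogon hook or service whose target file is already missing. The sample log is a constructed excerpt of the first post's entries.

```python
"""Triage heuristics for HijackThis O4/O20/O23 lines (added example, not HijackThis code)."""
import re
from collections import defaultdict

# Constructed sample: an excerpt of the O4/O20/O23 entries from the first post's
# HijackThis log, re-typed here so the script runs offline without a real system.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ksyscmd] C:\WINDOWS\system32\atlmurep.exe
O4 - HKLM\..\Run: [dmsloop] C:\WINDOWS\system32\umcujfvy.exe
O4 - HKLM\..\Run: [ifperx] C:\WINDOWS\system32\schtvfxm.exe
O4 - HKLM\..\Run: [scmplay] C:\WINDOWS\system32\schtvfxm.exe
O4 - HKLM\..\Run: [dbidmme] sysnlwgy.exe
O4 - HKLM\..\Run: [imcssl] C:\WINDOWS\system32\schtvfxm.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [wpxmls] C:\WINDOWS\system32\schtvfxm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [service Pack 1] C:\WINDOWS\system32\vexg6ame4.exe
O4 - HKCU\..\Run: [ipWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [ksyscmd] C:\WINDOWS\system32\atlmurep.exe
O4 - HKCU\..\Run: [dmsloop] C:\WINDOWS\system32\umcujfvy.exe
O4 - HKCU\..\Run: [ifperx] C:\WINDOWS\system32\schtvfxm.exe
O4 - HKCU\..\Run: [dbidmme] sysnlwgy.exe
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Dokumenty\Settings\bot.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Accepts both "HKLM\..\Run" and the backslash-stripped "HKLM..\Run" seen in pasted logs.
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\?\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# First quoted path, else the shortest prefix ending in an executable/library extension.
PATH_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|cpl|scr))(?=\s|$)', re.I)


def target_basename(cmd: str) -> str:
    """Lower-cased file name that a Run value actually launches."""
    m = PATH_RE.match(cmd.strip())
    path = (m.group(1) or m.group(2)) if m else cmd.split()[0]
    return path.rsplit('\\', 1)[-1].lower()


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each file name that trips a heuristic to the reasons, for a human to review."""
    names_by_exe = defaultdict(set)    # exe -> Run value names that launch it
    hives_by_entry = defaultdict(set)  # (value name, exe) -> hives it appears in
    reasons = defaultdict(list)
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = target_basename(m.group('cmd'))
            name = m.group('name').lower()
            names_by_exe[exe].add(name)
            hives_by_entry[(name, exe)].add(m.group('hive'))
        elif line.startswith(('O20 - ', 'O23 - ')) and line.endswith('(file missing)'):
            # Hook or service still pointing at a file that is already gone: the
            # payload was removed but its loading point was left behind.
            path = line[:-len(' (file missing)')].rsplit(' - ', 1)[-1]
            exe = path.rsplit('\\', 1)[-1].lower()
            reasons[exe].append('loading point references a missing file')
            if 'Unknown owner' in line:
                reasons[exe].append('service carries no vendor/owner string')
    for exe, names in names_by_exe.items():
        if len(names) > 1:  # one binary re-registering itself under several names
            reasons[exe].append(f'launched by {len(names)} Run values: {sorted(names)}')
    for (name, exe), hives in hives_by_entry.items():
        if {'HKLM', 'HKCU'} <= hives:  # identical value planted in both hives
            reasons[exe].append(f'value "{name}" present in both HKLM and HKCU Run')
    return dict(reasons)


def report(log_text: str) -> list[str]:
    """One line per flagged file, sorted, ready to compare against the log by hand."""
    return [f'{exe}: ' + '; '.join(why) for exe, why in sorted(triage(log_text).items())]


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_LOG)))
```

The Ipwindows and vexg6ame4.exe entries that Gutek singled out trip none of these rules, which is the usual reminder that such heuristics shorten the list a reviewer has to read but do not replace the reviewer.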


(Gutek) #2

Use VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone.

Post a log from ComboFix.

Note: when you paste a log, wrap it in a CODE or QUOTE tag.


(Kingarken) #3

hey, these 3 programs don't quite work for me, when I launch one some problem pops up…;/ and combofix just thinks and thinks :frowning:


(Gutek) #4

Start >>> Run >>> services.msc >>> stop and disable Microsoft ASPI Manager; delete the files and the folder manually in Safe Mode, and the entries with HJT.

Scan with AVG Anti-Spyware 7.5 after updating it :wink:


(Kingarken) #5

and a silly question: how do I disable Microsoft ASPI Manager?


(Gutek) #6

:slight_smile:


(Kingarken) #7

one more question, I'm clueless, so I don't know whether what I did was right

I booted into safe mode and disabled this Microsoft ASPI Manager

"delete the files and the folder manually in Safe Mode, and the entries with HJT." I don't understand what this means…;/ should I now scan the computer and remove the viruses?


(Gutek) #8

Go to, for example, the folder C:\Program Files\Ipwindows and delete Ipwindows; and don't tell me you didn't delete anything and didn't empty it from the recycle bin


(Kingarken) #9

ok, I think I get it, I did what you wrote

Start >>> Run >>> services.msc >>> stop and disable Microsoft ASPI Manager; delete the files and the folder manually in Safe Mode, and the entries with HJT.

except I'm looking for that folder, e.g. C:\Program Files\Ipwindows\ipwins.exe

unfortunately it's not there, nor any of the files marked in red in your post… and kaspersky keeps detecting a virus…;/

please help :frowning:


(Gutek) #10

wait patiently, it takes a long time


(Kingarken) #11

“Czakus” - 2007-06-08 19:20:53 Dodatek Service Pack 2 NTFS

ComboFix 07-06-3B - Running from: “D:\Arek”

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\wpcjmd.log

((((((((((((((((((((((((( Files Created from 2007-05-08 to 2007-06-08 )))))))))))))))))))))))))))))))

2007-06-08 17:04

2007-06-08 16:56 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-08 16:44

2007-06-08 16:17

2007-06-08 15:59

2007-06-08 12:25

2007-06-07 19:06 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat

2007-06-07 19:06 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat

2007-06-07 19:06 36,640 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat

2007-06-07 19:06 3,985,440 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2007-06-07 19:06

2007-06-07 19:06

2007-06-07 19:04

2007-06-07 16:53

2007-06-07 16:53

2007-06-07 09:02 57,387 --a------ C:\WINDOWS\fgreghtrhjtre.exe

2007-06-06 12:59

2007-06-06 12:51

2007-06-06 12:51

2007-06-06 12:50

2007-06-06 10:11 49,995 --a------ C:\WINDOWS\hntrgryh.exe

2007-06-05 10:22 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

2007-06-05 09:39

2007-05-11 14:45

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 06:53:54 -------- d-----w C:\Program Files\Winamp

2007-06-07 17:14:33 14,336 ----a-w C:\WINDOWS\system32\svchost.exe

2007-05-22 08:11:03 -------- d–h--w C:\Program Files\InstallShield Installation Information

2007-04-21 12:09:57 -------- d-----w C:\Program Files\Handset Manager

2007-04-17 18:37:21 -------- d-----w C:\Program Files\Futuremark

2007-04-16 20:11:53 -------- d-----w C:\Program Files\Microsoft Works

2007-04-16 20:11:42 -------- d-----w C:\Program Files\MSBuild

2007-04-16 20:10:42 -------- d-----w C:\Program Files\Microsoft.NET

2007-04-16 20:06:59 -------- d-----w C:\Program Files\Microsoft Visual Studio 8

2007-04-15 10:29:20 -------- d-----w C:\Program Files\Gadu-Gadu

2007-04-12 09:40:40 -------- d-----w C:\DOCUME~1\Czakus\DANEAP~1\Command & Conquer 3 Tiberium Wars

2007-04-10 17:24:56 -------- d-----w C:\Program Files\Electronic Arts

2007-04-04 10:36:19 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-03-31 18:35:57 80,862 ----a-w C:\WINDOWS\system32\perfc015.dat

2007-03-31 18:35:57 460,790 ----a-w C:\WINDOWS\system32\perfh015.dat

2007-03-29 17:24:03 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll

2007-03-09 18:52:52 200,768 ----a-w C:\WINDOWS\system32\klogon.dll

2004-08-03 22:44:20 49,995 --sh–r C:\WINDOWS\system32\atlmurep.exe

2003-08-16 18:56:00 579,584 --sha-r C:\WINDOWS\system32\cd.exe

2004-08-03 22:44:20 45,357 --sh–r C:\WINDOWS\system32\cmdwphlr.exe

2004-08-03 22:44:20 47,019 --sh–r C:\WINDOWS\system32\regyowip.exe

2004-08-03 22:44:20 45,357 --sh–r C:\WINDOWS\system32\schtvfxm.exe

2004-08-03 22:44:20 91,315 --sh–r C:\WINDOWS\system32\sysnlwgy.exe

2004-08-03 22:44:20 51,575 --sh–r C:\WINDOWS\system32\umcujfvy.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll [2005-04-14 00:20]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-05-12 01:47]

{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 00:48]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 03:23]

{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“SkyTel”=“SkyTel.EXE” [2006-05-16 12:04 C:\WINDOWS\SkyTel.exe]

“NWEReboot”="" []

“BluetoothAuthenticationAgent”=“bthprops.cpl” [2004-08-04 00:44 C:\WINDOWS\system32\bthprops.cpl]

“RTHDCPL”=“RTHDCPL.EXE” [2006-07-21 10:56 C:\WINDOWS\RTHDCPL.exe]

“SoundMan”=“SOUNDMAN.EXE” [2006-07-21 10:14 C:\WINDOWS\SoundMan.exe]

“AlcWzrd”=“ALCWZRD.EXE” [2006-05-04 10:26 C:\WINDOWS\alcwzrd.exe]

“Alcmtr”=“ALCMTR.EXE” [2005-05-03 12:43 C:\WINDOWS\Alcmtr.exe]

“AGEIA PhysX SysTray”=“C:\Program Files\AGEIA Technologies\TrayIcon.exe” [2006-03-20 21:43]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe” [2006-12-15 03:23]

“GrooveMonitor”=“C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe” [2006-10-27 00:47]

“nwiz”=“nwiz.exe” [2006-08-11 15:43 C:\WINDOWS\system32\nwiz.exe]

“dbidmme”=“sysnlwgy.exe” [2004-08-04 00:44 C:\WINDOWS\system32\sysnlwgy.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe” []

“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-08-04 01:55]

“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe” []

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2006-10-10 17:51]

“EA Core”=“C:\Program Files\Electronic Arts\EA Link\Core.exe” [2007-02-19 14:39]

“Free Download Manager”=“D:\Arek\Free Download Manager\fdm.exe” []

“dbidmme”=“sysnlwgy.exe” [2004-08-04 00:44 C:\WINDOWS\system32\sysnlwgy.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

“NoLowDiskSpaceChecks”=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

“{B5A7F190-DDA6-4420-B3BA-52453494E6CD}”=“C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [2006-10-27 00:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

“appinit_dlls”=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs BthServ

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the ‘Scheduled Tasks’ folder

2007-05-09 19:05:00 C:\WINDOWS\tasks\At1.job

2007-03-09 20:28:00 C:\WINDOWS\tasks\At10.job

2007-03-15 20:28:00 C:\WINDOWS\tasks\At12.job

2007-05-19 07:20:45 C:\WINDOWS\tasks\At13.job

2007-05-19 07:20:45 C:\WINDOWS\tasks\At15.job

2007-05-15 19:05:00 C:\WINDOWS\tasks\At3.job

2007-05-09 19:07:00 C:\WINDOWS\tasks\At4.job

2007-05-15 19:07:00 C:\WINDOWS\tasks\At6.job

2007-03-09 20:27:00 C:\WINDOWS\tasks\At7.job

2007-03-15 20:27:00 C:\WINDOWS\tasks\At9.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-08 19:23:02

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services{00001000-0000-1000-8000-00805f9b34fb}]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services{00001105-0000-1000-8000-00805f9b34fb}]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services{00001115-0000-1000-8000-00805f9b34fb}]

Completion time: 2007-06-08 19:25:04

C:\ComboFix-quarantined-files.txt … 2007-06-08 19:25

C:\ComboFix2.txt … 2007-06-08 16:56

— E O F —


(Gutek) #12

Download The Avenger. Unpack it => run it => tick the option Input script manually => click the magnifying glass => in the window that opens, paste:

click the Done button => now click the green light => a message should appear, click OK (restart now).


(Kingarken) #13

dude, you're a god :smiley: kaspersky isn't detecting anything for now :smiley: I think I removed that ********** :smiley: big thanks!!


(Agatonster) #14

Armin997

It's your first day on the Forum, and the Forum is not a gutter - so for the future I advise you to watch your language - there won't be another warning like this :?


(adam9870) #15

Please run ComboFix again and paste the new log here.


(Kingarken) #16

“Czakus” - 2007-06-09 8:12:24 Dodatek Service Pack 2 NTFS

ComboFix 07-06-3B - Running from: “D:\Arek”

((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))

2007-06-08 19:51

2007-06-08 17:04

2007-06-08 16:56 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-08 16:17

2007-06-07 19:06 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat

2007-06-07 19:06 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat

2007-06-07 19:06 42,016 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat

2007-06-07 19:06 4,094,752 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2007-06-07 19:06

2007-06-07 19:06

2007-06-07 19:04

2007-06-07 16:53

2007-06-07 09:02 57,387 --a------ C:\WINDOWS\fgreghtrhjtre.exe

2007-06-06 12:59

2007-06-06 12:51

2007-06-06 12:51

2007-06-06 12:50

2007-06-05 10:22 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

2007-06-05 09:39

2007-05-11 14:45

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 06:53:54 -------- d-----w C:\Program Files\Winamp

2007-06-07 17:14:33 14,336 ----a-w C:\WINDOWS\system32\svchost.exe

2007-05-22 08:11:03 -------- d–h--w C:\Program Files\InstallShield Installation Information

2007-04-21 12:09:57 -------- d-----w C:\Program Files\Handset Manager

2007-04-17 18:37:21 -------- d-----w C:\Program Files\Futuremark

2007-04-16 20:11:53 -------- d-----w C:\Program Files\Microsoft Works

2007-04-16 20:11:42 -------- d-----w C:\Program Files\MSBuild

2007-04-16 20:10:42 -------- d-----w C:\Program Files\Microsoft.NET

2007-04-16 20:06:59 -------- d-----w C:\Program Files\Microsoft Visual Studio 8

2007-04-15 10:29:20 -------- d-----w C:\Program Files\Gadu-Gadu

2007-04-12 09:40:40 -------- d-----w C:\DOCUME~1\Czakus\DANEAP~1\Command & Conquer 3 Tiberium Wars

2007-04-10 17:24:56 -------- d-----w C:\Program Files\Electronic Arts

2007-04-04 10:36:19 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-03-31 18:35:57 80,862 ----a-w C:\WINDOWS\system32\perfc015.dat

2007-03-31 18:35:57 460,790 ----a-w C:\WINDOWS\system32\perfh015.dat

2007-03-29 17:24:03 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll

2007-03-09 18:52:52 200,768 ----a-w C:\WINDOWS\system32\klogon.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll [2005-04-14 00:20]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-05-12 01:47]

{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 00:48]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 03:23]

{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“SkyTel”=“SkyTel.EXE” [2006-05-16 12:04 C:\WINDOWS\SkyTel.exe]

“NWEReboot”="" []

“BluetoothAuthenticationAgent”=“bthprops.cpl” [2004-08-04 00:44 C:\WINDOWS\system32\bthprops.cpl]

“RTHDCPL”=“RTHDCPL.EXE” [2006-07-21 10:56 C:\WINDOWS\RTHDCPL.exe]

“SoundMan”=“SOUNDMAN.EXE” [2006-07-21 10:14 C:\WINDOWS\SoundMan.exe]

“AlcWzrd”=“ALCWZRD.EXE” [2006-05-04 10:26 C:\WINDOWS\alcwzrd.exe]

“Alcmtr”=“ALCMTR.EXE” [2005-05-03 12:43 C:\WINDOWS\Alcmtr.exe]

“AGEIA PhysX SysTray”=“C:\Program Files\AGEIA Technologies\TrayIcon.exe” [2006-03-20 21:43]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe” [2006-12-15 03:23]

“GrooveMonitor”=“C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe” [2006-10-27 00:47]

“nwiz”=“nwiz.exe” [2006-08-11 15:43 C:\WINDOWS\system32\nwiz.exe]

“dbidmme”=“sysnlwgy.exe” []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe” []

“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-08-04 01:55]

“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe” []

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2006-10-10 17:51]

“EA Core”=“C:\Program Files\Electronic Arts\EA Link\Core.exe” [2007-02-19 14:39]

“Free Download Manager”=“D:\Arek\Free Download Manager\fdm.exe” []

“dbidmme”=“sysnlwgy.exe” []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

“NoLowDiskSpaceChecks”=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

“{B5A7F190-DDA6-4420-B3BA-52453494E6CD}”=“C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [2006-10-27 00:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

“appinit_dlls”=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs BthServ

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the ‘Scheduled Tasks’ folder

2007-05-09 19:05:00 C:\WINDOWS\tasks\At1.job

2007-03-09 20:28:00 C:\WINDOWS\tasks\At10.job

2007-03-15 20:28:00 C:\WINDOWS\tasks\At12.job

2007-05-19 07:20:45 C:\WINDOWS\tasks\At13.job

2007-05-19 07:20:45 C:\WINDOWS\tasks\At15.job

2007-05-15 19:05:00 C:\WINDOWS\tasks\At3.job

2007-05-09 19:07:00 C:\WINDOWS\tasks\At4.job

2007-05-15 19:07:00 C:\WINDOWS\tasks\At6.job

2007-03-09 20:27:00 C:\WINDOWS\tasks\At7.job

2007-03-15 20:27:00 C:\WINDOWS\tasks\At9.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-09 08:14:17

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services{00001000-0000-1000-8000-00805f9b34fb}]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services{00001105-0000-1000-8000-00805f9b34fb}]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services{00001115-0000-1000-8000-00805f9b34fb}]

Completion time: 2007-06-09 8:15:05

C:\ComboFix-quarantined-files.txt … 2007-06-08 19:25

C:\ComboFix2.txt … 2007-06-08 19:25

C:\ComboFix3.txt … 2007-06-08 16:56

— E O F —