daniellson
(Danielllson)
23 April 2008 16:51
#1
Hello,
I have a problem: I have W32.Spybot.Worm on my machine and I can't get rid of it. Norton detects it and removes it automatically, but after a while the worm comes back. Please help. I have already blocked the ports with the Windows Worms Doors Cleaner program.
My operating system: Windows XP SP2
Antivirus: Norton Internet Security 2007
Below I'm pasting the HijackThis log.
Please help. Thanks in advance and regards.
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:39, on 2008-04-23 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.20772) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\acs.exe C:\Program Files\DiskMagik\DiskMgkS.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\WINDOWS\system32\lxdicoms.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\TP-LINK\TWCU\TWCU.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe E:\Kalendarz XP\Kalendarz.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe C:\Program Files\DAEMON Tools Lite\daemon.exe C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe C:\Program Files\BlazeVideo\BlazeDTV 2.5a\MediaDetector.exe C:\Program Files\Opera\Opera.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet 
Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - F:\flashget\jccatch.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MegauploadToolbar\megauploadtoolbar.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\flashget\getflash.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MegauploadToolbar\megauploadtoolbar.dll O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file) O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll O3 - Toolbar: (no name) - {00000000-5736-4205-0008-f7ed0776fb27} - (no file) O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [TWCU] “C:\Program Files\TP-LINK\TWCU\TWCU.exe” -nogui O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe O4 - HKLM…\Run: [securDisc] C:\Program Files\Nero\Nero8\InCD\NBHGui.exe O4 - HKLM…\Run: [inCD] C:\Program Files\Nero\Nero8\InCD\InCD.exe O4 - HKLM…\Run: [NBKeyScan] “C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe” O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec 
Shared\ccApp.exe” O4 - HKLM…\Run: [osCheck] “E:\Program Files\osCheck.exe” O4 - HKLM…\Run: [symantec PIF AlertEng] “C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe” /a /m “C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll” O4 - HKLM…\Run: [lxdimon.exe] “C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe” O4 - HKLM…\Run: [lxdiamon] “C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe” O4 - HKLM…\Run: [FaxCenterServer] “C:\Program Files\Lexmark Fax Solutions\fm3032.exe” /s O4 - HKLM…\Run: [Kalendarz XP] “E:\Kalendarz XP\Kalendarz.exe” O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [c0.exe] “C:\aidualc3\c0.exe” O4 - HKLM…\Run: [bearShare] “D:\Program Files\BearShare\BearShare.exe” /pause O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe” O4 - HKLM…\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe” O4 - HKLM…\RunServices: [Microsoft Updates] svehost.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe” ASO-616B5711-6DAE-4795-A05F-39A1E5104020 O4 - HKCU…\Run: [DAEMON Tools Lite] “C:\Program Files\DAEMON Tools Lite\daemon.exe” -autorun O4 - HKCU…\Run: [sIA2006] “C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe” -boot O4 - HKCU…\Run: [blazeServoTool] “C:\Program Files\BlazeVideo\BlazeDTV 2.5a\MediaDetector.exe” O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-19…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User ‘USŁUGA 
LOKALNA’) O4 - HKUS\S-1-5-19…\RunOnce: [sIA2006] “C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe” -firstboot (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-20…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS\S-1-5-18…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O4 - HKUS.DEFAULT…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User ‘Default user’) O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe O8 - Extra context menu item: &Download All with FlashGet - F:\flashget\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - F:\flashget\jc_link.htm O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://F:\Program Files\Microsoft Office\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\flashget\FlashGet.exe O9 - Extra ‘Tools’ menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\flashget\FlashGet.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - 
http://fpdownload2.macromedia.com/get/s … wflash.cab O17 - HKLM\System\CCS\Services\Tcpip…{C721A3D2-DE83-4CB2-A55B-A1FB38E7B368}: NameServer = 194.204.152.34 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - e:\Program Files\Ares\chatServer.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing) O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: DiskMagik Service (DiskMgkS) - RoseCity Software - C:\Program Files\DiskMagik\DiskMgkS.exe O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - E:\Program Files\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - 
Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe – End of file - 10968 bytes
huber2t
(huber2t)
23 April 2008 17:42
#2
Fix in HijackThis
Download ComboFix, but don't run it yet.
Paste into Notepad:
Folder::
C:\aidualc3
File -> Save As -> CFScript.txt (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, as shown here ->
The removal should start and a log will be produced; post that log on the forum.
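As an added example (not from the thread or any of its tools), a small Python triage script that parses HijackThis O4 autostart lines like those in the log above and flags the kinds of entries the helpers dealt with here: the c0.exe entry under C:\aidualc3 (the folder in huber2t's CFScript) and the svehost.exe RunServices entry. The sample lines are a constructed subset copied from the log in post #1; the heuristics and the names `triage`, `lookalike` and `executable_of` are my own.

```python
"""Triage of HijackThis O4 (autostart) entries. Added example, not forum code."""
import re
from difflib import SequenceMatcher

# O4 lines copied from the HijackThis log in post #1 (constructed subset; the
# "\..\" between hive and key is how HijackThis prints it, the forum rendered it as "…").
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [c0.exe] "C:\aidualc3\c0.exe"
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
"""

# Accepts both the real "\..\" separator and the "…" the forum software produced.
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)(?:\\\.\.|\u2026)\\(?P<key>Run(?:Once|Services)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)

# Core Windows XP binaries that malware likes to imitate with a one-letter change.
SYSTEM_BINARIES = {"svchost", "lsass", "csrss", "smss", "winlogon", "services",
                   "spoolsv", "explorer", "ctfmon", "rundll32", "regsvr32"}
# Top-level folders where legitimately installed autostarts normally live.
TRUSTED_ROOTS = ("program files", "progra~1", "windows")


def executable_of(cmd: str) -> str:
    """Return the program part of an O4 command line, quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def lookalike(basename: str):
    """Name of the system binary this basename imitates, or None if it is exact/unrelated."""
    stem = basename.lower().rsplit(".", 1)[0]
    if stem in SYSTEM_BINARIES:
        return None
    for known in SYSTEM_BINARIES:
        if SequenceMatcher(None, stem, known).ratio() >= 0.85:
            return known
    return None


def triage(log_text: str):
    """Parse O4 lines and return the entries worth a closer look, each with its reasons."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = executable_of(m["cmd"])
        basename = exe.replace("/", "\\").rsplit("\\", 1)[-1]
        stem = basename.lower().rsplit(".", 1)[0]
        reasons = []
        imitated = lookalike(basename)
        if imitated:
            reasons.append(f"name imitates {imitated}")
        if m["key"].lower() == "runservices":
            reasons.append("RunServices key (Win9x-era, not used by legitimate XP software)")
        if "\\" in exe:
            # First folder under the drive root, e.g. "aidualc3" for C:\aidualc3\c0.exe.
            top = exe.split("\\", 1)[1].split("\\", 1)[0].lower() if ":\\" in exe else ""
            if top not in TRUSTED_ROOTS:
                reasons.append(f"runs from non-standard location {exe}")
        elif stem not in SYSTEM_BINARIES:
            reasons.append("bare filename without a path (resolved through the search path)")
        if reasons:
            findings.append({"name": m["name"], "key": m["key"], "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['key']}] {f['name']} -> {f['exe']}: {'; '.join(f['reasons'])}")
```

Run against the constructed lines it reports only the c0.exe and "Microsoft Updates" entries; the Symantec, NVIDIA, ctfmon and nltide entries pass all three checks.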
daniellson
(Danielllson)
23 April 2008 19:08
#3
I did as instructed; below is the ComboFix log.
ComboFix 08-04-22.5 - Daniel 2008-04-23 21:01:25.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.233 [GMT 2:00] Running from: C:\Documents and Settings\Daniel\Pulpit\ComboFix.exe Command switches used :: C:\Documents and Settings\Daniel\Pulpit\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\aidualc3 C:\aidualc3\c0.exe C:\aidualc3\c0.txt C:\aidualc3\m0.txt C:\WINDOWS\system32\systeminfo.dll . ---- Previous Run ------- . C:\WINDOWS\system32\drivers\npf.sys C:\WINDOWS\system32\packet.dll C:\WINDOWS\system32\svehost.exe C:\WINDOWS\system32\systeminfo.dll C:\WINDOWS\system32\wpcap.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_NPF -------\Service_Binary file SvcDump matches ((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 ))))))))))))))))))))))))))))))) . 2008-04-22 22:02 . 2008-04-22 22:07 2008-04-22 17:05 . 2004-08-04 00:44 21,504 --a------ C:\WINDOWS\system32\hidserv.dll 2008-04-22 17:05 . 2004-08-04 00:38 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys 2008-04-20 12:43 . 2008-04-22 21:11 2008-04-19 21:28 . 2008-04-19 21:28 2008-04-19 21:28 . 2008-04-19 21:28 2008-04-19 21:22 . 2008-04-19 21:22 2008-04-19 19:46 . 2008-04-19 19:46 2008-04-18 14:06 . 2008-03-01 14:35 6,067,712 --------- C:\WINDOWS\system32\dllcache\ieframe.dll 2008-04-18 14:06 . 2008-03-01 14:35 3,593,216 --------- C:\WINDOWS\system32\dllcache\mshtml.dll 2008-04-18 14:06 . 2008-03-01 14:35 827,392 --------- C:\WINDOWS\system32\dllcache\wininet.dll 2008-04-18 14:06 . 2008-03-01 14:35 347,136 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll 2008-04-18 14:06 . 2008-03-01 14:35 233,472 --------- C:\WINDOWS\system32\dllcache\webcheck.dll 2008-04-18 14:06 . 
2008-03-01 14:35 214,528 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll 2008-04-18 14:06 . 2008-02-15 07:44 161,792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll 2008-04-18 14:06 . 2008-03-01 14:35 124,928 --------- C:\WINDOWS\system32\dllcache\advpack.dll 2008-04-18 14:06 . 2008-03-01 14:35 105,984 --------- C:\WINDOWS\system32\dllcache\url.dll 2008-04-18 14:06 . 2008-03-01 14:35 44,544 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll 2008-04-17 18:49 . 2008-04-17 18:49 2008-04-17 18:48 . 2008-04-17 18:48 399 --a------ C:\WINDOWS\AudioConverter.INI 2008-04-17 18:47 . 2008-04-17 18:47 2008-04-17 14:39 . 2008-04-17 14:39 2008-04-15 18:00 . 2008-04-15 18:55 2008-04-15 17:59 . 2008-04-15 18:54 2008-04-15 17:59 . 2005-03-25 23:49 363,520 --a------ C:\WINDOWS\system32\psisdecd.dll 2008-04-15 17:59 . 2004-08-04 00:44 56,832 --a------ C:\WINDOWS\system32\msdvbnp.ax 2008-04-15 17:59 . 2004-08-04 00:44 33,280 --a------ C:\WINDOWS\system32\psisrndr.ax 2008-04-13 17:59 . 2008-04-13 18:02 2008-04-13 17:59 . 2008-04-13 17:59 520,192 --a------ C:\WINDOWS\system32\Grand Theft Auto IV Screenshot.scr 2008-04-10 21:23 . 2008-04-16 16:30 2008-04-10 21:23 . 2008-04-10 21:23 32 --a------ C:\WINDOWS\go 2008-04-10 19:58 . 2008-04-11 13:25 2008-04-10 19:58 . 2008-04-11 13:25 2008-04-09 17:27 . 2008-04-10 16:02 2008-04-09 17:27 . 2008-04-09 17:27 32 --a------ C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat 2008-04-09 17:25 . 2008-04-09 17:25 2008-04-09 17:25 . 2008-04-09 17:25 2008-04-09 17:25 . 2008-04-10 16:19 2008-04-09 17:24 . 2008-04-09 17:25 2008-04-05 14:14 . 2008-04-05 14:14 2008-04-02 21:36 . 2008-04-02 21:36 2008-03-29 10:20 . 2008-04-15 21:39 2008-03-28 17:54 . 2008-03-28 17:54 2008-03-25 22:54 . 2008-03-25 22:54 2008-03-24 14:00 . 2008-04-15 20:17 2008-03-24 14:00 . 2008-04-15 20:22 2008-03-24 11:49 . 2008-03-24 11:49 2008-03-24 11:49 . 2008-03-24 11:49 2008-03-24 11:49 . 2008-03-24 11:49 2008-03-24 11:49 . 2008-03-24 11:49 2008-03-23 18:27 . 
2008-03-23 18:27 2008-03-23 18:12 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-03-23 18:11 . 2008-03-23 18:11 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-04-23 18:06 --------- d-----w C:\Documents and Settings\Daniel\Dane aplikacji\MegauploadToolbar 2008-04-23 18:06 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Symantec 2008-04-23 17:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-04-23 15:39 --------- d—a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP 2008-04-23 10:57 8,189,985 ----a-w C:\WINDOWS\java\2.dll 2008-04-23 10:49 1,744,144 ----a-w C:\WINDOWS\java\1.dll 2008-04-21 14:31 3,225,600 ----a-w C:\WINDOWS\java\mpg.dll 2008-04-21 14:31 1,517,675 ----a-w C:\WINDOWS\java\wmv.dll 2008-04-14 18:28 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help 2008-04-10 19:27 --------- d-----w C:\Program Files\Hide IP Platinum 2008-04-10 19:20 --------- d-----w C:\Program Files\Hide IP NG 2008-03-29 19:05 --------- d-----w C:\Program Files\Opera 2008-03-23 16:12 --------- d-----w C:\Program Files\Java 2008-03-22 17:54 --------- d-----w C:\Program Files\DiskMagik 2008-03-21 20:40 --------- d-----w C:\Program Files\K-Lite Codec Pack 2008-03-21 17:08 --------- d-----w C:\Program Files\3D Driving-School 2008-03-21 14:56 --------- d-----w C:\Program Files\Ashampoo 2008-03-21 14:52 --------- d-----w C:\Program Files\CCleaner 2008-03-21 14:51 --------- d-----w C:\Program Files\GG Skin Manager 2008-03-21 14:42 --------- d-----w C:\Program Files\TechSmith 2008-03-21 14:42 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\TechSmith 2008-03-21 14:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-03-20 13:09 --------- d-----w C:\Program Files\Gadu-Gadu 2008-03-20 08:01 1,846,144 ----a-w C:\WINDOWS\system32\win32k.sys 2008-03-20 08:01 1,846,144 ------w 
C:\WINDOWS\system32\dllcache\win32k.sys 2008-03-17 14:48 --------- d-----w C:\Documents and Settings\Daniel\Dane aplikacji\BearShare 2008-03-15 15:14 --------- d-----w C:\Program Files\BearShare Applications 2008-03-14 19:55 --------- d-----w C:\Program Files\Trend Micro 2008-03-14 18:52 --------- d-----w C:\Documents and Settings\Daniel\Dane aplikacji\POLENG4 2008-03-14 16:20 --------- d-----w C:\Program Files\OniGames 2008-03-13 20:17 --------- d-----w C:\Documents and Settings\Daniel\Dane aplikacji\Hide IP NG 2008-03-13 20:10 --------- d-----w C:\Documents and Settings\Daniel\Dane aplikacji\HideIP 2008-03-13 19:29 --------- d-----w C:\Program Files\MegauploadToolbar 2008-03-13 15:29 --------- d-----w C:\Program Files\cFos 2008-03-12 18:32 --------- d-----w C:\Program Files\DAEMON Tools Lite 2008-03-12 18:14 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2008-03-12 18:14 --------- d-----w C:\Documents and Settings\Daniel\Dane aplikacji\DAEMON Tools 2008-03-11 18:50 --------- d-----w C:\Program Files\Steam 2008-03-11 18:36 --------- d-----w C:\Program Files\cFosSpeed 2008-03-09 13:17 --------- d-----w C:\Program Files\SuperTux 2008-03-09 10:06 --------- d-----w C:\Program Files\Quake III Arena 2008-03-09 09:59 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\nView_Profiles 2008-03-06 20:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf 2008-03-06 20:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys 2008-03-06 20:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat 2008-03-04 20:12 --------- d-----w C:\Program Files\TubeMaster 2008-02-29 16:08 --------- d-----w C:\Program Files\Common Files\Adobe 2008-02-26 08:08 --------- d-----w C:\Documents and Settings\Daniel\Dane aplikacji\FaxCtr 2008-02-25 19:34 5,984,268 ----a-w C:\WINDOWS\java\explorer.dll 2008-02-25 15:22 --------- d-----w C:\Program Files\PITy 2008-02-25 12:08 --------- d-----w C:\Documents and Settings\Daniel\Dane aplikacji\Lexmark Imaging Studio 2008-02-25 
11:59 --------- d-----w C:\Program Files\Lexmark 3500-4500 Series 2008-02-25 11:58 --------- d-----w C:\Program Files\Lexmark Fax Solutions 2008-02-25 11:57 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint 2008-02-25 11:57 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\FaxCtr 2008-02-22 21:51 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL 2008-02-22 09:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe 2008-02-22 09:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe 2008-02-22 09:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe 2008-02-20 18:53 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll 2008-02-20 18:53 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll 2008-02-20 06:53 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll 2008-02-20 06:53 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll 2008-02-20 05:23 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll . ------- Sigcheck ------- 2007-07-10 15:06 642560 ce594e18fe0d0af804f1f3694921ce62 C:\WINDOWS\system32\user32.dll 2007-10-16 01:19 360576 0fb6743e937c7bb248b2530a5a77abc6 C:\WINDOWS\system32\drivers\tcpip.sys 2007-10-19 00:19 2066816 9aa8aeee2c77b68af93691758eb0a78b C:\WINDOWS\system32\ntkrnlpa.exe 2007-10-19 00:19 2189824 1aeb1a9aa55de24bda1d441989ae4492 C:\WINDOWS\system32\ntoskrnl.exe . ((((((((((((((((((((((((((((( snapshot_2008-04-23_18.08.55.04 ))))))))))))))))))))))))))))))))))))))))) . - 2008-04-23 15:57:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-04-23 17:23:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt] @={8D2223A2-B3C6-4e32-B096-CDD11F628C60} [HKEY_CLASSES_ROOT\CLSID{8D2223A2-B3C6-4e32-B096-CDD11F628C60}] 2007-12-13 23:02 96552 --a------ C:\Program Files\Nero\Nero8\InCD\NBHShx.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 04:44 15360] “IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe” [2007-12-13 20:10 1688872] “DAEMON Tools Lite”=“C:\Program Files\DAEMON Tools Lite\daemon.exe” [2008-02-14 01:09 486856] “SIA2006”=“C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe” [] “BlazeServoTool”=“C:\Program Files\BlazeVideo\BlazeDTV 2.5a\MediaDetector.exe” [2007-03-07 17:30 270336] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SoundMan”=“SOUNDMAN.EXE” [2007-10-17 20:20 577536 C:\WINDOWS\SOUNDMAN.EXE] “TWCU”=“C:\Program Files\TP-LINK\TWCU\TWCU.exe” [2006-03-29 17:12 364544] “NeroFilterCheck”=“C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe” [2007-03-01 15:57 153136] “SecurDisc”=“C:\Program Files\Nero\Nero8\InCD\NBHGui.exe” [2007-12-13 23:02 2048808] “InCD”=“C:\Program Files\Nero\Nero8\InCD\InCD.exe” [2007-12-13 23:02 1082152] “NBKeyScan”=“C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe” [2007-12-03 15:21 2213160] “ccApp”=“C:\Program Files\Common Files\Symantec Shared\ccApp.exe” [2006-09-03 03:04 84640] “osCheck”=“E:\Program Files\osCheck.exe” [2006-09-05 21:22 26248] “Symantec PIF AlertEng”=“C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe” [2007-03-12 12:22 517768] “lxdimon.exe”=“C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe” [2007-03-06 16:43 435120] “lxdiamon”=“C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe” [2007-03-05 20:40 20480] 
“FaxCenterServer”=“C:\Program Files\Lexmark Fax Solutions\fm3032.exe” [2007-03-06 16:51 312240] “Kalendarz XP”=“E:\Kalendarz XP\Kalendarz.exe” [2007-05-06 18:41 1194496] “Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-05-11 14:06 40048] “NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2005-08-02 17:35 7110656] “nwiz”=“nwiz.exe” [2005-08-02 17:35 1519616 C:\WINDOWS\system32\nwiz.exe] “NvMediaCenter”=“C:\WINDOWS\system32\NvMcTray.dll” [2005-08-02 17:35 86016] “BearShare”=“D:\Program Files\BearShare\BearShare.exe” [2006-08-01 17:04 3313664] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe” [2008-02-22 05:25 144784] “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2007-10-10 07:28 36352] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 04:44 15360] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] “nltide_3”=“advpack.dll” [2008-03-01 14:35 124928 C:\WINDOWS\system32\advpack.dll] “SIA2006”=“C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe” [] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2007-05-01 12:11:48 6395464] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] “DisableStatusMessages”= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “NoWelcomeScreen”= 0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoSMMyPictures”= 1 (0x1) “NoSMConfigurePrograms”= 1 (0x1) “NoSMHelp”= 1 (0x1) “ForceClassicControlPanel”= 0 (0x0) “NoInstrumentation”= 0 (0x0) [HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer] “NoSMMyPictures”= 1 (0x1) “NoSMConfigurePrograms”= 1 (0x1) “NoSMHelp”= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] “DisableMonitoring”=dword:00000001 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] “DisableMonitoring”=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] “DisableMonitoring”=dword:00000001 [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile] “EnableFirewall”= 0 (0x0) [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] “%windir%\Network Diagnostic\xpnetdiag.exe”= “%windir%\system32\sessmgr.exe”= “C:\WINDOWS\system32\lxdicoms.exe”= “C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe”= “C:\Program Files\Lexmark 3500-4500 Series\App4R.exe”= “F:\flashget\flashget.exe”= “C:\Program Files\Skype\Phone\Skype.exe”= “C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe”= “C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdipswx.exe”= “C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdijswx.exe”= R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-10-17 20:23] R2 DiskMgkS;DiskMagik Service;“C:\Program Files\DiskMagik\DiskMgkS.exe” [2007-12-14 02:34] R2 Harmonogram automatycznej usługi LiveUpdate;Harmonogram automatycznej usługi LiveUpdate;“C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe” [2006-09-13 16:54] R2 lxdi_device;lxdi_device;C:\WINDOWS\system32\lxdicoms.exe [2007-03-06 16:45] R2 NeroRegInCDSrv;Nero Registry InCD Service;C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2007-12-13 23:02] R3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58] R3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08] *Newly Created Service* - COMHOST . Contents of the ‘Scheduled Tasks’ folder “2008-04-18 18:12:36 C:\WINDOWS\Tasks\Norton Internet Security - Uruchom pełne skanowanie systemu - Daniel.job” - E:\PROGRA~1\NORTON~1\Navw32.exef/TASK: . 
************************************************************************** catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-23 21:03:36 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … ************************************************************************** . Completion time: 2008-04-23 21:06:03 ComboFix-quarantined-files.txt 2008-04-23 19:04:58 ComboFix2.txt 2008-03-24 12:46:23 ComboFix3.txt 2008-03-23 13:48:33 Pre-Run: 538,816,512 bajtów wolnych Post-Run: 530,673,664 bajtów wolnych 265 — E O F — 2008-04-22 21:27:54
Gutek
(Gutek)
23 April 2008 20:27
#4
Change in the rules for posting logs on the forum - viewtopic.php?f=16&t=213350
Download the SDFix program
daniellson
(Danielllson)
24 April 2008 12:42
#5
In reply. Below is the report from SDFix.
Gutek
(Gutek)
24 April 2008 21:21
#6