Witam,
Mam straszny problem z tym… dziadostwem! A przynajmniej ESET Smart Security (3.0.636; aktualizowany na biezaco) wciaz zglasza mi obecnosc tego! Niby komunikuje, ze usunie przy nastepnym uruchomieniu komputera, ale… cos mu nie wychodzi. Czytalem juz wszedzie… m.in. takze na forum dobreprogramy… i probowalem wielu cudow: HiJackThis (nizej podaje moj log), ComboFix (nie dziala; nie moge znalezc wersji, ktora nie zglasza mi uplywu czasu i aktualizacji do najnowszej! jakis link?). Czy to mozliwe, ze ten szkodnik przy kazdym uruchomieniu komputera wylacza mi automatyczne aktualizacje Windows?! No i ESET SS zauwaza, ze ta cholera siedzi w System Volume Information na partycji systemowej (czy wyczyszczenie folderu poprzez wylaczenie uslugi punktow przywracania - NTFS; brak dostepu do folderu - automatycznie skasuje pliki szkodnika?). Moze tutaj znajde jakas pomoc:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:11:20, on 2008-07-02
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
D:\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Nero\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
D:\HP Photosmart\HP Software Update\HPWuSchd2.exe
D:\Creative Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
D:\Cyberlink PowerDVD\PDVDServ.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
D:\Vista Drive Icon\DrvIcon.exe
D:\Adobe Acrobat Professional\Acrobat\Acrotray.exe
C:\WINDOWS\system32\oodtray.exe
D:\GENIUS~1\SyTray.exe
D:\ESET Smart Security\egui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
D:\StrokeIt\strokeit.exe
D:\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\CursorXP\CursorXP.exe
D:\eMule Xtreme\emule.exe
D:\HP Photosmart\Digital Imaging\bin\hpqtra08.exe
D:\Logitech SetPoint\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
D:\Miranda IM\miranda32.exe
D:\Wallpaper Calendar\WallCal3.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
D:\Maxthon\Maxthon.exe
D:\HP Photosmart\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\cidaemon.exe
D:\Microsoft Office\Office12\EXCEL.EXE
D:\Microsoft Office\Office12\WINWORD.EXE
J:\STUDIA\DYPLOM\KLINGENBURG\KB_KPL.exe
C:\WINDOWS\system32\cidaemon.exe
D:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcworld.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\SnagIt\SnagItBHO.dll
O2 - BHO: (no name) - {0DEF072C-6FA4-46F6-8F96-EDCAF51CD60F} - C:\WINDOWS\system32\cbXPjJyv.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {F0E738CA-4E59-446F-B34A-6BC26FB2C735} - C:\WINDOWS\system32\rqRHxxuT.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe Acrobat Professional\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\SnagIt\SnagItIEAddin.dll
O4 - HKLM…\Run: [iMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM…\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM…\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM…\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”
O4 - HKLM…\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM…\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM…\Run: [HPHUPD08] D:\HP Photosmart\Digital Imaging{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM…\Run: [HP Software Update] D:\HP Photosmart\HP Software Update\HPWuSchd2.exe
O4 - HKLM…\Run: [VolPanel] “D:\Creative Sound Blaster X-Fi\Volume Panel\VolPanel.exe” /r
O4 - HKLM…\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM…\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM…\Run: [RemoteControl] “D:\Cyberlink PowerDVD\PDVDServ.exe”
O4 - HKLM…\Run: [LanguageShortcut] “D:\Cyberlink PowerDVD\Language\Language.exe”
O4 - HKLM…\Run: [bDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM…\Run: [NBKeyScan] “D:\Nero\Nero\Nero8\Nero BackItUp\NBKeyScan.exe”
O4 - HKLM…\Run: [DrvIcon] D:\Vista Drive Icon\DrvIcon.exe
O4 - HKLM…\Run: [Acrobat Assistant 8.0] “D:\Adobe Acrobat Professional\Acrobat\Acrotray.exe”
O4 - HKLM…\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM…\Run: [LogonStudio] “D:\LogonStudio\logonstudio.exe” /RANDOM
O4 - HKLM…\Run: [ErgoMedia] D:\GENIUS~1\SyTray.exe
O4 - HKLM…\Run: [egui] “D:\ESET Smart Security\egui.exe” /hide /waitservice
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [strokeIt] D:\StrokeIt\strokeit.exe
O4 - HKCU…\Run: [DAEMON Tools Lite] “D:\DAEMON Tools Lite\daemon.exe” -autorun
O4 - HKCU…\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe” ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU…\Run: [CursorXP] D:\CursorXP\CursorXP.exe
O4 - HKCU…\Run: [eMuleAutoStart] D:\eMule Xtreme\emule.exe -AutoStart
O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)
O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)
O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: Miranda IM.lnk = D:\Miranda IM\miranda32.exe
O4 - Startup: Wallpaper Calendar.lnk = D:\Wallpaper Calendar\WallCal3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\HP Photosmart\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Logitech SetPoint\SetPoint\SetPoint.exe
O4 - Global Startup: Wyszukiwanie z pulpitu systemu Windows.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://D:\Adobe Acrobat Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Adobe Acrobat Professional\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Adobe Acrobat Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Adobe Acrobat Professional\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Adobe Acrobat Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Adobe Acrobat Professional\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Adobe Acrobat Professional\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Adobe Acrobat Professional\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Pasek Narzędzi RoboForm - file://D:\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Personalizuj Menu - file://D:\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Wypełnij Pola - file://D:\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Zapisz Pola - file://D:\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Wypełnij pola - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\AI RoboForm\RoboFormComFillForms.html
O9 - Extra ‘Tools’ menuitem: Wypełnij Pola - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Zapisz - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\AI RoboForm\RoboFormComSavePass.html
O9 - Extra ‘Tools’ menuitem: Zapisz Pola - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra ‘Tools’ menuitem: Pasek Narzędzi RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow … eqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i … ection.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15034/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip…{6A734C70-7B92-487F-90F6-9FEBA922FE01}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: rqRHxxuT - C:\WINDOWS\SYSTEM32\rqRHxxuT.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Ad-Aware\aawservice.exe
O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Nero\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
–
End of file - 14649 bytes
To mi sie wydaje najbardziej podejrzane:
O2 - BHO: (no name) - {0DEF072C-6FA4-46F6-8F96-EDCAF51CD60F} - C:\WINDOWS\system32\cbXPjJyv.dll
O2 - BHO: (no name) - {F0E738CA-4E59-446F-B34A-6BC26FB2C735} - C:\WINDOWS\system32\rqRHxxuT.dll
O20 - Winlogon Notify: rqRHxxuT - C:\WINDOWS\SYSTEM32\rqRHxxuT.dll
ESET SS zglasza mi szkodnika w tych plikach. Ale fiksowanie tego nie pomaga!
Jakies sugestie? Jakas porada? Bede bardzo wdzieczny z pomoc.
Pozdrawiam,
D.