Your privacy is in danger


(Kolka77) #1

Czerwone tło a na nim "Your privacy is in danger" był juz taki temat ale trzeba podać swoje HJT :cry:

Logfile of HijackThis v1.99.1

Scan saved at 23:42:54, on 2007-08-25

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

d:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

D:\programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

d:\Program Files\TurboFTP\tftpsvc.exe

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Program Files\Java\jre1.6.0\bin\jusched.exe

D:\programy\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\RaConfig.exe

C:\WINDOWS\system32\winlogin.exe

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\user\Pulpit\Smieci\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)

O2 - BHO: MSVPS System - {208D7BCC-9857-4C9E-823B-D04E72490A67} - C:\WINDOWS\mxduo.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: (no name) - {A6984C00-C6EB-11D4-B4A4-080000180323} - C:\PROGRA~1\Rapidown\rapi310.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll (file missing)

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe

O4 - HKLM\..\Run: [HP Software Update] "D:\programy\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [AVP] "D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

O4 - HKLM\..\Run: [nod32kui] "d:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\PROGRAMY\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: Rapidown.lnk = C:\Program Files\Rapidown\rapidown.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe

O4 - Global Startup: winlogin.exe.lnk = C:\WINDOWS\system32\winlogin.exe

O8 - Extra context menu item: Download all by Rapidown... - C:\Program Files\Rapidown\RapidownGetAll.htm

O8 - Extra context menu item: Download by Rapidown... - C:\Program Files\Rapidown\RapidownGet.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll

O9 - Extra button: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\Program Files\Rapidown\Rapidown.exe (file missing)

O9 - Extra 'Tools' menuitem: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\Program Files\Rapidown\Rapidown.exe (file missing)

O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3C38DEE8-BE1A-4DEC-B232-2C78706CC7EA} (GUpdate Class) - http://ps.itv.mop.com/update/update/GUpdate-1.0.0.10-signed.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{429B97B2-A613-4A72-898E-A37B2FD90172}: NameServer = 85.255.115.34 85.255.112.112

O17 - HKLM\System\CCS\Services\Tcpip\..\{C0D946A4-8DB8-42F5-A32F-8091FD8A8EDD}: NameServer = 85.255.115.34,85.255.112.112

O17 - HKLM\System\CCS\Services\Tcpip\..\{C70F5906-EF03-4FD0-8CE1-F0E6EBDC9DEB}: NameServer = 85.255.115.34,85.255.112.112

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.112

O17 - HKLM\System\CS1\Services\Tcpip\..\{429B97B2-A613-4A72-898E-A37B2FD90172}: NameServer = 85.255.115.34 85.255.112.112

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.112

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.112

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: wmphost - {35FB6E6A-A3E5-48FC-A7D2-4E8C47A03C20} - C:\WINDOWS\wmphost.dll

O21 - SSODL: wmpdev - {F04B9285-D348-4F30-BC7F-EF4EE703DE5B} - C:\WINDOWS\wmpdev.dll

O23 - Service: ArcaBit FileMonitor (ABFileMon) - Unknown owner - D:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - d:\Program Files\Ares\chatServer.exe

O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - d:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: TurboFTP Sync Service (TBFTPSyncService) - TurboSoft,Inc - d:\Program Files\TurboFTP\tftpsvc.exe

Bardzo proszę o pomoc

Skanowałem Kasperskim i wykryło dwa wirusy ale je skasowałem i nic więcej nie było jest jakiś lepszy program antywirusowy ?? :cry:


(jessica) #2

Najpierw zajmij się usuwaniem Rootkita:

Użyj FixWareout

Po jego użyciu może zajść potrzeba ustawiania od nowa DNS Twojego dostawcy internetowego.

Te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

Tego typu infekcję najlepiej byłoby usuwać przy pomocy SmitfraudFixa, ale sprawdziłam w jego bazie: jeszcze nie ma tego w bazie .

Trzeba będzie więc usuwać okrężną drogą.

Ściągnij ComboFix (na dole tej strony z linku) -

Wklej do Notatnika :

File::

C:\WINDOWS\system32\winlogin.exe

C:\WINDOWS\wmphost.dll

C:\WINDOWS\wmpdev.dll

>>Plik>>Zapisz jako... >>> CFScript (najwygodniej będzie,

jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe

(czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku -->

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: **** Qoobox.

Potem daj tu:

1) raportz C:\FixWareout.txt

2) log z Hijacka

3) log z ComboFixa

Log wklej na http://wklej.org/, a w poście daj tylko link.

jessi


(Kolka77) #3

Cz y FixWareout miał się uruchomic sam bo mi sie tak uruchimił tzn. zrobił restart komputera i gdy sie wlonczyl wyskoczylo ze finish i taki oto log

Username "user" - 2007-08-26 0:52:46 [Fixwareout edited 2007/07/05]


»»»»»Prerun check


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

"nameserver"="85.255.115.34 85.255.112.112" 
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{429B97B2-A613-4A72-898E-A37B2FD90172} 

"nameserver"="85.255.115.34" 
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C0D946A4-8DB8-42F5-A32F-8091FD8A8EDD} 

"nameserver"="85.255.115.34,85.255.112.112" 
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C70F5906-EF03-4FD0-8CE1-F0E6EBDC9DEB} 

"nameserver"="85.255.115.34,85.255.112.112" 
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{97E9EDBF-CB47-4A96-94BD-FB9B1DF143F1}

"DhcpNameServer"="85.255.115.34,85.255.112.112" 

Pomyślnie opróżniono pamięć podręczną programu rozpoznawania nazw DNS.



System was rebooted successfully. 


»»»»» Postrun check 

HKLM\SOFTWARE\~\Winlogon\ "System"="" 

....

....

»»»»» Misc files. 

....

»»»»» Checking for older varients.

....


»»»»» Current runs (hklm hkcu "run" Keys Only)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE"

"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

"nwiz"="nwiz.exe /install"

"RemoteControl"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""

"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe"

"HP Software Update"="\"D:\\programy\\HP\\HP Software Update\\HPWuSchd2.exe\""

"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"

"AVP"="\"D:\\Programy\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe\""

"nod32kui"="\"d:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

"P2kAutostart"=""

"PowerBar"="\"C:\\Program Files\\CyberLink DVD Solution\\Multimedia Launcher\\PowerBar.exe\" /AtBootTime"

"Gadu-Gadu"="\"D:\\PROGRAMY\\Gadu-Gadu\\gg.exe\" /tray"

"ares"="\"D:\\Program Files\\Ares\\Ares.exe\" -h"

....

Hosts file was reset, If you use a custom hosts file please replace it

»»»»» End report »»»»»

czy takie cos miało być ??


(jessica) #4

Tak, tak miało być.

Teraz bierz się za następne zalecenia z mojego poprzedniego postu.

jessi


(Kolka77) #5

Jest mały problemik bo teraz tak jakbym miał inny log i nie mam tych paru linijek co miałem usunac :? Teraz log wygląda tak:

Logfile of HijackThis v1.99.1

Scan saved at 01:06, on 2007-08-26

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

d:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

D:\programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

d:\Program Files\TurboFTP\tftpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Program Files\Java\jre1.6.0\bin\jusched.exe

D:\programy\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\RaConfig.exe

C:\WINDOWS\system32\winlogin.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\user\Pulpit\Smieci\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)

O2 - BHO: MSVPS System - {208D7BCC-9857-4C9E-823B-D04E72490A67} - C:\WINDOWS\mxduo.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: (no name) - {A6984C00-C6EB-11D4-B4A4-080000180323} - C:\PROGRA~1\Rapidown\rapi310.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll (file missing)

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe

O4 - HKLM\..\Run: [HP Software Update] "D:\programy\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVP] "D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

O4 - HKLM\..\Run: [nod32kui] "d:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\PROGRAMY\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe

O4 - Global Startup: winlogin.exe.lnk = C:\WINDOWS\system32\winlogin.exe

O8 - Extra context menu item: Download all by Rapidown... - C:\Program Files\Rapidown\RapidownGetAll.htm

O8 - Extra context menu item: Download by Rapidown... - C:\Program Files\Rapidown\RapidownGet.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll

O9 - Extra button: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\Program Files\Rapidown\Rapidown.exe (file missing)

O9 - Extra 'Tools' menuitem: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\Program Files\Rapidown\Rapidown.exe (file missing)

O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3C38DEE8-BE1A-4DEC-B232-2C78706CC7EA} (GUpdate Class) - http://ps.itv.mop.com/update/update/GUpdate-1.0.0.10-signed.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{429B97B2-A613-4A72-898E-A37B2FD90172}: NameServer = 85.255.115.34 85.255.112.112

O17 - HKLM\System\CS1\Services\Tcpip\..\{429B97B2-A613-4A72-898E-A37B2FD90172}: NameServer = 85.255.115.34 85.255.112.112

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: wmphost - {35FB6E6A-A3E5-48FC-A7D2-4E8C47A03C20} - C:\WINDOWS\wmphost.dll

O21 - SSODL: wmpdev - {F04B9285-D348-4F30-BC7F-EF4EE703DE5B} - C:\WINDOWS\wmpdev.dll

O23 - Service: ArcaBit FileMonitor (ABFileMon) - Unknown owner - D:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - d:\Program Files\Ares\chatServer.exe

O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - d:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: TurboFTP Sync Service (TBFTPSyncService) - TurboSoft,Inc - d:\Program Files\TurboFTP\tftpsvc.exe

(jessica) #6

W takim razie sfiksuj te powyższe:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

Ponieważ przybył Ci następny wirus, więc dodałam go do usuwania:

Wklej do Notatnika :

File::

C:\WINDOWS\system32\winlogin.exe

C:\WINDOWS\wmphost.dll 

C:\WINDOWS\wmpdev.dll

C:\WINDOWS\mxduo.dll

>>Plik>>Zapisz jako... >>> CFScript (najwygodniej będzie,

jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe

(czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku -->

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: **** Qoobox.

Po użyciu ComboFixa sfiksuj także te powyższe w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

Potem daj logi z Hijacka i ComboFixa.

Log z ComboFixa wklej na http://wklej.org/, a w poście daj tylko link.

jessi


(Kolka77) #7

Log z Hijacka

Logfile of HijackThis v1.99.1

Scan saved at 12:01:08, on 2007-08-26

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe

D:\programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

d:\Program Files\TurboFTP\tftpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Program Files\Java\jre1.6.0\bin\jusched.exe

D:\programy\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\RaConfig.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\user\Pulpit\Smieci\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe

O4 - HKLM\..\Run: [HP Software Update] "D:\programy\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVP] "D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\PROGRAMY\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe

O8 - Extra context menu item: Download all by Rapidown... - C:\Program Files\Rapidown\RapidownGetAll.htm

O8 - Extra context menu item: Download by Rapidown... - C:\Program Files\Rapidown\RapidownGet.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll

O9 - Extra button: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\Program Files\Rapidown\Rapidown.exe (file missing)

O9 - Extra 'Tools' menuitem: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\Program Files\Rapidown\Rapidown.exe (file missing)

O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3C38DEE8-BE1A-4DEC-B232-2C78706CC7EA} (GUpdate Class) - http://ps.itv.mop.com/update/update/GUpdate-1.0.0.10-signed.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{429B97B2-A613-4A72-898E-A37B2FD90172}: NameServer = 85.255.115.34 85.255.112.112

O17 - HKLM\System\CS1\Services\Tcpip\..\{429B97B2-A613-4A72-898E-A37B2FD90172}: NameServer = 85.255.115.34 85.255.112.112

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O23 - Service: ArcaBit FileMonitor (ABFileMon) - Unknown owner - D:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - d:\Program Files\Ares\chatServer.exe

O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: TurboFTP Sync Service (TBFTPSyncService) - TurboSoft,Inc - d:\Program Files\TurboFTP\tftpsvc.exe

log z ComboFixa

http://wklej.org/id/9acccaa1de

I jak jest teraz ?? :?


(jessica) #8

Ciągle są te wpisy Rootkita .

Sfiksuj je w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

A jeśli zauważysz, że ciągle jest coś "nie tak", to zastosuj powtórnie FixWareout , bo może Rootkit powtórnie się do Ciebie "wkręcił".

Log z ComboFixa jest czysty, choć nie wiem dlaczego nie było usuwania "C:\WINDOWS\mxduo.dll".

Ale ponieważ w logach już go nie widzę, więc to zostawiamy w spokoju.

Zajmij się tylko tym Rootkitem.

jessi


(Kolka77) #9
Logfile of HijackThis v1.99.1

Scan saved at 12:23:39, on 2007-08-26

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe

D:\programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

d:\Program Files\TurboFTP\tftpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Program Files\Java\jre1.6.0\bin\jusched.exe

D:\programy\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\RaConfig.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\user\Pulpit\Smieci\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe

O4 - HKLM\..\Run: [HP Software Update] "D:\programy\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVP] "D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\PROGRAMY\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe

O8 - Extra context menu item: Download all by Rapidown... - C:\Program Files\Rapidown\RapidownGetAll.htm

O8 - Extra context menu item: Download by Rapidown... - C:\Program Files\Rapidown\RapidownGet.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll

O9 - Extra button: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\Program Files\Rapidown\Rapidown.exe (file missing)

O9 - Extra 'Tools' menuitem: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\Program Files\Rapidown\Rapidown.exe (file missing)

O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3C38DEE8-BE1A-4DEC-B232-2C78706CC7EA} (GUpdate Class) - http://ps.itv.mop.com/update/update/GUpdate-1.0.0.10-signed.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O23 - Service: ArcaBit FileMonitor (ABFileMon) - Unknown owner - D:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - d:\Program Files\Ares\chatServer.exe

O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: TurboFTP Sync Service (TBFTPSyncService) - TurboSoft,Inc - d:\Program Files\TurboFTP\tftpsvc.exe

tak wygląda teraz log z Hijacka po skasowaniu tych dwóch rzeczy a podpowiedz mi jeszcze jak się dobrze zabezpieczyć czyli jakich antywirusów ozywać itp itd


(jessica) #10

Teraz jest dobrze: log wygląda na czysty.

Antivirusa masz - Kaspersky. Zdaje się, że gdzieś mi mignęło też, że masz także ArcaVir, anie wolno mieć dwóch Antivirusów na komputerze.

Nie pamiętam, czy masz Firewalla, ale pewnie masz. Ja mam Kerio Personal Firewall.

Nie zauważyłam natomiast u Ciebie programu AntiSpy - być może tylko źle patrzyłam. :slight_smile:

Ale jeśli nie masz to możesz zainstalować np.

SuperAntiSpyware.

jessi


(Kolka77) #11

tak antyspyware nie miałem a mam tylko Kasperskiego tego drugiego odinstalowałem ale widać coś po nim zostało :slight_smile: Dziękuje za pozbycie się tamtych wirusów :slight_smile:


(jessica) #12

W takim razie pozbądź się usługi Arki:

>>Start >>> Uruchom >>> wybierz (lub wpisz) cmd >> zastosować te komendy (po każdej wciśnij "ENTER"):

jessi


(Kolka77) #13

Dziekuje usunołem tego drugiego w cmd :slight_smile: może ci sie wydać głupie pytanie ale jak sprawdzić czy ma się firewala ??


(qrczak13) #14

W panelu sterownia > zapora systemu windows. Jeżeli nie instalowałeś nic np z tych > http://dobreprogramy.pl/index.php?dz=1&t=84 to będzie włączona systemowa.


(Kolka77) #15

Minęło parę dni i chciałbym sprawdzić czy mój komp nie złapał żadnego syfu :slight_smile: :slight_smile: LOG Hijack

Logfile of HijackThis v1.99.1

Scan saved at 19:48:49, on 2007-08-31

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

D:\programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

d:\Program Files\TurboFTP\tftpsvc.exe

C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Program Files\Java\jre1.6.0\bin\jusched.exe

D:\programy\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\RaConfig.exe

C:\Documents and Settings\user\Pulpit\ALLPlayer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\user\Pulpit\Smieci\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe

O4 - HKLM\..\Run: [HP Software Update] "D:\programy\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVP] "D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime

O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\PROGRAMY\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Download all by Rapidown... - C:\Program Files\Rapidown\RapidownGetAll.htm

O8 - Extra context menu item: Download by Rapidown... - C:\Program Files\Rapidown\RapidownGet.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll

O9 - Extra button: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\Program Files\Rapidown\Rapidown.exe (file missing)

O9 - Extra 'Tools' menuitem: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\Program Files\Rapidown\Rapidown.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3C38DEE8-BE1A-4DEC-B232-2C78706CC7EA} (GUpdate Class) - http://ps.itv.mop.com/update/update/GUpdate-1.0.0.10-signed.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{429B97B2-A613-4A72-898E-A37B2FD90172}: NameServer = 85.255.115.34 85.255.112.112

O17 - HKLM\System\CS1\Services\Tcpip\..\{429B97B2-A613-4A72-898E-A37B2FD90172}: NameServer = 85.255.115.34 85.255.112.112

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - d:\Program Files\Ares\chatServer.exe

O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: TurboFTP Sync Service (TBFTPSyncService) - TurboSoft,Inc - d:\Program Files\TurboFTP\tftpsvc.exe

(qrczak13) #16

Usuń w HJT.

Użyj FixWareOut

Po wykonaniu w/w daj log z ComboFix (opis zrobienia loga na samym dole strony). Combo już działa.


(Kolka77) #17

ComboFix:

http://wklej.org/id/71b939a25e

Po Sfixowaniu tych dwóch Hijack:

Logfile of HijackThis v1.99.1

Scan saved at 11:36:06, on 2007-09-01

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

D:\programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

d:\Program Files\TurboFTP\tftpsvc.exe

C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Program Files\Java\jre1.6.0\bin\jusched.exe

D:\programy\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\RaConfig.exe

D:\PROGRAMY\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\user\Pulpit\Smieci\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe

O4 - HKLM\..\Run: [HP Software Update] "D:\programy\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVP] "D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime

O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\PROGRAMY\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe

O8 - Extra context menu item: Download all by Rapidown... - C:\Program Files\Rapidown\RapidownGetAll.htm

O8 - Extra context menu item: Download by Rapidown... - C:\Program Files\Rapidown\RapidownGet.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll

O9 - Extra button: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\Program Files\Rapidown\Rapidown.exe (file missing)

O9 - Extra 'Tools' menuitem: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\Program Files\Rapidown\Rapidown.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3C38DEE8-BE1A-4DEC-B232-2C78706CC7EA} (GUpdate Class) - http://ps.itv.mop.com/update/update/GUpdate-1.0.0.10-signed.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - d:\Program Files\Ares\chatServer.exe

O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - D:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: TurboFTP Sync Service (TBFTPSyncService) - TurboSoft,Inc - d:\Program Files\TurboFTP\tftpsvc.exe

FixwareOut log:

Username "user" - 2007-09-01 11:37:33 [Fixwareout edited 2007/07/05]


»»»»»Prerun check


Pomyślnie opróżniono pamięć podręczną programu rozpoznawania nazw DNS.



System was rebooted successfully. 


»»»»» Postrun check 

HKLM\SOFTWARE\~\Winlogon\ "System"="" 

....

....

»»»»» Misc files. 

....

»»»»» Checking for older varients.

....


»»»»» Current runs (hklm hkcu "run" Keys Only)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE"

"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

"nwiz"="nwiz.exe /install"

"RemoteControl"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""

"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe"

"HP Software Update"="\"D:\\programy\\HP\\HP Software Update\\HPWuSchd2.exe\""

"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"

"AVP"="\"D:\\Programy\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe\""


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

"P2kAutostart"=""

"PowerBar"="\"C:\\Program Files\\CyberLink DVD Solution\\Multimedia Launcher\\PowerBar.exe\" /AtBootTime"

"SUPERAntiSpyware"="D:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

"Gadu-Gadu"="\"D:\\PROGRAMY\\Gadu-Gadu\\gg.exe\" /tray"

"ares"="\"D:\\Program Files\\Ares\\Ares.exe\" -h"

....

Hosts file was reset, If you use a custom hosts file please replace it

»»»»» End report »»»»»

zrobiłem trochę w złej kolejności bo najpierw Hijack potem ComboFix a na końcu FixWareOut....


(jessica) #18

Logi wyglądają na czyste.

Trochę natomiast dziwi mnie to, że FixWareout nie wykazał w raporcie DNSów Rootkita.

Czyźyś już wcześniej go usuwał i w Hijacku były tylko puste wpisy?

jessi


(Kolka77) #19

To znzcy jak był ten problem "Your privacy is danger" to ja użyłem przywracania systemu i dopiero później napisałem tu o tym bo cały czas była podejrzana akcja której nie wykonywałem dopiero po twoich wskazówkach nie było juz żadnego problemu a komputer bardzo przyspieszył :slight_smile: :slight_smile: Pozrdrawiam


(Gutek) #20

martinos2 post KOSz