Your privacy is in danger

bananik232 · 28 Grudzień 2007 22:01

Moj komputer co 12 minut informuje mnie o ataku -Intrusion.Win.MSSQL.worm.Helkern. Nie wiem o co chodzi,na domiar złego otwiera mi jakąś strone internetową informując mnie przed tym że moja prywatność jest zagrożona…chyba.Szlak mnie trafia bo nie moge nic zrobić na kompie,ccleaner też nie pomaga… Prosze o pomoc!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:57:08, on 2007-12-28

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\vsnp325.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wpisz własny tekst który ukaże się na belce Internet Explorera

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=www.interia.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: BDEX System - {87EF7048-8905-4E82-862E-65004D4DFA80} - C:\WINDOWS\domnftwwrn.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: The emlkdvo - {13EDA0D4-F00D-43B9-8EF2-6313909D3143} - C:\WINDOWS\emlkdvo.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [tsnp325] C:\WINDOWS\tsnp325.exe

O4 - HKLM\..\Run: [snp325] C:\WINDOWS\vsnp325.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Dodaj do blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm

O8 - Extra context menu item: Wyślij do urządzenia Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2A781DED-C22D-4153-9812-CEA98A32981C} (GameDesire Makao) - http://67.15.101.33/g_bin/pl/cardsmakao_2_0_0_28.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab

O16 - DPF: {631FF594-EC25-4CFF-B869-402DF294E1D6} (Instalator oprogramowania Onet.pl) - http://slimak.onet.pl/_m/kamerzysta/OnetInstalator012s.ocx

O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.33/g_bin/pl/poker_2_0_0_49.cab

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

O21 - SSODL: alxvdvm - {A4FE78D7-63AC-46E3-9B94-AA47E992FAFF} - C:\WINDOWS\alxvdvm.dll

O21 - SSODL: bvtqfvx - {14CC048D-8FB3-4179-BED4-02522E889975} - (no file)

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Kaspersky Internet Security Home Edition 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe


--

End of file - 8425 bytes

Gutek · 28 Grudzień 2007 22:09

Użyj SmitFraudFix wybierz opcji nr 2 , oczywiście w trybie awaryjnym i po tym - Daj log z ComboFix

bananik232 · 29 Grudzień 2007 01:19

dzieki za pomoc

tak to wyglądało

SmitFraudFix v2.274


Scan done at 2:00:15,89, 2007-12-29

Run from C:\Documents and Settings\r\Pulpit\z netu\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode


»»»»»»»»»»»»»»»»»»»»»»»» Process


C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\cmd.exe


»»»»»»»»»»»»»»»»»»»»»»»» hosts



»»»»»»»»»»»»»»»»»»»»»»»» C:\



»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


C:\WINDOWS\privacy_danger FOUND !


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system



»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web



»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32



»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles



»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\r



»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\r\Application Data



»»»»»»»»»»»»»»»»»»»»»»»» Start Menu



»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\r\Ulubione



»»»»»»»»»»»»»»»»»»»»»»»» Desktop



»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files 



»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys



»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Moja bieľĄca strona g˘wna"



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!Attention, following keys are not inevitably infected!


IEDFix.exe by S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!Attention, following keys are not inevitably infected!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"="C:\\PROGRA~1\\KASPER~1\\KASPER~1.0\\adialhk.dll"

"LoadAppInit_DLLs"=dword:00000001



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""



»»»»»»»»»»»»»»»»»»»»»»»» Rustock




»»»»»»»»»»»»»»»»»»»»»»»» DNS


HKLM\SYSTEM\CCS\Services\Tcpip\..\{607EB6F9-38C8-4AC3-AA29-CBDEE314FC4D}: DhcpNameServer=62.179.1.62 62.179.1.60

HKLM\SYSTEM\CS1\Services\Tcpip\..\{607EB6F9-38C8-4AC3-AA29-CBDEE314FC4D}: DhcpNameServer=62.179.1.62 62.179.1.60

HKLM\SYSTEM\CS2\Services\Tcpip\..\{607EB6F9-38C8-4AC3-AA29-CBDEE314FC4D}: DhcpNameServer=62.179.1.62 62.179.1.60

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=62.179.1.62 62.179.1.60

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=62.179.1.62 62.179.1.60

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=62.179.1.62 62.179.1.60



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection



»»»»»»»»»»»»»»»»»»»»»»»» End

[/code]

mam nadzieje że już będzie ok.Jeszcze raz dzięki

Gutek · 29 Grudzień 2007 15:28

Daj jeszcze log z Combo

bananik232 · 29 Grudzień 2007 16:12

ComboFix 07-12-21.4 - r 2007-12-29 12:07:50.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.198 [GMT 1:00] Running from: C:\Documents and Settings\r\Pulpit\z netu\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 ))))))))))))))))))))))))))))))) . 2007-12-29 01:54 . 2004-08-03 23:44 221,184 --a------ C:\WINDOWS\system32\wmpns.dll 2007-12-29 01:47 . 2007-12-29 02:03 2,206 --a------ C:\WINDOWS\system32\tmp.reg 2007-12-29 01:25 . 2007-12-29 01:25 2007-12-28 23:09 . 2006-06-01 19:49 163,840 -----c— C:\WINDOWS\system32\dllcache\jgdw400.dll 2007-12-28 23:09 . 2006-06-01 19:49 27,648 -----c— C:\WINDOWS\system32\dllcache\jgpl400.dll 2007-12-28 21:55 . 2007-12-28 21:55 2007-12-28 00:18 . 2007-12-28 01:34 2007-12-28 00:18 . 2007-12-28 00:18 2,015 -r-h----- C:\WINDOWS\system32\drivers\hosts 2007-12-28 00:11 . 2007-12-28 00:11 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS 2007-12-28 00:04 . 2007-12-28 00:06 2007-12-27 18:23 . 2007-12-27 18:32 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat 2007-12-27 18:23 . 2007-12-27 18:32 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat 2007-12-27 18:22 . 2007-12-27 18:22 2007-12-27 18:22 . 2007-12-29 12:13 2007-12-27 18:22 . 2007-12-29 12:13 3,496,224 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-12-27 18:22 . 2007-12-29 12:11 106,272 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2007-12-27 18:22 . 2007-12-29 12:10 47,804 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2007-12-27 18:22 . 2007-12-29 12:10 11,012 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx 2007-12-27 18:19 . 2007-12-27 18:19 2007-12-27 14:09 . 2007-12-27 14:09 2007-12-27 13:56 . 2007-12-27 13:56 2007-12-27 13:47 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll 2007-12-27 01:22 . 2007-12-26 19:33 245,760 --a------ C:\WINDOWS\alxvdvm.dll 2007-12-27 01:22 . 2007-12-26 19:34 172,032 --a------ C:\WINDOWS\emlkdvo.dll 2007-12-27 01:22 . 2007-12-26 19:34 77,824 --a------ C:\WINDOWS\fvkwdrt.exe 2007-12-22 17:57 . 2007-12-29 11:43 2007-12-22 17:57 . 2007-12-22 17:58 2007-12-18 00:09 . 2007-12-26 12:29 230,424 --a–c— C:\img2-001.raw 2007-12-17 19:09 . 2007-12-17 19:09 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-28 22:19 --------- d-----w C:\Documents and Settings\r\Dane aplikacji\Skype 2007-12-28 20:38 --------- d-----w C:\Documents and Settings\r\Dane aplikacji\Business Logic 2007-12-27 16:31 --------- d-----w C:\Documents and Settings\r\Dane aplikacji\Temporary 2007-12-02 16:31 --------- d-----w C:\Documents and Settings\r\Dane aplikacji\iMesh 2007-11-18 18:59 --------- d-----w C:\Program Files\Common Files\Adobe 2007-11-15 16:30 --------- d-----w C:\Program Files\Winamp 2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2007-11-02 18:03 --------- d-----w C:\Program Files\Google 2007-11-01 18:06 --------- d-----w C:\Program Files\Skype 2007-11-01 18:06 --------- d-----w C:\Program Files\Common Files\Skype 2007-11-01 18:06 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype 2007-10-31 15:13 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-10-31 15:13 --------- d-----w C:\Documents and Settings\r\Dane aplikacji\Ahead 2007-10-31 15:04 --------- d-----w C:\Program Files\blcorp 2007-10-28 12:50 --------- d-----w C:\Program Files\Windows Live Safety Center 2007-10-25 09:00 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll . ((((((((((((((((((((((((((((( snapshot@2007-12-29_ 2.33.50.98 ))))))))))))))))))))))))))))))))))))))))) . + 2006-05-05 09:41:45 453,120 ------w C:\WINDOWS\Driver Cache\i386\mrxsmb.sys + 2006-05-05 09:41:45 453,120 -c----w C:\WINDOWS\system32\dllcache\mrxsmb.sys - 2004-08-03 21:20:08 176,512 -c–a-w C:\WINDOWS\system32\dllcache\rdbss.sys + 2006-05-05 09:47:57 174,592 -c–a-w C:\WINDOWS\system32\dllcache\rdbss.sys - 2004-08-03 22:44:28 32,256 -c–a-w C:\WINDOWS\system32\dllcache\snmp.exe + 2006-11-21 10:26:48 32,768 -c–a-w C:\WINDOWS\system32\dllcache\snmp.exe - 2004-08-03 21:15:18 451,456 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys + 2006-05-05 09:41:45 453,120 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys - 2004-08-03 21:20:08 176,512 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys + 2006-05-05 09:47:57 174,592 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys - 2007-12-29 01:31:58 193,389 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin + 2007-12-29 11:12:19 193,399 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin - 2004-08-03 22:44:28 32,256 ----a-w C:\WINDOWS\system32\snmp.exe + 2006-11-21 10:26:48 32,768 ----a-w C:\WINDOWS\system32\snmp.exe - 2006-01-19 19:30:18 16,096 ------w C:\WINDOWS\system32\spmsg.dll + 2005-10-12 23:21:28 16,096 ------w C:\WINDOWS\system32\spmsg.dll + 2007-12-29 11:12:21 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_760.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {2318C2B1-4965-11D4-9B18-009027A5CD4F} {37B85A29-692B-4205-9CAD-2626E4993404} {13EDA0D4-F00D-43B9-8EF2-6313909D3143} [HKEY_CLASSES_ROOT\clsid{13eda0d4-f00d-43b9-8ef2-6313909d3143}] [HKEY_CLASSES_ROOT\emlkdvo.ToolBar.1] [HKEY_CLASSES_ROOT\TypeLib{B69A82F2-0528-4F67-ADDB-FA4215B5797F}] [HKEY_CLASSES_ROOT\emlkdvo.ToolBar] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 08:39] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 17:24] “ccleaner”=“C:\Program Files\CCleaner\CCleaner.exe” [2007-11-22 17:10] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “High Definition Audio Property Page Shortcut”=“CHDAudPropShortcut.exe” [2006-02-03 09:43 C:\WINDOWS\system32\CHDAudPropShortcut.exe] “SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2005-09-30 15:09] “nwiz”=“nwiz.exe” [2005-12-15 10:42 C:\WINDOWS\system32\nwiz.exe] “Tweak UI”=“RUNDLL32.exe” [2004-08-03 23:44 C:\WINDOWS\system32\rundll32.exe] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 00:11] “tsnp325”=“C:\WINDOWS\tsnp325.exe” [2007-04-21 08:30] “snp325”=“C:\WINDOWS\vsnp325.exe” [2007-04-25 14:36] “NvCplDaemon”=“RUNDLL32.exe” [2004-08-03 23:44 C:\WINDOWS\system32\rundll32.exe] “AVP”=“C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe” [2007-06-28 12:51] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-03 23:44] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 17:05:56] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] “AppInit_DLLs”=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 nwprovau [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] “ACU”=C:\Program Files\IEEE 802.11 Wireless LAN\ACU.exe -nogui “GC75-Manager-Class”=“C:\Program Files\Sony Ericsson\GC79 Manager\GC79 Manager.exe” -startup R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2006-10-31 21:40] R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58] R3 SNP325;USB PC Camera (SNPSTD325);C:\WINDOWS\system32\DRIVERS\snp325.sys [2007-04-26 10:03] S2 SMTPSVC;Simple Mail Transport Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2001-10-26 18:29] S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10] . ************************************************************************** catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-29 12:14:09 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes …

Gutek · 29 Grudzień 2007 16:26

Wklej do Notatnika:

File::

C:\WINDOWS\alxvdvm.dll

C:\WINDOWS\emlkdvo.dll

C:\WINDOWS\fvkwdrt.exe


Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{37B85A29-692B-4205-9CAD-2626E4993404}"=-

"{13EDA0D4-F00D-43B9-8EF2-6313909D3143}"=-

[-HKEY_CLASSES_ROOT\clsid\{13eda0d4-f00d-43b9-8ef2-6313909d3143}]

[-HKEY_CLASSES_ROOT\emlkdvo.ToolBar.1]

[-HKEY_CLASSES_ROOT\TypeLib\{B69A82F2-0528-4F67-ADDB-FA4215B5797F}]

[-HKEY_CLASSES_ROOT\emlkdvo.ToolBar]

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo

bananik232 · 29 Grudzień 2007 17:19

Ok zrobiłem jak kazałeś- DZIEKI ZA ZAINTERESOWANIE.przepraszam że zawróce Ci jeszcze głowe ale po zrestartowaniu, KASPERSKY poinformował ze cos próbuje usunąć mi zabezpieczenia :o

czy to normalne? Oczywiście zablokowałem ![-o<

Gutek · 29 Grudzień 2007 18:18

Daj nowy log z Combo

bananik232 · 29 Grudzień 2007 19:25

ComboFix 07-12-21.4 - r 2007-12-29 17:39:23.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.102 [GMT 1:00] Running from: C:\Documents and Settings\r\Pulpit\z netu\ComboFix.exe Command switches used :: C:\Documents and Settings\r\Pulpit\z netu\CFScript.txt * Created a new restore point FILE C:\WINDOWS\alxvdvm.dll C:\WINDOWS\emlkdvo.dll C:\WINDOWS\fvkwdrt.exe . ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 ))))))))))))))))))))))))))))))) . 2007-12-29 14:00 . 2007-12-29 17:48 2007-12-29 13:58 . 2007-12-29 14:07 2007-12-29 13:58 . 2007-12-29 13:58 2007-12-29 13:58 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-12-29 13:58 . 2007-10-18 00:16 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys 2007-12-29 13:58 . 2007-10-18 00:15 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys 2007-12-29 13:58 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys 2007-12-29 13:58 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys 2007-12-29 01:54 . 2004-08-03 23:44 221,184 --a------ C:\WINDOWS\system32\wmpns.dll 2007-12-29 01:47 . 2007-12-29 02:03 2,206 --a------ C:\WINDOWS\system32\tmp.reg 2007-12-29 01:25 . 2007-12-29 01:25 2007-12-28 23:09 . 2006-06-01 19:49 163,840 -----c— C:\WINDOWS\system32\dllcache\jgdw400.dll 2007-12-28 23:09 . 2006-06-01 19:49 27,648 -----c— C:\WINDOWS\system32\dllcache\jgpl400.dll 2007-12-28 21:55 . 2007-12-28 21:55 2007-12-28 00:18 . 2007-12-29 13:56 2007-12-28 00:18 . 2007-12-28 00:18 2,015 -r-h----- C:\WINDOWS\system32\drivers\hosts 2007-12-28 00:11 . 2007-12-28 00:11 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS 2007-12-28 00:04 . 2007-12-29 13:56 2007-12-27 18:23 . 2007-12-27 18:32 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat 2007-12-27 18:23 . 2007-12-27 18:32 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat 2007-12-27 18:22 . 2007-12-27 18:22 2007-12-27 18:22 . 2007-12-29 17:53 2007-12-27 18:22 . 2007-12-29 17:52 3,636,000 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-12-27 18:22 . 2007-12-29 17:48 113,184 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2007-12-27 18:22 . 2007-12-29 17:46 49,580 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2007-12-27 18:22 . 2007-12-29 17:46 11,564 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx 2007-12-27 18:19 . 2007-12-27 18:19 2007-12-27 14:09 . 2007-12-27 14:09 2007-12-27 13:56 . 2007-12-27 13:56 2007-12-27 13:47 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll 2007-12-22 17:57 . 2007-12-29 11:43 2007-12-22 17:57 . 2007-12-22 17:58 2007-12-18 00:09 . 2007-12-26 12:29 230,424 --a–c— C:\img2-001.raw 2007-12-17 19:09 . 2007-12-17 19:09 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-28 22:19 --------- d-----w C:\Documents and Settings\r\Dane aplikacji\Skype 2007-12-28 20:38 --------- d-----w C:\Documents and Settings\r\Dane aplikacji\Business Logic 2007-12-27 16:31 --------- d-----w C:\Documents and Settings\r\Dane aplikacji\Temporary 2007-12-02 16:31 --------- d-----w C:\Documents and Settings\r\Dane aplikacji\iMesh 2007-11-18 18:59 --------- d-----w C:\Program Files\Common Files\Adobe 2007-11-15 16:30 --------- d-----w C:\Program Files\Winamp 2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2007-11-02 18:03 --------- d-----w C:\Program Files\Google 2007-11-01 18:06 --------- d-----w C:\Program Files\Skype 2007-11-01 18:06 --------- d-----w C:\Program Files\Common Files\Skype 2007-11-01 18:06 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype 2007-10-31 15:13 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-10-31 15:13 --------- d-----w C:\Documents and Settings\r\Dane aplikacji\Ahead 2007-10-31 15:04 --------- d-----w C:\Program Files\blcorp 2007-10-28 12:50 --------- d-----w C:\Program Files\Windows Live Safety Center 2007-10-25 09:00 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll . ((((((((((((((((((((((((((((( snapshot@2007-12-29_ 2.33.50.98 ))))))))))))))))))))))))))))))))))))))))) . + 2006-05-05 09:41:45 453,120 ------w C:\WINDOWS\Driver Cache\i386\mrxsmb.sys + 2006-05-05 09:41:45 453,120 -c----w C:\WINDOWS\system32\dllcache\mrxsmb.sys - 2004-08-03 21:20:08 176,512 -c–a-w C:\WINDOWS\system32\dllcache\rdbss.sys + 2006-05-05 09:47:57 174,592 -c–a-w C:\WINDOWS\system32\dllcache\rdbss.sys - 2004-08-03 22:44:28 32,256 -c–a-w C:\WINDOWS\system32\dllcache\snmp.exe + 2006-11-21 10:26:48 32,768 -c–a-w C:\WINDOWS\system32\dllcache\snmp.exe - 2004-08-03 21:15:18 451,456 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys + 2006-05-05 09:41:45 453,120 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys - 2004-08-03 21:20:08 176,512 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys + 2006-05-05 09:47:57 174,592 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys - 2007-12-29 01:31:58 193,389 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin + 2007-12-29 16:50:10 193,385 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin - 2007-12-29 01:10:31 83,212 ----a-w C:\WINDOWS\system32\perfc009.dat + 2007-12-29 13:01:35 83,212 ----a-w C:\WINDOWS\system32\perfc009.dat - 2007-12-29 01:10:31 102,590 ----a-w C:\WINDOWS\system32\perfc015.dat + 2007-12-29 13:01:35 102,590 ----a-w C:\WINDOWS\system32\perfc015.dat - 2007-12-29 01:10:31 453,104 ----a-w C:\WINDOWS\system32\perfh009.dat + 2007-12-29 13:01:35 453,104 ----a-w C:\WINDOWS\system32\perfh009.dat - 2007-12-29 01:10:31 512,638 ----a-w C:\WINDOWS\system32\perfh015.dat + 2007-12-29 13:01:35 512,638 ----a-w C:\WINDOWS\system32\perfh015.dat - 2004-08-03 22:44:28 32,256 ----a-w C:\WINDOWS\system32\snmp.exe + 2006-11-21 10:26:48 32,768 ----a-w C:\WINDOWS\system32\snmp.exe - 2006-01-19 19:30:18 16,096 ------w C:\WINDOWS\system32\spmsg.dll + 2005-10-12 23:21:28 16,096 ------w C:\WINDOWS\system32\spmsg.dll + 2007-12-29 16:48:15 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_110.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 08:39] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 17:24] “ccleaner”=“C:\Program Files\CCleaner\CCleaner.exe” [2007-11-22 17:10] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “High Definition Audio Property Page Shortcut”=“CHDAudPropShortcut.exe” [2006-02-03 09:43 C:\WINDOWS\system32\CHDAudPropShortcut.exe] “SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2005-09-30 15:09] “nwiz”=“nwiz.exe” [2005-12-15 10:42 C:\WINDOWS\system32\nwiz.exe] “Tweak UI”=“RUNDLL32.exe” [2004-08-03 23:44 C:\WINDOWS\system32\rundll32.exe] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 00:11] “tsnp325”=“C:\WINDOWS\tsnp325.exe” [2007-04-21 08:30] “snp325”=“C:\WINDOWS\vsnp325.exe” [2007-04-25 14:36] “NvCplDaemon”=“RUNDLL32.exe” [2004-08-03 23:44 C:\WINDOWS\system32\rundll32.exe] “AVP”=“C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe” [2007-06-28 12:51] “SDTray”=“C:\Program Files\Spyware Doctor\SDTrayApp.exe” [2007-11-02 17:24] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-03 23:44] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 17:05:56] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] “AppInit_DLLs”=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 nwprovau [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice] @="" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] “ACU”=C:\Program Files\IEEE 802.11 Wireless LAN\ACU.exe -nogui “GC75-Manager-Class”=“C:\Program Files\Sony Ericsson\GC79 Manager\GC79 Manager.exe” -startup R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2006-10-31 21:40] R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58] R3 SNP325;USB PC Camera (SNPSTD325);C:\WINDOWS\system32\DRIVERS\snp325.sys [2007-04-26 10:03] S2 SMTPSVC;Simple Mail Transport Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2001-10-26 18:29] S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10] . ************************************************************************** catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-29 17:51:54 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-12-29 17:55:37 - machine was rebooted [r] . 2007-12-29 10:30:32 — E O F —

Gutek · 29 Grudzień 2007 20:15

Już powinno być Ok