Załapałem trojana

ironbutt · 17 Lipiec 2007 12:04

Witam. zalapalem jakiegos trojana, moja zdolna matka odpalila jakiegos maila z tym shitem. i teraz co nastepuje, ZoneAlarm wylapal ze services.exe chce powysylac kilka maili ok. 5 na sec. i go blokuje, ale co chwila jak staram sie uruchomic jakis program (Opera, Norton, Mks, AdAware) robi mi restarty… jedyny moj ratunek na tym forum… udalo mi sie loga strzelic:

Logfile of HijackThis v1.99.1 Scan saved at 14:03:45, on 2007-07-17 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe D:\Program Files\D4\D4.exe C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe C:\Program Files\ISTsvc\istsvc.exe C:\Program Files\SurfAccuracy\SAcc.exe C:\Program Files\Internet Optimizer\optimize.exe C:\WINDOWS\vedrtcs.exe C:\WINDOWS\hgsndkto.exe C:\WINDOWS\logon.exe D:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Internet Optimizer\actalert.exe D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe D:\Program Files\lg_fwupdate\fwupdate.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe D:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe D:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe C:\Program Files\Microsoft Office\Office\OSA.EXE C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Psi\psi.exe D:\Program Files\Norton AntiVirus\navapsvc.exe d:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe d:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE d:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\Outlook Express\msimn.exe C:\Program Files\Internet Explorer\iexplore.exe D:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazeta.pl/0,0.html?p1 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idg.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: LBBHO - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe O4 - HKLM…\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM…\Run: [HP Component Manager] “C:\Program Files\HP\hpcoretech\hpcmpmgr.exe” O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe O4 - HKLM…\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM…\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM…\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM…\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM…\Run: [Dimension4] D:\Program Files\D4\D4.exe O4 - HKLM…\Run: [serviceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe O4 - HKLM…\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe O4 - HKLM…\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe O4 - HKLM…\Run: [HHhF] C:\WINDOWS\hgsndkto.exe O4 - HKLM…\Run: [surfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe O4 - HKLM…\Run: [internet Optimizer] “C:\Program Files\Internet Optimizer\optimize.exe” O4 - HKLM…\Run: [ReJf5vH] C:\WINDOWS\vedrtcs.exe O4 - HKLM…\Run: [HHh$vůőš/‚˛ĆßfĎNbC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\hgsndkto.exe O4 - HKLM…\Run: [WinLogon] C:\WINDOWS\logon.exe O4 - HKLM…\Run: [iTunesHelper] “D:\Program Files\iTunes\iTunesHelper.exe” O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [RemoteControl] “d:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [LGODDFU] “d:\Program Files\lg_fwupdate\fwupdate.exe” O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [VoipCheapCom] “C:\program files\voipcheapcom\voipcheapcom.exe” -nosplash -minimized O4 - HKCU…\Run: [Gadu-Gadu] “D:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - Startup: Psi.lnk = C:\Program Files\Psi\psi.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ? O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ? O4 - Global Startup: Uruchamianie pakietu Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE O8 - Extra context menu item: &Clean Traces - d:\Program Files\DAP\Privacy Package\dapcleanerie.htm O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra ‘Tools’ menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O14 - IERESET.INF: START_PAGE_URL=http://www.idg.pl O16 - DPF: {00000000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int21.exe O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

wiem ze mam nasmiecone troche ale priorytetowo musze wywalic tego bydlaka, tylko nie wiem gdzie on siedzi …

help needet

anon32303829 · 17 Lipiec 2007 12:12

Więc te pliki są według hijackthis podejrzane (najprawdopodibneij jakis wirus):

C:\Program Files\ISTsvc\istsvc.exe

C:\Program Files\SurfAccuracy\SAcc.exe

C:\Program Files\Internet Optimizer\optimize.exe

C:\WINDOWS\logon.exe

C:\Program Files\Internet Optimizer\actalert.exe

O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll

O2 - BHO: LBBHO - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll

O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [HHhF] C:\WINDOWS\hgsndkto.exe

O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\vedrtcs.exe

O4 - HKLM\..\Run: [HHh$vůőš/‚˛ĆßfĎNbC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\hgsndkto.exe

O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe

O16 - DPF: {00000000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int21.exe

Jeśli wiesz, że coś nie jest wirusem to nie fixuj.

Jeżeli nie uda się wszywstkiego skasować, to wejdź w tryb awarjny i skaskuj to.

Możesz jeszcze przeskanować kompa AVG Anti-Spyware po aktualizacji i ComboFix’em i daj logi.

Możesz jeszcze przeskanować Spybot - Search & Destroy.

Kuba11 · 17 Lipiec 2007 12:31

W logach:

C:\Program Files\ISTsvc\istsvc.exe C:\Program Files\SurfAccuracy\SAcc.exe C:\Program Files\Internet Optimizer\optimize.exe C:\WINDOWS\vedrtcs.exe C:\WINDOWS\hgsndkto.exe C:\WINDOWS\logon.exe C:\Program Files\Internet Optimizer\actalert.exe O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll O2 - BHO: LBBHO - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll O4 - HKLM…\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe O4 - HKLM…\Run: [HHhF] C:\WINDOWS\hgsndkto.exe O4 - HKLM…\Run: [surfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe O4 - HKLM…\Run: [internet Optimizer] “C:\Program Files\Internet Optimizer\optimize.exe” O4 - HKLM…\Run: [ReJf5vH] C:\WINDOWS\vedrtcs.exe O4 - HKLM…\Run: [HHh$vůőš/‚˛ĆßfĎNbC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\hgsndkto.exe O4 - HKLM…\Run: [WinLogon] C:\WINDOWS\logon.exe O16 - DPF: {00000000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int21.exe

Zastosuj na początek SmitFraudFix z opcji nr 2 w trybie awaryjnym,pokaż z niego raport(C:\raport.txt )

Następnie zastosuj ComboFix

Pokaż następnie logi z HijackThis,Silentrunners,ComboFix.

ironbutt · 17 Lipiec 2007 12:48

jak odpalam ComboFixa to mi robi resa odrazu… a co do tego pierwszego to jeszcze sie nim nigdy nie bawilem… . mam tam kilka plików ale nie czaje narazie jak sie tego uzywa… poczytam zaraz.

Kuba11 · 17 Lipiec 2007 12:54

Wykonaj to co napisałem,sama “fixacja” tych wpisów nic nie da…

ironbutt · 17 Lipiec 2007 13:00

ehh… niemoge tego Combofixa odpalic … resty mi smiga odrazu

Złączono Posta : 17.07.2007 (Wto) 15:14

SmitFraudFix v2.204

Scan done at 15:13:56,15, 2007-07-17 Run from D:\SmitFix\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Process C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe D:\Program Files\D4\D4.exe C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe D:\Program Files\iTunes\iTunesHelper.exe D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe D:\Program Files\lg_fwupdate\fwupdate.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe D:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe D:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe C:\Program Files\Microsoft Office\Office\OSA.EXE C:\Program Files\Psi\psi.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe D:\Program Files\Norton AntiVirus\navapsvc.exe C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE d:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE C:\WINDOWS\System32\nvsvc32.exe d:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE C:\WINDOWS\System32\svchost.exe d:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\cmd.exe »»»»»»»»»»»»»»»»»»»»»»»» hosts »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Banaszynski »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Banaszynski\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BANASZ~1\Ulubione »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] “Source”=“About:Home” “SubscribedURL”=“About:Home” “FriendlyName”=“Moja bieľĄca strona g˘wna” »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !Attention, following keys are not inevitably infected! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] “AppInit_DLLs”="" »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !Attention, following keys are not inevitably infected! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] “System”="" »»»»»»»»»»»»»»»»»»»»»»»» Rustock »»»»»»»»»»»»»»»»»»»»»»»» DNS Description: Karta Realtek RTL8139 Family PCI Fast Ethernet NIC - Sterownik miniport Harmonogramu pakietów DNS Server Search Order: 194.204.159.1 DNS Server Search Order: 217.98.63.164 HKLM\SYSTEM\CCS\Services\Tcpip…{FC46F361-7C25-4E20-AA0B-480E933372B0}: DhcpNameServer=194.204.159.1 217.98.63.164 HKLM\SYSTEM\CS1\Services\Tcpip…{FC46F361-7C25-4E20-AA0B-480E933372B0}: DhcpNameServer=194.204.159.1 217.98.63.164 HKLM\SYSTEM\CS2\Services\Tcpip…{FC46F361-7C25-4E20-AA0B-480E933372B0}: DhcpNameServer=194.204.159.1 217.98.63.164 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.204.159.1 217.98.63.164 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.204.159.1 217.98.63.164 HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.204.159.1 217.98.63.164 »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End LOG Z SmitFraudFix’a Złączono Posta: 17.07.2007 (Wto) 15:28 a to po zastosowaniu opcji2 w awaryjnym: SmitFraudFix v2.204 Scan done at 15:28:06,10, 2007-07-17 Run from D:\SmitFix\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» hosts 127.0.0.1 localhost »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» DNS Description: Karta Realtek RTL8139 Family PCI Fast Ethernet NIC - Sterownik miniport Harmonogramu pakietów DNS Server Search Order: 194.204.159.1 DNS Server Search Order: 217.98.63.164 HKLM\SYSTEM\CCS\Services\Tcpip…{FC46F361-7C25-4E20-AA0B-480E933372B0}: DhcpNameServer=194.204.159.1 217.98.63.164 HKLM\SYSTEM\CS1\Services\Tcpip…{FC46F361-7C25-4E20-AA0B-480E933372B0}: DhcpNameServer=194.204.159.1 217.98.63.164 HKLM\SYSTEM\CS2\Services\Tcpip…{FC46F361-7C25-4E20-AA0B-480E933372B0}: DhcpNameServer=194.204.159.1 217.98.63.164 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.204.159.1 217.98.63.164 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.204.159.1 217.98.63.164 HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.204.159.1 217.98.63.164 »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !Attention, following keys are not inevitably infected! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] “System”="" Złączono Posta: 17.07.2007 (Wto) 15:32 a tu jescze z ComboFix’a “Banaszynski” - 2007-07-17 15:32:46 - ComboFix 07-07-14.6 - Dodatek Service Pack. 1 NTFS [sAFE MODE] ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\DOCUME~1\BANASZ~1\Pulpit.\internet explorer.lnk C:\Program Files\internet optimizer C:\Program Files\internet optimizer\actalert.exe C:\Program Files\internet optimizer\optimize.exe C:\Program Files\internet optimizer\update\actalert.exe C:\Program Files\ISTsvc C:\Program Files\ISTsvc\istsvc.exe C:\Program Files\SideFind C:\Program Files\SideFind\sfbho.dll C:\Program Files\SurfAccuracy C:\Program Files\SurfAccuracy\License.lnk C:\Program Files\SurfAccuracy\SAcc.cfg C:\Program Files\SurfAccuracy\SAcc.exe C:\Program Files\SurfAccuracy\SAccU.exe C:\WINDOWS\DOWNLO~1.\ysbactivex.dll C:\WINDOWS\NDNuninstall6_38.exe ((((((((((((((((((((((((( Files Created from 2007-06-17 to 2007-07-17 ))))))))))))))))))))))))))))))) 2007-07-17 15:32 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-17 15:27 2007-07-17 15:14 4,540 --a------ C:\WINDOWS\system32\tmp.reg 2007-07-17 12:02 2007-07-17 10:52 4,608 --a------ C:\sysqkxx.exe 2007-07-17 10:52 158,208 --a------ C:\WINDOWS\system32\vdo_3678-4f34.sys 2007-07-12 22:44 4,608 --a------ C:\sysagcy.exe (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-17 13:09:07 -------- d-----w C:\Program Files\Common Files\Symantec Shared 2007-07-17 11:33:17 -------- d-----w C:\Program Files\SkanerOnline 2007-07-16 22:51:06 -------- d-----w C:\DOCUME~1\BANASZ~1\DANEAP~1\Skype 2007-07-12 05:04:39 -------- d-----w C:\DOCUME~1\BANASZ~1\DANEAP~1\Azureus 2007-05-21 10:32:58 -------- d-----w C:\DOCUME~1\BANASZ~1\DANEAP~1\AdobeUM 2004-10-01 14:00:16 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2004-06-25 22:59:11 49,152 --sha-w C:\WINDOWS\lbbho.dll 2005-07-25 07:35:15 56 -csh–r C:\WINDOWS\system32\F43FDD1FB4.sys 2005-07-25 07:35:15 10,022 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] 2003-05-12 00:47 50376 --a------ C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{AA58ED58-01DD-4d91-8333-CF10577473F7}] 2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar2.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}] 2007-06-12 00:22 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{BDF3E430-B101-42AD-A544-FADC6B084872}] 2002-11-15 00:09 112248 --a------ D:\Program Files\Norton AntiVirus\NavShExt.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{EFD84954-6B46-42f4-81F3-94CE9A77052D}] 2004-06-26 00:59 49152 --ahs---- C:\WINDOWS\lbbho.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “nwiz”=“nwiz.exe” [2003-11-17 10:33 C:\WINDOWS\system32\nwiz.exe] “Zone Labs Client”=“C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe” [2003-12-15 14:57] “REGSHAVE”=“C:\Program Files\REGSHAVE\REGSHAVE.exe” [2002-02-04 22:32] “HP Component Manager”=“C:\Program Files\HP\hpcoretech\hpcmpmgr.exe” [2003-12-22 09:38] “SSC_UserPrompt”=“C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe” [2004-11-02 16:59] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe” [2005-03-04 03:36] “SpeedTouch USB Diagnostics”=“C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe” [2002-06-06 11:15] “ccApp”=“C:\Program Files\Common Files\Symantec Shared\ccApp.exe” [2002-08-19 22:22] “ccRegVfy”=“C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe” [2002-08-19 22:23] “Advanced Tools Check”=“D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE” [2002-08-26 22:35] “Symantec NetDriver Monitor”=“C:\PROGRA~1\SYMNET~1\SNDMon.exe” [2005-10-06 10:23] “Dimension4”=“D:\Program Files\D4\D4.exe” [2004-02-04 01:26] “ServiceLayer”=“C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe” [2002-10-16 09:43] “Nokia Tray Application”=“C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe” [2002-10-22 09:52] “iTunesHelper”=“D:\Program Files\iTunes\iTunesHelper.exe” [2006-09-25 14:54] “RemoteControl”=“d:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” [2004-11-02 20:24] “LGODDFU”=“d:\Program Files\lg_fwupdate\fwupdate.exe” [2006-02-20 11:40] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-11-15 16:18] “Steam”="" [] “VoipCheapCom”=“C:\program files\voipcheapcom\voipcheapcom.exe” [] “Gadu-Gadu”=“D:\Program Files\Gadu-Gadu\gg.exe” [2007-01-30 16:58] “swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-06-12 00:22] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0] “C:\Program Files\Web_Rebates\WebRebates0.exe” *Newly Created Service* - ADILOADER Contents of the ‘Scheduled Tasks’ folder 2007-07-16 20:09:12 C:\WINDOWS\tasks\Symantec NetDetect.job ************************************************************************** catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-17 15:33:58 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-07-17 15:34:22 C:\ComboFix-quarantined-files.txt … 2007-07-17 15:34 — E O F — Złączono Posta: 17.07.2007 (Wto) 15:41 no niestety caly czas mi smiga rstarta… ale juz nie odrazu przy wlaczeniu opery tylko po minucie zwiedzania stronek …

Kuba11 · 17 Lipiec 2007 14:07

w tym logu co pokazałeś zostały do zeskanowania 2 pliki:

skanujesz je na http://www.virustotal.com

Do wyrzucenia plik zaznaczony na czerwono

C:\WINDOWS\ lbbho.dll

Dodatkowo otwórz notatnik i wklej w nim:

Plik>>zapisz jako>>zmien rozszerzenie z TXT na wszystkie pliki i zapisz pod nazwa FIX.REG dwuklik na powstały plik i dodaj go do rejestru.

Nie wiem od czego jest ten sterownik:

Miałes dac wszystkie logi Hijackthis,Silentrunners i ComboFix a nie tylko ComboFix :?

Dajesz nowe logi z Hijackthis,Silentrunners,ComboFix +

Ściągasz Gmer-a

* Rootkit >>> zaznaczone Pokaż wszystko >>> wskazane tylko Usługi >>> Szukaj >>> Kopiuj >>> CTRL+V na http://www.wklej.org

* Rootkit >>> odznaczone Pokaż wszystko >>> wskazane wszystkie obiekty do skanu >>> Szukaj>>> Kopiuj >>> CTRL+V na http://www.wklej.org

Dostaniesz 2 logi.

POdsumowując wracasz z Hijackthis,Silentrunners,ComboFix,2 logi z Gmer-a,raport ze skanów z tych 2 plików co Ci podałem.

ironbutt · 17 Lipiec 2007 14:09

dobra kierowniku

Złączono Posta : 17.07.2007 (Wto) 16:24

Plik sysqkxx.exe otrzymany 17.07.2007 16:15:40 (CET) Obecny status: skanowanie Twój plik jest obecnie skanowany, wyniki będą pojawiać się stopniowo. Antywirus Wersja Ostatnia aktualizacja Wynik AhnLab-V3 2007.7.14.0 2007.07.17 Win-Trojan/Downloader.4608.JS AntiVir 7.4.0.42 2007.07.17 TR/Dldr.Dorfdo.A Authentium 4.93.8 2007.07.17 Possibly a new variant of W32/Threat-HLLSI-based!Maximus Avast 4.7.997.0 2007.07.16 Win32:Small-GXE AVG 7.5.0.476 2007.07.16 Downloader.Small.NU BitDefender 7.2 2007.07.17 Trojan.Downloader.Dorfdo.A CAT-QuickHeal 9.00 2007.07.16 TrojanDownloader.Small.evy ClamAV devel-20070416 2007.07.17 Trojan.Downloader-10773 DrWeb 4.33 2007.07.17 Trojan.DownLoader.26504 eSafe 7.0.15.0 2007.07.17 no virus found eTrust-Vet 30.8.3789 2007.07.17 Win32/DlSintun Ewido 4.0 2007.07.17 Downloader.Small.evy FileAdvisor 1 2007.07.17 no virus found Fortinet 2.91.0.0 2007.07.17 W32/Small.HL!tr.dldr F-Prot 4.3.2.48 2007.07.17 W32/Threat-HLLSI-based!Maximus Ikarus T3.1.1.8 2007.07.17 Trojan-Downloader.Win32.Small.evy Kaspersky 4.0.2.24 2007.07.17 Trojan-Downloader.Win32.Small.evy McAfee 5075 2007.07.16 Generic Downloader.k Microsoft 1.2704 2007.07.17 TrojanDownloader:Win32/Small!5851 NOD32v2 2402 2007.07.17 Win32/TrojanDownloader.Small.EVY Norman 5.80.02 2007.07.17 W32/Downloader Panda 9.0.0.4 2007.07.17 Suspicious file Sophos 4.19.0 2007.07.16 Troj/Dorfdo-A Sunbelt 2.2.907.0 2007.07.16 no virus found Dodatkowe informacje File size: 4608 bytes MD5: b40dd3d4062516ce02d0bf8b8f12ce23 SHA1: 53027f80b6038b67545a968f523f8c94347b4308 norman sandbox: [General information] * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**. * File length: 4608 bytes. [Changes to filesystem] * Creates file C:\WINDOWS\gop.exe. [Network services] * Connects to “74.67.63.139” on port 80 (TCP). * Opens URL: 74.67.63.139gop.exe. [Security issues] * Starting downloaded file - potential security problem.

pytanko… nie wiem skad ten plik wyszukac co na czerwono mi dales… nie mam go tam mam lbbho.ini ale .dll nie ma

ide robic teraz logi, zaraz powklejam,

GMER 1)log. http://wklej.org/id/73e8aa0688

2)log. http://www.wklej.org/id/6df57dc57c

Złączono Posta : 17.07.2007 (Wto) 17:07

Logfile of HijackThis v1.99.1 Scan saved at 17:07, on 2007-07-17 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe D:\Program Files\D4\D4.exe C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe D:\Program Files\iTunes\iTunesHelper.exe D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe D:\Program Files\lg_fwupdate\fwupdate.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe D:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe D:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe C:\Program Files\Microsoft Office\Office\OSA.EXE C:\Program Files\Psi\psi.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE D:\Program Files\Norton AntiVirus\navapsvc.exe d:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE C:\WINDOWS\System32\nvsvc32.exe d:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE C:\WINDOWS\System32\svchost.exe d:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe D:\hijackthis\HijackThis.exe C:\WINDOWS\System32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: LBBHO - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe O4 - HKLM…\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM…\Run: [HP Component Manager] “C:\Program Files\HP\hpcoretech\hpcmpmgr.exe” O4 - HKLM…\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM…\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM…\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM…\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM…\Run: [Dimension4] D:\Program Files\D4\D4.exe O4 - HKLM…\Run: [serviceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe O4 - HKLM…\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe O4 - HKLM…\Run: [iTunesHelper] “D:\Program Files\iTunes\iTunesHelper.exe” O4 - HKLM…\Run: [RemoteControl] “d:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [LGODDFU] “d:\Program Files\lg_fwupdate\fwupdate.exe” O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [VoipCheapCom] “C:\program files\voipcheapcom\voipcheapcom.exe” -nosplash -minimized O4 - HKCU…\Run: [Gadu-Gadu] “D:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - Startup: Psi.lnk = C:\Program Files\Psi\psi.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ? O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ? O4 - Global Startup: Uruchamianie pakietu Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE O8 - Extra context menu item: &Clean Traces - d:\Program Files\DAP\Privacy Package\dapcleanerie.htm O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra ‘Tools’ menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O14 - IERESET.INF: START_PAGE_URL=http://www.idg.pl O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Co do SilentRunners to nie czaje czemu ale tylko cos takiego mam:

(pewnie cos nie tak zrobilem … )

Kuba11 · 17 Lipiec 2007 15:31

Teraz musisz wyłączyc przywracanie systemu i wejsc w tryb awaryjny

Kasujesz zaznaczone na czerwono pliki:

C:\ sysqkxx.exe

C:\ sysagcy.exe

Dodtakowo w HijackThis “fixujesz” poniższe wpis,a pliki zaznaczone na czerwono usuwasz ręcznie z dysku.(włącz wcześniej pokazywanie ukrytych plików)

Gmer 1 czysty

Gmer 2 niepełny…

Silentrunners nie pełny.

ComboFix-a nie dałeś :?

Uważam , że to jest ster od BT

ironbutt · 17 Lipiec 2007 15:32

“Banaszynski” - 2007-07-17 17:23:17 - ComboFix 07-07-14.6 - Dodatek Service Pack. 1 NTFS [sAFE MODE] ((((((((((((((((((((((((( Files Created from 2007-06-17 to 2007-07-17 ))))))))))))))))))))))))))))))) 2007-07-17 15:32 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-17 15:27 2007-07-17 15:14 4,540 --a------ C:\WINDOWS\system32\tmp.reg 2007-07-17 12:02 2007-07-17 10:52 4,608 --a------ C:\sysqkxx.exe 2007-07-17 10:52 158,208 --a------ C:\WINDOWS\system32\vdo_3678-4f34.sys 2007-07-12 22:44 4,608 --a------ C:\sysagcy.exe (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-17 15:07:16 -------- d-----w C:\Program Files\Common Files\Symantec Shared 2007-07-17 14:04:29 49,712 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-07-17 14:04:29 355,830 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-07-17 11:33:17 -------- d-----w C:\Program Files\SkanerOnline 2007-07-16 22:51:06 -------- d-----w C:\DOCUME~1\BANASZ~1\DANEAP~1\Skype 2007-07-12 05:04:39 -------- d-----w C:\DOCUME~1\BANASZ~1\DANEAP~1\Azureus 2007-05-21 10:32:58 -------- d-----w C:\DOCUME~1\BANASZ~1\DANEAP~1\AdobeUM 2004-10-01 14:00:16 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2004-06-25 22:59:11 49,152 --sha-w C:\WINDOWS\lbbho.dll 2005-07-25 07:35:15 56 -csh–r C:\WINDOWS\system32\F43FDD1FB4.sys 2005-07-25 07:35:15 10,022 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] 2003-05-12 00:47 50376 --a------ C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{AA58ED58-01DD-4d91-8333-CF10577473F7}] 2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar2.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}] 2007-06-12 00:22 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{BDF3E430-B101-42AD-A544-FADC6B084872}] 2002-11-15 00:09 112248 --a------ D:\Program Files\Norton AntiVirus\NavShExt.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{EFD84954-6B46-42f4-81F3-94CE9A77052D}] 2004-06-26 00:59 49152 --ahs---- C:\WINDOWS\lbbho.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “nwiz”=“nwiz.exe” [2003-11-17 10:33 C:\WINDOWS\system32\nwiz.exe] “Zone Labs Client”=“C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe” [2003-12-15 14:57] “REGSHAVE”=“C:\Program Files\REGSHAVE\REGSHAVE.exe” [2002-02-04 22:32] “HP Component Manager”=“C:\Program Files\HP\hpcoretech\hpcmpmgr.exe” [2003-12-22 09:38] “SSC_UserPrompt”=“C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe” [2004-11-02 16:59] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe” [2005-03-04 03:36] “SpeedTouch USB Diagnostics”=“C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe” [2002-06-06 11:15] “ccApp”=“C:\Program Files\Common Files\Symantec Shared\ccApp.exe” [2002-08-19 22:22] “ccRegVfy”=“C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe” [2002-08-19 22:23] “Advanced Tools Check”=“D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE” [2002-08-26 22:35] “Symantec NetDriver Monitor”=“C:\PROGRA~1\SYMNET~1\SNDMon.exe” [2005-10-06 10:23] “Dimension4”=“D:\Program Files\D4\D4.exe” [2004-02-04 01:26] “ServiceLayer”=“C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe” [2002-10-16 09:43] “Nokia Tray Application”=“C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe” [2002-10-22 09:52] “iTunesHelper”=“D:\Program Files\iTunes\iTunesHelper.exe” [2006-09-25 14:54] “RemoteControl”=“d:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” [2004-11-02 20:24] “LGODDFU”=“d:\Program Files\lg_fwupdate\fwupdate.exe” [2006-02-20 11:40] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-11-15 16:18] “Steam”="" [] “VoipCheapCom”=“C:\program files\voipcheapcom\voipcheapcom.exe” [] “Gadu-Gadu”=“D:\Program Files\Gadu-Gadu\gg.exe” [2007-01-30 16:58] “swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-06-12 00:22] Contents of the ‘Scheduled Tasks’ folder 2007-07-16 20:09:12 C:\WINDOWS\tasks\Symantec NetDetect.job ************************************************************************** catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-17 17:25:16 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-07-17 17:25:55 C:\ComboFix-quarantined-files.txt … 2007-07-17 17:25 C:\ComboFix2.txt … 2007-07-17 15:34 — E O F —

Złączono Posta : 17.07.2007 (Wto) 17:33

Wiem ze to troche trwa w moim przypadku… ale caly czas mam te resy , i latam pomiedzy tymi trybami… dlatego troszkje mi to zajmuje… a pokazywanie ukrytych plików mam wlaczone, mimo to nie moge tego pliku odnalezc…

Gutek · 17 Lipiec 2007 15:37

Użyj TrendMicro - http://pl.trendmicro-europe.com/consume … launch.php i powiedz co znalazł. Daj log z Combofix

Uwaga: Jak wklejasz loga to obejmuj go znacznikiem (tagiem) CODE lub QUOTE

ironbutt · 17 Lipiec 2007 15:54

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “Steam” = “(empty string)” [file not found] “VoipCheapCom” = ““C:\program files\voipcheapcom\voipcheapcom.exe” -nosplash -minimized” [file not found] “Gadu-Gadu” = ““D:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] “swg” = “C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [“Google Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “Zone Labs Client” = “C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe” [“Zone Labs Inc.”] “REGSHAVE” = “C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN” [“FUJI PHOTO FILM CO., LTD.”] “HP Component Manager” = ““C:\Program Files\HP\hpcoretech\hpcmpmgr.exe”” [“Hewlett-Packard Company”] “SSC_UserPrompt” = “C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe” [“Symantec Corporation”] “SunJavaUpdateSched” = “C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe” [“Sun Microsystems, Inc.”] “SpeedTouch USB Diagnostics” = ““C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON multimedia”] “ccApp” = “C:\Program Files\Common Files\Symantec Shared\ccApp.exe” [“Symantec Corporation”] “ccRegVfy” = “C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe” [“Symantec Corporation”] “Advanced Tools Check” = “D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE” [“Symantec Corporation”] “Symantec NetDriver Monitor” = “C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer” [“Symantec Corporation”] “Dimension4” = “D:\Program Files\D4\D4.exe” [“Thinking Man Software”] “ServiceLayer” = “C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe” [“Nokia Mobile Phones”] “Nokia Tray Application” = “C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe” [“Nokia Mobile Phones”] “iTunesHelper” = ““D:\Program Files\iTunes\iTunesHelper.exe”” [“Apple Computer, Inc.”] “RemoteControl” = ““d:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”] “LGODDFU” = ““d:\Program Files\lg_fwupdate\fwupdate.exe”” [null data] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided) -> {HKLM…CLSID} = “Google Toolbar Helper” \InProcServer32(Default) = “c:\program files\google\googletoolbar2.dll” [“Google Inc.”] {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}(Default) = (no title provided) -> {HKLM…CLSID} = “Google Toolbar Notifier BHO” \InProcServer32(Default) = “C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll” [“Google Inc.”] {BDF3E430-B101-42AD-A544-FADC6B084872}(Default) = “NAV Helper” -> {HKLM…CLSID} = “CNavExtBho Class” \InProcServer32(Default) = “D:\Program Files\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{E0D79304-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{E0D79305-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{E0D79306-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{E0D79307-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{59850401-6664-101B-B21C-00AA004BA90B}” = “Microsoft Office Binder Unbind” -> {HKLM…CLSID} = “Microsoft Office Binder Unbind” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL” [MS] “{30E573DD-ED36-11D4-AA7E-00902709370B}” = “HexShellExt” -> {HKLM…CLSID} = “HexShellExt Class” \InProcServer32(Default) = “D:\Nowy Philek\HexEdit\HexExt.dll” [file not found] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{6af09ec9-b429-11d4-a1fb-0090960218cb}” = “My Bluetooth Places” -> {HKLM…CLSID} = “My Bluetooth Places” \InProcServer32(Default) = “C:\WINDOWS\System32\BTNEIG~1.DLL” [“WIDCOMM, Inc.”] “{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes” -> {HKLM…CLSID} = “iTunes” \InProcServer32(Default) = “D:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Computer, Inc.”] “{7CDDBD23-1B50-47b2-B28D-1B84D9A40ED1}” = “Sony Digital Voice File Shell Extention Module” -> {HKLM…CLSID} = “Sony Digital Voice File Shell Extention Module” \InProcServer32(Default) = “IcdShlex.dll” [“Sony Corporation”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” -> {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “D:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] HexShellExt(Default) = “{30E573DD-ED36-11D4-AA7E-00902709370B}” -> {HKLM…CLSID} = “HexShellExt Class” \InProcServer32(Default) = “D:\Nowy Philek\HexEdit\HexExt.dll” [file not found] Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}” -> {HKLM…CLSID} = “IEContextMenu Class” \InProcServer32(Default) = “D:\Program Files\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” -> {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “D:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}” -> {HKLM…CLSID} = “IEContextMenu Class” \InProcServer32(Default) = “D:\Program Files\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

i ComboFix

“Banaszynski” - 2007-07-17 17:23:17 - ComboFix 07-07-14.6 - Dodatek Service Pack. 1 NTFS [sAFE MODE] ((((((((((((((((((((((((( Files Created from 2007-06-17 to 2007-07-17 ))))))))))))))))))))))))))))))) 2007-07-17 15:32 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-17 15:27 2007-07-17 15:14 4,540 --a------ C:\WINDOWS\system32\tmp.reg 2007-07-17 12:02 2007-07-17 10:52 4,608 --a------ C:\sysqkxx.exe 2007-07-17 10:52 158,208 --a------ C:\WINDOWS\system32\vdo_3678-4f34.sys 2007-07-12 22:44 4,608 --a------ C:\sysagcy.exe (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-17 15:07:16 -------- d-----w C:\Program Files\Common Files\Symantec Shared 2007-07-17 14:04:29 49,712 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-07-17 14:04:29 355,830 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-07-17 11:33:17 -------- d-----w C:\Program Files\SkanerOnline 2007-07-16 22:51:06 -------- d-----w C:\DOCUME~1\BANASZ~1\DANEAP~1\Skype 2007-07-12 05:04:39 -------- d-----w C:\DOCUME~1\BANASZ~1\DANEAP~1\Azureus 2007-05-21 10:32:58 -------- d-----w C:\DOCUME~1\BANASZ~1\DANEAP~1\AdobeUM 2004-10-01 14:00:16 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2004-06-25 22:59:11 49,152 --sha-w C:\WINDOWS\lbbho.dll 2005-07-25 07:35:15 56 -csh–r C:\WINDOWS\system32\F43FDD1FB4.sys 2005-07-25 07:35:15 10,022 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] 2003-05-12 00:47 50376 --a------ C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{AA58ED58-01DD-4d91-8333-CF10577473F7}] 2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar2.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}] 2007-06-12 00:22 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{BDF3E430-B101-42AD-A544-FADC6B084872}] 2002-11-15 00:09 112248 --a------ D:\Program Files\Norton AntiVirus\NavShExt.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{EFD84954-6B46-42f4-81F3-94CE9A77052D}] 2004-06-26 00:59 49152 --ahs---- C:\WINDOWS\lbbho.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “nwiz”=“nwiz.exe” [2003-11-17 10:33 C:\WINDOWS\system32\nwiz.exe] “Zone Labs Client”=“C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe” [2003-12-15 14:57] “REGSHAVE”=“C:\Program Files\REGSHAVE\REGSHAVE.exe” [2002-02-04 22:32] “HP Component Manager”=“C:\Program Files\HP\hpcoretech\hpcmpmgr.exe” [2003-12-22 09:38] “SSC_UserPrompt”=“C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe” [2004-11-02 16:59] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe” [2005-03-04 03:36] “SpeedTouch USB Diagnostics”=“C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe” [2002-06-06 11:15] “ccApp”=“C:\Program Files\Common Files\Symantec Shared\ccApp.exe” [2002-08-19 22:22] “ccRegVfy”=“C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe” [2002-08-19 22:23] “Advanced Tools Check”=“D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE” [2002-08-26 22:35] “Symantec NetDriver Monitor”=“C:\PROGRA~1\SYMNET~1\SNDMon.exe” [2005-10-06 10:23] “Dimension4”=“D:\Program Files\D4\D4.exe” [2004-02-04 01:26] “ServiceLayer”=“C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe” [2002-10-16 09:43] “Nokia Tray Application”=“C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe” [2002-10-22 09:52] “iTunesHelper”=“D:\Program Files\iTunes\iTunesHelper.exe” [2006-09-25 14:54] “RemoteControl”=“d:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” [2004-11-02 20:24] “LGODDFU”=“d:\Program Files\lg_fwupdate\fwupdate.exe” [2006-02-20 11:40] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-11-15 16:18] “Steam”="" [] “VoipCheapCom”=“C:\program files\voipcheapcom\voipcheapcom.exe” [] “Gadu-Gadu”=“D:\Program Files\Gadu-Gadu\gg.exe” [2007-01-30 16:58] “swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-06-12 00:22] Contents of the ‘Scheduled Tasks’ folder 2007-07-16 20:09:12 C:\WINDOWS\tasks\Symantec NetDetect.job ************************************************************************** catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-17 17:25:16 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-07-17 17:25:55 C:\ComboFix-quarantined-files.txt … 2007-07-17 17:25 C:\ComboFix2.txt … 2007-07-17 15:34 — E O F —

Gutek · 17 Lipiec 2007 15:59

Pobierz program SDFix

ironbutt · 17 Lipiec 2007 16:16

SDFix: Version 1.92 Run by Banaszynski on 2007-07-17 at 18:10 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Name: vdo_3678-4f34 ImagePath: ??\C:\WINDOWS\System32\vdo_3678-4f34.sys vdo_3678-4f34 - Deleted Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Normal Mode: Checking Files: Trojan Files Found: C:\WINDOWS\system32\vdo_3678-4f34.sys - Deleted Removing Temp Files… ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] Remaining Files: --------------- Backups Folder: - C:\SDFix\backups\backups.zip Files with Hidden Attributes: C:\RECYCLER\S-1-5-21-725345543-2111687655-839522115-1003\Dc3.dll C:\WINDOWS\system32\F43FDD1FB4.sys C:\WINDOWS\system32\KGyGaAvL.sys C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL0003.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL0004.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL0087.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL0109.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL0275.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL0657.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL0663.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL0857.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL1812.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL1853.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL1940.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL2363.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL2608.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL2712.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL2758.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL2855.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL2896.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL3260.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL3585.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL4011.tmp C:\Documents and Settings\Banaszynski\Dane aplikacji\Microsoft\Word~WRL4081.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty~WRL3504.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0037.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0052.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0057.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0101.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0111.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0175.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0253.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0321.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0422.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0423.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0495.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0496.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0533.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0542.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0609.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0645.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0667.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0708.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0719.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0801.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0804.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0849.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0856.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0867.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0905.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL0939.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1008.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1139.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1150.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1184.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1308.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1338.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1420.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1492.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1515.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1530.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1584.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1642.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1666.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1677.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1725.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1736.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1749.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1755.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1895.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1896.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1934.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1935.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL1984.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2024.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2063.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2144.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2195.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2257.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2259.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2307.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2325.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2400.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2521.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2522.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2523.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2538.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2569.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2595.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2603.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2635.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2642.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2673.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2697.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2705.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2715.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2737.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2835.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2838.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2879.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2936.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL2951.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL3107.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL3135.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL3192.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL3245.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL3362.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL3403.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL3449.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL3493.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL3495.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL3682.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL3742.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL3752.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL3787.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL3836.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL3855.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL3863.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL3996.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL4053.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG~WRL4082.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG\BG~WRL0001.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG\BG~WRL0003.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG\BG~WRL0257.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG\BG~WRL1121.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG\BG~WRL1240.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG\BG~WRL1256.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG\BG~WRL1617.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG\BG~WRL1878.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG\BG~WRL2032.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG\BG~WRL2473.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG\BG~WRL4029.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG???~WRL0001.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG???~WRL0003.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG???~WRL0005.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG???~WRL0632.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG???~WRL0733.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG???~WRL1690.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG???~WRL2485.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG???~WRL3510.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Anketa BG???~WRL3633.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\KURSY~WRL3596.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL0318.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL0459.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL1108.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL1171.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL1177.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL1197.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL1419.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL1653.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL1754.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL1783.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL1983.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL2393.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL2740.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL2752.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL2755.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL2906.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL2907.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL2912.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL3192.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL3306.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL3409.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL3479.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL3507.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL3606.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\MOLITWI~WRL3878.tmp C:\Documents and Settings\Banaszynski\Moje dokumenty\Wladycy~WRL2825.tmp C:\WINDOWS\LastGood.Tmp\INF\oem0.inf C:\WINDOWS\LastGood.Tmp\INF\oem0.PNF Finished

Złączono Posta : 17.07.2007 (Wto) 18:26

“Banaszynski” - 2007-07-17 18:23:14 - ComboFix 07-07-14.6 - Dodatek Service Pack. 1 NTFS ((((((((((((((((((((((((( Files Created from 2007-06-17 to 2007-07-17 ))))))))))))))))))))))))))))))) 2007-07-17 18:10 2007-07-17 18:01 2007-07-17 15:32 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-17 15:27 2007-07-17 15:14 4,540 --a------ C:\WINDOWS\system32\tmp.reg 2007-07-17 12:02 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-17 16:22:06 -------- d-----w C:\Program Files\Common Files\Symantec Shared 2007-07-17 16:17:36 49,828 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-07-17 16:17:36 356,164 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-07-17 11:33:17 -------- d-----w C:\Program Files\SkanerOnline 2007-07-16 22:51:06 -------- d-----w C:\DOCUME~1\BANASZ~1\DANEAP~1\Skype 2007-07-12 05:04:39 -------- d-----w C:\DOCUME~1\BANASZ~1\DANEAP~1\Azureus 2007-05-21 10:32:58 -------- d-----w C:\DOCUME~1\BANASZ~1\DANEAP~1\AdobeUM 2004-10-01 14:00:16 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2005-07-25 07:35:15 56 -csh–r C:\WINDOWS\system32\F43FDD1FB4.sys 2005-07-25 07:35:15 10,022 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] 2003-05-12 00:47 50376 --a------ C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{AA58ED58-01DD-4d91-8333-CF10577473F7}] 2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar2.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}] 2007-06-12 00:22 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{BDF3E430-B101-42AD-A544-FADC6B084872}] 2002-11-15 00:09 112248 --a------ D:\Program Files\Norton AntiVirus\NavShExt.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “nwiz”=“nwiz.exe” [2003-11-17 10:33 C:\WINDOWS\system32\nwiz.exe] “Zone Labs Client”=“C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe” [2003-12-15 14:57] “REGSHAVE”=“C:\Program Files\REGSHAVE\REGSHAVE.exe” [2002-02-04 22:32] “HP Component Manager”=“C:\Program Files\HP\hpcoretech\hpcmpmgr.exe” [2003-12-22 09:38] “SSC_UserPrompt”=“C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe” [2004-11-02 16:59] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe” [2005-03-04 03:36] “SpeedTouch USB Diagnostics”=“C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe” [2002-06-06 11:15] “ccApp”=“C:\Program Files\Common Files\Symantec Shared\ccApp.exe” [2002-08-19 22:22] “ccRegVfy”=“C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe” [2002-08-19 22:23] “Advanced Tools Check”=“D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE” [2002-08-26 22:35] “Symantec NetDriver Monitor”=“C:\PROGRA~1\SYMNET~1\SNDMon.exe” [2005-10-06 10:23] “Dimension4”=“D:\Program Files\D4\D4.exe” [2004-02-04 01:26] “ServiceLayer”=“C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe” [2002-10-16 09:43] “Nokia Tray Application”=“C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe” [2002-10-22 09:52] “iTunesHelper”=“D:\Program Files\iTunes\iTunesHelper.exe” [2006-09-25 14:54] “RemoteControl”=“d:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” [2004-11-02 20:24] “LGODDFU”=“d:\Program Files\lg_fwupdate\fwupdate.exe” [2006-02-20 11:40] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-11-15 16:18] “Steam”="" [] “VoipCheapCom”=“C:\program files\voipcheapcom\voipcheapcom.exe” [] “Gadu-Gadu”=“D:\Program Files\Gadu-Gadu\gg.exe” [2007-01-30 16:58] “swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-06-12 00:22] Contents of the ‘Scheduled Tasks’ folder 2007-07-16 20:09:12 C:\WINDOWS\tasks\Symantec NetDetect.job ************************************************************************** catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-17 18:24:34 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-07-17 18:25:13 C:\ComboFix-quarantined-files.txt … 2007-07-17 18:24 — E O F —

Nowy Log z ComboFixa

narazie sie jeszcze nie zrestartowal

Prosze o podanie mi na PW adresów korespondencyjnych Panów: Kuba1 i Gutek2222 , wysyłam browary

DZIEKUJE PANOM

Kuba11 · 17 Lipiec 2007 16:57

Log z Combo jest czysty.

Tzn, że to nie był ster od BT

Tylko syf.

Opróżnij kosz.

Przeskanuj ten plik na http://www.virustotal.com ,chodz nie wiem czy to bedzie miarodajne :? i wklej raport.

ironbutt · 17 Lipiec 2007 17:49

spoko, nic w nim nie znalazl.

i wszystko narazie chodzi jak malynka

Złączono Posta : 17.07.2007 (Wto) 19:52

jak sobie sledzilem te logi pierwsze i przeczytalem o ostatnoi stworzonych plikach

to juz potem wiedzialem ze to nie stery do BT bo stery do niego insatlowalem z rok temu

Kuba dziekufka wielka dla Ciebie i Gutka … uratowaliscie mi dupe przed stawianiem nowego XP …

Kuba11 · 17 Lipiec 2007 17:59

To wiedziałem, ze jest syfem.

Tu mój błąd nie zwróciłem uwagi ze weszło w tym samym czasie co syf :-x

Ogólnie ten plik uważam za czysty,wszedł wtedy kiedy podobny sterownik od Divx.

ironbutt · 17 Lipiec 2007 18:08

ogólnie to niezle zakrzaczony mam ten system … i przydalby sie jakis reinstal ale duzo roboty a czasu malo

Monczkin · 17 Lipiec 2007 18:14

ironbutt byleś proszony o coś. Popraw posty z logami. Za chwilę temat wyleci.

Gutek · 17 Lipiec 2007 21:30

Daj nowy log do kontroli z Combo