Złpałem Adware.Virtumonde

Yaris2709 · 15 Kwiecień 2007 20:07

złapałem brzydkiego trojana, jak go usunąć.

to są logi z hijackthis, pojawia się też próba połączenia z jakąś stroną ale NOD32 go blokuje i rozłącza, to jest Spy.VBStat.J

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 21:59:30, on 2007-04-15

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\usr\MYSQL\bin\mysqld.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\carpserv.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\VIAudioi\SBADeck\ADeck.exe

D:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Kalendarz XP\Kalendarz.exe

C:\Program Files\Mozilla Firefox\firefox.exe

D:\Download\HiJackThis_v2\HiJackThis_v2.exe


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.piotrkow.net.pl:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F2 - REG:system.ini: Shell=explorer.exe 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {287FF496-118D-4455-A33C-3E8C8BAF1477} - C:\WINDOWS\system32\rqronnk.dll

O2 - BHO: (no name) - {30814D14-F676-4AF3-8E1A-16444E710BB7} - C:\WINDOWS\system32\tkjbkgwp.dll

O2 - BHO: (no name) - {3B05702E-4DD8-4913-BB11-3C81C1D78A40} - C:\WINDOWS\system32\mljjk.dll (file missing)

O2 - BHO: (no name) - {42E2538F-578B-45CA-ABD1-D08D1FDC9F7A} - C:\WINDOWS\system32\vturr.dll (file missing)

O2 - BHO: (no name) - {5848A170-DB4A-4D7D-AF6A-E755395CEA1B} - C:\WINDOWS\system32\pmnlk.dll (file missing)

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\ytusfpgb.dll (file missing)

O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll

O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Pobierz przez Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html

O8 - Extra context menu item: Pobierz wszystko przez Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html

O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Program Files\Zend\ZendStudio-5.2.0\bin\ZendIEToolbar.dll/DebugCurrent.html

O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Program Files\Zend\ZendStudio-5.2.0\bin\ZendIEToolbar.dll/DebugNext.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL

O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://*.mks.com.pl

O16 - DPF: ING Bank Online - https://ssl.bsk.com.pl/bskonl/component/INGOnl.cab

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099666990515

O20 - Winlogon Notify: rqronnk - C:\WINDOWS\SYSTEM32\rqronnk.dll

O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: MySql - Unknown owner - c:\usr/MYSQL/bin/mysqld.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


--

End of file - 7595 bytes

Złączono Posta : 15.04.2007 (Nie) 22:13

serwer z którym próbuje się połaczyć ma adres http://82.98.235.61/ms_s_2.dll?uid=0B2341E6EB4F11DB9C62003048895BFC&guid=f4b5e4cf+A5A3A20360384759A1E7959D8C8C8FFD Win32/Spy.VBStat.J trojan Połączenie zostało przerwane to jest wpis z NOD32

adam9870 · 15 Kwiecień 2007 20:32

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:

C:\WINDOWS\system32\rqronnk.dll

C:\WINDOWS\system32\tkjbkgwp.dll

Po wklejeniu każdej ścieżki z osobna kliknij na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgódź się na restart. Jeśli po wklejeniu którejś ze ścieżek pojawi się jakiś błąd, nie przejmuj się nim tylko przejdź do wykonywania dalszych czynności.

F2 - REG:system.ini: Shell=explorer.exe O2 - BHO: (no name) - {287FF496-118D-4455-A33C-3E8C8BAF1477} - C:\WINDOWS\system32\rqronnk.dll O2 - BHO: (no name) - {30814D14-F676-4AF3-8E1A-16444E710BB7} - C:\WINDOWS\system32\tkjbkgwp.dll O2 - BHO: (no name) - {3B05702E-4DD8-4913-BB11-3C81C1D78A40} - C:\WINDOWS\system32\mljjk.dll (file missing) O2 - BHO: (no name) - {42E2538F-578B-45CA-ABD1-D08D1FDC9F7A} - C:\WINDOWS\system32\vturr.dll (file missing) O2 - BHO: (no name) - {5848A170-DB4A-4D7D-AF6A-E755395CEA1B} - C:\WINDOWS\system32\pmnlk.dll (file missing) O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\ytusfpgb.dll (file missing) O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp (file missing) O20 - Winlogon Notify: rqronnk - C:\WINDOWS\SYSTEM32\rqronnk.dll

Usuń wpisy HJT.

Użyj VundoFix + FixVundo + VirtumundoBeGone. Wszystkie narzędzia należy uruchomić w trybie awaryjnym.

Po wykonaniu pokaż nowy log z hjt, SilentRunners + log numer 1 z L2Mfix.

Yaris2709 · 15 Kwiecień 2007 20:54

które są u nie wpisy HJT?

Gutek · 15 Kwiecień 2007 21:12

F2 - REG:system.ini: Shell=explorer.exe O2 - BHO: (no name) - {287FF496-118D-4455-A33C-3E8C8BAF1477} - C:\WINDOWS\system32\rqronnk.dll O2 - BHO: (no name) - {30814D14-F676-4AF3-8E1A-16444E710BB7} - C:\WINDOWS\system32\tkjbkgwp.dll O2 - BHO: (no name) - {3B05702E-4DD8-4913-BB11-3C81C1D78A40} - C:\WINDOWS\system32\mljjk.dll (file missing) O2 - BHO: (no name) - {42E2538F-578B-45CA-ABD1-D08D1FDC9F7A} - C:\WINDOWS\system32\vturr.dll (file missing) O2 - BHO: (no name) - {5848A170-DB4A-4D7D-AF6A-E755395CEA1B} - C:\WINDOWS\system32\pmnlk.dll (file missing) O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\ytusfpgb.dll (file missing) O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp (file missing) O20 - Winlogon Notify: rqronnk - C:\WINDOWS\SYSTEM32\rqronnk.dll

Zaznaczyć wskazane wpisy w Hijacku i kliknąć Fix checked. Później zrób to o co poprosił adam

Yaris2709 · 15 Kwiecień 2007 21:30

ok tak, też zrobiłem, teraz chodzi VundoFix

Złączono Posta : 16.04.2007 (Pon) 20:31

czy może ktoś teraz sprawdzić loga

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 20:28:45, on 2007-04-16

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\usr\MYSQL\bin\mysqld.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe

C:\Program Files\SpywareDetector\SDService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\carpserv.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\VIAudioi\SBADeck\ADeck.exe

D:\Program Files\QuickTime\qttask.exe

C:\Program Files\SpywareDetector\SDSystemTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Kalendarz XP\Kalendarz.exe

C:\WINDOWS\system32\wuauclt.exe

D:\Download\HiJackThis_v2\HiJackThis_v2.exe


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.piotrkow.net.pl:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO

O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Pobierz przez Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html

O8 - Extra context menu item: Pobierz wszystko przez Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html

O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Program Files\Zend\ZendStudio-5.2.0\bin\ZendIEToolbar.dll/DebugCurrent.html

O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Program Files\Zend\ZendStudio-5.2.0\bin\ZendIEToolbar.dll/DebugNext.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)

O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL

O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: ING Bank Online - https://ssl.bsk.com.pl/bskonl/component/INGOnl.cab

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099666990515

O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: MySql - Unknown owner - c:\usr/MYSQL/bin/mysqld.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe


--

End of file - 6781 bytes

Gutek · 31 Maj 2007 20:33

Daj log z Combofix

Yaris2709 · 1 Czerwiec 2007 17:20

oto log z combofix

“AREK” - 2007-06-01 19:15:42 Dodatek Service Pack 2 ComboFix 07-05.27.BV - Running from: “D:\Download” ADS removed - svchost.exe: deleted 0 bytes in 1 streams. (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) “C:\WINDOWS\system32\oledb32.dll” “C:\WINDOWS\system32\taskmgr.com” “C:\WINDOWS\regedit.com” ((((((((((((((((((((((((((((((( Files Created from 2007-05-01 to 2007-06-01 )))))))))))))))))))))))))))))))))) 2007-05-26 23:32 2007-05-26 23:28 2007-05-26 07:23 2,560 --a------ C:\WINDOWS_MSRSTRT.EXE 2007-05-24 19:06 2007-05-24 19:05 2007-05-22 21:36 1,048,576 --ah----- C:\DOCUME~1\Ania\NTUSER.DAT 2007-05-22 21:36 2007-05-22 21:36 2007-05-22 21:36 2007-05-22 21:36 2007-05-22 21:36 2007-05-22 21:36 2007-05-22 21:36 2007-05-17 21:46 2007-05-17 21:37 2007-05-17 21:28 2007-05-17 21:27 2007-05-17 21:17 2007-05-02 22:21 2007-05-02 22:15 36,624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys 2007-05-02 22:15 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys 2007-05-02 22:15 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys 2007-05-02 22:15 129,784 --------- C:\WINDOWS\system32\pxafs.dll 2007-05-02 22:15 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe 2007-05-02 22:15 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe 2007-05-02 22:06 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-01 17:13:17 -------- d-----w C:\Program Files\Mozilla Thunderbird 2007-05-31 19:18:21 -------- d-----w C:\Program Files\Kalendarz XP 2007-05-30 10:26:45 -------- d-----w C:\DOCUME~1\AREK\DANEAP~1\Skype 2007-05-29 21:31:59 -------- d-----w C:\Program Files\FTP Commander 2007-05-29 18:58:32 -------- d-----w C:\DOCUME~1\AREK\DANEAP~1\HateML 2007-05-26 21:31:04 -------- d-----w C:\Program Files\GIMP-2.0 2007-05-26 05:23:03 2,560 ----a-w C:\WINDOWS_MSRSTRT.EXE 2007-05-26 05:21:16 -------- d-----w C:\Program Files\Common Files\Agnitum Shared 2007-05-24 19:35:23 -------- d-----w C:\DOCUME~1\AREK\DANEAP~1\Vso 2007-05-19 14:12:21 -------- d-----w C:\Program Files\Odkurzacz 2007-05-18 19:19:42 -------- d-----w C:\Program Files\The Bat! 2007-05-16 19:31:32 -------- d-----w C:\Program Files\DivX 2007-05-07 20:18:57 -------- d-----w C:\Program Files\KoolMoves Ekspert V3.60.2 2007-04-29 19:14:33 -------- d-----w C:\Program Files\Spyware Doctor 2007-04-29 10:10:35 -------- d-----w C:\Program Files\ffdshow 2007-04-29 07:31:51 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-04-26 21:58:19 83,536 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys 2007-04-26 21:57:59 59,984 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys 2007-04-26 21:55:39 26,064 ----a-w C:\WINDOWS\system32\drivers\kcom.sys 2007-04-26 21:55:23 52,304 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys 2007-04-26 21:55:20 39,248 ----a-w C:\WINDOWS\system32\drivers\ikfileflt.sys 2007-04-26 21:52:57 -------- d-----w C:\DOCUME~1\AREK\DANEAP~1\PC Tools 2007-04-26 19:25:07 -------- d-----w C:\Program Files\SkanerOnline 2007-04-24 17:48:28 -------- d–h--w C:\Program Files\InstallShield Installation Information 2007-04-24 05:56:36 10,752 ----a-w C:\WINDOWS\system32\ff_vfw.dll 2007-04-24 05:15:22 60,273 ----a-w C:\WINDOWS\system32\pthreadGC2.dll 2007-04-18 16:14:32 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-14 19:53:21 -------- d-----w C:\Program Files\PRO100 2007-04-12 21:38:04 -------- d-----w C:\DOCUME~1\AREK\DANEAP~1\MySQL 2007-04-11 13:23:36 1,011,712 ----a-w C:\WINDOWS\system32\VchReg.dll 2007-04-01 18:26:06 -------- d-----w C:\DOCUME~1\AREK\DANEAP~1\Ripit4me 2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe 2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll 2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll 2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll 2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll 2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll 2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll 2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll 2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll 2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll 2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll 2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll 2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll 2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll 2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll 2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll 2007-03-25 09:52:19 56,712 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-03-25 09:52:19 374,702 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-03-22 19:42:32 10,935 ----a-w C:\WINDOWS\mozver.dat 2007-03-17 13:45:36 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll 2007-03-16 22:04:59 13 ----a-w C:\DOCUME~1\AREK\DANEAP~1\tidy_cfg.dat 2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll 2007-03-08 15:38:47 579,072 ----a-w C:\WINDOWS\system32\user32.dll 2007-03-08 15:38:47 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll 2007-03-08 15:38:47 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll 2007-03-08 15:37:33 1,843,840 ----a-w C:\WINDOWS\system32\win32k.sys 2006-11-24 21:03:16 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys 2005-10-23 19:02:51 56 --sh–r C:\WINDOWS\system32\1C838C96E8.sys (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “nwiz”=“nwiz.exe” [2003-07-28 14:19 C:\WINDOWS\system32\nwiz.exe] “CARPService”=“carpserv.exe” [2002-11-19 13:17 C:\WINDOWS\system32\carpserv.exe] “HPHUPD05”=“C:\Program Files\Hewlett-Packard{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe” [2004-04-01 16:51] “HP Component Manager”=“C:\Program Files\HP\hpcoretech\hpcmpmgr.exe” [2003-12-22 09:38] “HP Software Update”=“C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe” [2004-09-13 16:49] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe” [2006-12-15 03:23] “nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2006-01-02 21:39] “AudioDeck”=“C:\Program Files\VIAudioi\SBADeck\ADeck.exe” [2005-04-08 13:00] “QuickTime Task”=“D:\Program Files\QuickTime\qttask.exe” [2006-06-03 22:54] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 01:44] “BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe” [2005-10-28 16:25] “Odkurzacz-MCD”=“C:\Program Files\Odkurzacz\odk_mcd.exe” [2006-08-03 00:46] “NvMediaCenter”=“C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit” [] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice] HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs* Contents of the ‘Scheduled Tasks’ folder 2007-05-31 18:36:01 C:\WINDOWS\tasks\HP Usg Daily.job ******************************************************************** catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-01 19:18:29 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ******************************************************************** Completion time: 2007-06-01 19:19:22 C:\ComboFix-quarantined-files.txt … 2007-06-01 19:19 — E O F —

Złączono Posta : 01.06.2007 (Pią) 19:22

i jeszcze coś takiego

2000-06-08 17:00 483600 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\OLEDB32.DLL.vir

2004-08-04 01:44 139776 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\TASKMGR.COM.vir

2004-08-04 01:44 149504 --a------ C:\Qoobox\Quarantine\C\WINDOWS\REGEDIT.COM.vir



Zmienna PATH folderu dla woluminu Instalki

Numer seryjny woluminu: F4B5-E4CF

C:\QOOBOX

\---Quarantine

    +---C

    | \---WINDOWS

    | | REGEDIT.COM.vir

    | |   

    | \---system32

    | OLEDB32.DLL.vir

    | TASKMGR.COM.vir

    |               

    \---Registry_backups

Gutek · 1 Czerwiec 2007 23:54

Już powinno być Ok