[log] proszę o sprawdzenie, avast wyłapuje mi trojana

**Posty:** 13 · przez **michau** 10 Sie 2007, 16:31

ochrona rezydentalna avasta wyłapuje mi trojana w c:\windows\system32\ddabxxv.ddl czasami inne praktycznie przy co drugim uruchomieniu firefoxa.

Log z Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 16:20:08, on 2007-08-10
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Updater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\D-Link\AirPlusG+\AirPlus.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\michau\Dane aplikacji\tmp20.tmp.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Programy\hijack199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4959121a-25b8-412d-829e-6fe0e1cb6633} - C:\WINDOWS\system32\fsutput.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmpD5.tmp.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\oponlj.dll",forkonce
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Utility.lnk = ?
O4 - Global Startup: D-Link AirPlus.lnk = ?
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ddabxxv.dll
O20 - Winlogon Notify: fsutput - C:\WINDOWS\SYSTEM32\fsutput.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Proszę o pomoc.

**Posty:** 433 · przez **Pawsonek** 10 Sie 2007, 17:09

ustaw w avast skanowanie systemu podczas rozruchu i po klopocie zawsze pomaga

wyczysci z najdrobniejszych wirusków kompa...

**Posty:** 13 · przez **michau** 10 Sie 2007, 17:16

skanuje Avastem, usuwam co znajdzie, skanowałem on-line ewido.com oraz mks_vir. Wywaliłem co znalazłem, ale po jakimś czasie avast znowu informuje mnie o wirusie Win32:conhool-BS.
W logu z Hijacka nic podejrzanego nie widać?

**Posty:** 671 · przez **oklahoma** 10 Sie 2007, 17:20

michau napisał(a):ochrona rezydentalna avasta wyłapuje mi trojana w c:\windows\system32\ddabxxv.ddl

michau napisał(a):O20 - AppInit_DLLs: c:\windows\system32\ddabxxv.dll

Nic nie rób tylko czekaj az ktos kto sie zna na logach ci odpowie

**Posty:** 18165 · przez **wojtas** 10 Sie 2007, 18:12

zastosuj:

smitfraudfix z opcji 2:

http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

oraz te skanery po kilka razy

VundoFix
http://www.atribune.org/ccount/click.php?id=4

VirtumundoBeGone
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

FixVundo
http://securityresponse.symantec.com/avcenter/FixVundo.exe

**Posty:** 13 · przez **michau** 10 Sie 2007, 18:54

Dzięki za pomoc. Zrobiłem jak pisałeś i system wydaje się czysty. Czy mam dać loga z hijacka do sprawdzenia?

**Posty:** 3854 · przez **Dzi@dek** 10 Sie 2007, 19:19

michau napisał(a):Czy mam dać loga z hijacka do sprawdzenia?

Poprosimy.

**Posty:** 13 · przez **michau** 10 Sie 2007, 21:11

Logfile of HijackThis v1.99.1
Scan saved at 21:06:19, on 2007-08-10
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Updater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\D-Link\AirPlusG+\AirPlus.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
D:\Programy\hijack199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Utility.lnk = ?
O4 - Global Startup: D-Link AirPlus.lnk = ?
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ddabxxv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

**Posty:** 18165 · przez **wojtas** 10 Sie 2007, 21:42

Pobierz i uruchom narzędzie
The Avenger
Zaznacz opcję Input script manually i kliknij na Lupkę z prawej strony. W okienku, które się otworzy wklejasz:

Drivers to unload:

DomainService

Files to delete:

C:\WINDOWS\system32\qwerty12.exe
c:\windows\system32\ddabxxv.dll
C:\WINDOWS\WebAssist.dll
C:\Updater.exe

Klikasz Done, a następnie zielone światełko i zgadzasz się na restart klikając OK.
Po restarcie w HijackThis usuwasz wpis/y

O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O20 - AppInit_DLLs: c:\windows\system32\ddabxxv.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe (file missing)

Kasujesz ręcznie z dysku plik: C:\Avenger\backup.zip i wklejasz na forum raport: C:\avenger.txt + log z hijacka oraz z combofixa

**Posty:** 13 · przez **michau** 10 Sie 2007, 22:05

Raport avenger.txt

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tirfufhj

*******************

Script file located at: \??\C:\WINDOWS\adqwbrce.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver DomainService unloaded successfully.

File C:\WINDOWS\system32\qwerty12.exe not found!
Deletion of file C:\WINDOWS\system32\qwerty12.exe failed!

Could not process line:
C:\WINDOWS\system32\qwerty12.exe
Status: 0xc0000034

File c:\windows\system32\ddabxxv.dll not found!
Deletion of file c:\windows\system32\ddabxxv.dll failed!

Could not process line:
c:\windows\system32\ddabxxv.dll
Status: 0xc0000034

File C:\WINDOWS\WebAssist.dll deleted successfully.
File C:\Updater.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Log z Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 21:58:33, on 2007-08-10
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\D-Link\AirPlusG+\AirPlus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Programy\hijack199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Utility.lnk = ?
O4 - Global Startup: D-Link AirPlus.lnk = ?
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Log z Combofix

ComboFix 07-08-09.3 - "michau" 2007-08-10 21:59:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.231 [GMT 2:00]
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\michau\DANEAP~1\tmp1EF.tmp.exe
C:\DOCUME~1\michau\DANEAP~1\tmp1F0.tmp.exe
C:\DOCUME~1\michau\DANEAP~1\tmp1F1.tmp.exe
C:\DOCUME~1\michau\DANEAP~1\tmp20.tmp.exe
C:\DOCUME~1\michau\DANEAP~1\tmp3.tmp.exe
C:\DOCUME~1\michau\DANEAP~1\tmp4.tmp.exe
C:\DOCUME~1\michau\DANEAP~1\tmpBA.tmp.exe
C:\DOCUME~1\michau\DANEAP~1\tmpD3.tmp.exe
C:\DOCUME~1\michau\DANEAP~1\tmpD4.tmp.exe
C:\DOCUME~1\michau\DANEAP~1\tmpD5.tmp.exe
C:\WINDOWS\system32\dne8349f91.dat
C:\WINDOWS\system32\tmp1F1.tmp.dll
C:\WINDOWS\system32\tmpBA.tmp.dll

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 )))))))))))))))))))))))))))))))

2007-08-10 21:59 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 18:36 <DIR> d-------- C:\VundoFix Backups
2007-08-10 18:14 2,770 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-10 10:36 <DIR> d-------- C:\Program Files\SkanerOnline
2007-08-06 11:08 25,152 --a------ C:\WINDOWS\system32\37hiMrLM.exe
2007-08-02 19:37 <DIR> d-------- C:\Hooligans
2007-08-02 19:20 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-02 19:19 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-08-02 19:12 278,528 --a------ C:\WINDOWS\system32\iFPSP.dll
2007-08-02 19:12 14,531 --a------ C:\WINDOWS\system32\drivers\N10.SYS
2007-08-02 19:12 14,531 --a------ C:\WINDOWS\system32\drivers\ifpusb.sys
2007-08-02 19:12 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp900.sys
2007-08-02 19:12 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp800.sys
2007-08-02 19:12 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp700.sys
2007-08-02 19:12 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp500.sys
2007-08-02 19:12 14,531 --a------ C:\WINDOWS\system32\drivers\ifp300.sys
2007-08-02 19:12 14,531 --a------ C:\WINDOWS\system32\drivers\Ifp1000.sys
2007-08-02 19:12 <DIR> d-------- C:\Program Files\iriver
2007-07-26 22:36 <DIR> d-------- C:\Program Files\Porta
2007-07-24 19:18 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2007-07-24 19:18 638,976 --a------ C:\WINDOWS\system32\divx.dll
2007-07-24 19:18 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-07-24 19:18 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-07-24 19:18 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-07-24 19:18 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-07-24 19:18 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2007-07-24 19:18 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-07-24 19:18 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-07-24 19:18 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-07-24 19:18 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-07-24 19:18 <DIR> d-------- C:\Program Files\AVSMedia
2007-07-23 11:51 <DIR> d-------- C:\DOCUME~1\michau\DANEAP~1\WinRAR
2007-07-18 12:46 <DIR> d---s---- C:\DOCUME~1\michau\UserData
2007-07-10 23:10 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-07-10 23:10 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-07-10 23:10 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-07-10 23:10 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 16:29 --------- d-------- C:\DOCUME~1\michau\DANEAP~1\Skype
2007-08-09 14:19 --------- d-------- C:\DOCUME~1\michau\DANEAP~1\foobar2000
2007-08-02 19:12 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-28 00:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-28 00:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-28 00:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-28 00:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 23:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 23:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 23:57 95608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-07-12 09:17 49910 --a------ C:\WINDOWS\system32\perfc015.dat
2007-07-12 09:17 356068 --a------ C:\WINDOWS\system32\perfh015.dat
2007-06-19 21:07 --------- d-------- C:\DOCUME~1\michau\DANEAP~1\Help
2007-06-15 10:01 --------- d-------- C:\DOCUME~1\michau\DANEAP~1\Real
2007-06-15 09:59 --------- d-------- C:\Program Files\Real
2007-06-15 09:59 --------- d-------- C:\Program Files\Common Files\xing shared
2007-06-15 09:59 --------- d-------- C:\Program Files\Common Files\Real
2007-06-15 09:54 --------- d-------- C:\Program Files\Real Alternative
2007-06-11 23:25 1809 --a------ C:\WINDOWS\mozver.dat
2007-05-23 16:27 1726 --a------ C:\WINDOWS\ndinst.exe
2007-05-23 16:03 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-23 00:20 0 -rahs---- C:\MSDOS.SYS
2007-05-23 00:20 0 -rahs---- C:\IO.SYS
2007-05-23 00:20 0 --a------ C:\CONFIG.SYS
2007-05-23 00:20 0 --a------ C:\AUTOEXEC.BAT
2007-05-23 00:17 21856 --a------ C:\WINDOWS\system32\emptyregdb.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 18:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 16:02]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 11:20 C:\WINDOWS\AGRSMMSG.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 12:41]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-30 11:58]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-30 11:55]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-30 11:59]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 00:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-15 09:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
D-Link AirPlus G+ Wireless Utility.lnk - C:\D-Link\AirPlusG+\AirPlus.exe [2007-05-23 18:29:16]
D-Link AirPlus.lnk - C:\Program Files\D-Link AirPlus\AirPlus.exe [2007-05-23 14:08:43]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

R1 WmiAcpi;Interfejs zarządzania Microsoft Windows dla ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys
R3 TNET1130;D-Link AirPlus G+ Wireless Adapter;C:\WINDOWS\system32\DRIVERS\GPLUS.sys

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-10 22:02:02
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-10 22:03:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-10 22:02

--- E O F ---

**Posty:** 18165 · przez **wojtas** 10 Sie 2007, 22:16

skasuj ten plik i bedzie czysto:

C:\WINDOWS\system32\37hiMrLM.exe

Autor postu otrzymał pochwałę

**Posty:** 13 · przez **michau** 10 Sie 2007, 22:20

uff

Wojtas19162 - Serdeczne dzięki za pomoc!

Jak mogę Ci zgłosić pochwałę?

**Posty:** 3854 · przez **Dzi@dek** 10 Sie 2007, 22:46

michau napisał(a):Jak mogę Ci zgłosić pochwałę

zielony plus przy jego poscie w prawym górnym rogu.

**Posty:** 13 · przez **michau** 10 Sie 2007, 23:24

dzięki

[log] proszę o sprawdzenie, avast wyłapuje mi trojana

[log] proszę o sprawdzenie, avast wyłapuje mi trojana

Kto jest na forum