bardzo prosze o sprawdzenie

[TRUNKS]

Witam

Ostatnimi czasy (3 ostatnie dni) miałem problemy z vundo.trojan'em. Usunolem go po wielkich trudach (jako że w tej kwestii jestem noobem) programem VirtumundoBeGone i zrobiłem format dla pewnosci, że na dysku będzie czysto. Jak narazie wszystko jest ok i nic sie nie dzieje ale prosze o sprawdzenie logów z programu ComboFix:

Kod: Zaznacz wszystko

ComboFix 07-11-08.1 - Matthew 2007-11-15 19:59:41.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.697 [GMT 1:00]
Running from: C:\Documents and Settings\Matthew\Pulpit\ComboFix.exe
* Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2007-10-15 to 2007-11-15  )))))))))))))))))))))))))))))))
.

2007-11-15 19:59   51,200   --a------   C:\WINNT\NirCmd.exe
2007-11-15 19:53   <DIR>   d--------   C:\Program Files\Last.fm
2007-11-15 19:53   <DIR>   d--------   C:\Documents and Settings\All Users\Dane aplikacji\Last.fm
2007-11-15 19:47   <DIR>   d--------   C:\Program Files\foobar2000
2007-11-15 19:47   <DIR>   d--------   C:\Documents and Settings\Matthew\Dane aplikacji\foobar2000
2007-11-15 19:40   <DIR>   d--------   C:\Documents and Settings\Matthew\Dane aplikacji\Creative
2007-11-15 19:39   41,984   ---------   C:\WINNT\Ctregrun.exe
2007-11-15 19:37   44,032   ---------   C:\WINNT\system32\CTSVCCDA.EXE
2007-11-15 19:37   25,088   ---------   C:\WINNT\system32\CTSVCCTL.EXE
2007-11-15 19:34   <DIR>   d--------   C:\WINNT\system32\Data
2007-11-15 19:34   11,264   --a------   C:\WINNT\INRES.DLL
2007-11-15 19:32   <DIR>   d--------   C:\Program Files\Creative

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 18:59   ---------   d-----w   C:\Program Files\Neostrada TP
2007-11-15 18:38   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-11-15 18:31   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2007-11-15 15:22   ---------   d-----w   C:\Documents and Settings\Matthew\Dane aplikacji\Talkback
2007-11-15 15:08   ---------   d-----w   C:\Program Files\Ashampoo
2007-11-15 15:02   512,096   ----a-w   C:\WINNT\system32\drivers\amon.sys
2007-11-15 15:02   298,104   ----a-w   C:\WINNT\system32\imon.dll
2007-11-15 15:02   15,424   ----a-w   C:\WINNT\system32\drivers\nod32drv.sys
2007-11-15 15:01   ---------   d-----w   C:\Documents and Settings\Matthew\Dane aplikacji\Tlen.pl
2007-11-15 15:00   ---------   d-----w   C:\Program Files\Tlen.pl
2007-11-15 14:55   23   ----a-w   C:\WINNT\system32\drivers\adidsl.cfg
2007-11-15 14:55   ---------   d-----w   C:\Program Files\SAGEM
2007-11-15 14:55   ---------   d-----w   C:\Program Files\Java
2007-11-15 14:49   ---------   d-----w   C:\Program Files\Usługi online
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 18:07]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 18:07]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 18:07]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-11-15 16:02]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [2006-08-11 14:43]
"nwiz"="nwiz.exe" [2006-08-11 14:43 C:\WINNT\system32\nwiz.exe]
"NvMediaCenter"="C:\WINNT\system32\NvMcTray.dll" [2006-08-11 14:43]
"Ashampoo FireWall"="C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" [2007-04-05 14:57]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10]
"P17Helper"="P17.dll" [2005-05-03 12:38 C:\WINNT\system32\P17.dll]
"UpdReg"="C:\WINNT\UpdReg.EXE" [2000-05-11 01:00]
"CTRegRun"="C:\WINNT\CTRegRun.EXE" [1999-10-11 02:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:44]
"Komunikator"="C:\Program Files\Tlen.pl\tlen.exe" [2007-11-07 15:33]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" [2004-11-30 11:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-11-15 15:55:42]

R3 P17;Sound Blaster Audigy;C:\WINNT\system32\drivers\P17.sys

*Newly Created Service* - CATCHME
*Newly Created Service* - UMWDF
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 20:00:19
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-15 20:00:34
.
   --- E O F ---


[Dzi@dek]

Pokaż jeszcze HJ.

[TRUNKS]

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:21:19, on 2007-11-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\wscntfy.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINNT\system32\Rundll32.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe
C:\PROGRA~1\NEOSTR~1\ComComp.exe
C:\PROGRA~1\NEOSTR~1\Watch.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINNT\CTRegRun.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{183B0C4E-86DE-41FA-8E4C-5D69EC96F566}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{183B0C4E-86DE-41FA-8E4C-5D69EC96F566}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

--
End of file - 4779 bytes


Prosze

[Dzi@dek]

Czysto.

Autor postu otrzymał pochwałę

[TRUNKS]

Dzięki wielkie nawet nie wiesz jak odetchnołem z ulgą. Ostatnie 3 dni nic tylko mordęga z vundo