
wojtas wrote: Do what is given in this topic.
Use SDFix. After downloading it, run it and it will unpack to C:\SDFix. Start the computer in Safe Mode (F8 at system startup). While in Safe Mode, run the RunThis.bat file from the SDFix folder. Confirm the cleaning with Y. Wait until it finishes and the computer reboots.
Then go to the C:\SDFix folder and paste the contents of the Report.txt file + the log from ComboFix and from HijackThis.
SDFix:
SDFix: Version 1.133
Run by Administrator on 2008-01-30 at 21:31
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 21:35:50
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite"
"h0"=dword:00000000
"khjeh"=hex:10,57,ef,d9,0c,83,34,bf,67,c6,b7,36,c5,8e,7c,fd,96,35,bd,0d,cd,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,6e,96,28,01,07,da,d3,15,1a,68,52,89,4e,43,70,d5,80,..
"khjeh"=hex:59,65,02,5f,d2,55,4f,59,f8,26,0d,36,a9,ba,f1,23,3d,11,e9,eb,77,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:df,54,77,05,77,ed,3d,bb,81,65,3c,35,db,13,4d,94,77,20,11,53,ff,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:75,be,ab,9a,e8,70,4b,2c,ee,64,cd,28,ff,bc,08,8a,04,2a,1a,fb,53,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite"
"h0"=dword:00000000
"khjeh"=hex:10,57,ef,d9,0c,83,34,bf,67,c6,b7,36,c5,8e,7c,fd,96,35,bd,0d,cd,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,6e,96,28,01,07,da,d3,15,1a,68,52,89,4e,43,70,d5,80,..
"khjeh"=hex:59,65,02,5f,d2,55,4f,59,f8,26,0d,36,a9,ba,f1,23,3d,11,e9,eb,77,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:df,54,77,05,77,ed,3d,bb,81,65,3c,35,db,13,4d,94,77,20,11,53,ff,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:75,be,ab,9a,e8,70,4b,2c,ee,64,cd,28,ff,bc,08,8a,04,2a,1a,fb,53,..
scanning hidden registry entries ...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Documents and Settings\\Admin\\Pulpit\\AppelMos 8.0\\AppelMos.exe"="C:\\Documents and Settings\\Admin\\Pulpit\\AppelMos 8.0\\AppelMos.exe:*:Enabled:AppelMos"
"C:\\Program Files\\Counter-Strike 1.6\\hl.exe"="C:\\Program Files\\Counter-Strike 1.6\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe"="C:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe:*:Enabled:Speed"
"C:\\Documents and Settings\\Admin\\Pulpit\\nfsu_lan.0.9.9\\nfsuserver.0.9.9.exe"="C:\\Documents and Settings\\Admin\\Pulpit\\nfsu_lan.0.9.9\\nfsuserver.0.9.9.exe:*:Enabled:nfsuserver.0.9.9"
"C:\\Documents and Settings\\Admin\\Pulpit\\nfsu_lan.0.9.9\\nfsuclient.exe"="C:\\Documents and Settings\\Admin\\Pulpit\\nfsu_lan.0.9.9\\nfsuclient.exe:*:Enabled:nfsuclient"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:Bluetooth Application"
"C:\\WINDOWS\\inf\\isprnt.exe"="C:\\WINDOWS\\inf\\isprnt.exe:*:Enabled:isprnt"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Files with Hidden Attributes:
Tue 25 Dec 2007 9,924,115 A..H. --- "C:\Documents and Settings\Admin\Pulpit\tibia. 7.6\tibia76.exe"
Finished!
Combofix:
ComboFix 08-01-31.1 - Admin 2008-01-30 21:42:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1592 [GMT 1:00]
Running from: C:\Documents and Settings\Admin\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\drivers\services.exe
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.
2008-01-30 21:16 . 2008-01-30 21:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-30 21:16 . 2004-08-04 00:44 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-01-30 21:15 . 2007-12-22 16:27 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-01-30 21:15 . 2007-12-22 16:27 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-01-30 21:15 . 2007-12-22 09:33 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-01-30 21:15 . 2008-01-30 21:31 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-01-30 21:15 . 2007-12-22 16:27 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-01-30 21:15 . 2007-12-22 16:27 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-01-30 21:15 . 2007-12-22 16:27 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-01-30 21:11 . 2008-01-30 21:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-24 14:50 . 2008-01-24 14:50 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-01-24 14:30 . 2008-01-24 14:50 <DIR> d-------- C:\Program Files\Gothic PL
2008-01-19 13:50 . 2008-01-19 13:50 <DIR> d-------- C:\Program Files\Tibia6
2008-01-19 08:29 . 2008-01-19 08:29 <DIR> d-------- C:\Program Files\Tibia4
2008-01-18 18:27 . 2008-01-18 18:27 <DIR> d-------- C:\Program Files\Tibia5
2008-01-18 16:04 . 2008-01-18 16:04 <DIR> d-------- C:\Program Files\OniGames
2008-01-18 15:01 . 2008-01-18 15:01 <DIR> d-------- C:\Documents and Settings\Admin\Dane aplikacji\Media Player Classic
2008-01-18 15:01 . 2008-01-18 15:01 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-18 12:08 . 2008-01-18 12:08 <DIR> d-------- C:\Program Files\Tibia1
2008-01-16 18:44 . 2008-01-16 18:44 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-01-16 18:44 . 2008-01-16 18:44 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Sony Ericsson
2008-01-16 15:09 . 2004-09-21 18:18 148,830 --a------ C:\WINDOWS\system32\drivers\bcbthub.sys
2008-01-12 13:07 . 2008-01-15 15:56 <DIR> d-------- C:\Program Files\Tibia3
2008-01-09 19:18 . 2008-01-12 11:52 <DIR> d-------- C:\Program Files\Tibia2
2008-01-09 19:13 . 2008-01-09 19:17 <DIR> d-------- C:\Program Files\Tibia 2
2008-01-08 19:19 . 2008-01-08 19:19 <DIR> d---s---- C:\Documents and Settings\Admin\UserData
2008-01-03 19:08 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-03 19:08 . 2001-10-26 16:57 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-27 18:41 . 2007-12-27 18:41 <DIR> d-------- C:\Documents and Settings\Admin\Dane aplikacji\AdobeUM
2007-12-27 18:10 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-27 18:04 . 2008-01-09 18:00 13,030 --a------ C:\PDOXUSRS.NET
2007-12-27 18:03 . 2007-12-27 18:03 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
2007-12-27 18:03 . 2001-05-11 00:00 183,808 --a------ C:\WINDOWS\system32\BDEADMIN.CPL
2007-12-27 18:02 . 2007-12-27 18:02 <DIR> d-------- C:\Documents and Settings\Admin\WINDOWS
2007-12-27 18:02 . 1998-02-06 21:37 299,520 --a------ C:\WINDOWS\uninst.exe
2007-12-27 17:59 . 2008-01-09 16:57 2,657 --a------ C:\WINDOWS\system32\config.hsp
2007-12-27 10:48 . 2007-12-27 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\NFS Underground
2007-12-27 10:45 . 2007-12-27 10:45 <DIR> d-------- C:\Program Files\EA GAMES
2007-12-27 10:35 . 2007-12-27 10:36 <DIR> d-------- C:\Program Files\WinRAR2
2007-12-26 20:21 . 2007-12-27 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\WinZip
2007-12-26 13:41 . 2007-12-26 13:41 <DIR> d-------- C:\WINDOWS\nview
2007-12-26 13:41 . 2007-06-29 00:43 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-12-26 13:41 . 2007-12-26 13:44 127,254 --a------ C:\WINDOWS\system32\nvapps.xml
2007-12-26 13:41 . 2007-06-29 00:43 17,463 --a------ C:\WINDOWS\system32\nvdisp.nvu
2007-12-26 12:00 . 2007-12-26 12:00 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-26 12:00 . 2007-12-26 12:00 <DIR> d-------- C:\Documents and Settings\Admin\Dane aplikacji\DAEMON Tools
2007-12-26 11:56 . 2007-12-26 11:56 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-26 10:57 . 2007-12-26 10:57 <DIR> d-------- C:\Program Files\Common Files\DirectX
2007-12-25 10:19 . 2008-01-12 08:41 <DIR> d-------- C:\Program Files\Tibia
2007-12-25 10:19 . 2008-01-26 11:48 <DIR> d-------- C:\Documents and Settings\Admin\Dane aplikacji\Tibia
2007-12-23 17:18 . 2007-12-24 09:12 <DIR> d-------- C:\Program Files\Counter-Strike 1.6
2007-12-23 15:53 . 2007-12-23 15:53 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2007-12-23 15:53 . 2007-12-23 15:53 262,144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-12-23 15:53 . 2007-12-23 15:53 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-12-23 15:53 . 2004-10-25 20:02 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys
2007-12-23 15:53 . 1999-11-02 10:01 6,173 --a------ C:\WINDOWS\system32\drivers\Entech.vxd
2007-12-23 15:53 . 2004-06-22 15:44 5,632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys
2007-12-23 15:53 . 2001-11-19 19:05 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2007-12-23 15:52 . 2007-12-23 15:52 <DIR> d-------- C:\Program Files\Futuremark
2007-12-23 10:11 . 2008-01-26 09:48 <DIR> d-------- C:\Program Files\No-IP
2007-12-23 09:55 . 2007-12-24 12:27 <DIR> d-------- C:\Program Files\Asprate
2007-12-23 08:17 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-23 08:17 . 2001-08-17 22:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-12-22 16:29 . 2004-08-04 00:44 77,312 --a------ C:\WINDOWS\system32\usbui.dll
2007-12-22 16:29 . 2004-08-04 00:35 58,624 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-12-22 16:29 . 2001-08-17 21:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-12-22 16:27 . 2008-01-27 08:32 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-12-22 16:27 . 2007-12-22 16:27 <DIR> dr-h----- C:\Documents and Settings\Default User\Ustawienia lokalne
2007-12-22 16:27 . 2007-12-22 16:27 <DIR> d-------- C:\Documents and Settings\Default User\Ulubione
2007-12-22 16:27 . 2007-12-22 09:33 <DIR> d--h----- C:\Documents and Settings\Default User\Szablony
2007-12-22 16:27 . 2007-12-22 16:27 <DIR> d-------- C:\Documents and Settings\Default User\Pulpit
2007-12-22 16:27 . 2007-12-22 16:27 <DIR> d-------- C:\Documents and Settings\Default User\Moje dokumenty
2007-12-22 16:27 . 2007-12-22 16:27 <DIR> dr------- C:\Documents and Settings\Default User\Menu Start
2007-12-22 16:27 . 2007-12-22 16:27 <DIR> dr-h----- C:\Documents and Settings\Default User\Dane aplikacji
2007-12-22 16:27 . 2007-12-22 16:27 <DIR> d-------- C:\Documents and Settings\All Users\Ulubione
2007-12-22 16:27 . 2007-12-22 16:27 <DIR> d--h----- C:\Documents and Settings\All Users\Szablony
2007-12-22 16:27 . 2008-01-19 18:14 <DIR> d-------- C:\Documents and Settings\All Users\Pulpit
2007-12-22 16:27 . 2007-12-27 10:25 <DIR> dr------- C:\Documents and Settings\All Users\Menu Start
2007-12-22 16:27 . 2007-12-22 10:34 <DIR> dr------- C:\Documents and Settings\All Users\Dokumenty
2007-12-22 16:27 . 2008-01-16 18:44 <DIR> dr-h----- C:\Documents and Settings\All Users\Dane aplikacji
2007-12-22 16:26 . 2008-01-30 21:15 <DIR> d-------- C:\Documents and Settings
2007-12-22 12:16 . 2007-12-22 12:16 <DIR> d-------- C:\Program Files\Common Files\HP
2007-12-22 12:15 . 2007-12-22 12:15 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-12-22 12:15 . 2007-12-22 12:15 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Hewlett-Packard
2007-12-22 12:15 . 2004-05-11 10:53 1,230,336 -ra------ C:\WINDOWS\system32\MSXML4.dll
2007-12-22 12:15 . 2004-05-11 10:53 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2007-12-22 12:15 . 2004-05-11 10:53 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2007-12-22 12:15 . 2004-05-11 10:53 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2007-12-22 12:15 . 2004-05-11 10:53 82,432 -ra------ C:\WINDOWS\system32\MSXML4r.dll
2007-12-22 12:15 . 2004-05-11 10:53 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2007-12-22 12:14 . 2007-12-22 12:14 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-12-22 12:13 . 2007-12-22 12:13 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-12-22 12:12 . 2004-06-21 21:35 51,088 -ra------ C:\WINDOWS\system32\drivers\hpzid412.sys
2007-12-22 12:12 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-12-22 12:12 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-12-22 12:12 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-22 12:12 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-12-22 12:12 . 2004-06-21 21:35 21,744 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2007-12-22 12:12 . 2004-06-21 21:35 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-12-22 12:12 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 17:32 2,238,016 ----a-w C:\WINDOWS\inf\isprnt.exe
2007-12-27 09:46 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-22 10:06 219,648 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-12-22 09:44 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-22 08:36 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-22 08:33 --------- d-----w C:\Program Files\Usługi online
2007-10-22 02:39 267,272 ----a-w C:\WINDOWS\system32\xactengine2_10.dll
2007-10-22 02:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-12 14:14 3,734,536 ----a-w C:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 14:14 1,374,232 ----a-w C:\WINDOWS\system32\D3DCompiler_36.dll
2007-10-02 08:56 444,776 ----a-w C:\WINDOWS\system32\d3dx10_36.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 11:12 139264]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-19 21:13 486856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-22 10:39 921600]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 07:49 16377344 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
"nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]
C:\Documents and Settings\Admin\Menu Start\Programy\Autostart\
Stardock ObjectDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe [2005-02-21 14:56:00 1826885]
Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]
Y'z ToolBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe [2002-09-29 14:41:00 90112]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]
HP Image Zone - szybkie uruchamianie.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]
S3 BTNetFilter;Bluetooth Network Filter;C:\WINDOWS\system32\drivers\BTNetFilter.sys [2004-12-16 16:32]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 21:43:37
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180]
-> C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\DockShellHook.dll
.
Completion time: 2008-01-31 21:43:45
ComboFix-quarantined-files.txt 2008-01-31 20:43:44
Hijack:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:44:39, on 2008-01-31
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Y'z ToolBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone - szybkie uruchamianie.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F21F299-A50F-450F-9D66-21DCC65A3809}: NameServer = 192.168.2.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 4863 bytes
Thanks in advance for the help.