Problems with a strange winlogon.exe
Hello
For some time now my computer has been falling apart completely. The problem is winlogon.exe, but I don't know how to deal with it. I'll add that the computer is constantly sending e-mails, which I can see from the Norton AntiVirus status.
Below I'm attaching the logs and kindly ask for help....
HijackThis:
[quote]Logfile of HijackThis v1.99.1
Scan saved at 11:12:14, on 2007-10-25
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\skrzynka bogiego\skrzynka.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\CAPRPCSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\juszczykj\Pulpit\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\hhupd.exe,C:\WINDOWS\system32\actcontroller.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKCU\..\Run: [skrzynka bogiego] C:\Program Files\skrzynka bogiego\skrzynka.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\JUSZCZ~1\USTAWI~1\Temp\winlogon.exe
O4 - Global Startup: Canon LBP-810 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D6E590C-B3BD-44DC-9FC3-7848EAF7C5F6}: NameServer = 194.204.159.1,194.204.152.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{62EC48F3-5F79-43B5-B2E0-D25BEFB9632F}: NameServer = 194.204.159.1,194.204.152.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8FA7CE4-C8B5-4E18-8D7E-7841C34DFAA3}: NameServer = 194.204.159.1,194.204.152.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF844062-55EA-4C47-9620-0B0D0A0A67B2}: NameServer = 194.204.152.34,194.204.159.1
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\fci.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Usługa Auto-Protect w programie Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
[/quote]
COMBOFIX
[quote]ComboFix 07-10-23.1 - juszczykj 2007-10-25 11:20:10.1 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.652 [GMT 2:00]
Running from: G:\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\6.tmp
C:\A.tmp
C:\WINDOWS\hosts
C:\WINDOWS\system32\4_exception.nls
C:\WINDOWS\system32\cemetrix.dll
C:\WINDOWS\system32\DefLib.sys
C:\WINDOWS\system32\drivers\Amyk78.sys
C:\WINDOWS\system32\drivers\Dbag36.sys
C:\WINDOWS\system32\drivers\protect.sys
C:\WINDOWS\system32\drivers\runtime2.sy_
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\rk.bin
C:\WINDOWS\system32\rlls.dll
C:\WINDOWS\system32\rlvknlg.exe
C:\WINDOWS\system32\RunOnce3.t__
C:\WINDOWS\system32\RunOnce3.tmp
C:\WINDOWS\system32\update118.exe
C:\WINDOWS\system32\update125.exe
C:\WINDOWS\system32\update177.exe
C:\WINDOWS\system32\update281.exe
C:\WINDOWS\system32\update285.exe
C:\WINDOWS\system32\update288.exe
C:\WINDOWS\system32\update289.exe
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\Temp\26109718.exe
C:\WINDOWS\tsitra801.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DBAG36
-------\LEGACY_FCI
-------\LEGACY_MICROSOFT_INTERNET_EXPLORER
-------\LEGACY_PROTECT
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_SYSLIBRARY
-------\FCI
-------\Microsoft Internet Explorer
-------\protect
((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.
2007-10-25 11:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-25 10:28 d-------- C:\!KillBox
2007-10-17 09:40 46,080 --a------ C:\WINDOWS\system32\actcontroller.exe
2007-10-17 09:40 41,984 --a------ C:\WINDOWS\system32\wupdsvc0.exe
2007-10-17 09:40 24,064 --a------ C:\WINDOWS\system32\fci.exe
2007-10-17 09:40 20,992 --a------ C:\WINDOWS\system32\wupdsvc4.exe
2007-10-17 09:30 46,080 --a------ C:\WINDOWS\system32\hhupd.exe
2007-10-15 10:02 d-------- C:\Program Files\Enigma Software Group
2007-10-10 16:18 7,680 --a------ C:\Documents and Settings\juszczykj\ie_update3r.exe
2007-10-01 09:03 d--hs---- C:\FOUND.010
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-04-12 11:30 123,744 ----a-w C:\Documents and Settings\juszczykj\Dane aplikacji\GDIPFONTCACHEV1.DAT
2003-08-27 09:49 3,424 ----a-w C:\WINDOWS\inf\OTHER\cmiainfo.sys
2006-05-15 12:58:24 32 --sha-w C:\WINDOWS\{B5FFE0C9-C221-4F4F-8DA5-F8D25BB84ABC}.dat
2006-05-15 12:58:24 32 --sha-w C:\WINDOWS\system32\{3100DAE0-828E-4263-A6E2-0B3934F0EA67}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 12:15]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-09-23 10:56]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-09-23 10:56]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-16 09:58]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"CAPON"="C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAPONN.EXE" [2007-06-22 13:28]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"skrzynka bogiego"="C:\Program Files\skrzynka bogiego\skrzynka.exe" [2001-11-05 18:06]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-10-13 17:33]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 15:03]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 11:02]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RelevantKnowledge]
c:\windows\system32\rlvknlg.exe -boot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA844-CC51-11CF-AAFA-AABBCCDDEE02}]
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\skrzynka.inf,profil.i.nt
.
Contents of the 'Scheduled Tasks' folder
"2007-10-24 14:40:52 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 11:24:24
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-25 11:25:39 - machine was rebooted
.
--- E O F ---
[/quote]
Replies: 5
You're welcome :)
I found those 3 files.
I can't find that winlogon, but maybe I removed it some other way during earlier attempts - I used KillBox and other software.
Anyway, everything runs normally now.
Thank you very much for the help!!!
In the ComboFix log there is still an undeleted file: C:\WINDOWS\system32\actcontroller.exe
For those files that "aren't there": in Folder Options -> View, enable showing hidden files and folders, and also show files protected by the system.
First, thank you.
Second, this file:
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\JUSZCZ~1\USTAWI~1\Temp\winlogon.exe
and these:
C:\WINDOWS\{B5FFE0C9-C221-4F4F-8DA5-F8D25BB84ABC}.dat
C:\WINDOWS\system32\{3100DAE0-828E-4263-A6E2-0B3934F0EA67}.dat
I can't find on disk - the rest I deleted, the registry key as well.
Third, the logs
HijackThis
[quote]Logfile of HijackThis v1.99.1
Scan saved at 12:21:13, on 2007-10-25
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\skrzynka bogiego\skrzynka.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\system32\CAPRPCSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\juszczykj\Pulpit\hijackthis_199\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKCU\..\Run: [skrzynka bogiego] C:\Program Files\skrzynka bogiego\skrzynka.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Canon LBP-810 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D6E590C-B3BD-44DC-9FC3-7848EAF7C5F6}: NameServer = 194.204.159.1,194.204.152.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{62EC48F3-5F79-43B5-B2E0-D25BEFB9632F}: NameServer = 194.204.159.1,194.204.152.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8FA7CE4-C8B5-4E18-8D7E-7841C34DFAA3}: NameServer = 194.204.159.1,194.204.152.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF844062-55EA-4C47-9620-0B0D0A0A67B2}: NameServer = 194.204.152.34,194.204.159.1
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Usługa Auto-Protect w programie Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
[/quote]
COMBOFIX
[quote]ComboFix 07-10-23.1 - juszczykj 2007-10-25 12:22:12.2 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.684 [GMT 2:00]
Running from: C:\Documents and Settings\juszczykj\Pulpit\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.
2007-10-25 11:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-17 09:40 46,080 --a------ C:\WINDOWS\system32\actcontroller.exe
2007-10-15 10:02 d-------- C:\Program Files\Enigma Software Group
2007-10-01 09:03 d--hs---- C:\FOUND.010
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-04-12 11:30 123,744 ----a-w C:\Documents and Settings\juszczykj\Dane aplikacji\GDIPFONTCACHEV1.DAT
2003-08-27 09:49 3,424 ----a-w C:\WINDOWS\inf\OTHER\cmiainfo.sys
2006-05-15 12:58:24 32 --sha-w C:\WINDOWS\{B5FFE0C9-C221-4F4F-8DA5-F8D25BB84ABC}.dat
2006-05-15 12:58:24 32 --sha-w C:\WINDOWS\system32\{3100DAE0-828E-4263-A6E2-0B3934F0EA67}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 12:15]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-09-23 10:56]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-09-23 10:56]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-16 09:58]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"CAPON"="C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAPONN.EXE" [2007-06-22 13:28]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"skrzynka bogiego"="C:\Program Files\skrzynka bogiego\skrzynka.exe" [2001-11-05 18:06]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-10-13 17:33]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 15:03]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 11:02]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RelevantKnowledge]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe
R2 RapidPort;RapidPort;\??\C:\WINDOWS\system32\Drivers\CAPLPTN.SYS
R3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA844-CC51-11CF-AAFA-AABBCCDDEE02}]
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\skrzynka.inf,profil.i.nt
.
Contents of the 'Scheduled Tasks' folder
"2007-10-24 14:40:52 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 12:24:31
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-25 12:25:01
.
--- E O F ---
[/quote]
ComboFix deleted quite a bit.
To fix (in HijackThis). The bolded files get deleted from disk.
[quote]F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\[b]hhupd.exe[/b],C:\WINDOWS\system32\[b]actcontroller.exe[/b],
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\JUSZCZ~1\USTAWI~1\Temp\[b]winlogon.exe[/b]
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll (file missing)
[/quote]
Additionally, files to delete
[quote]C:\WINDOWS\system32\wupdsvc0.exe
C:\WINDOWS\system32\fci.exe
C:\WINDOWS\system32\wupdsvc4.exe
C:\Documents and Settings\juszczykj\ie_update3r.exe
C:\WINDOWS\{B5FFE0C9-C221-4F4F-8DA5-F8D25BB84ABC}.dat
C:\WINDOWS\system32\{3100DAE0-828E-4263-A6E2-0B3934F0EA67}.dat[/quote]
Registry entry and file to delete
[quote]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RelevantKnowledge]
c:\windows\system32\[b]rlvknlg.exe[/b] -boot
[/quote]
After the work, post new logs.
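The three entries in the fix above are classic Windows XP persistence points: the UserInit chain (F2) starts every executable listed after userinit.exe at logon, the HKCU Run key (O4) launches a winlogon.exe lookalike from the user's Temp folder, and the Winlogon Notify entry (O20) would load a DLL into winlogon on logon events. As an added example that is not part of this forum thread, of HijackThis or of ComboFix, the Python script below parses HijackThis-style log lines and flags those three patterns, and generalizes the second one to any well-known system process name running from outside System32. The sample input is constructed: it copies lines quoted in this thread and adds one constructed "Running processes" line for the Temp copy of winlogon.exe.

```python
"""Triage HijackThis-style log lines for the persistence patterns seen in this thread."""
import ntpath
import re

# Process names malware commonly borrows; legitimate copies live in <root>\WINDOWS\system32.
# (explorer.exe is deliberately absent: it legitimately lives in \WINDOWS, not System32.)
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "csrss.exe", "smss.exe", "userinit.exe"}

# A Windows path ending in an executable extension, quoted or not.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)

# Constructed sample: lines copied from the thread's HijackThis log, plus one
# constructed process line (the Temp copy of winlogon.exe) for illustration.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\JUSZCZ~1\USTAWI~1\Temp\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\hhupd.exe,C:\WINDOWS\system32\actcontroller.exe,
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\JUSZCZ~1\USTAWI~1\Temp\winlogon.exe
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll (file missing)
"""


def _in_system32(path: str) -> bool:
    """True if the directory part of `path` is <root>\\WINDOWS\\system32 (any case)."""
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return directory.endswith("\\windows\\system32")


def _suspicious_location(path: str) -> bool:
    """Flag executables started from a Temp folder, or system-binary names outside System32."""
    lowered = path.lower()
    if "\\temp\\" in lowered:
        return True
    return ntpath.basename(lowered) in SYSTEM_BINARIES and not _in_system32(path)


def triage(log_text: str) -> list:
    """Return (category, detail) findings for the suspicious patterns in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("F2 - ") and "UserInit=" in line:
            # Only <root>\WINDOWS\system32\userinit.exe belongs in the UserInit chain.
            chain = line.split("UserInit=", 1)[1]
            for entry in filter(None, (e.strip() for e in chain.split(","))):
                if not entry.lower().endswith("\\system32\\userinit.exe"):
                    findings.append(("userinit-chain", entry))
        elif line.startswith("O4 - "):
            # Run-key / startup entries: check where the launched binary lives.
            match = PATH_RE.search(line)
            if match and _suspicious_location(match.group(0)):
                findings.append(("run-key", match.group(0)))
        elif line.startswith("O20 - "):
            # Winlogon Notify DLLs: a missing file or a non-System32 location is abnormal.
            match = PATH_RE.search(line)
            if "(file missing)" in line or (match and not _in_system32(match.group(0))):
                findings.append(("winlogon-notify", line.split(" - ", 1)[1]))
        elif PATH_RE.fullmatch(line):
            # Bare path lines come from the "Running processes" section.
            if _suspicious_location(line):
                findings.append(("process", line))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:16} {detail}")
```

Run against the sample it reports the two extra UserInit executables, the Run entry and the process line for the Temp winlogon.exe, and the Winlogon Notify DLL, while the legitimate System32 winlogon.exe and the Symantec Run entry stay quiet; pasting a full HijackThis log into `triage()` works the same way.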