11.04.2007, 14:11
Hello! I have a problem, namely my antivirus (I have KIS 6.0) keeps detecting a virus in the file eraseme####.exe (the hashes stand for a number). Every little while the file is deleted by the antivirus, but it reappears right away with a different number; every day I get a dozen or even several dozen such alerts, and I don't know how to get rid of it for good. Please help. I'll add that this virus is a Trojan horse and is very malicious, because it won't let itself be removed; the antivirus detects it under the name: Backdoor.Win32.SdBot.aad
Here are the logs from HJT and SR:
Quote: Logfile of HijackThis v1.99.1
Scan saved at 14:48:31, on 2007-04-11
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\mgabg.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PDesk\PDesk.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MarBit\ALLPlayer\ALLPlayer.exe
C:\Documents and Settings\Marcin Binek\Pulpit\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [To see links, register here]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O8 - Extra context menu item: Dodaj do blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - [To see links, register here]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
Quote: "Silent Runners.vbs", revision R50, [To see links, register here]
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"eMuleAutoStart" = "C:\Program Files\eMule\emule.exe -AutoStart" ["http://www.emule-project.net"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run {++}
"Matrox Powerdesk" = "C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch" ["Matrox Graphics Inc."]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
InProcServer32\(Default) = "C:\WINNT\system32\hticons.dll" ["Hilgraeve, Inc."]
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" = "WebCheck"
-> {HKLM...CLSID} = "WebCheck"
InProcServer32\(Default) = "C:\WINNT\system32\dllcache\checkweb.dll" [null data]
"{4A741382-48B4-11d2-AD84-00A024D24BF3}" = "Matrox PowerDesk Properties"
-> {HKLM...CLSID} = "Matrox PowerDesk Properties"
InProcServer32\(Default) = "C:\WINNT\system32\PDesk\PDPAGES.DLL" ["Matrox Graphics Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statystyki ochrony WWW"
-> {HKLM...CLSID} = "Statystyki ochrony WWW"
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> {HKLM...CLSID} = "WebCheck"
InProcServer32\(Default) = "C:\WINNT\system32\dllcache\checkweb.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
<<!>> "AppInit_DLLs" = "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
<<!>> klogon\DLLName = "C:\WINNT\system32\klogon.dll" ["Kaspersky Lab"]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General
"Wallpaper" = "C:\WINNT\Web\Wallpaper\window~1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop
"Wallpaper" = "C:\WINNT\Web\Wallpaper\window~1.bmp"
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name] , (at) ## range:
%SystemRoot%\system32\msafd.dll [MS] , 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS] , 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statystyki ochrony WWW"
Implemented Categories\{00021493-0000-0000-C000-000000000046} [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}
"ButtonText" = "Statystyki ochrony WWW"
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Kaspersky Internet Security 6.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r" ["Kaspersky Lab"]
MGABGEXE, MGABGEXE, "C:\WINNT\system32\mgabg.exe" ["Matrox Graphics Inc."]
System zdarzeń COM+, EventSystem, "C:\WINNT\system32\svchost.exe -k netsvcs" {"C:\WINNT\system32\es.dll" [null data] }
----------
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 216 seconds, including 14 seconds for message boxes)