"Trojan-Downloader.BAT..."

[dareqJG]

mam problem..kaspersky wykrywa mi "Trojan-Downloader.BAT.Ftp.ab" ale nie daje rady go usunac ..jezeli znacie jakis program za pomoca którego usune tego wirusa to prosze o podanie nazwy...pzdr.

[niunka]

Killbox , max_delete
Usuwasz przy wylaczonym przywracaniu systemu i w awaryjnym.
dobrze by bylo gdybys wkleil logo.

Nie ten dzial

[dareqJG]

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSExplorer.EXE
C:Program FilesKaspersky LabKaspersky Internet Security 6.0avp.exe
C:WINDOWSSOUNDMAN.EXE
C:Program FilesAdobePhotoshop Album Starter Edition3.0Appsapdproxy.exe
C:PROGRA~1NokiaNOKIAP~1LAUNCH~1.EXE
C:WINDOWSSystem32ctfmon.exe
C:Program FilesMessengermsmsgs.exe
C:Program FilesGadu-Gadugg.exe
C:Program FilesNokiaNokia PC Suite 6PcSync2.exe
C:PROGRA~1COMMON~1PCSuiteServicesSERVIC~1.EXE
C:Program FilesSpyware Doctorswdoctor.exe
C:WINDOWSBricoPacksVista InspiratYzToolbarYzToolBar.exe
C:PROGRA~1COMMON~1NokiaMPAPIMPAPI3s.exe
C:Program FilesKaspersky LabKaspersky Internet Security 6.0avp.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:WINDOWSsystem32cmd.exe
C:WINDOWSsystem32ftp.exe
C:Program FilesSpyware Doctorsdhelp.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesQuickTimeqttask.exe
C:PROGRA~1COMMON~1PCSuiteDATALA~1DATALA~1.EXE
C:PROGRA~1NokiaNOKIAP~1SEUPDA~1.EXE
C:Program FilesOperaOpera.exe
C:WINDOWSSystem32wuauclt.exe
C:Documents and SettingsDarekPulpithijackthisHijackThis.exe
C:WINDOWSSystem32wbemwmiprvse.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:Program FilesYahoo!CompanionInstallscpnyt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:Program FilesSpybot - Search & DestroySDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:PROGRA~1SPYWAR~1 oolsiesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:PROGRA~1SPYWAR~1 oolsiesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSystem32msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:Program FilesYahoo!CompanionInstallscpnyt.dll
O4 - HKLM..Run: [kis] "C:Program FilesKaspersky LabKaspersky Internet Security 6.0avp.exe"
O4 - HKLM..Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..Run: [Adobe Photo Downloader] "C:Program FilesAdobePhotoshop Album Starter Edition3.0Appsapdproxy.exe"
O4 - HKLM..Run: [PCSuiteTrayApplication] C:PROGRA~1NokiaNOKIAP~1LAUNCH~1.EXE -onlytray
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [Gadu-Gadu] "C:Program FilesGadu-Gadugg.exe" /tray
O4 - HKCU..Run: [PcSync] C:Program FilesNokiaNokia PC Suite 6PcSync2.exe /NoDialog
O4 - HKCU..Run: [Spyware Doctor] "C:Program FilesSpyware Doctorswdoctor.exe" /Q
O4 - Startup: Stardock ObjectDock.lnk = C:WINDOWSBricoPacksVista InspiratObjectDockObjectDock.exe
O4 - Startup: Y'z ToolBar.lnk = C:WINDOWSBricoPacksVista InspiratYzToolbarYzToolBar.exe
O8 - Extra context menu item: Dodaj do Kaspersky Anti-Banner - C:Program FilesKaspersky LabKaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000
O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:Program FilesKaspersky LabKaspersky Internet Security 6.0scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:PROGRA~1SPYWAR~1 oolsiesdpb.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSweb elated.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSweb elated.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 7567485843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7567463375
O17 - HKLMSystemCCSServicesTcpip..{41919DAC-F245-438B-A874-FE8B8EC1A385}: NameServer = 217.30.129.149,217.30.187.200
O17 - HKLMSystemCS1ServicesTcpip..{41919DAC-F245-438B-A874-FE8B8EC1A385}: NameServer = 217.30.129.149,217.30.187.200
O17 - HKLMSystemCS2ServicesTcpip..{41919DAC-F245-438B-A874-FE8B8EC1A385}: NameServer = 217.30.129.149,217.30.187.200
O20 - AppInit_DLLs: C:PROGRA~1KASPER~1KASPER~1.0adialhk.dll
O20 - Winlogon Notify: klogon - C:WINDOWSSystem32klogon.dll
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:Program FilesKaspersky LabKaspersky Internet Security 6.0avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:Program FilesSpyware Doctorsdhelp.exe

[pp3088]

Witaj log wygląda składnie. Mam jedno pytani: czy ty to tam umieściłes??

C:WINDOWSsystem32ftp.exe

Wklej jeszce loga z tego http://www.silentrunners.org/ (śćiagasz>>dajesz "n[nie]" i czkeasz na komunikat done!)

[dareqJG]

ja tam nic sam nie umieszczałem

[dareqJG]

zbytnio nie wiem co mam wkleic a co nie..to wkleje wszystko..

"Silent Runners.vbs", revision 47, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun {++}
"CTFMON.EXE" = "C:WINDOWSSystem32CTFMON.EXE" [MS]
"Spyware Doctor" = ""C:Program FilesSpyware Doctorswdoctor.exe" /Q" ["PC Tools Research Pty Ltd"]

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun {++}
"kis" = ""C:Program FilesKaspersky LabKaspersky Internet Security 6.0avp.exe"" ["Kaspersky Lab"]
"(Default)" = (empty string)
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"Adobe Photo Downloader" = ""C:Program FilesAdobePhotoshop Album Starter Edition3.0Appsapdproxy.exe"" ["Adobe Systems Incorporated"]
"PCSuiteTrayApplication" = "C:PROGRA~1NokiaNOKIAP~1LAUNCH~1.EXE -onlytray" ["Nokia"]
"QuickTime Task" = ""C:Program FilesQuickTimeqttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLMSoftwareMicrosoftActive SetupInstalled Components
>{26923b43-4d38-484f-9b9e-de460746276c}(Default) = "Internet Explorer"
StubPath = "C:WINDOWSsystem32shmgrate.exe OCInstallUserConfigIE" [MS]
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS(Default) = "Dostosowywanie przeglądarki"
StubPath = "RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}(Default) = "Outlook Express"
StubPath = "C:WINDOWSsystem32shmgrate.exe OCInstallUserConfigOE" [MS]
{2C7339CF-2B09-4501-B3F3-F3508C9228ED}(Default) = "Themes Setup"
StubPath = "C:WINDOWSsystem32 egsvr32.exe /s /n /i:/UserInstall C:WINDOWSsystem32 hemeui.dll" [MS]
{44BBA840-CC51-11CF-AAFA-00AA00B6015C}(Default) = "Microsoft Outlook Express 6"
StubPath = ""C:Program FilesOutlook Expresssetup50.exe" /APP:OE /CALLER:WINNT /user /install" [MS]
{5945c046-1e7d-11d1-bc44-00c04fd912be}(Default) = "Windows Messenger 4.7"
StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:WINDOWSINFmsmsgs.inf,BLC.QuietInstall.PerUser" [MS]
{6BF52A52-394A-11d3-B153-00C04F79FAA6}(Default) = "Microsoft Windows Media Player"
StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:WINDOWSINFwmp.inf,PerUserStub" [MS]
{7790769C-0471-11d2-AF11-00C04FA35D02}(Default) = "Książka adresowa 6"
StubPath = ""C:Program FilesOutlook Expresssetup50.exe" /APP:WAB /CALLER:WINNT /user /install" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4340}(Default) = "Aktualizacja pulpitu Windows"
StubPath = "regsvr32.exe /s /n /i:U shell32.dll" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4383}(Default) = "Internet Explorer 6"
StubPath = "C:WINDOWSsystem32ie4uinit.exe" [MS]

HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects
{02478D38-C3F9-4EFB-9B51-7695ECA05670}(Default) = (no title provided)
{HKLM...CLSID} = "Yahoo! Toolbar Helper"
InProcServer32(Default) = "C:Program FilesYahoo!CompanionInstallscpnyt.dll" ["Yahoo! Inc."]
{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)
{HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:Program FilesSpybot - Search & DestroySDHelper.dll" ["Safer Networking Limited"]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}(Default) = (no title provided)
{HKLM...CLSID} = "PCTools Site Guard"
InProcServer32(Default) = "C:PROGRA~1SPYWAR~1 oolsiesdsg.dll" ["PC Tools"]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}(Default) = (no title provided)
{HKLM...CLSID} = "PCTools Browser Monitor"
InProcServer32(Default) = "C:PROGRA~1SPYWAR~1 oolsiesdpb.dll" ["PC Tools"]

HKLMSoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApproved
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
{HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
{HKLM...CLSID} = "HyperTerminal Icon Ext"
InProcServer32(Default) = "C:WINDOWSSystem32hticons.dll" ["Hilgraeve, Inc."]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Ochrona WWW"
{HKLM...CLSID} = "Ochrona WWW"
InProcServer32(Default) = "C:Program FilesKaspersky LabKaspersky Internet Security 6.0scieplugin.dll" ["Kaspersky Lab"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
{HKLM...CLSID} = "Microsoft Office Outlook"
InProcServer32(Default) = "C:PROGRA~1MICROS~2OFFICE11MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
{HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
InProcServer32(Default) = "C:PROGRA~1MICROS~2OFFICE11OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
{HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:Program FilesMicrosoft OfficeOFFICE11msohev.dll" [MS]
"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"
{HKLM...CLSID} = "JetFlExt"
InProcServer32(Default) = "C:Program FilesJetAudioJetFlExt.dll" ["JetAudio, Inc."]
"{ABC70703-32AF-11d4-90C4-D483A70F4825}" = "CMenuExtender"
{HKLM...CLSID} = "CMenuExtender"
InProcServer32(Default) = "C:WINDOWSBricoPacksVista InspiratiColorFolderCMExt.dll" ["Revenger inc."]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"
{HKLM...CLSID} = "Nokia Phone Browser"
InProcServer32(Default) = "C:Program FilesNokiaNokia PC Suite 6PhoneBrowser.dll" ["Nokia"]
"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"
{HKLM...CLSID} = "Message View"
InProcServer32(Default) = "C:Program FilesNokiaNokia PC Suite 6MessageView.dll" ["Nokia"]

HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWindows
INFECTION WARNING! "AppInit_DLLs" = "C:PROGRA~1KASPER~1KASPER~1.0adialhk.dll" ["Kaspersky Lab"]

HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify
INFECTION WARNING! klogonDLLName = "C:WINDOWSSystem32klogon.dll" ["Kaspersky Lab"]

HKLMSoftwareClassesPROTOCOLSFilter
INFECTION WARNING! text/xmlCLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
{HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:Program FilesCommon FilesMicrosoft SharedOFFICE11MSOXMLMF.DLL" [MS]

HKLMSoftwareClasses*shellexContextMenuHandlers
Kaspersky Anti-Virus(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
{HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:Program FilesKaspersky LabKaspersky Internet Security 6.0shellex.dll" ["Kaspersky Lab"]

HKLMSoftwareClassesDirectoryshellexContextMenuHandlers
CMenuExtender(Default) = "{ABC70703-32AF-11d4-90C4-D483A70F4825}"
{HKLM...CLSID} = "CMenuExtender"
InProcServer32(Default) = "C:WINDOWSBricoPacksVista InspiratiColorFolderCMExt.dll" ["Revenger inc."]
jetAudio(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
{HKLM...CLSID} = "JetFlExt"
InProcServer32(Default) = "C:Program FilesJetAudioJetFlExt.dll" ["JetAudio, Inc."]

HKLMSoftwareClassesFoldershellexContextMenuHandlers
jetAudio(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
{HKLM...CLSID} = "JetFlExt"
InProcServer32(Default) = "C:Program FilesJetAudioJetFlExt.dll" ["JetAudio, Inc."]
Kaspersky Anti-Virus(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
{HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:Program FilesKaspersky LabKaspersky Internet Security 6.0shellex.dll" ["Kaspersky Lab"]


Active Desktop and Wallpaper:
-----------------------------

HKCUControl PanelDesktop
"Wallpaper" = "(Brak)"


Enabled Screen Saver:
---------------------

HKCUControl PanelDesktop
"SCRNSAVE.EXE" = "logon.scr" [MS]


Startup items in "Darek" & "All Users" startup folders:
-------------------------------------------------------

C:Documents and SettingsDarekMenu StartProgramyAutostart
"Stardock ObjectDock" shortcut to: "C:WINDOWSBricoPacksVista InspiratObjectDockObjectDock.exe" ["Stardock"]
"Y'z ToolBar" shortcut to: "C:WINDOWSBricoPacksVista InspiratYzToolbarYzToolBar.exe" ["Y'z@Home"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLMSystemCurrentControlSetServicesWinsock2ParametersNameSpace_Catalog5Catalog_Entries {++}
000000000001LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]
000000000002LibraryPath = "%SystemRoot%System32winrnr.dll" [MS]
000000000003LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]

Transport Service Providers

HKLMSystemCurrentControlSetServicesWinsock2ParametersProtocol_Catalog9Catalog_Entries {++}
0000000000##PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%system32mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%system32 svpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLMSoftwareMicrosoftInternet ExplorerToolbar
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
{HKLM...CLSID} = "Yahoo! Toolbar"
InProcServer32(Default) = "C:Program FilesYahoo!CompanionInstallscpnyt.dll" ["Yahoo! Inc."]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLMSoftwareClassesCLSID{85E0B171-04FA-11D1-B7DA-00A0C90348D6}(Default) = "Ochrona WWW"
Implemented Categories{00021493-0000-0000-C000-000000000046} [vertical bar]
InProcServer32(Default) = "C:Program FilesKaspersky LabKaspersky Internet Security 6.0scieplugin.dll" ["Kaspersky Lab"]

HKLMSoftwareClassesCLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = "&Badanie"
Implemented Categories{00021493-0000-0000-C000-000000000046} [vertical bar]
InProcServer32(Default) = "C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLMSoftwareMicrosoftInternet ExplorerExtensions
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}
"ButtonText" = "Ochrona WWW"

{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
{HKLM...CLSID} = "PCTools Browser Monitor"
InProcServer32(Default) = "C:PROGRA~1SPYWAR~1 oolsiesdpb.dll" ["PC Tools"]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}
"ButtonText" = "Badanie"

{FB5F1910-F110-11D2-BB9E-00C04F795683}
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:Program FilesMessengermsmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Kaspersky Internet Security 6.0, AVP, "C:Program FilesKaspersky LabKaspersky Internet Security 6.0avp.exe -r" ["Kaspersky Lab"]
Machine Debug Manager, MDM, ""C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE"" [MS]
PC Tools Spyware Doctor, SDhelper, "C:Program FilesSpyware Doctorsdhelp.exe" ["PC Tools Research Pty Ltd"]


Print Monitors:
---------------

HKLMSystemCurrentControlSetControlPrintMonitors
Microsoft Document Imaging Writer MonitorDriver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 72 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 25 seconds.
---------- (total run time: 140 seconds)

[pp3088]

Log wygląda całkiem dobrze. Mógłbyś podac lokalizcje gdzie wykryto wirusa??

[dareqJG]

juz jest wszystko dobrze...uporałem sie sam jakos z tym...ale dzieki za pomoc