Logs - Pop-up windows

  • Closed: this topic is closed
23 replies in this topic

#1 jack64vp

    Beginner

  • 40 posts

Posted 12 08 2008 - 18:14

Please check my logs. The computer has been very sluggish for some time and various strange windows keep popping up.
Apart from that I have no sound at all.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:49:57, on 2008-08-12
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:/WINDOWS/System32/smss.exe
C:/WINDOWS/system32/winlogon.exe
C:/WINDOWS/system32/services.exe
C:/WINDOWS/system32/lsass.exe
C:/WINDOWS/system32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/WINDOWS/system32/spoolsv.exe
C:/WINDOWS/system32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/WINDOWS/Explorer.exe
C:/Program Files/Thomson/SpeedTouch USB/Dragdiag.exe
C:/Program Files/Java/jre1.5.0_10/bin/jusched.exe
C:/Program Files/HP/HP Software Update/HPWuSchd2.exe
C:/Program Files/Messenger/msmsgs.exe
C:/Program Files/Gadu-Gadu/gg.exe
C:/Program Files/HP/Digital Imaging/bin/hpqtra08.exe
C:/Program Files/HP/Digital Imaging/bin/hpqSTE08.exe
C:/Program Files/Java/jre1.5.0_10/bin/jucheck.exe
C:/Program Files/Opera/Opera.exe
C:/Program Files/Trend Micro/HijackThis/HijackThis.exe

R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = c:/secure32.html
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://search.bearshare.com/pl/
R1 - HKLM/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = c:/secure32.html
R1 - HKLM/Software/Microsoft/Internet Explorer/Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Start Page = c:/secure32.html
R0 - HKLM/Software/Microsoft/Internet Explorer/Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Local Page = c:/secure32.html
R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Local Page = c:/secure32.html
R0 - HKCU/Software/Microsoft/Internet Explorer/Toolbar,LinksFolderName = 
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:/Program Files/Deskbar/deskbar.dll (file missing)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:/Program Files/MyWebSearch/SrchAstt/1.bin/MWSSRCAS.DLL (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:/WINDOWS/system32/4.tmp
F2 - REG:system.ini: UserInit=C:/WINDOWS/System32/userinit.exe,userinit.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:/Program Files/HP/Smart Web Printing/hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:/Program Files/HP/Smart Web Printing/hpswp_framework.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:/Program Files/Adobe/Acrobat 7.0/ActiveX/AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:/Program Files/MyWebSearch/bar/1.bin/MWSBAR.DLL
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:/WINDOWS/System32/hgdcy.dll (file missing)
O2 - BHO: InfoDocReader Object - {295BA105-3506-4D25-B0DD-54346320BDC5} - C:/WINDOWS/System32/yabbx.dll (file missing)
O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:/Program Files/BearShare Applications/BearShare MediaBar/BearShareIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:/Program Files/Java/jre1.5.0_10/bin/ssv.dll
O2 - BHO: (no name) - {9D8F2A20-4F84-48BE-818C-77E5B40B47D6} - C:/WINDOWS/System32/xadeovns.dll (file missing)
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:/Program Files/Deskbar/deskbar.dll (file missing)
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:/Program Files/ToolBar888/MyToolBar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:/WINDOWS/System32/msdxm.ocx
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:/Program Files/ToolBar888/MyToolBar.dll (file missing)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:/Program Files/MyWebSearch/bar/1.bin/MWSBAR.DLL
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:/Program Files/BearShare Applications/BearShare MediaBar/BearShareMediaBar.dll
O4 - HKLM/../Run: [Microsoft Office Startup] expl0rer.exe
O4 - HKLM/../Run: [Microsoft ? Windows Vista/NT Runtime Compatibility Service] C:/WINDOWS/NT/nrcs.exe
O4 - HKLM/../Run: [SysTray] C:/Program Files/sueiixgf.exe
O4 - HKLM/../Run: [updwebmin] c:/windows/system32/updwebmin.exe
O4 - HKLM/../Run: [rpcc] rpcc.exe
O4 - HKLM/../Run: [Windows Task Manager] c:/windows/system32/taskmgn.exe
O4 - HKLM/../Run: [Windows Core Kernel Update] C:/WINDOWS/System32/win32bootcfg.exe
O4 - HKLM/../Run: [msconfig38] mssvcc.exe
O4 - HKLM/../Run: [secures23] mssecure.exe
O4 - HKLM/../Run: [DRam prosesor] uwdzqwl.exe
O4 - HKLM/../Run: [KernelFaultCheck] %systemroot%/system32/dumprep 0 -k
O4 - HKLM/../Run: [Microsoft ? Windows Network Security Management Service] C:/WINDOWS/system32/4.tmp
O4 - HKLM/../Run: [Task Manager Win32] C:/WINDOWS/System32/taskmngr32.exe
O4 - HKLM/../Run: [winsystems25] winsystems.exe
O4 - HKLM/../Run: [msvcc25] svcchost.exe
O4 - HKLM/../Run: [Win Tasks 32] wintasks32.exe
O4 - HKLM/../Run: [ml34] C:/WINDOWS/system32/mlm4.exe
O4 - HKLM/../Run: [SpeedTouch USB Diagnostics] "C:/Program Files/Thomson/SpeedTouch USB/Dragdiag.exe" /icon
O4 - HKLM/../Run: [SunJavaUpdateSched] "C:/Program Files/Java/jre1.5.0_10/bin/jusched.exe"
O4 - HKLM/../Run: [My Web Search Bar] rundll32 C:/PROGRA~1/MYWEBS~1/bar/1.bin/MWSBAR.DLL,S
O4 - HKLM/../Run: [MyWebSearch Email Plugin] C:/PROGRA~1/MYWEBS~1/bar/1.bin/mwsoemon.exe
O4 - HKLM/../Run: [Nero Pro] neropro.exe
O4 - HKLM/../Run: [AdobeReaderPro] winzip.exe
O4 - HKLM/../Run: [BearShare] "C:/Program Files/BearShare/BearShare.exe" /pause
O4 - HKLM/../Run: [BearFlix] "C:/Program Files/BearFlix/bearflix.exe" /pause
O4 - HKLM/../Run: [HP Software Update] C:/Program Files/HP/HP Software Update/HPWuSchd2.exe
O4 - HKLM/../Run: [PCTAVApp] "C:/Program Files/PC Tools AntiVirus/PCTAV.exe" /MONITORSCAN
O4 - HKLM/../RunServices: [Microsoft Office Startup] expl0rer.exe
O4 - HKLM/../RunServices: [updwebmin] c:/windows/system32/updwebmin.exe
O4 - HKLM/../RunServices: [msconfig38] mssvcc.exe
O4 - HKLM/../RunServices: [secures23] mssecure.exe
O4 - HKLM/../RunServices: [DRam prosesor] uwdzqwl.exe
O4 - HKLM/../RunServices: [winsystems25] winsystems.exe
O4 - HKLM/../RunServices: [msvcc25] svcchost.exe
O4 - HKLM/../RunServices: [Win Tasks 32] wintasks32.exe
O4 - HKLM/../RunServices: [Nero Pro] neropro.exe
O4 - HKLM/../RunServices: [AdobeReaderPro] winzip.exe
O4 - HKCU/../Run: [updwebmin] c:/windows/system32/updwebmin.exe
O4 - HKCU/../Run: [Win Tasks 32] wintasks32.exe
O4 - HKCU/../Run: [ml34] C:/WINDOWS/system32/mlm4.exe
O4 - HKCU/../Run: [MyWebSearch Email Plugin] C:/PROGRA~1/MYWEBS~1/bar/1.bin/mwsoemon.exe
O4 - HKCU/../Run: [Komunikator] C:/Program Files/Tlen.pl/tlen.exe
O4 - HKCU/../Run: [MSMSGS] "C:/Program Files/Messenger/msmsgs.exe" /background
O4 - HKCU/../Run: [Gadu-Gadu] "C:/Program Files/Gadu-Gadu/gg.exe" /tray
O4 - HKCU/../Run: [LimeWire Acceleration Patch] "D:/LimeWire/LimeWire Acceleration Patch/LimeWire Acceleration Patch.exe" -tray
O4 - HKUS/S-1-5-19/../Run: [CTFMON.EXE] C:/WINDOWS/System32/CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS/S-1-5-20/../Run: [CTFMON.EXE] C:/WINDOWS/System32/CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS/S-1-5-18/../Run: [CTFMON.EXE] C:/WINDOWS/System32/CTFMON.EXE (User 'SYSTEM')
O4 - HKUS/S-1-5-18/../Run: [Win Tasks 32] wintasks32.exe (User 'SYSTEM')
O4 - HKUS/.DEFAULT/../Run: [CTFMON.EXE] C:/WINDOWS/System32/CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire Acceleration Patch.lnk = D:/LimeWire/LimeWire Acceleration Patch/LimeWire Acceleration Patch.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:/Program Files/Adobe/Acrobat 7.0/Reader/reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:/Program Files/HP/Digital Imaging/bin/hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:/Program Files/Microsoft Office/Office10/OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJfox000
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:/PROGRA~1/MICROS~2/Office10/EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:/Program Files/Java/jre1.5.0_10/bin/ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:/Program Files/Java/jre1.5.0_10/bin/ssv.dll
O9 - Extra button: Kolekcja wycinków HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:/Program Files/HP/Smart Web Printing/hpswp_extensions.dll
O9 - Extra button: Zaznaczanie HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - C:/Program Files/HP/Smart Web Printing/hpswp_extensions.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:/WINDOWS/web/related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:/WINDOWS/web/related.htm
O17 - HKLM/System/CCS/Services/Tcpip/../{369502E0-37A4-4469-862B-16E1B9AAA0C1}: NameServer = 83.238.255.76 213.241.79.37
O17 - HKLM/System/CS1/Services/Tcpip/../{369502E0-37A4-4469-862B-16E1B9AAA0C1}: NameServer = 83.238.255.76 213.241.79.37
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:/PROGRA~1/COMMON~1/Skype/SKYPE4~1.DLL
O20 - Winlogon Notify: hgdcy - hgdcy.dll (file missing)
O20 - Winlogon Notify: rpcc - C:/WINDOWS/System32/rpcc.dll
O20 - Winlogon Notify: yabbx - C:/WINDOWS/System32/yabbx.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:/WINDOWS/Qm+vZW5zYSA8SGFoYWhoYWFcLj4+Pg/command.exe (file missing)
O23 - Service: l2 - Unknown owner - C:/WINDOWS/system32/ll2.exe (file missing)
O23 - Service: mnew2win - Unknown owner - C:/WINDOWS/system32/mnew2win.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:/Program Files/Network Monitor/netmon.exe (file missing)
O23 - Service: Windows Network Security Management Service (nsms) - Unknown owner - C:/WINDOWS/system32/4.tmp (file missing)
O23 - Service: Windows Vista/NT Runtime Compatibility Service (ntrcs) - Unknown owner - C:/WINDOWS/NT/nrcs.exe (file missing)
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:/Program Files/PC Tools AntiVirus/PCTAVSvc.exe (file missing)
O23 - Service: Remote Map Manager - Unknown owner - C:/WINDOWS/system32/lssc.exe (file missing)
O23 - Service: Remote Reader Machine - Unknown owner - C:/WINDOWS/system32/ssmc.exe (file missing)
O23 - Service: Print Spooler Service (SpoolSvc213) - Unknown owner - C:/WINDOWS/System32/dior4f4vpjeytok.exe (file missing)
O23 - Service: Time Service (Time) - Unknown owner - C:/WINDOWS/System32/cjnr4r4eavqkfa.exe (file missing)
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:/WINDOWS/System32/wgareg.exe (file missing)
O23 - Service: Win32 Login Service (Win32 Login) - Unknown owner - C:/WINDOWS/win32logon.exe (file missing)
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:/WINDOWS/win32host.exe (file missing)

--
End of file - 11669 bytes


"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"updwebmin" = "c:\windows\system32\updwebmin.exe" [file not found]
"Win Tasks 32" = "wintasks32.exe" [file not found]
"ml34" = "C:\WINDOWS\system32\mlm4.exe" [file not found]
"MyWebSearch Email Plugin" = "C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe" ["MyWebSearch.com"]
"Komunikator" = "C:\Program Files\Tlen.pl\tlen.exe" [file not found]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"LimeWire Acceleration Patch" = ""D:\LimeWire\LimeWire Acceleration Patch\LimeWire Acceleration Patch.exe" -tray" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Microsoft Office Startup" = "expl0rer.exe" [file not found]
"Microsoft ? Windows Vista/NT Runtime Compatibility Service" = "C:\WINDOWS\NT\nrcs.exe" [file not found]
"SysTray" = "C:\Program Files\sueiixgf.exe" [file not found]
"updwebmin" = "c:\windows\system32\updwebmin.exe" [file not found]
"rpcc" = "rpcc.exe" [file not found]
"Windows Task Manager" = "c:\windows\system32\taskmgn.exe" [file not found]
"Windows Core Kernel Update" = "C:\WINDOWS\System32\win32bootcfg.exe" [file not found]
"msconfig38" = "mssvcc.exe" [file not found]
"secures23" = "mssecure.exe" [file not found]
"DRam prosesor" = "uwdzqwl.exe" [file not found]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"Microsoft ? Windows Network Security Management Service" = "C:\WINDOWS\system32\4.tmp" [file not found]
"Task Manager Win32" = "C:\WINDOWS\System32\taskmngr32.exe" [file not found]
"winsystems25" = "winsystems.exe" [file not found]
"msvcc25" = "svcchost.exe" [file not found]
"Win Tasks 32" = "wintasks32.exe" [file not found]
"ml34" = "C:\WINDOWS\system32\mlm4.exe" [file not found]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"My Web Search Bar" = "rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S" [MS]
"MyWebSearch Email Plugin" = "C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe" ["MyWebSearch.com"]
"Nero Pro" = "neropro.exe" [file not found]
"AdobeReaderPro" = "winzip.exe" [file not found]
"BearShare" = ""C:\Program Files\BearShare\BearShare.exe" /pause" [file not found]
"BearFlix" = ""C:\Program Files\BearFlix\bearflix.exe" /pause" [file not found]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"PCTAVApp" = ""C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN" [file not found]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
									   \StubPath   = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0347C33E-8762-4905-BF09-768834316C61}\(Default) = "HP Print Enhancer"
  -> {HKLM...CLSID} = "HP Print Enhancer"
				   \InProcServer32\(Default) = "C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll" ["Hewlett-Packard Co."]
{053F9267-DC04-4294-A72C-58F732D338C0}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "HP Print Clips"
				   \InProcServer32\(Default) = "C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll" ["Hewlett-Packard Co."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
				   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{07B18EA1-A523-4961-B6BB-170DE4475CCA}\(Default) = "mwsBar BHO"
  -> {HKLM...CLSID} = "mwsBar BHO"
				   \InProcServer32\(Default) = "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL" ["MyWebSearch.com"]
{20D57A66-F7DF-467d-907B-9B7F4A118AB7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
				   \InProcServer32\(Default) = "C:\WINDOWS\System32\hgdcy.dll" [file not found]
{295BA105-3506-4D25-B0DD-54346320BDC5}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "InfoDocReader Object"
				   \InProcServer32\(Default) = "C:\WINDOWS\System32\yabbx.dll" [file not found]
{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "UrlHelper Class"
				   \InProcServer32\(Default) = "C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
				   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9D8F2A20-4F84-48BE-818C-77E5B40B47D6}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
				   \InProcServer32\(Default) = "C:\WINDOWS\System32\xadeovns.dll" [file not found]
{A8B28872-3324-4CD2-8AA3-7D555C872D96}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "DeskbarBHO"
				   \InProcServer32\(Default) = "C:\Program Files\Deskbar\deskbar.dll" [file not found]
{CBCC61FA-0221-4ccc-B409-CEE865CACA3A}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "ToolBar888"
				   \InProcServer32\(Default) = "C:\Program Files\ToolBar888\MyToolBar.dll" [file not found]


  • 0

#2 ordynat

    Advanced user

  • 804 posts

Posted 12 08 2008 - 19:48

R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = c:/secure32.html
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = c:/secure32.html
R1 - HKLM/Software/Microsoft/Internet Explorer/Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Start Page = c:/secure32.html
R0 - HKLM/Software/Microsoft/Internet Explorer/Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Local Page = c:/secure32.html
R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Local Page = c:/secure32.html
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:/Program Files/Deskbar/deskbar.dll (file missing)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:/Program Files/MyWebSearch/SrchAstt/1.bin/MWSSRCAS.DLL (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:/WINDOWS/system32/4.tmp
F2 - REG:system.ini: UserInit=C:/WINDOWS/System32/userinit.exe,userinit.exe
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:/Program Files/MyWebSearch/bar/1.bin/MWSBAR.DLL
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:/WINDOWS/System32/hgdcy.dll (file missing)
O2 - BHO: InfoDocReader Object - {295BA105-3506-4D25-B0DD-54346320BDC5} - C:/WINDOWS/System32/yabbx.dll (file missing)
O2 - BHO: (no name) - {9D8F2A20-4F84-48BE-818C-77E5B40B47D6} - C:/WINDOWS/System32/xadeovns.dll (file missing)
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:/Program Files/Deskbar/deskbar.dll (file missing)
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:/Program Files/ToolBar888/MyToolBar.dll (file missing)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:/Program Files/ToolBar888/MyToolBar.dll (file missing)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:/Program Files/MyWebSearch/bar/1.bin/MWSBAR.DLL
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:/Program Files/BearShare Applications/BearShare MediaBar/BearShareMediaBar.dll
O4 - HKLM/../Run: [Microsoft Office Startup] expl0rer.exe
O4 - HKLM/../Run: [Microsoft ? Windows Vista/NT Runtime Compatibility Service] C:/WINDOWS/NT/nrcs.exe
O4 - HKLM/../Run: [SysTray] C:/Program Files/sueiixgf.exe
O4 - HKLM/../Run: [updwebmin] c:/windows/system32/updwebmin.exe
O4 - HKLM/../Run: [rpcc] rpcc.exe
O4 - HKLM/../Run: [Windows Task Manager] c:/windows/system32/taskmgn.exe
O4 - HKLM/../Run: [Windows Core Kernel Update] C:/WINDOWS/System32/win32bootcfg.exe
O4 - HKLM/../Run: [msconfig38] mssvcc.exe
O4 - HKLM/../Run: [secures23] mssecure.exe
O4 - HKLM/../Run: [DRam prosesor] uwdzqwl.exe
O4 - HKLM/../Run: [KernelFaultCheck] %systemroot%/system32/dumprep 0 -k
O4 - HKLM/../Run: [Microsoft ? Windows Network Security Management Service] C:/WINDOWS/system32/4.tmp
O4 - HKLM/../Run: [Task Manager Win32] C:/WINDOWS/System32/taskmngr32.exe
O4 - HKLM/../Run: [winsystems25] winsystems.exe
O4 - HKLM/../Run: [msvcc25] svcchost.exe
O4 - HKLM/../Run: [Win Tasks 32] wintasks32.exe
O4 - HKLM/../Run: [ml34] C:/WINDOWS/system32/mlm4.exe
O4 - HKLM/../Run: [My Web Search Bar] rundll32 C:/PROGRA~1/MYWEBS~1/bar/1.bin/MWSBAR.DLL,S
O4 - HKLM/../Run: [MyWebSearch Email Plugin] C:/PROGRA~1/MYWEBS~1/bar/1.bin/mwsoemon.exe
O4 - HKLM/../Run: [Nero Pro] neropro.exe
O4 - HKLM/../Run: [AdobeReaderPro] winzip.exe
O4 - HKLM/../Run: [BearShare] "C:/Program Files/BearShare/BearShare.exe" /pause
O4 - HKLM/../Run: [BearFlix] "C:/Program Files/BearFlix/bearflix.exe" /pause
O4 - HKLM/../Run: [PCTAVApp] "C:/Program Files/PC Tools AntiVirus/PCTAV.exe" /MONITORSCAN
O4 - HKLM/../RunServices: [Microsoft Office Startup] expl0rer.exe
O4 - HKLM/../RunServices: [updwebmin] c:/windows/system32/updwebmin.exe
O4 - HKLM/../RunServices: [msconfig38] mssvcc.exe
O4 - HKLM/../RunServices: [secures23] mssecure.exe
O4 - HKLM/../RunServices: [DRam prosesor] uwdzqwl.exe
O4 - HKLM/../RunServices: [winsystems25] winsystems.exe
O4 - HKLM/../RunServices: [msvcc25] svcchost.exe
O4 - HKLM/../RunServices: [Win Tasks 32] wintasks32.exe
O4 - HKLM/../RunServices: [Nero Pro] neropro.exe
O4 - HKLM/../RunServices: [AdobeReaderPro] winzip.exe
O4 - HKCU/../Run: [updwebmin] c:/windows/system32/updwebmin.exe
O4 - HKCU/../Run: [Win Tasks 32] wintasks32.exe
O4 - HKCU/../Run: [ml34] C:/WINDOWS/system32/mlm4.exe
O4 - HKCU/../Run: [MyWebSearch Email Plugin] C:/PROGRA~1/MYWEBS~1/bar/1.bin/mwsoemon.exe
O4 - HKUS/S-1-5-18/../Run: [Win Tasks 32] wintasks32.exe (User 'SYSTEM')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZJfox000
O4 - HKCU/../Run: [Komunikator] C:/Program Files/Tlen.pl/tlen.exe
O4 - HKCU/../Run: [LimeWire Acceleration Patch] "D:/LimeWire/LimeWire Acceleration Patch/LimeWire Acceleration Patch.exe" -tray
O20 - Winlogon Notify: hgdcy - hgdcy.dll (file missing)
O20 - Winlogon Notify: rpcc - C:/WINDOWS/System32/rpcc.dll
O20 - Winlogon Notify: yabbx - C:/WINDOWS/System32/yabbx.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:/WINDOWS/Qm+vZW5zYSA8SGFoYWhoYWFcLj4+Pg/command.exe (file missing)
O23 - Service: l2 - Unknown owner - C:/WINDOWS/system32/ll2.exe (file missing)
O23 - Service: mnew2win - Unknown owner - C:/WINDOWS/system32/mnew2win.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:/Program Files/Network Monitor/netmon.exe (file missing)
O23 - Service: Windows Network Security Management Service (nsms) - Unknown owner - C:/WINDOWS/system32/4.tmp (file missing)
O23 - Service: Windows Vista/NT Runtime Compatibility Service (ntrcs) - Unknown owner - C:/WINDOWS/NT/nrcs.exe (file missing)
O23 - Service: Remote Map Manager - Unknown owner - C:/WINDOWS/system32/lssc.exe (file missing)
O23 - Service: Remote Reader Machine - Unknown owner - C:/WINDOWS/system32/ssmc.exe (file missing)
O23 - Service: Print Spooler Service (SpoolSvc213) - Unknown owner - C:/WINDOWS/System32/dior4f4vpjeytok.exe (file missing)
O23 - Service: Time Service (Time) - Unknown owner - C:/WINDOWS/System32/cjnr4r4eavqkfa.exe (file missing)
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:/WINDOWS/System32/wgareg.exe (file missing)
O23 - Service: Win32 Login Service (Win32 Login) - Unknown owner - C:/WINDOWS/win32logon.exe (file missing)
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:/WINDOWS/win32host.exe (file missing)


What cluttered logs!
Fix the entries listed above in HijackThis:
>>Hijack>>Scan (Do a system scan only)>>check them>>Fix checked.

The file marked in red - to be deleted!

Post a log from ComboFix:
(choose one)
-->ComboFix
-->ComboFix.
-->ComboFix.
Instructions for using ComboFix are at the bottom of the linked page.

ordynat

  • 0
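An added example, not HijackThis, ComboFix or anything the posters in this thread ran: a small Python triage script that applies the same kind of checks the reply above made by hand to HJT log lines. The heuristics, the SYSTEM_BINARIES list and the sample lines (copied from the log posted above) are this example's own assumptions.

```python
"""Triage heuristics for HijackThis (HJT) log lines.
Added example for this thread, not a tool the posters used; the heuristics,
SYSTEM_BINARIES and SAMPLE_LOG are this example's own assumptions."""
import re
from typing import List, Optional, Tuple

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_ENTRY = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
MISSING = "(file missing)"
# Names the typo-squat check compares against (assumed, deliberately short).
SYSTEM_BINARIES = ("explorer.exe", "svchost.exe", "taskmgr.exe", "lsass.exe",
                   "winlogon.exe", "services.exe", "userinit.exe", "spoolsv.exe")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot names one typo away from a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(path: str) -> Optional[str]:
    """Return the system binary a file name imitates (edit distance exactly 1), else None."""
    base = re.split(r"[\\/]", path.strip())[-1].lower()
    for real in SYSTEM_BINARIES:
        if base != real and _edit_distance(base, real) == 1:
            return real
    return None


def _o4_target(body: str) -> str:
    """Executable launched by an O4 entry, without quotes, arguments or the (User '...') suffix."""
    m = O4_ENTRY.match(body)
    if not m:
        return ""  # Startup-folder entries ("name.lnk = path") are not checked here
    target = re.sub(r"\s*\(User '[^']*'\)$", "", m.group("target")).strip()
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target.split(" ", 1)[0]


def classify(line: str) -> List[str]:
    """Reasons one HJT entry looks suspicious; an empty list means nothing was flagged."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons: List[str] = []
    target = ""
    if MISSING in body:
        reasons.append("referenced file is missing (orphaned entry)")
    if sec in ("R0", "R1") and re.search(r"=\s*[a-z]:[\\/]", body, re.I):
        reasons.append("IE page setting points at a local file")
    if sec == "F2" and body.startswith("REG:system.ini: Shell="):
        if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
            reasons.append("Shell= launches something besides Explorer.exe")
    if sec == "O4":
        target = _o4_target(body)
        if target and not re.search(r"[\\/]", target):
            reasons.append("autostart target is a bare file name resolved via the search path")
        if target.lower().endswith(".tmp"):
            reasons.append("autostart target is a .tmp file")
    if sec == "O23":
        target = body.rsplit(" - ", 1)[-1].replace(MISSING, "").strip()
        if " - Unknown owner - " in body:
            reasons.append("service binary carries no company name")
    real = lookalike_of(target) if target else None
    if real:
        reasons.append(f"file name is one character away from {real}")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Run classify() over a whole log; returns (section, reason, line) per flagged reason."""
    findings = []
    for raw in log_text.splitlines():
        for reason in classify(raw):
            findings.append((HJT_LINE.match(raw.strip()).group("sec"), reason, raw.strip()))
    return findings


# Constructed sample: a handful of lines taken from the log posted in this thread.
SAMPLE_LOG = """\
R1 - HKCU/Software/Microsoft/Internet Explorer/Main,Default_Page_URL = c:/secure32.html
R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Start Page = http://search.bearshare.com/pl/
F2 - REG:system.ini: Shell=Explorer.exe C:/WINDOWS/system32/4.tmp
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:/WINDOWS/System32/hgdcy.dll (file missing)
O4 - HKLM/../Run: [Windows Task Manager] c:/windows/system32/taskmgn.exe
O4 - HKLM/../Run: [Microsoft Office Startup] expl0rer.exe
O4 - HKLM/../Run: [Microsoft ? Windows Network Security Management Service] C:/WINDOWS/system32/4.tmp
O4 - HKLM/../Run: [KernelFaultCheck] %systemroot%/system32/dumprep 0 -k
O4 - HKLM/../Run: [SunJavaUpdateSched] "C:/Program Files/Java/jre1.5.0_10/bin/jusched.exe"
O4 - HKUS/S-1-5-18/../Run: [Win Tasks 32] wintasks32.exe (User 'SYSTEM')
O23 - Service: Time Service (Time) - Unknown owner - C:/WINDOWS/System32/cjnr4r4eavqkfa.exe (file missing)
"""
```

Running `triage(SAMPLE_LOG)` flags ten reasons across the R1, F2, O2, O4 and O23 lines and leaves the KernelFaultCheck, Java updater and BearShare start-page lines alone; anything it flags still needs a human look, since the checks are lexical only.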

#3 karolkuich

    Beginner

  • 141 posts

Posted 12 08 2008 - 19:54

This doesn't look good. There's a fair amount of it, so let's start with the automated tools:

1. http://cybertrash.pl/Tata/TESTY/Dr.Web%20C...%20CureIt_.html
2. http://cybertrash.pl/images/tata/SDFix.html
3. http://cybertrash.pl/Tata/MBAM/Malwarebyte...ti-Malware.html
And at the end: paste a log from ComboFix

EDIT I posted almost at the same time as Ordynat, so it's not spam... :) Follow Ordynat's instructions, skip mine. xD
  • 0

#4 jack64vp

    Beginner

  • 40 posts

Posted 16 08 2008 - 12:56

Thanks a lot for the replies, sorry I didn't write for so long, but the computer isn't mine; I'm pasting the ComboFix log and waiting for further instructions, regards.

ComboFix 08-08-15.03 - Administrator 2008-08-16 12:30:06.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1250.1.1045.18.249 [GMT 2:00]
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
ADS - system32: deleted 68524 bytes in 1 streams.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[1].txt
C:\Documents and Settings\Administrator\Dane aplikacji\FunWebProducts
C:\Documents and Settings\Administrator\Dane aplikacji\FunWebProducts\Data\Administrator\avatar.dat
C:\Documents and Settings\Administrator\Dane aplikacji\searchtoolbarcorp
C:\Documents and Settings\Administrator\Dane aplikacji\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
C:\Documents and Settings\Administrator\Dane aplikacji\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
C:\Documents and Settings\LocalService\Dane aplikacji\NetMon
C:\Documents and Settings\LocalService\Dane aplikacji\NetMon\domains.txt
C:\Documents and Settings\LocalService\Dane aplikacji\NetMon\log.txt
C:\Program Files\Common Files\{FCCB8~1
C:\Program Files\Common Files\inetget
C:\Program Files\cowabanga
C:\Program Files\cowabanga\License.txt
C:\Program Files\deskbar
C:\Program Files\deskbar\basis.xml
C:\Program Files\deskbar\deskbar.crc
C:\Program Files\deskbar\deskbar.inf
C:\Program Files\deskbar\icons.bmp
C:\Program Files\deskbar\inst.bat
C:\Program Files\deskbar\mbback.bmp
C:\Program Files\deskbar\mbbigopen.bmp
C:\Program Files\deskbar\mbclose.bmp
C:\Program Files\deskbar\mbfwd.bmp
C:\Program Files\deskbar\mblogo.bmp
C:\Program Files\deskbar\mbsep.bmp
C:\Program Files\deskbar\options.html
C:\Program Files\deskbar\softomate.gif
C:\Program Files\deskbar\version.txt
C:\Program Files\dns
C:\Program Files\dns\affid.dat
C:\Program Files\dns\cwebpage.dll
C:\Program Files\dns\uid.dat
C:\Program Files\dns\urls.dat
C:\Program Files\dns\version.txt
C:\Program Files\dns\x.bmp
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.htmlx
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.htmlx
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\History\search
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\close.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common-x.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\htmlctrl.js
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\include.js
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\index.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loading.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\login.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\logo.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\unmax.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\wardrobe.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\window.ico
C:\Program Files\MyWebSearch\bar\Cache\00025760
C:\Program Files\MyWebSearch\bar\Cache\00073396
C:\Program Files\MyWebSearch\bar\Cache\0008E5E2
C:\Program Files\MyWebSearch\bar\Cache\004C33A8.bin
C:\Program Files\MyWebSearch\bar\Cache\004C3A09.bin
C:\Program Files\MyWebSearch\bar\Cache\004C3C94.bin
C:\Program Files\MyWebSearch\bar\Cache\004C4041.bin
C:\Program Files\MyWebSearch\bar\Cache\00B478E2.bin
C:\Program Files\MyWebSearch\bar\Cache\00B4AFA7.bin
C:\Program Files\MyWebSearch\bar\Cache\00B4E67F.bin
C:\Program Files\MyWebSearch\bar\Cache\00B530D2.bin
C:\Program Files\MyWebSearch\bar\Cache\00B57367.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\network monitor
C:\Program Files\toolbar888
C:\Program Files\toolbar888\Uninst.exe
C:\Program Files\vsadd-in
C:\Program Files\windows
C:\WINDOWS\adaway.lic
C:\WINDOWS\dh.ini
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\keyboard12.exe
C:\WINDOWS\keyboard191.dat
C:\WINDOWS\keyboard91.dat
C:\WINDOWS\mousepad12.exe
C:\WINDOWS\newname.dat
C:\WINDOWS\Qm+vZW5zYSA8SGFoYWhoYWFcLj4+Pg\
C:\WINDOWS\Qm+vZW5zYSA8SGFoYWhoYWFcLj4+Pg\\kA7StqcWsmEfm3ICsq1CsqIwM3b7j0.vbs
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\beryqtsd.ini
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\gfktacke.ini
C:\WINDOWS\system32\haiyftcq.ini
C:\WINDOWS\system32\hgjtssbb.ini
C:\WINDOWS\system32\jiettsbc.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pkxafmxy.ini
C:\WINDOWS\system32\qttwekeq.ini
C:\WINDOWS\system32\recsl.exe
C:\WINDOWS\system32\rpcc.dll
C:\WINDOWS\system32\setup.ini
C:\WINDOWS\system32\uhsyxqud.ini
C:\WINDOWS\system32\wfhjxmas.ini
C:\WINDOWS\system32\X64
C:\WINDOWS\system32\X64\ITEXP64.exe
C:\WINDOWS\system32\X64\K8M800XP64.exe
C:\WINDOWS\system32\X64\readme.txt
C:\WINDOWS\system32\X64\SII3114ATAXP64.exe
C:\WINDOWS\system32\X64\SII3114RAIDXP64.exe
C:\WINDOWS\system32\xbbay.bak1
C:\WINDOWS\system32\xbbay.bak2
C:\WINDOWS\system32\xbbay.ini
C:\WINDOWS\system32\xbbay.ini2
C:\WINDOWS\system32\xbbay.tmp
C:\WINDOWS\system32\ycsfmbhj.ini
C:\WINDOWS\teller2.chk
C:\WINDOWS\uninstall_nmon.vbs

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_DOMAINSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_NTIO256
-------\Service_cmdService
-------\Service_Network Monitor
-------\Service_ntio256


(((((((((((((((((((((((((   Files Created from 2008-07-16 to 2008-08-16  )))))))))))))))))))))))))))))))
.

2008-08-13 13:54 . 2008-08-13 13:54	<DIR>	d--------	C:\Program Files\Google
2008-08-13 13:53 . 2008-08-13 13:57	<DIR>	d--------	C:\Program Files\Picasa2
2008-08-12 17:47 . 2008-08-12 17:48	<DIR>	d--------	C:\Program Files\a-squared HiJackFree

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 07:40	---------	d-----w	C:\Documents and Settings\Administrator\Dane aplikacji\Skype
2008-08-12 15:49	---------	d-----w	C:\Program Files\Trend Micro
2007-10-13 14:51	17,144	----a-w	C:\Documents and Settings\Administrator\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-02-20 11:02	31	----a-w	C:\Documents and Settings\Administrator\getfile.dat
2007-01-10 02:58	16	----a-w	C:\Documents and Settings\Administrator\fdfg.exe
2006-10-22 15:55	102,400	----a-w	C:\Documents and Settings\ASIA\ccaap.exe
2006-10-13 16:52	7,168	----a-w	C:\Documents and Settings\ASIA\v91.exe
2006-10-07 22:20	67,584	----a-w	C:\Documents and Settings\ASIA\yb2.exe
2006-08-17 12:52	62,436	----a-w	C:\Documents and Settings\ASIA\woa32.exe
2006-08-17 12:52	40,656	----a-w	C:\Documents and Settings\ASIA\tam32.exe
2006-08-16 13:49	38,913	----a-w	C:\Documents and Settings\ASIA\lat.exe
2006-07-16 15:02	31	----a-w	C:\Documents and Settings\ASIA\getfile.dat
2006-05-13 16:39	52,933	----a-w	C:\Documents and Settings\ASIA\ch32.exe
2006-04-08 14:13	32	----a-w	C:\Documents and Settings\ASIA\x.bat
2006-10-09 14:18	2,048	--sh--w	C:\WINDOWS\system32\helperl1svchost.exe
2006-11-13 14:57	2,048	--sh--w	C:\WINDOWS\system32\helperl4svchost.exe
2006-06-24 15:08	2,048	--sh--w	C:\WINDOWS\system32\helperll6.exe
2006-05-21 08:45	2,048	--sh--w	C:\WINDOWS\system32\helpermnew2win.exe
.

------- Sigcheck -------

2002-09-20 19:05  23040  4187d9d4d94fcd138ce9ae352d5a9f3c	C:\WINDOWS\system32\ctfmon.exe
2002-09-20 19:05  23040  07f4a458e913beb87f1b75bc99987efd	C:\WINDOWS\system32\dllcache\ctfmon.exe

2002-09-20 19:05  152064  23c0106b37d81b6e2606b500677e9061	C:\WINDOWS\system32\wuauclt.exe
2002-09-20 19:05  152064  b42ad01455d2c18351b95d45c813b1ad	C:\WINDOWS\system32\dllcache\wuauclt.exe

2002-09-20 19:05  32256  0d55bb6aec2e7361cad1d396b98f5a35	C:\WINDOWS\system32\userinit.exe
2002-09-20 19:05  32256  edbe5fd297b5fdae18c2e29a3b9f1ad9	C:\WINDOWS\system32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45080112-43D4-4B43-A8BC-7F1DFBFDCEAF}]
2008-08-16 12:43	3584	--a------	C:\WINDOWS\System32\MYBHO.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2007-12-02 16:13	394680	--a------	C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-08-06 10:45 877568]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 49263]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 19:05 23040]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 08:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Time]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-01-29 16:51 25451048 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-11-21 19:38 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"firewalldisableoverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"wmssvc.exe"= wmssvc.exe:SYSTEM

R2 NET Service;NET Service;C:\WINDOWS\wmssvc.exe [2008-08-16 12:43]
S2 DP1112;DP1112;C:\WINDOWS\System32\Drivers\DP.sys []
S2 nsms;Windows Network Security Management Service;C:\WINDOWS\system32\4.tmp []
S2 ntrcs;Windows Vista/NT Runtime Compatibility Service;C:\WINDOWS\NT\nrcs.exe []
S2 SpoolSvc213;Print Spooler Service;C:\WINDOWS\System32\dior4f4vpjeytok.exe []
S2 Time;Time Service;C:\WINDOWS\System32\cjnr4r4eavqkfa.exe []
S2 wgareg;Windows Genuine Advantage Registration Service;C:\WINDOWS\System32\wgareg.exe []
S2 Win32 Login;Win32 Login Service;C:\WINDOWS\win32logon.exe []
S2 Win32Kernel;Win32 Kernel Update;C:\WINDOWS\win32host.exe []
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\System32\DRIVERS\KS-959.sys [2005-10-09 05:26]
S3 WTime;WTime;C:\WINDOWS\System32\timedrv26.sys []
S4 l2;l2;C:\WINDOWS\system32\ll2.exe []
S4 mnew2win;mnew2win;C:\WINDOWS\system32\mnew2win.exe []
S4 Remote Map Manager;Remote Map Manager;C:\WINDOWS\system32\lssc.exe []
S4 Remote Reader Machine;Remote Reader Machine;C:\WINDOWS\system32\ssmc.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc

*Newly Created Service* - IPNAT
*Newly Created Service* - NET_SERVICE
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Gadu-Gadu - C:\Program Files\Gadu-Gadu\gg.exe
HKU-Default-Run-Printer - C:\WINDOWS\System32\vmmon32.exe
HKU-Default-Run-zomq - C:\PROGRA~1\COMMON~1\zomq\zomqm.exe
MSConfigStartUp-BearShare - C:\Program Files\BearShare\BearShare.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\nj48p0v6.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-16 12:38:02
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes ... 

C:\WINDOWS\wmssvc.exe [1380] 0x829E03C0
C:\WINDOWS\wuaucpl.exe [2836] 0x826244E0
scanning hidden autostart entries ...

scanning hidden files ... 


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nsms]
"ImagePath"="C:\WINDOWS\system32\4.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\mrofinu1001186.exexe
.
**************************************************************************
.
Completion time: 2008-08-16 12:46:18 - machine was rebooted
ComboFix-quarantined-files.txt  2008-08-16 10:45:11

Pre-Run: 5,748,625,408 bajtów wolnych
Post-Run: 6,254,682,112 bajtów wolnych

331

  • 0

#5 ordynat

ordynat

    Advanced user

  • 804 posts

Posted 16 08 2008 - 13:36

There were so many infections here - rootkits, VUNDO, some stream attached to the System folder, and so on!

Paste into Notepad:
File::
C:\WINDOWS\system32\4.tmp
C:\WINDOWS\mrofinu1001186.exexe
C:\WINDOWS\wmssvc.exe
C:\WINDOWS\System32\MYBHO.DLL
C:\WINDOWS\wuaucpl.exe
C:\Documents and Settings\Administrator\fdfg.exe
C:\Documents and Settings\ASIA\ccaap.exe
C:\Documents and Settings\ASIA\v91.exe
C:\Documents and Settings\ASIA\yb2.exe
C:\Documents and Settings\ASIA\woa32.exe
C:\Documents and Settings\ASIA\tam32.exe
C:\Documents and Settings\ASIA\lat.exe
C:\Documents and Settings\ASIA\ch32.exe
C:\Documents and Settings\ASIA\x.bat
C:\WINDOWS\system32\helperl1svchost.exe
C:\WINDOWS\system32\helperl4svchost.exe
C:\WINDOWS\system32\helperll6.exe
C:\WINDOWS\system32\helpermnew2win.exe

Driver::
nsms
"NET Service"
DP1112
ntrcs
SpoolSvc213
Time
wgareg
Win32 Login
Win32Kernel
WTime
l2
mnew2win
"Remote Map Manager"
"Remote Reader Machine"

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nsms]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"wmssvc.exe"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Time]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45080112-43D4-4B43-A8BC-7F1DFBFDCEAF}]
>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto ComboFix.exe
--> Attached image
Removal should start (and a log will be produced).
Post the log that is produced during the removal.
After the restart, manually delete the C:\Qoobox folder.

ordynat
  • 0

#6 jack64vp

jack64vp

    Beginner

  • 40 posts

Posted 17 08 2008 - 17:49

Many thanks, I'm pasting the log and waiting for further instructions. Regards

ComboFix 08-08-16.01 - Administrator 2008-08-17 17:07:02.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1250.1.1045.18.107 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Administrator\fdfg.exe
C:\Documents and Settings\ASIA\ccaap.exe
C:\Documents and Settings\ASIA\ch32.exe
C:\Documents and Settings\ASIA\lat.exe
C:\Documents and Settings\ASIA\tam32.exe
C:\Documents and Settings\ASIA\v91.exe
C:\Documents and Settings\ASIA\woa32.exe
C:\Documents and Settings\ASIA\x.bat
C:\Documents and Settings\ASIA\yb2.exe
C:\WINDOWS\mrofinu1001186.exexe
C:\WINDOWS\system32\4.tmp
C:\WINDOWS\system32\helperl1svchost.exe
C:\WINDOWS\system32\helperl4svchost.exe
C:\WINDOWS\system32\helperll6.exe
C:\WINDOWS\system32\helpermnew2win.exe
C:\WINDOWS\System32\MYBHO.DLL
C:\WINDOWS\wmssvc.exe
C:\WINDOWS\wuaucpl.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Dane aplikacji\Microsoft\SystemCertificates\My
C:\Documents and Settings\Administrator\fdfg.exe
C:\Documents and Settings\ASIA\ccaap.exe
C:\Documents and Settings\ASIA\ch32.exe
C:\Documents and Settings\ASIA\Dane aplikacji\Microsoft\SystemCertificates\My
C:\Documents and Settings\ASIA\lat.exe
C:\Documents and Settings\ASIA\tam32.exe
C:\Documents and Settings\ASIA\v91.exe
C:\Documents and Settings\ASIA\woa32.exe
C:\Documents and Settings\ASIA\x.bat
C:\Documents and Settings\ASIA\yb2.exe
C:\Documents and Settings\LocalService\Dane aplikacji\Microsoft\SystemCertificates\My
C:\Documents and Settings\NetworkService\Dane aplikacji\Microsoft\SystemCertificates\My
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\ppatch~1\??pPatch\
C:\Program Files\Common Files\ppatch~1\fast.exe
C:\Program Files\Common Files\Yazzle1560OinAdmin.exe
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe
C:\Program Files\inetget2
C:\WINDOWS\17PHolmes1001186.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\mrofinu1001186.exe.tmp
C:\WINDOWS\system32\ciadmi.dll
C:\WINDOWS\system32\helperl1svchost.exe
C:\WINDOWS\system32\helperl4svchost.exe
C:\WINDOWS\system32\helperll6.exe
C:\WINDOWS\system32\helpermnew2win.exe
C:\WINDOWS\System32\MYBHO.DLL
C:\WINDOWS\wmssvc.exe
C:\WINDOWS\wuaucpl.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DP1112
-------\Legacy_L2
-------\Legacy_MNEW2WIN
-------\Legacy_NET_SERVICE
-------\Legacy_NSMS
-------\Legacy_NTRCS
-------\Legacy_REMOTE_MAP_MANAGER
-------\Legacy_REMOTE_READER_MACHINE
-------\Legacy_SPOOLSVC213
-------\Legacy_TIME
-------\Legacy_WGAREG
-------\Legacy_WIN32KERNEL
-------\Legacy_WIN32_LOGIN
-------\Legacy_WTIME
-------\Service_DP1112
-------\Service_l2
-------\Service_mnew2win
-------\Service_NET Service
-------\Service_nsms
-------\Service_ntrcs
-------\Service_Remote Map Manager
-------\Service_Remote Reader Machine
-------\Service_SpoolSvc213
-------\Service_Time
-------\Service_wgareg
-------\Service_Win32 Login
-------\Service_Win32Kernel
-------\Service_WTime


(((((((((((((((((((((((((   Files Created from 2008-07-17 to 2008-08-17  )))))))))))))))))))))))))))))))
.

2008-08-16 12:44 . 2008-08-16 12:44	46,080	--ah-----	C:\WINDOWS\system32\zkumy.exe
2008-08-16 12:43 . 2008-08-16 12:43	0	--a------	C:\WINDOWS\system32\B.tmp
2008-08-13 13:54 . 2008-08-13 13:54	<DIR>	d--------	C:\Program Files\Google
2008-08-13 13:53 . 2008-08-13 13:57	<DIR>	d--------	C:\Program Files\Picasa2
2008-08-12 17:47 . 2008-08-12 17:48	<DIR>	d--------	C:\Program Files\a-squared HiJackFree

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-17 13:54	---------	d-----w	C:\Program Files\Tlen.pl
2008-08-16 14:35	---------	d-----w	C:\Documents and Settings\Administrator\Dane aplikacji\Skype
2008-08-12 15:49	---------	d-----w	C:\Program Files\Trend Micro
2007-10-13 14:51	17,144	----a-w	C:\Documents and Settings\Administrator\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-02-20 11:02	31	----a-w	C:\Documents and Settings\Administrator\getfile.dat
2006-07-16 15:02	31	----a-w	C:\Documents and Settings\ASIA\getfile.dat
.

------- Sigcheck -------

2002-09-20 19:05  1015296  925387582296260489564ae2aa284322	C:\WINDOWS\explorer.exe
2002-09-20 19:05  1015296  1a99a4e504e5cbaa19d554b42f034594	C:\WINDOWS\system32\dllcache\explorer.exe

2002-09-20 19:05  23040  4187d9d4d94fcd138ce9ae352d5a9f3c	C:\WINDOWS\system32\ctfmon.exe
2002-09-20 19:05  23040  07f4a458e913beb87f1b75bc99987efd	C:\WINDOWS\system32\dllcache\ctfmon.exe

2002-09-20 19:05  152064  23c0106b37d81b6e2606b500677e9061	C:\WINDOWS\system32\wuauclt.exe
2002-09-20 19:05  152064  b42ad01455d2c18351b95d45c813b1ad	C:\WINDOWS\system32\dllcache\wuauclt.exe

2002-09-20 19:05  32256  0d55bb6aec2e7361cad1d396b98f5a35	C:\WINDOWS\system32\userinit.exe
2002-09-20 19:05  32256  edbe5fd297b5fdae18c2e29a3b9f1ad9	C:\WINDOWS\system32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((   snapshot@2008-08-16_12.43.41.67   )))))))))))))))))))))))))))))))))))))))))
.
- 2003-05-11 14:26:44	89,600	-c----w	C:\WINDOWS\$NtUninstallKB822603$\spuninst\spuninst.exe
+ 2003-05-11 14:26:44	99,328	-c----w	C:\WINDOWS\$NtUninstallKB822603$\spuninst\spuninst.exe
- 2005-10-20 18:02:28	163,328	----a-w	C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-20 18:02:28	173,056	----a-w	C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2005-10-20 18:02:28	163,328	----a-w	C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2005-10-20 18:02:28	173,056	----a-w	C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2002-09-20 17:05:48	249,856	----a-w	C:\WINDOWS\inf\unregmp2.exe
+ 2002-09-20 17:05:48	262,144	----a-w	C:\WINDOWS\inf\unregmp2.exe
- 2007-10-23 00:59:17	167,936	----a-r	C:\WINDOWS\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2007-10-23 00:59:17	180,224	----a-r	C:\WINDOWS\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2007-10-23 00:59:17	2,560	----a-r	C:\WINDOWS\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2007-10-23 00:59:17	12,288	----a-r	C:\WINDOWS\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2007-10-23 00:59:17	81,920	----a-r	C:\WINDOWS\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2007-10-23 00:59:17	94,208	----a-r	C:\WINDOWS\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\fpicon.exe
- 2007-10-23 00:59:17	34,304	----a-r	C:\WINDOWS\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2007-10-23 00:59:17	44,032	----a-r	C:\WINDOWS\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2007-10-23 00:59:17	114,688	----a-r	C:\WINDOWS\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2007-10-23 00:59:17	126,976	----a-r	C:\WINDOWS\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2007-10-23 00:59:17	30,720	----a-r	C:\WINDOWS\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2007-10-23 00:59:17	40,448	----a-r	C:\WINDOWS\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2007-10-23 00:59:16	45,056	----a-r	C:\WINDOWS\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2007-10-23 00:59:16	57,344	----a-r	C:\WINDOWS\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2007-10-23 00:59:16	90,112	----a-r	C:\WINDOWS\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2007-10-23 00:59:16	102,400	----a-r	C:\WINDOWS\Installer\{90280415-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2002-01-02 18:34:42	63,488	----a-w	C:\WINDOWS\LastGood.Tmp\System32\amstream.dll
+ 2002-09-20 17:03:38	1,180,672	----a-w	C:\WINDOWS\LastGood.Tmp\System32\d3d8.dll
+ 2002-01-02 18:34:52	8,192	----a-w	C:\WINDOWS\LastGood.Tmp\System32\d3d8thk.dll
+ 2002-01-02 18:34:52	436,224	----a-w	C:\WINDOWS\LastGood.Tmp\System32\d3dim.dll
+ 2002-01-02 18:34:52	791,040	----a-w	C:\WINDOWS\LastGood.Tmp\System32\d3dim700.dll
+ 2002-01-02 18:34:52	34,816	----a-w	C:\WINDOWS\LastGood.Tmp\System32\d3dpmesh.dll
+ 2002-01-02 18:34:52	590,336	----a-w	C:\WINDOWS\LastGood.Tmp\System32\d3dramp.dll
+ 2002-01-02 18:34:52	350,208	----a-w	C:\WINDOWS\LastGood.Tmp\System32\d3drm.dll
+ 2002-01-02 18:34:52	47,616	----a-w	C:\WINDOWS\LastGood.Tmp\System32\d3dxof.dll
+ 2002-09-20 17:03:40	253,440	----a-w	C:\WINDOWS\LastGood.Tmp\System32\ddraw.dll
+ 2002-01-02 18:34:54	24,064	----a-w	C:\WINDOWS\LastGood.Tmp\System32\ddrawex.dll
+ 2002-01-02 18:34:54	51,712	----a-w	C:\WINDOWS\LastGood.Tmp\System32\devenum.dll
+ 2002-01-02 18:34:54	394,752	----a-w	C:\WINDOWS\LastGood.Tmp\System32\diactfrm.dll
+ 2002-01-02 18:34:54	44,032	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dimap.dll
+ 2002-09-20 17:03:40	156,160	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dinput.dll
+ 2002-09-20 17:03:40	173,056	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dinput8.dll
+ 2002-12-11 23:14:32	64,512	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\amstream.dll
+ 2004-07-09 03:27:28	1,201,152	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\d3d8.dll
+ 2002-12-11 23:14:32	8,192	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\d3d8thk.dll
+ 2002-01-02 18:34:52	436,224	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\d3dim.dll
+ 2003-05-30 08:00:02	797,184	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\d3dim700.dll
+ 2002-01-02 18:34:52	34,816	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\d3dpmesh.dll
+ 2002-01-02 18:34:52	590,336	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\d3dramp.dll
+ 2002-01-02 18:34:52	350,208	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\d3drm.dll
+ 2002-01-02 18:34:52	47,616	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\d3dxof.dll
+ 2004-07-09 03:27:28	292,864	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\ddraw.dll
+ 2002-12-11 23:14:32	24,064	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\ddrawex.dll
+ 2002-01-02 18:34:54	51,712	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\devenum.dll
+ 2002-01-02 18:34:54	394,752	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\diactfrm.dll
+ 2002-01-02 18:34:54	44,032	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dimap.dll
+ 2002-09-20 17:03:40	156,160	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dinput.dll
+ 2002-09-20 17:03:40	173,056	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dinput8.dll
+ 2002-12-11 23:14:32	27,136	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dmband.dll
+ 2002-12-11 23:14:32	58,368	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dmcompos.dll
+ 2004-07-09 03:27:28	181,248	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dmime.dll
+ 2002-12-11 23:14:32	33,280	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dmloader.dll
+ 2002-12-11 23:14:32	76,800	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dmscript.dll
+ 2002-12-11 23:14:32	98,816	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dmstyle.dll
+ 2002-12-11 23:14:32	100,864	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dmsynth.dll
+ 2004-07-09 03:27:28	122,880	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dmusic.dll
+ 2002-12-11 23:14:32	28,160	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dplaysvr.exe
+ 2004-07-09 03:27:28	230,400	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dplayx.dll
+ 2002-12-11 23:14:32	77,824	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dpmodemx.dll
+ 2002-12-11 23:14:32	3,072	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dpnaddr.dll
+ 2002-12-11 23:14:32	723,968	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dpnet.dll
+ 2003-03-24 08:00:02	32,768	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dpnhpast.dll
+ 2002-09-20 17:03:40	56,320	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dpnhupnp.dll
+ 2002-12-11 23:14:32	3,072	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dpnlobby.dll
+ 2002-12-11 23:14:32	16,896	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dpnsvr.exe
+ 2002-12-11 23:14:32	19,968	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dpvacm.dll
+ 2002-12-11 23:14:32	381,952	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dpvoice.dll
+ 2002-12-11 23:14:32	80,896	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dpvsetup.exe
+ 2002-12-11 23:14:32	112,128	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dpvvox.dll
+ 2004-07-09 03:27:28	79,360	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dpwsockx.dll
+ 2002-12-11 23:14:32	186,880	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dsdmo.dll
+ 2002-12-11 23:14:32	491,520	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dsdmoprp.dll
+ 2002-01-02 18:35:12	338,944	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dsound.dll
+ 2002-12-11 23:14:32	1,294,336	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dsound3d.dll
+ 2002-12-11 23:14:32	18,432	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dswave.dll
+ 2002-12-11 23:14:32	602,624	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dx7vb.dll
+ 2003-05-30 08:00:02	1,189,888	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dx8vb.dll
+ 2002-01-02 18:35:12	10,496	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dxapi.sys
+ 2004-07-09 03:27:28	974,848	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\dxdiag.exe
+ 2002-01-02 18:35:16	77,312	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\gcdef.dll
+ 2002-12-11 23:14:32	34,304	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\mciqtz32.dll
+ 2002-01-02 18:35:40	11,264	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\msdmo.dll
+ 2002-09-20 17:04:32	1,223,168	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\msvidctl.dll
+ 2002-12-11 23:14:32	324,096	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\mswebdvd.dll
+ 2002-12-11 15:34:40	241,664	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\qasf.dll
+ 2002-12-11 23:14:32	257,024	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\qcap.dll
+ 2004-07-09 03:27:28	316,928	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\qdv.dll
+ 2004-07-09 03:27:28	470,528	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\qdvd.dll
+ 2002-12-11 23:14:32	1,798,144	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\qedit.dll
+ 2002-12-11 23:14:32	733,184	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\qedwipes.dll
+ 2002-09-20 17:04:40	1,146,368	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\quartz.dll
+ 2002-01-02 18:36:40	46,592	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DLLCache\wstdecod.dll
+ 2002-09-20 17:03:40	26,112	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dmband.dll
+ 2002-09-20 17:03:40	57,344	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dmcompos.dll
+ 2002-09-20 17:03:40	172,544	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dmime.dll
+ 2002-09-20 17:03:40	31,744	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dmloader.dll
+ 2002-09-20 17:03:40	77,312	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dmscript.dll
+ 2002-09-20 17:03:40	110,080	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dmstyle.dll
+ 2002-01-02 18:34:56	99,840	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dmsynth.dll
+ 2002-09-20 17:03:40	94,720	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dmusic.dll
+ 2002-01-02 18:34:56	26,112	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dplaysvr.exe
+ 2002-01-02 18:34:56	212,992	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dplayx.dll
+ 2002-01-02 18:34:56	21,504	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dpmodemx.dll
+ 2002-01-02 18:34:56	26,112	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dpnaddr.dll
+ 2002-09-20 17:03:40	156,672	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dpnet.dll
+ 2002-09-20 17:03:40	29,696	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dpnhpast.dll
+ 2002-09-20 17:03:40	56,320	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dpnhupnp.dll
+ 2002-01-02 18:34:56	38,400	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dpnlobby.dll
+ 2002-01-02 18:34:56	18,944	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dpnsvr.exe
+ 2002-01-02 18:34:56	24,064	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dpvacm.dll
+ 2002-09-20 17:03:40	206,848	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dpvoice.dll
+ 2002-09-20 17:05:20	58,368	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dpvsetup.exe
+ 2002-01-02 18:34:56	113,152	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dpvvox.dll
+ 2002-09-20 17:03:40	49,664	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dpwsockx.dll
+ 2002-01-02 18:35:12	10,496	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DRIVERS\dxapi.sys
+ 2002-09-20 17:18:00	131,712	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DRIVERS\ks.sys
+ 2002-08-29 00:27:12	7,040	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DRIVERS\mskssrv.sys
+ 2001-08-17 20:48:42	5,120	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DRIVERS\mspclock.sys
+ 2001-08-17 20:48:46	4,608	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DRIVERS\mspqm.sys
+ 2002-09-20 17:18:00	44,416	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DRIVERS\stream.sys
+ 2002-01-02 18:35:12	3,840	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DRIVERS\swenum.sys
+ 2002-08-28 23:32:54	28,160	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DRIVERS\usbccgp.sys
+ 2003-07-03 15:50:46	25,216	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DRIVERS\usbehci.sys
+ 2002-08-29 00:32:50	51,968	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DRIVERS\usbhub.sys
+ 2002-08-29 00:32:52	135,552	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DRIVERS\usbport.sys
+ 2002-08-29 00:32:50	19,328	----a-w	C:\WINDOWS\LastGood.Tmp\System32\DRIVERS\usbuhci.sys
+ 2007-03-30 15:07:42	267,864	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hpodcsla_AA90739FE6CE6410E6FD075E7696EADED8A3F90D\hpzids01.dll
+ 2007-03-08 04:20:45	309,760	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hposcu10_4FC8229DA1D7F81E72322B6F2DBB249746ABAFD7\drivers\dot4\Win2000\difxapi.dll
+ 2007-03-08 04:20:46	364,544	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hposcu10_4FC8229DA1D7F81E72322B6F2DBB249746ABAFD7\drivers\dot4\Win2000\hppldcoi.dll
+ 2007-03-17 16:11:12	229,376	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hposcu10_4FC8229DA1D7F81E72322B6F2DBB249746ABAFD7\drivers\scanner\x32\hpotpusd.dll
+ 2007-03-17 16:11:12	569,344	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hposcu10_4FC8229DA1D7F81E72322B6F2DBB249746ABAFD7\drivers\scanner\x32\hpotscl3.dll
+ 2007-03-17 16:11:13	303,104	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hposcu10_4FC8229DA1D7F81E72322B6F2DBB249746ABAFD7\drivers\scanner\x32\hpovst10.dll
+ 2007-03-17 16:11:13	675,840	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hposcu10_4FC8229DA1D7F81E72322B6F2DBB249746ABAFD7\drivers\scanner\x32\hpowiax3.dll
+ 2007-03-08 04:20:48	49,920	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hpzid413_F75AD070CF6AC37359152FFE52115AEC89378C94\drivers\dot4\Win2000\HPZid412.sys
+ 2007-03-08 04:20:45	309,760	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE\drivers\dot4\Win2000\difxapi.dll
+ 2007-03-08 04:20:46	364,544	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE\drivers\dot4\Win2000\hppldcoi.dll
+ 2007-03-08 04:20:48	49,920	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE\drivers\dot4\Win2000\HPZid412.sys
+ 2007-03-08 04:20:49	16,496	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE\drivers\dot4\Win2000\HPzipr12.sys
+ 2007-03-08 04:20:50	21,568	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE\drivers\dot4\Win2000\HPZius12.sys
+ 2007-03-08 04:20:37	282,624	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hpzipa13_DB40AE39DB38AD8D2AF2D8E4340ABA1C191DE2CE\HPZc3212.dll
+ 2007-03-08 04:20:49	16,496	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hpzipr13_9B62D8E7E43E761D5D4A9F1967C0FC868E8BC390\drivers\dot4\Win2000\HPZipr12.sys
+ 2007-03-08 04:20:45	309,760	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\drivers\dot4\Win2000\difxapi.dll
+ 2007-03-08 04:20:46	364,544	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\drivers\dot4\Win2000\hppldcoi.dll
+ 2007-03-08 04:20:48	49,920	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\drivers\dot4\Win2000\hpzid412.sys
+ 2007-03-08 04:20:49	16,496	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\drivers\dot4\Win2000\hpzipr12.sys
+ 2007-03-08 04:20:50	21,568	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\drivers\dot4\Win2000\HPZius12.sys
+ 2007-03-08 04:20:52	16,800	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\drivers\dot4\WinxP\Hppaufd0.sys
+ 2007-03-08 04:20:37	282,624	----a-r	C:\WINDOWS\LastGood.Tmp\System32\DRVSTORE\hpzius13_9B9B07948B5298EA9F9D379B539EC8677D74FF6B\HPZc3212.dll
+ 2002-01-02 18:35:12	165,888	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dsdmo.dll
+ 2002-01-02 18:35:12	67,584	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dsdmoprp.dll
+ 2002-01-02 18:35:12	338,944	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dsound.dll
+ 2002-01-02 18:35:12	1,293,824	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dsound3d.dll
+ 2002-01-02 18:35:12	16,896	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dswave.dll
+ 2002-01-02 18:35:12	595,456	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dx7vb.dll
+ 2002-01-02 18:35:12	1,185,792	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dx8vb.dll
+ 2002-09-20 17:05:20	794,624	----a-w	C:\WINDOWS\LastGood.Tmp\System32\dxdiag.exe
+ 2002-09-20 17:03:48	12,288	----a-w	C:\WINDOWS\LastGood.Tmp\System32\encapi.dll
+ 2002-01-02 18:35:16	77,312	----a-w	C:\WINDOWS\LastGood.Tmp\System32\gcdef.dll
+ 2001-10-26 16:27:02	4,096	----a-w	C:\WINDOWS\LastGood.Tmp\System32\ksuser.dll
+ 2002-01-02 18:35:32	33,280	----a-w	C:\WINDOWS\LastGood.Tmp\System32\mciqtz32.dll
+ 2002-01-02 18:35:40	11,264	----a-w	C:\WINDOWS\LastGood.Tmp\System32\msdmo.dll
+ 2002-09-20 17:04:32	1,223,168	----a-w	C:\WINDOWS\LastGood.Tmp\System32\msvidctl.dll
+ 2002-09-20 17:04:32	193,024	----a-w	C:\WINDOWS\LastGood.Tmp\System32\mswebdvd.dll
+ 2002-01-02 18:35:12	16,384	----a-w	C:\WINDOWS\LastGood.Tmp\System32\msyuv.dll
+ 2002-09-20 17:18:00	31,744	----a-w	C:\WINDOWS\LastGood.Tmp\System32\pid.dll
+ 2002-12-11 15:34:40	241,664	----a-w	C:\WINDOWS\LastGood.Tmp\System32\qasf.dll
+ 2002-09-20 17:04:40	184,832	----a-w	C:\WINDOWS\LastGood.Tmp\System32\qcap.dll
+ 2002-01-02 18:36:10	266,752	----a-w	C:\WINDOWS\LastGood.Tmp\System32\qdv.dll
+ 2002-09-20 17:04:40	358,400	----a-w	C:\WINDOWS\LastGood.Tmp\System32\qdvd.dll
+ 2002-09-20 17:04:40	512,512	----a-w	C:\WINDOWS\LastGood.Tmp\System32\qedit.dll
+ 2002-01-02 18:36:10	734,208	----a-w	C:\WINDOWS\LastGood.Tmp\System32\qedwipes.dll
+ 2002-09-20 17:04:40	1,146,368	----a-w	C:\WINDOWS\LastGood.Tmp\System32\quartz.dll
+ 2002-01-02 18:36:40	46,592	----a-w	C:\WINDOWS\LastGood.Tmp\System32\wstdecod.dll
+ 2006-02-03 07:41:26	14,032	----a-w	C:\WINDOWS\LastGood.Tmp\System32\x3daudio1_0.dll
- 2000-08-31 06:00:00	28,672	----a-w	C:\WINDOWS\Nircmd.exe
+ 2000-08-31 06:00:00	38,400	----a-w	C:\WINDOWS\Nircmd.exe
- 2002-01-02 18:35:56	67,072	----a-w	C:\WINDOWS\NOTEPAD.EXE
+ 2002-01-02 18:35:56	76,800	----a-w	C:\WINDOWS\NOTEPAD.EXE
- 2002-09-20 17:05:26	742,400	----a-w	C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
+ 2002-09-20 17:05:26	752,128	----a-w	C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
- 2002-09-20 17:05:40	137,216	----a-w	C:\WINDOWS\regedit.exe
+ 2002-09-20 17:05:40	146,944	----a-w	C:\WINDOWS\regedit.exe
- 2002-12-11 23:14:32	28,160	-c--a-w	C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dplaysvr.exe
+ 2002-12-11 23:14:32	37,888	-c--a-w	C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dplaysvr.exe
- 2002-12-11 23:14:32	16,896	-c--a-w	C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpnsvr.exe
+ 2002-12-11 23:14:32	26,624	-c--a-w	C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpnsvr.exe
- 2002-12-11 23:14:32	80,896	-c--a-w	C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpvsetup.exe
+ 2002-12-11 23:14:32	90,624	-c--a-w	C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpvsetup.exe
- 2004-07-09 03:27:28	974,848	-c--a-w	C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdiag.exe
+ 2004-07-09 03:27:28	987,136	-c--a-w	C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdiag.exe
- 2002-12-11 23:14:32	46,592	-c--a-w	C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
+ 2002-12-11 23:14:32	56,320	-c--a-w	C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
- 2000-08-31 06:00:00	98,816	----a-w	C:\WINDOWS\sed.exe
+ 2000-08-31 06:00:00	108,544	----a-w	C:\WINDOWS\sed.exe
- 2004-01-09 01:54:06	65,536	------w	C:\WINDOWS\soundman.exe
+ 2004-01-09 01:54:06	75,264	------w	C:\WINDOWS\soundman.exe
- 2000-08-31 06:00:00	161,792	----a-w	C:\WINDOWS\swreg.exe
+ 2000-08-31 06:00:00	171,520	----a-w	C:\WINDOWS\swreg.exe
- 2006-08-20 18:30:03	4,356	-c--a-w	C:\WINDOWS\system32\11101072ld.exe
+ 2006-08-20 18:30:03	23,812	-c--a-w	C:\WINDOWS\system32\11101072ld.exe
- 2006-10-25 08:01:35	4,356	-c--a-w	C:\WINDOWS\system32\1141242ld.exe
+ 2006-10-25 08:01:35	14,084	-c--a-w	C:\WINDOWS\system32\1141242ld.exe
- 2006-08-17 16:02:35	11,616	-c--a-w	C:\WINDOWS\system32\1169522ld.exe
+ 2006-08-17 16:02:35	21,344	-c--a-w	C:\WINDOWS\system32\1169522ld.exe
- 2006-08-27 11:13:49	11,616	-c--a-w	C:\WINDOWS\system32\12187482ld.exe
+ 2006-08-27 11:13:49	21,344	-c--a-w	C:\WINDOWS\system32\12187482ld.exe
- 2006-08-25 18:14:29	11,616	-c--a-w	C:\WINDOWS\system32\13126702ld.exe
+ 2006-08-25 18:14:29	21,344	-c--a-w	C:\WINDOWS\system32\13126702ld.exe
- 2006-08-17 16:14:56	11,616	-c--a-w	C:\WINDOWS\system32\13156362ld.exe
+ 2006-08-17 16:14:56	21,344	-c--a-w	C:\WINDOWS\system32\13156362ld.exe
- 2006-08-17 17:16:37	11,616	-c--a-w	C:\WINDOWS\system32\14598222ld.exe
+ 2006-08-17 17:16:37	31,072	-c--a-w	C:\WINDOWS\system32\14598222ld.exe
- 2006-08-22 08:15:48	11,616	-c--a-w	C:\WINDOWS\system32\1461712ld.exe
+ 2006-08-22 08:15:48	31,072	-c--a-w	C:\WINDOWS\system32\1461712ld.exe
- 2006-08-17 15:15:27	11,616	-c--a-w	C:\WINDOWS\system32\1487562ld.exe
+ 2006-08-17 15:15:27	31,072	-c--a-w	C:\WINDOWS\system32\1487562ld.exe
- 2006-09-21 18:03:19	11,616	-c--a-w	C:\WINDOWS\system32\1491372ld.exe
+ 2006-09-21 18:03:19	31,072	-c--a-w	C:\WINDOWS\system32\1491372ld.exe
- 2006-08-18 15:17:43	11,616	-c--a-w	C:\WINDOWS\system32\15122852ld.exe
+ 2006-08-18 15:17:43	31,072	-c--a-w	C:\WINDOWS\system32\15122852ld.exe
- 2006-09-24 21:17:45	11,616	-c--a-w	C:\WINDOWS\system32\16151982ld.exe
+ 2006-09-24 21:17:45	31,072	-c--a-w	C:\WINDOWS\system32\16151982ld.exe
- 2006-09-01 18:17:48	11,616	-c--a-w	C:\WINDOWS\system32\16375712ld.exe
+ 2006-09-01 18:17:48	40,800	-c--a-w	C:\WINDOWS\system32\16375712ld.exe
- 2006-08-27 17:18:18	11,616	-c--a-w	C:\WINDOWS\system32\16447042ld.exe
+ 2006-08-27 17:18:18	31,072	-c--a-w	C:\WINDOWS\system32\16447042ld.exe
- 2006-08-17 16:18:20	11,616	-c--a-w	C:\WINDOWS\system32\1716912ld.exe
+ 2006-08-17 16:18:20	31,072	-c--a-w	C:\WINDOWS\system32\1716912ld.exe
- 2006-08-20 14:19:44	11,616	-c--a-w	C:\WINDOWS\system32\17208682ld.exe
+ 2006-08-20 14:19:44	31,072	-c--a-w	C:\WINDOWS\system32\17208682ld.exe
- 2006-08-17 14:18:51	11,616	-c--a-w	C:\WINDOWS\system32\17316812ld.exe
+ 2006-08-17 14:18:51	31,072	-c--a-w	C:\WINDOWS\system32\17316812ld.exe
- 2006-08-17 15:20:20	11,616	-c--a-w	C:\WINDOWS\system32\1918272ld.exe
+ 2006-08-17 15:20:20	31,072	-c--a-w	C:\WINDOWS\system32\1918272ld.exe
- 2006-08-24 08:21:22	11,616	-c--a-w	C:\WINDOWS\system32\20129192ld.exe
+ 2006-08-24 08:21:22	31,072	-c--a-w	C:\WINDOWS\system32\20129192ld.exe
- 2006-09-02 17:22:27	17,424	-c--a-w	C:\WINDOWS\system32\21353612ld.exe
+ 2006-09-02 17:22:27	36,880	-c--a-w	C:\WINDOWS\system32\21353612ld.exe
+ 2006-08-27 17:12:45	30,636	-c--a-w	C:\WINDOWS\system32\21503862ld.exe
- 2006-08-17 14:24:33	11,616	-c--a-w	C:\WINDOWS\system32\2229192ld.exe
+ 2006-08-17 14:24:33	31,072	-c--a-w	C:\WINDOWS\system32\2229192ld.exe
- 2006-08-17 15:24:24	11,616	-c--a-w	C:\WINDOWS\system32\22373872ld.exe
+ 2006-08-17 15:24:24	31,072	-c--a-w	C:\WINDOWS\system32\22373872ld.exe
- 2006-08-27 12:05:27	11,616	-c--a-w	C:\WINDOWS\system32\228492ld.exe
+ 2006-08-27 12:05:27	31,072	-c--a-w	C:\WINDOWS\system32\228492ld.exe
- 2006-08-26 12:24:59	11,616	-c--a-w	C:\WINDOWS\system32\23266662ld.exe
+ 2006-08-26 12:24:59	31,072	-c--a-w	C:\WINDOWS\system32\23266662ld.exe
- 2006-11-24 16:26:31	11,616	-c--a-w	C:\WINDOWS\system32\24113792ld.exe
+ 2006-11-24 16:26:31	31,072	-c--a-w	C:\WINDOWS\system32\24113792ld.exe
- 2006-08-15 18:24:29	4,356	-c--a-w	C:\WINDOWS\system32\2422482ld.exe
+ 2006-08-15 18:24:29	23,812	-c--a-w	C:\WINDOWS\system32\2422482ld.exe
- 2006-08-17 14:04:24	11,616	-c--a-w	C:\WINDOWS\system32\2454172ld.exe
+ 2006-08-17 14:04:24	31,072	-c--a-w	C:\WINDOWS\system32\2454172ld.exe
- 2006-08-17 16:26:23	11,616	-c--a-w	C:\WINDOWS\system32\2495562ld.exe
+ 2006-08-17 16:26:23	31,072	-c--a-w	C:\WINDOWS\system32\2495562ld.exe
- 2006-08-19 13:03:53	11,616	-c--a-w	C:\WINDOWS\system32\2536502ld.exe
+ 2006-08-19 13:03:53	31,072	-c--a-w	C:\WINDOWS\system32\2536502ld.exe
- 2006-08-17 15:04:36	11,616	-c--a-w	C:\WINDOWS\system32\2584122ld.exe
+ 2006-08-17 15:04:36	31,072	-c--a-w	C:\WINDOWS\system32\2584122ld.exe
- 2006-08-17 14:27:56	11,616	-c--a-w	C:\WINDOWS\system32\2637152ld.exe
+ 2006-08-17 14:27:56	31,072	-c--a-w	C:\WINDOWS\system32\2637152ld.exe
- 2006-08-17 17:27:58	11,616	-c--a-w	C:\WINDOWS\system32\26482272ld.exe
+ 2006-08-17 17:27:58	31,072	-c--a-w	C:\WINDOWS\system32\26482272ld.exe
- 2006-08-27 10:29:19	11,616	-c--a-w	C:\WINDOWS\system32\27595442ld.exe
+ 2006-08-27 10:29:19	31,072	-c--a-w	C:\WINDOWS\system32\27595442ld.exe
- 2006-08-24 21:30:44	11,616	-c--a-w	C:\WINDOWS\system32\2817932ld.exe
+ 2006-08-24 21:30:44	31,072	-c--a-w	C:\WINDOWS\system32\2817932ld.exe
- 2006-08-23 21:32:15	11,616	-c--a-w	C:\WINDOWS\system32\28281152ld.exe
+ 2006-08-23 21:32:15	31,072	-c--a-w	C:\WINDOWS\system32\28281152ld.exe
- 2006-08-17 15:31:07	11,616	-c--a-w	C:\WINDOWS\system32\29477362ld.exe
+ 2006-08-17 15:31:07	31,072	-c--a-w	C:\WINDOWS\system32\29477362ld.exe
- 2006-08-17 16:31:33	11,616	-c--a-w	C:\WINDOWS\system32\30147412ld.exe
+ 2006-08-17 16:31:33	31,072	-c--a-w	C:\WINDOWS\system32\30147412ld.exe
- 2006-08-17 14:31:33	11,616	-c--a-w	C:\WINDOWS\system32\3027712ld.exe
+ 2006-08-17 14:31:33	31,072	-c--a-w	C:\WINDOWS\system32\3027712ld.exe
- 2006-08-20 15:29:02	5,808	-c--a-w	C:\WINDOWS\system32\30544882ld.exe
+ 2006-08-20 15:29:02	15,536	-c--a-w	C:\WINDOWS\system32\30544882ld.exe
- 2006-08-27 17:32:21	11,616	-c--a-w	C:\WINDOWS\system32\3058752ld.exe
+ 2006-08-27 17:32:21	31,072	-c--a-w	C:\WINDOWS\system32\3058752ld.exe
- 2006-08-17 17:32:39	11,616	-c--a-w	C:\WINDOWS\system32\31346792ld.exe
+ 2006-08-17 17:32:39	31,072	-c--a-w	C:\WINDOWS\system32\31346792ld.exe
- 2006-10-25 21:34:29	4,356	-c--a-w	C:\WINDOWS\system32\32247562ld.exe
+ 2006-10-25 21:34:29	33,540	-c--a-w	C:\WINDOWS\system32\32247562ld.exe
- 2006-11-23 17:06:39	11,616	-c--a-w	C:\WINDOWS\system32\3263162ld.exe
+ 2006-11-23 17:06:39	31,072	-c--a-w	C:\WINDOWS\system32\3263162ld.exe
- 2006-08-26 13:05:10	11,616	-c--a-w	C:\WINDOWS\system32\3298912ld.exe
+ 2006-08-26 13:05:10	31,072	-c--a-w	C:\WINDOWS\system32\3298912ld.exe
- 2006-08-17 15:35:02	11,616	-c--a-w	C:\WINDOWS\system32\33131812ld.exe
+ 2006-08-17 15:35:02	31,072	-c--a-w	C:\WINDOWS\system32\33131812ld.exe
- 2006-08-25 17:34:47	8,712	-c--a-w	C:\WINDOWS\system32\34164732ld.exe
+ 2006-08-25 17:34:47	28,168	-c--a-w	C:\WINDOWS\system32\34164732ld.exe
- 2006-08-17 17:35:43	11,616	-c--a-w	C:\WINDOWS\system32\34376422ld.exe
+ 2006-08-17 17:35:43	31,072	-c--a-w	C:\WINDOWS\system32\34376422ld.exe
- 2006-08-20 15:37:23	11,616	-c--a-w	C:\WINDOWS\system32\34417102ld.exe
+ 2006-08-20 15:37:23	31,072	-c--a-w	C:\WINDOWS\system32\34417102ld.exe
- 2006-08-29 15:37:07	11,616	-c--a-w	C:\WINDOWS\system32\35306132ld.exe
+ 2006-08-29 15:37:07	31,072	-c--a-w	C:\WINDOWS\system32\35306132ld.exe
- 2006-08-17 16:37:33	11,616	-c--a-w	C:\WINDOWS\system32\35543402ld.exe
+ 2006-08-17 16:37:33	31,072	-c--a-w	C:\WINDOWS\system32\35543402ld.exe
- 2006-08-17 14:36:57	11,616	-c--a-w	C:\WINDOWS\system32\3564882ld.exe
+ 2006-08-17 14:36:57	31,072	-c--a-w	C:\WINDOWS\system32\3564882ld.exe
- 2006-08-27 17:37:48	11,616	-c--a-w	C:\WINDOWS\system32\36314752ld.exe
+ 2006-08-27 17:37:48	31,072	-c--a-w	C:\WINDOWS\system32\36314752ld.exe
- 2006-11-23 16:39:04	11,616	-c--a-w	C:\WINDOWS\system32\36435912ld.exe
+ 2006-11-23 16:39:04	31,072	-c--a-w	C:\WINDOWS\system32\36435912ld.exe
- 2006-08-20 10:39:12	11,616	-c--a-w	C:\WINDOWS\system32\37419862ld.exe
+ 2006-08-20 10:39:12	31,072	-c--a-w	C:\WINDOWS\system32\37419862ld.exe
- 2006-08-17 15:38:24	11,616	-c--a-w	C:\WINDOWS\system32\3747742ld.exe
+ 2006-08-17 15:38:24	31,072	-c--a-w	C:\WINDOWS\system32\3747742ld.exe
- 2006-08-27 10:39:58	11,616	-c--a-w	C:\WINDOWS\system32\38404652ld.exe
+ 2006-08-27 10:39:58	31,072	-c--a-w	C:\WINDOWS\system32\38404652ld.exe
- 2006-08-17 17:40:22	11,616	-c--a-w	C:\WINDOWS\system32\39166232ld.exe
+ 2006-08-17 17:40:22	31,072	-c--a-w	C:\WINDOWS\system32\39166232ld.exe
- 2006-11-25 20:43:16	4,356	-c--a-w	C:\WINDOWS\system32\393442ld.exe
+ 2006-11-25 20:43:16	33,540	-c--a-w	C:\WINDOWS\system32\393442ld.exe
- 2006-08-17 14:40:23	11,616	-c--a-w	C:\WINDOWS\system32\3934792ld.exe
+ 2006-08-17 14:40:23	31,072	-c--a-w	C:\WINDOWS\system32\3934792ld.exe
- 2006-08-26 18:59:27	7,260	-c--a-w	C:\WINDOWS\system32\40352342ld.exe
+ 2006-08-26 18:59:27	26,716	-c--a-w	C:\WINDOWS\system32\40352342ld.exe
- 2006-08-17 16:42:39	11,616	-c--a-w	C:\WINDOWS\system32\411042ld.exe
+ 2006-08-17 16:42:39	31,072	-c--a-w	C:\WINDOWS\system32\411042ld.exe
- 2006-08-19 20:57:22	7,260	-c--a-w	C:\WINDOWS\system32\4120532ld.exe
+ 2006-08-19 20:57:22	26,716	-c--a-w	C:\WINDOWS\system32\4120532ld.exe
- 2006-08-15 13:44:00	4,356	-c--a-w	C:\WINDOWS\system32\43128582ld.exe
+ 2006-08-15 13:44:00	23,812	-c--a-w	C:\WINDOWS\system32\43128582ld.exe
- 2006-08-17 15:45:14	11,616	-c--a-w	C:\WINDOWS\system32\43351862ld.exe
+ 2006-08-17 15:45:14	31,072	-c--a-w	C:\WINDOWS\system32\43351862ld.exe
- 2006-08-27 10:45:13	11,616	-c--a-w	C:\WINDOWS\system32\43571112ld.exe
+ 2006-08-27 10:45:13	31,072	-c--a-w	C:\WINDOWS\system32\43571112ld.exe
- 2006-08-16 16:49:39	11,616	-c--a-w	C:\WINDOWS\system32\44415842ld.exe
+ 2006-08-16 16:49:39	31,072	-c--a-w	C:\WINDOWS\system32\44415842ld.exe
- 2006-08-17 16:46:10	11,616	-c--a-w	C:\WINDOWS\system32\44516422ld.exe
+ 2006-08-17 16:46:10	31,072	-c--a-w	C:\WINDOWS\system32\44516422ld.exe
- 2006-09-02 17:47:43	2,904	-c--a-w	C:\WINDOWS\system32\45295132ld.exe
+ 2006-09-02 17:47:43	32,088	-c--a-w	C:\WINDOWS\system32\45295132ld.exe
- 2006-08-17 13:47:17	11,616	-c--a-w	C:\WINDOWS\system32\45385902ld.exe
+ 2006-08-17 13:47:17	31,072	-c--a-w	C:\WINDOWS\system32\45385902ld.exe
- 2006-08-27 19:48:20	11,616	-c--a-w	C:\WINDOWS\system32\46343942ld.exe
+ 2006-08-27 19:48:20	31,072	-c--a-w	C:\WINDOWS\system32\46343942ld.exe
- 2006-08-17 15:48:49	11,616	-c--a-w	C:\WINDOWS\system32\4719282ld.exe
+ 2006-08-17 15:48:49	31,072	-c--a-w	C:\WINDOWS\system32\4719282ld.exe
- 2006-08-17 14:49:41	11,616	-c--a-w	C:\WINDOWS\system32\47392902ld.exe
+ 2006-08-17 14:49:41	31,072	-c--a-w	C:\WINDOWS\system32\47392902ld.exe
- 2006-08-20 15:52:17	11,616	-c--a-w	C:\WINDOWS\system32\48284982ld.exe
+ 2006-08-20 15:52:17	31,072	-c--a-w	C:\WINDOWS\system32\48284982ld.exe
- 2006-10-25 22:12:15	15,972	-c--a-w	C:\WINDOWS\system32\48414432ld.exe
+ 2006-10-25 22:12:15	35,428	-c--a-w	C:\WINDOWS\system32\48414432ld.exe
- 2006-08-27 17:50:01	11,616	-c--a-w	C:\WINDOWS\system32\48451902ld.exe
+ 2006-08-27 17:50:01	31,072	-c--a-w	C:\WINDOWS\system32\48451902ld.exe
- 2006-08-23 08:51:54	11,616	-c--a-w	C:\WINDOWS\system32\49229732ld.exe
+ 2006-08-23 08:51:54	31,072	-c--a-w	C:\WINDOWS\system32\49229732ld.exe
- 2006-08-16 13:49:37	7,260	-c--a-w	C:\WINDOWS\system32\4971392ld.exe
+ 2006-08-16 13:49:37	26,716	-c--a-w	C:\WINDOWS\system32\4971392ld.exe
- 2006-08-17 16:51:20	11,616	-c--a-w	C:\WINDOWS\system32\502392ld.exe
+ 2006-08-17 16:51:20	31,072	-c--a-w	C:\WINDOWS\system32\502392ld.exe
- 2006-08-20 12:51:52	11,616	-c--a-w	C:\WINDOWS\system32\50315432ld.exe
+ 2006-08-20 12:51:52	31,072	-c--a-w	C:\WINDOWS\system32\50315432ld.exe
- 2006-08-19 19:51:43	11,616	-c--a-w	C:\WINDOWS\system32\5036352ld.exe
+ 2006-08-19 19:51:43	31,072	-c--a-w	C:\WINDOWS\system32\5036352ld.exe
- 2006-08-17 15:52:14	11,616	-c--a-w	C:\WINDOWS\system32\50544372ld.exe
+ 2006-08-17 15:52:14	31,072	-c--a-w	C:\WINDOWS\system32\50544372ld.exe
- 2006-08-18 13:51:31	11,616	-c--a-w	C:\WINDOWS\system32\5058422ld.exe
+ 2006-08-18 13:51:31	31,072	-c--a-w	C:\WINDOWS\system32\5058422ld.exe
+ 2006-09-02 18:21:34	11,180	-c--a-w	C:\WINDOWS\system32\52407852ld.exe
- 2006-08-17 14:55:06	11,616	-c--a-w	C:\WINDOWS\system32\53164852ld.exe
+ 2006-08-17 14:55:06	31,072	-c--a-w	C:\WINDOWS\system32\53164852ld.exe
- 2006-08-17 16:55:06	11,616	-c--a-w	C:\WINDOWS\system32\53288662ld.exe
+ 2006-08-17 16:55:06	31,072	-c--a-w	C:\WINDOWS\system32\53288662ld.exe
- 2006-08-27 10:54:54	11,616	-c--a-w	C:\WINDOWS\system32\53359232ld.exe
+ 2006-08-27 10:54:54	31,072	-c--a-w	C:\WINDOWS\system32\53359232ld.exe
- 2006-10-22 16:47:05	13,068	-c--a-w	C:\WINDOWS\system32\53368772ld.exe
+ 2006-10-22 16:47:05	22,796	-c--a-w	C:\WINDOWS\system32\53368772ld.exe
- 2006-08-17 13:55:36	11,616	-c--a-w	C:\WINDOWS\system32\53582392ld.exe
+ 2006-08-17 13:55:36	31,072	-c--a-w	C:\WINDOWS\system32\53582392ld.exe
- 2006-08-23 08:55:27	11,616	-c--a-w	C:\WINDOWS\system32\53593502ld.exe
+ 2006-08-23 08:55:27	31,072	-c--a-w	C:\WINDOWS\system32\53593502ld.exe
- 2006-08-17 15:55:48	11,616	-c--a-w	C:\WINDOWS\system32\54183312ld.exe
+ 2006-08-17 15:55:48	31,072	-c--a-w	C:\WINDOWS\system32\54183312ld.exe
- 2006-08-17 15:59:12	11,616	-c--a-w	C:\WINDOWS\system32\57534402ld.exe
+ 2006-08-17 15:59:12	31,072	-c--a-w	C:\WINDOWS\system32\57534402ld.exe
- 2006-08-27 19:42:20	5,808	-c--a-w	C:\WINDOWS\system32\576422ld.exe
+ 2006-08-27 19:42:20	15,536	-c--a-w	C:\WINDOWS\system32\576422ld.exe
- 2006-08-15 17:54:40	7,260	-c--a-w	C:\WINDOWS\system32\58437882ld.exe
+ 2006-08-15 17:54:40	16,988	-c--a-w	C:\WINDOWS\system32\58437882ld.exe
- 2006-08-27 18:01:56	11,616	-c--a-w	C:\WINDOWS\system32\59136732ld.exe
+ 2006-08-27 18:01:56	31,072	-c--a-w	C:\WINDOWS\system32\59136732ld.exe
- 2006-10-12 17:16:16	7,260	-c--a-w	C:\WINDOWS\system32\5929602ld.exe
+ 2006-10-12 17:16:16	16,988	-c--a-w	C:\WINDOWS\system32\5929602ld.exe
- 2006-08-17 15:00:55	11,616	-c--a-w	C:\WINDOWS\system32\59363012ld.exe
+ 2006-08-17 15:00:55	31,072	-c--a-w	C:\WINDOWS\system32\59363012ld.exe
- 2002-01-02 18:34:40	183,296	----a-w	C:\WINDOWS\system32\accwiz.exe
+ 2002-01-02 18:34:40	193,024	----a-w	C:\WINDOWS\system32\accwiz.exe
- 2002-01-02 18:34:40	4,096	-c--a-w	C:\WINDOWS\system32\actmovie.exe
+ 2002-01-02 18:34:40	13,824	-c--a-w	C:\WINDOWS\system32\actmovie.exe
- 2002-09-20 17:05:14	91,648	-c--a-w	C:\WINDOWS\system32\ahui.exe
+ 2002-09-20 17:05:14	101,376	-c--a-w	C:\WINDOWS\system32\ahui.exe
- 2002-09-20 17:05:14	41,984	-c--a-w	C:\WINDOWS\system32\alg.exe
+ 2002-09-20 17:05:14	51,712	-c--a-w	C:\WINDOWS\system32\alg.exe
- 2002-01-02 18:34:44	11,264	----a-w	C:\WINDOWS\system32\attrib.exe
+ 2002-01-02 18:34:44	20,992	----a-w	C:\WINDOWS\system32\attrib.exe
- 2002-01-02 18:34:48	5,120	----a-w	C:\WINDOWS\system32\cisvc.exe
+ 2002-01-02 18:34:48	14,848	----a-w	C:\WINDOWS\system32\cisvc.exe
- 2002-09-20 17:05:16	99,328	----a-w	C:\WINDOWS\system32\clipbrd.exe
+ 2002-09-20 17:05:16	109,056	----a-w	C:\WINDOWS\system32\clipbrd.exe
- 2002-01-02 18:34:48	30,720	----a-w	C:\WINDOWS\system32\clipsrv.exe
+ 2002-01-02 18:34:48	40,448	----a-w	C:\WINDOWS\system32\clipsrv.exe
- 2002-01-02 18:34:48	382,976	----a-w	C:\WINDOWS\system32\cmd.exe
+ 2002-01-02 18:34:48	392,704	----a-w	C:\WINDOWS\system32\cmd.exe
- 2008-08-16 10:29:42	16,384	----a-w	C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-17 14:39:24	16,384	----a-w	C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-16 10:27:44	262,144	----a-w	C:\WINDOWS\system32\config\systemprofile\NtUser.dat
+ 2008-08-17 15:06:23	262,144	----a-w	C:\WINDOWS\system32\config\systemprofile\NtUser.dat
- 2008-08-16 10:29:42	32,768	----a-w	C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
+ 2008-08-17 14:39:24	32,768	----a-w	C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
+ 2008-08-16 10:51:37	8,790	----a-w	C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\8CMSGOR8\wr[1].exe
+ 2008-08-16 11:10:55	8,790	----a-w	C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\8CMSGOR8\wr[2].exe
+ 2008-08-16 17:30:31	8,790	----a-w	C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\8CMSGOR8\wr[3].exe
+ 2008-08-17 13:52:45	8,790	----a-w	C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\8CMSGOR8\wr[4].exe
+ 2008-08-17 14:58:48	8,790	----a-w	C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\8CMSGOR8\wr[5].exe
- 2008-08-16 10:29:42	49,152	----a-w	C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-17 14:39:24	32,768	----a-w	C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-16 14:14:33	8,790	----a-w	C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\V1CGZ7V4\wr[1].exe
+ 2008-08-17 06:09:35	8,790	----a-w	C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\V1CGZ7V4\wr[2].exe
+ 2008-08-17 07:27:17	8,790	----a-w	C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\V1CGZ7V4\wr[3].exe
+ 2008-08-17 12:22:45	8,790	----a-w	C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\V1CGZ7V4\wr[4].exe
- 2002-01-02 18:34:50	102,450	----a-w	C:\WINDOWS\system32\cscript.exe
+ 2002-01-02 18:34:50	114,738	----a-w	C:\WINDOWS\system32\cscript.exe
- 2002-01-02 18:34:54	18,432	----a-w	C:\WINDOWS\system32\diskperf.exe
+ 2002-01-02 18:34:54	28,160	----a-w	C:\WINDOWS\system32\diskperf.exe
- 2002-01-02 18:34:54	4,608	----a-w	C:\WINDOWS\system32\dllhost.exe
+ 2002-01-02 18:34:54	14,336	----a-w	C:\WINDOWS\system32\dllhost.exe
- 2002-01-02 18:34:54	205,312	----a-w	C:\WINDOWS\system32\dmadmin.exe
+ 2002-01-02 18:34:54	215,040	----a-w	C:\WINDOWS\system32\dmadmin.exe
- 2007-05-10 14:53:12	31,744	----a-w	C:\WINDOWS\system32\drivers\Setup.exe
+ 2007-05-10 14:53:12	41,472	----a-w	C:\WINDOWS\system32\drivers\Setup.exe
- 2002-01-02 18:35:12	47,104	----a-w	C:\WINDOWS\system32\drwtsn32.exe
+ 2002-01-02 18:35:12	56,832	----a-w	C:\WINDOWS\system32\drwtsn32.exe
- 2002-09-20 17:05:20	180,224	----a-w	C:\WINDOWS\system32\dwwin.exe
+ 2002-09-20 17:05:20	192,512	----a-w	C:\WINDOWS\system32\dwwin.exe
- 2002-01-02 18:35:16	9,216	----a-w	C:\WINDOWS\system32\find.exe
+ 2002-01-02 18:35:16	18,944	----a-w	C:\WINDOWS\system32\find.exe
- 2002-01-02 18:35:16	26,112	----a-w	C:\WINDOWS\system32\findstr.exe
+ 2002-01-02 18:35:16	35,840	----a-w	C:\WINDOWS\system32\findstr.exe
- 2002-09-20 17:05:24	19,968	----a-w	C:\WINDOWS\system32\fontview.exe
+ 2002-09-20 17:05:24	29,696	----a-w	C:\WINDOWS\system32\fontview.exe
- 2002-09-20 17:05:24	42,496	----a-w	C:\WINDOWS\system32\ftp.exe
+ 2002-09-20 17:05:24	52,224	----a-w	C:\WINDOWS\system32\ftp.exe
- 2002-01-02 18:35:18	37,888	----a-w	C:\WINDOWS\system32\grpconv.exe
+ 2002-01-02 18:35:18	47,616	----a-w	C:\WINDOWS\system32\grpconv.exe
- 2002-09-20 17:05:28	123,904	----a-w	C:\WINDOWS\system32\imapi.exe
+ 2002-09-20 17:05:28	133,632	----a-w	C:\WINDOWS\system32\imapi.exe
- 2002-01-02 18:35:30	68,096	----a-w	C:\WINDOWS\system32\locator.exe
+ 2002-01-02 18:35:30	77,824	----a-w	C:\WINDOWS\system32\locator.exe
- 1999-04-14 13:07:34	39,184	----a-w	C:\WINDOWS\system32\MAPISRVR.EXE
+ 1999-04-14 13:07:34	48,912	----a-w	C:\WINDOWS\system32\MAPISRVR.EXE
- 2002-01-02 18:35:36	774,656	----a-w	C:\WINDOWS\system32\mmc.exe
+ 2002-01-02 18:35:36	784,384	----a-w	C:\WINDOWS\system32\mmc.exe
- 2002-01-02 18:35:36	32,768	----a-w	C:\WINDOWS\system32\mnmsrvc.exe
+ 2002-01-02 18:35:36	45,056	----a-w	C:\WINDOWS\system32\mnmsrvc.exe
- 2002-09-20 17:05:34	118,272	----a-w	C:\WINDOWS\system32\mplay32.exe
+ 2002-09-20 17:05:34	128,000	----a-w	C:\WINDOWS\system32\mplay32.exe
- 2002-01-02 18:35:40	6,144	----a-w	C:\WINDOWS\system32\msdtc.exe
+ 2002-01-02 18:35:40	15,872	----a-w	C:\WINDOWS\system32\msdtc.exe
- 2002-01-02 18:35:42	128,000	----a-w	C:\WINDOWS\system32\mshearts.exe
+ 2002-01-02 18:35:42	137,728	----a-w	C:\WINDOWS\system32\mshearts.exe
- 2002-01-02 18:35:42	24,064	----a-w	C:\WINDOWS\system32\mshta.exe
+ 2002-01-02 18:35:42	33,792	----a-w	C:\WINDOWS\system32\mshta.exe
- 2002-09-20 17:05:34	64,512	----a-w	C:\WINDOWS\system32\msiexec.exe
+ 2002-09-20 17:05:34	74,240	----a-w	C:\WINDOWS\system32\msiexec.exe
- 2002-09-20 17:05:36	342,016	----a-w	C:\WINDOWS\system32\mspaint.exe
+ 2002-09-20 17:05:36	351,744	----a-w	C:\WINDOWS\system32\mspaint.exe
- 2002-09-20 16:36:14	390,144	----a-w	C:\WINDOWS\system32\mstsc.exe
+ 2002-09-20 16:36:14	399,872	----a-w	C:\WINDOWS\system32\mstsc.exe
- 2002-09-20 17:05:36	115,200	----a-w	C:\WINDOWS\system32\net1.exe
+ 2002-09-20 17:05:36	124,928	----a-w	C:\WINDOWS\system32\net1.exe
- 2002-09-20 17:05:36	109,568	----a-w	C:\WINDOWS\system32\netdde.exe
+ 2002-09-20 17:05:36	119,296	----a-w	C:\WINDOWS\system32\netdde.exe
- 2002-01-02 18:35:56	67,072	----a-w	C:\WINDOWS\system32\notepad.exe
+ 2002-01-02 18:35:56	76,800	----a-w	C:\WINDOWS\system32\notepad.exe
- 2002-01-02 18:35:58	1,157,120	----a-w	C:\WINDOWS\system32\ntbackup.exe
+ 2002-01-02 18:35:58	1,166,848	----a-w	C:\WINDOWS\system32\ntbackup.exe
- 2008-03-30 07:22:33	40,128	----a-w	C:\WINDOWS\system32\perfc009.dat
+ 2008-08-16 10:41:00	40,128	----a-w	C:\WINDOWS\system32\perfc009.dat
- 2008-03-30 07:22:33	49,712	----a-w	C:\WINDOWS\system32\perfc015.dat
+ 2008-08-16 10:41:00	49,712	----a-w	C:\WINDOWS\system32\perfc015.dat
- 2008-03-30 07:22:33	311,740	----a-w	C:\WINDOWS\system32\perfh009.dat
+ 2008-08-16 10:41:00	311,740	----a-w	C:\WINDOWS\system32\perfh009.dat
- 2008-03-30 07:22:33	355,830	----a-w	C:\WINDOWS\system32\perfh015.dat
+ 2008-08-16 10:41:00	355,830	----a-w	C:\WINDOWS\system32\perfh015.dat
- 2002-09-20 17:05:38	17,408	----a-w	C:\WINDOWS\system32\ping.exe
+ 2002-09-20 17:05:38	27,136	----a-w	C:\WINDOWS\system32\ping.exe
- 2002-01-02 18:36:08	23,040	----a-w	C:\WINDOWS\system32\proxycfg.exe
+ 2002-01-02 18:36:08	32,768	----a-w	C:\WINDOWS\system32\proxycfg.exe
- 2002-01-02 18:36:10	19,456	----a-w	C:\WINDOWS\system32\qprocess.exe
+ 2002-01-02 18:36:10	29,184	----a-w	C:\WINDOWS\system32\qprocess.exe
- 2002-09-20 17:05:38	34,304	----a-w	C:\WINDOWS\system32\rcimlby.exe
+ 2002-09-20 17:05:38	44,032	----a-w	C:\WINDOWS\system32\rcimlby.exe
- 2002-01-02 18:36:12	10,240	----a-w	C:\WINDOWS\system32\regsvr32.exe
+ 2002-01-02 18:36:12	19,968	----a-w	C:\WINDOWS\system32\regsvr32.exe
- 2002-09-20 17:05:40	373,248	----a-w	C:\WINDOWS\system32\Restore\rstrui.exe
+ 2002-09-20 17:05:40	382,976	----a-w	C:\WINDOWS\system32\Restore\rstrui.exe
- 2002-01-02 18:36:12	20,480	----a-w	C:\WINDOWS\system32\route.exe
+ 2002-01-02 18:36:12	30,208	----a-w	C:\WINDOWS\system32\route.exe
- 2002-01-02 18:36:12	132,608	----a-w	C:\WINDOWS\system32\rsvp.exe
+ 2002-01-02 18:36:12	142,336	----a-w	C:\WINDOWS\system32\rsvp.exe
- 2002-01-02 18:36:14	31,744	----a-w	C:\WINDOWS\system32\rundll32.exe
+ 2002-01-02 18:36:14	41,472	----a-w	C:\WINDOWS\system32\rundll32.exe
- 2002-09-20 17:05:40	12,800	----a-w	C:\WINDOWS\system32\runonce.exe
+ 2002-09-20 17:05:40	22,528	----a-w	C:\WINDOWS\system32\runonce.exe
- 2002-09-20 17:05:40	19,968	----a-w	C:\WINDOWS\system32\savedump.exe
+ 2002-09-20 17:05:40	29,696	----a-w	C:\WINDOWS\system32\savedump.exe
- 2002-01-02 18:36:14	95,744	----a-w	C:\WINDOWS\system32\scardsvr.exe
+ 2002-01-02 18:36:14	105,472	----a-w	C:\WINDOWS\system32\scardsvr.exe
- 2002-09-20 17:05:42	130,048	----a-w	C:\WINDOWS\system32\sessmgr.exe
+ 2002-09-20 17:05:42	139,776	----a-w	C:\WINDOWS\system32\sessmgr.exe
- 2002-09-20 17:05:42	33,280	----a-w	C:\WINDOWS\system32\shmgrate.exe
+ 2002-09-20 17:05:42	43,008	----a-w	C:\WINDOWS\system32\shmgrate.exe
- 2002-01-02 18:36:18	18,944	----a-w	C:\WINDOWS\system32\shutdown.exe
+ 2002-01-02 18:36:18	28,672	----a-w	C:\WINDOWS\system32\shutdown.exe
- 2002-09-20 17:05:44	84,480	----a-w	C:\WINDOWS\system32\smlogsvc.exe
+ 2002-09-20 17:05:44	94,208	----a-w	C:\WINDOWS\system32\smlogsvc.exe
- 2002-01-02 18:36:20	23,552	----a-w	C:\WINDOWS\system32\sort.exe
+ 2002-01-02 18:36:20	33,280	----a-w	C:\WINDOWS\system32\sort.exe
- 2002-09-20 17:05:44	534,016	----a-w	C:\WINDOWS\system32\spider.exe
+ 2002-09-20 17:05:44	543,744	----a-w	C:\WINDOWS\system32\spider.exe
- 2002-01-02 18:36:24	13,312	----a-w	C:\WINDOWS\system32\tcmsetup.exe
+ 2002-01-02 18:36:24	23,040	----a-w	C:\WINDOWS\system32\tcmsetup.exe
- 2002-09-20 17:05:46	69,632	----a-w	C:\WINDOWS\system32\tlntsvr.exe
+ 2002-09-20 17:05:46	79,360	----a-w	C:\WINDOWS\system32\tlntsvr.exe
- 2002-01-02 18:36:26	346,624	----a-w	C:\WINDOWS\system32\tourstart.exe
+ 2002-01-02 18:36:26	356,352	----a-w	C:\WINDOWS\system32\tourstart.exe
- 2002-01-02 18:36:28	17,920	----a-w	C:\WINDOWS\system32\tsshutdn.exe
+ 2002-01-02 18:36:28	27,648	----a-w	C:\WINDOWS\system32\tsshutdn.exe
- 2002-09-20 17:05:48	16,384	----a-w	C:\WINDOWS\system32\ups.exe
+ 2002-09-20 17:05:48	26,112	----a-w	C:\WINDOWS\system32\ups.exe
- 2002-09-20 17:05:32	232,960	----a-w	C:\WINDOWS\system32\usmt\migwiz.exe
+ 2002-09-20 17:05:32	242,688	----a-w	C:\WINDOWS\system32\usmt\migwiz.exe
- 2002-01-02 18:36:32	277,504	----a-w	C:\WINDOWS\system32\vssvc.exe
+ 2002-01-02 18:36:32	287,232	----a-w	C:\WINDOWS\system32\vssvc.exe
- 2002-01-02 18:36:36	117,248	----a-w	C:\WINDOWS\system32\wbem\wmiapsrv.exe
+ 2002-01-02 18:36:36	126,976	----a-w	C:\WINDOWS\system32\wbem\wmiapsrv.exe
- 2002-01-02 18:36:34	8,192	----a-w	C:\WINDOWS\system32\winhlp32.exe
+ 2002-01-02 18:36:34	17,920	----a-w	C:\WINDOWS\system32\winhlp32.exe
- 2002-01-02 18:36:40	118,834	----a-w	C:\WINDOWS\system32\wscript.exe
+ 2002-01-02 18:36:40	131,122	----a-w	C:\WINDOWS\system32\wscript.exe
- 2002-01-02 18:36:40	32,256	----a-w	C:\WINDOWS\system32\wupdmgr.exe
+ 2002-01-02 18:36:40	41,984	----a-w	C:\WINDOWS\system32\wupdmgr.exe
- 2000-08-31 06:00:00	49,152	----a-w	C:\WINDOWS\VFind.exe
+ 2000-08-31 06:00:00	61,440	----a-w	C:\WINDOWS\VFind.exe
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45080112-43D4-4B43-A8BC-7F1DFBFDCEAF}]
2008-08-17 17:23	3584	--a------	C:\WINDOWS\System32\MYBHO.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2007-12-02 16:13	394680	--a------	C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1523741]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]
"Komunikator"="C:\Program Files\Tlen.pl\tlen.exe" [2008-01-15 17:09 6300672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-08-06 10:45 887296]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 61551]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 61440]
"runner1"="C:\WINDOWS\mrofinu1001186.exe" [2008-08-17 17:23 54272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 19:05 23040]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 08:05:26 39424]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Oaf62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-01-29 16:51 25451048 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-11-21 19:38 45056 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"firewalldisableoverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc

*Newly Created Service* - BNX67
*Newly Created Service* - OAF62
*Newly Created Service* - TCPSR
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-17 17:14:40
Windows 5.1.2600 Service Pack 1 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Bnx67]

.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\system32\E.tmp
C:\WINDOWS\system32\11.tmp
C:\WINDOWS\neos.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\alt.exe.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\WINDOWS\system32\firewall.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-17 17:30:15 - machine was rebooted
ComboFix-quarantined-files.txt  2008-08-17 15:28:34

Pre-Run: 5,927,596,032 bytes free
Post-Run: 5,836,361,728 bytes free
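ordynat's question in the next post is about files that look deleted and then replaced under the same name with a different size. The snapshot diff above shows exactly that pattern for sixteen Windows executables: every '-'/'+' pair has the same path and the same modification time, only the size has grown. The script below is an added example, not part of this thread and not ComboFix's own code; it parses that excerpt (copied from the log above with the spacing normalised and the first, unpaired '+' line left out) and groups the growth per file. Identical growth across many unrelated executables, a multiple of the 512-byte PE file alignment, with the mtime left untouched, is the footprint of a file infector appending its body to every program it finds. The regex and the report layout are my own assumptions about the log format, which ComboFix does not document.

```python
import re
from collections import defaultdict

# Excerpt of the ComboFix snapshot diff from the log above: each modified
# file appears as a '-' line (old snapshot) and a '+' line (new snapshot).
# Only the complete pairs are kept; spacing normalised to plain spaces.
SNAPSHOT_DIFF = r"""
- 2002-01-02 18:36:18  18,944   ----a-w  C:\WINDOWS\system32\shutdown.exe
+ 2002-01-02 18:36:18  28,672   ----a-w  C:\WINDOWS\system32\shutdown.exe
- 2002-09-20 17:05:44  84,480   ----a-w  C:\WINDOWS\system32\smlogsvc.exe
+ 2002-09-20 17:05:44  94,208   ----a-w  C:\WINDOWS\system32\smlogsvc.exe
- 2002-01-02 18:36:20  23,552   ----a-w  C:\WINDOWS\system32\sort.exe
+ 2002-01-02 18:36:20  33,280   ----a-w  C:\WINDOWS\system32\sort.exe
- 2002-09-20 17:05:44  534,016  ----a-w  C:\WINDOWS\system32\spider.exe
+ 2002-09-20 17:05:44  543,744  ----a-w  C:\WINDOWS\system32\spider.exe
- 2002-01-02 18:36:24  13,312   ----a-w  C:\WINDOWS\system32\tcmsetup.exe
+ 2002-01-02 18:36:24  23,040   ----a-w  C:\WINDOWS\system32\tcmsetup.exe
- 2002-09-20 17:05:46  69,632   ----a-w  C:\WINDOWS\system32\tlntsvr.exe
+ 2002-09-20 17:05:46  79,360   ----a-w  C:\WINDOWS\system32\tlntsvr.exe
- 2002-01-02 18:36:26  346,624  ----a-w  C:\WINDOWS\system32\tourstart.exe
+ 2002-01-02 18:36:26  356,352  ----a-w  C:\WINDOWS\system32\tourstart.exe
- 2002-01-02 18:36:28  17,920   ----a-w  C:\WINDOWS\system32\tsshutdn.exe
+ 2002-01-02 18:36:28  27,648   ----a-w  C:\WINDOWS\system32\tsshutdn.exe
- 2002-09-20 17:05:48  16,384   ----a-w  C:\WINDOWS\system32\ups.exe
+ 2002-09-20 17:05:48  26,112   ----a-w  C:\WINDOWS\system32\ups.exe
- 2002-09-20 17:05:32  232,960  ----a-w  C:\WINDOWS\system32\usmt\migwiz.exe
+ 2002-09-20 17:05:32  242,688  ----a-w  C:\WINDOWS\system32\usmt\migwiz.exe
- 2002-01-02 18:36:32  277,504  ----a-w  C:\WINDOWS\system32\vssvc.exe
+ 2002-01-02 18:36:32  287,232  ----a-w  C:\WINDOWS\system32\vssvc.exe
- 2002-01-02 18:36:36  117,248  ----a-w  C:\WINDOWS\system32\wbem\wmiapsrv.exe
+ 2002-01-02 18:36:36  126,976  ----a-w  C:\WINDOWS\system32\wbem\wmiapsrv.exe
- 2002-01-02 18:36:34  8,192    ----a-w  C:\WINDOWS\system32\winhlp32.exe
+ 2002-01-02 18:36:34  17,920   ----a-w  C:\WINDOWS\system32\winhlp32.exe
- 2002-01-02 18:36:40  118,834  ----a-w  C:\WINDOWS\system32\wscript.exe
+ 2002-01-02 18:36:40  131,122  ----a-w  C:\WINDOWS\system32\wscript.exe
- 2002-01-02 18:36:40  32,256   ----a-w  C:\WINDOWS\system32\wupdmgr.exe
+ 2002-01-02 18:36:40  41,984   ----a-w  C:\WINDOWS\system32\wupdmgr.exe
- 2000-08-31 06:00:00  49,152   ----a-w  C:\WINDOWS\VFind.exe
+ 2000-08-31 06:00:00  61,440   ----a-w  C:\WINDOWS\VFind.exe
"""

# Assumed line layout: sign, mtime, size with thousands separators,
# attribute string, path.
LINE_RE = re.compile(
    r"^([-+])\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+([\d,]+)\s+(\S+)\s+(.+?)\s*$")


def parse_snapshot_diff(text):
    """Map each path to its '-' (old) and '+' (new) (mtime, size) entries."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sign, mtime, size, _attrs, path = m.groups()
            entries[path.lower()][sign] = (mtime, int(size.replace(",", "")))
    return entries


def size_deltas(entries):
    """Growth of every file present in both snapshots, plus whether the
    modification time survived (same mtime, new size: the content was
    rewritten without the timestamp moving, so a search for recently
    modified files would not find it)."""
    deltas = []
    for path, versions in sorted(entries.items()):
        if "-" not in versions or "+" not in versions:
            continue  # created or deleted, not modified
        (old_t, old_s), (new_t, new_s) = versions["-"], versions["+"]
        deltas.append({"path": path, "delta": new_s - old_s,
                       "mtime_kept": old_t == new_t})
    return deltas


def growth_clusters(deltas, min_files=2):
    """Group grown files by exact byte delta. Many unrelated executables
    growing by the same amount, a multiple of the usual 512-byte PE file
    alignment, is the footprint of a file infector appending its body."""
    by_delta = defaultdict(list)
    for d in deltas:
        if d["delta"] > 0:
            by_delta[d["delta"]].append(d["path"])
    return {k: v for k, v in by_delta.items() if len(v) >= min_files}


if __name__ == "__main__":
    deltas = size_deltas(parse_snapshot_diff(SNAPSHOT_DIFF))
    for delta, paths in sorted(growth_clusters(deltas).items()):
        print(f"+{delta} bytes ({delta // 512} x 512) in {len(paths)} files:")
        for p in paths:
            print("   ", p)
    stomped = sum(d["mtime_kept"] for d in deltas)
    print(f"{stomped}/{len(deltas)} modified files kept their original mtime")
```

Run stand-alone it reports two clusters, 9,728 bytes in fourteen files and 12,288 bytes in two, and that all sixteen kept their original timestamps. That combination says the files were not deleted and re-dropped but rewritten in place by something that restores the mtime, which is why only a size or hash comparison catches it.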

#7 ordynat

    Advanced user

  • 804 posts

Posted 17 08 2008 - 18:34

Those C:\WINDOWS\system32\xxxxxxld.exe files are most likely gone already, but I'm including them for removal anyway; in the log it looks as if they were deleted and replaced by others with the same name but a different size.
I'm curious whether that is what happened.

Paste into Notepad:
File::
C:\WINDOWS\System32\MYBHO.DLL
C:\WINDOWS\system32\zkumy.exe
C:\WINDOWS\system32\B.tmp
C:\WINDOWS\system32\11101072ld.exe
C:\WINDOWS\system32\1141242ld.exe
C:\WINDOWS\system32\1169522ld.exe
C:\WINDOWS\system32\12187482ld.exe
C:\WINDOWS\system32\13126702ld.exe
C:\WINDOWS\system32\13156362ld.exe
C:\WINDOWS\system32\14598222ld.exe
C:\WINDOWS\system32\1461712ld.exe
C:\WINDOWS\system32\1487562ld.exe
C:\WINDOWS\system32\1491372ld.exe
C:\WINDOWS\system32\15122852ld.exe
C:\WINDOWS\system32\16151982ld.exe
C:\WINDOWS\system32\16375712ld.exe
C:\WINDOWS\system32\16447042ld.exe
C:\WINDOWS\system32\1716912ld.exe
C:\WINDOWS\system32\17208682ld.exe
C:\WINDOWS\system32\17316812ld.exe
C:\WINDOWS\system32\1918272ld.exe
C:\WINDOWS\system32\20129192ld.exe
C:\WINDOWS\system32\21353612ld.exe
C:\WINDOWS\system32\21503862ld.exe
C:\WINDOWS\system32\2229192ld.exe
C:\WINDOWS\system32\22373872ld.exe
C:\WINDOWS\system32\228492ld.exe
C:\WINDOWS\system32\23266662ld.exe
C:\WINDOWS\system32\24113792ld.exe
C:\WINDOWS\system32\2422482ld.exe
C:\WINDOWS\system32\2454172ld.exe
C:\WINDOWS\system32\2495562ld.exe
C:\WINDOWS\system32\2536502ld.exe
C:\WINDOWS\system32\2584122ld.exe
C:\WINDOWS\system32\2637152ld.exe
C:\WINDOWS\system32\26482272ld.exe
C:\WINDOWS\system32\27595442ld.exe
C:\WINDOWS\system32\2817932ld.exe
C:\WINDOWS\system32\28281152ld.exe
C:\WINDOWS\system32\29477362ld.exe
C:\WINDOWS\system32\30147412ld.exe
C:\WINDOWS\system32\3027712ld.exe
C:\WINDOWS\system32\30544882ld.exe
C:\WINDOWS\system32\3058752ld.exe
C:\WINDOWS\system32\31346792ld.exe
C:\WINDOWS\system32\32247562ld.exe
C:\WINDOWS\system32\3263162ld.exe
C:\WINDOWS\system32\3298912ld.exe
C:\WINDOWS\system32\33131812ld.exe
C:\WINDOWS\system32\34164732ld.exe
C:\WINDOWS\system32\34376422ld.exe
C:\WINDOWS\system32\34417102ld.exe
C:\WINDOWS\system32\35306132ld.exe
C:\WINDOWS\system32\35543402ld.exe
C:\WINDOWS\system32\3564882ld.exe
C:\WINDOWS\system32\36314752ld.exe
C:\WINDOWS\system32\36435912ld.exe
C:\WINDOWS\system32\37419862ld.exe
C:\WINDOWS\system32\3747742ld.exe
C:\WINDOWS\system32\38404652ld.exe
C:\WINDOWS\system32\39166232ld.exe
C:\WINDOWS\system32\393442ld.exe
C:\WINDOWS\system32\3934792ld.exe
C:\WINDOWS\system32\40352342ld.exe
C:\WINDOWS\system32\411042ld.exe
C:\WINDOWS\system32\4120532ld.exe
C:\WINDOWS\system32\43128582ld.exe
C:\WINDOWS\system32\43351862ld.exe
C:\WINDOWS\system32\43571112ld.exe
C:\WINDOWS\system32\44415842ld.exe
C:\WINDOWS\system32\44516422ld.exe
C:\WINDOWS\system32\45295132ld.exe
C:\WINDOWS\system32\45385902ld.exe
C:\WINDOWS\system32\46343942ld.exe
C:\WINDOWS\system32\4719282ld.exe
C:\WINDOWS\system32\47392902ld.exe
C:\WINDOWS\system32\48284982ld.exe
C:\WINDOWS\system32\48414432ld.exe
C:\WINDOWS\system32\48451902ld.exe
C:\WINDOWS\system32\49229732ld.exe
C:\WINDOWS\system32\4971392ld.exe
C:\WINDOWS\system32\502392ld.exe
C:\WINDOWS\system32\50315432ld.exe
C:\WINDOWS\system32\5036352ld.exe
C:\WINDOWS\system32\50544372ld.exe
C:\WINDOWS\system32\5058422ld.exe
C:\WINDOWS\system32\52407852ld.exe
C:\WINDOWS\system32\53164852ld.exe
C:\WINDOWS\system32\53288662ld.exe
C:\WINDOWS\system32\53359232ld.exe
C:\WINDOWS\system32\53368772ld.exe
C:\WINDOWS\system32\53582392ld.exe
C:\WINDOWS\system32\53593502ld.exe
C:\WINDOWS\system32\54183312ld.exe
C:\WINDOWS\system32\57534402ld.exe
C:\WINDOWS\system32\576422ld.exe
C:\WINDOWS\system32\58437882ld.exe
C:\WINDOWS\system32\59136732ld.exe
C:\WINDOWS\system32\5929602ld.exe
C:\WINDOWS\system32\59363012ld.exe
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\system32\E.tmp
C:\WINDOWS\system32\11.tmp
C:\WINDOWS\neos.exe
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\firewall.exe

Driver::
BNX67
OAF62
TCPSR

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45080112-43D4-4B43-A8BC-7F1DFBFDCEAF}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"runner1"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Oaf62.sys]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Bnx67]
>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto ComboFix.exe
The removal should start (and a log will be created).
Post the log produced during the removal.
After the restart, delete the C:\Qoobox folder manually.

ordynat
#8 jack64vp

    Beginner

  • 40 posts

Posted 22 08 2008 - 19:52

Hello, sorry for not replying, but I had to go away for a few days. Before leaving I only managed to make a log. I'm writing now from another computer; after that last ComboFix scan everything on that computer broke completely, no web page can be opened and GG doesn't work at all.
I'm pasting that log and asking for help.

ComboFix 08-08-17.03 - Administrator 2008-08-18 14:25:34.3 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt
 * Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\neos.exe
C:\WINDOWS\system32\11.tmp
C:\WINDOWS\system32\11101072ld.exe
C:\WINDOWS\system32\1141242ld.exe
C:\WINDOWS\system32\1169522ld.exe
C:\WINDOWS\system32\12187482ld.exe
C:\WINDOWS\system32\13126702ld.exe
C:\WINDOWS\system32\13156362ld.exe
C:\WINDOWS\system32\14598222ld.exe
C:\WINDOWS\system32\1461712ld.exe
C:\WINDOWS\system32\1487562ld.exe
C:\WINDOWS\system32\1491372ld.exe
C:\WINDOWS\system32\15122852ld.exe
C:\WINDOWS\system32\16151982ld.exe
C:\WINDOWS\system32\16375712ld.exe
C:\WINDOWS\system32\16447042ld.exe
C:\WINDOWS\system32\1716912ld.exe
C:\WINDOWS\system32\17208682ld.exe
C:\WINDOWS\system32\17316812ld.exe
C:\WINDOWS\system32\1918272ld.exe
C:\WINDOWS\system32\20129192ld.exe
C:\WINDOWS\system32\21353612ld.exe
C:\WINDOWS\system32\21503862ld.exe
C:\WINDOWS\system32\2229192ld.exe
C:\WINDOWS\system32\22373872ld.exe
C:\WINDOWS\system32\228492ld.exe
C:\WINDOWS\system32\23266662ld.exe
C:\WINDOWS\system32\24113792ld.exe
C:\WINDOWS\system32\2422482ld.exe
C:\WINDOWS\system32\2454172ld.exe
C:\WINDOWS\system32\2495562ld.exe
C:\WINDOWS\system32\2536502ld.exe
C:\WINDOWS\system32\2584122ld.exe
C:\WINDOWS\system32\2637152ld.exe
C:\WINDOWS\system32\26482272ld.exe
C:\WINDOWS\system32\27595442ld.exe
C:\WINDOWS\system32\2817932ld.exe
C:\WINDOWS\system32\28281152ld.exe
C:\WINDOWS\system32\29477362ld.exe
C:\WINDOWS\system32\30147412ld.exe
C:\WINDOWS\system32\3027712ld.exe
C:\WINDOWS\system32\30544882ld.exe
C:\WINDOWS\system32\3058752ld.exe
C:\WINDOWS\system32\31346792ld.exe
C:\WINDOWS\system32\32247562ld.exe
C:\WINDOWS\system32\3263162ld.exe
C:\WINDOWS\system32\3298912ld.exe
C:\WINDOWS\system32\33131812ld.exe
C:\WINDOWS\system32\34164732ld.exe
C:\WINDOWS\system32\34376422ld.exe
C:\WINDOWS\system32\34417102ld.exe
C:\WINDOWS\system32\35306132ld.exe
C:\WINDOWS\system32\35543402ld.exe
C:\WINDOWS\system32\3564882ld.exe
C:\WINDOWS\system32\36314752ld.exe
C:\WINDOWS\system32\36435912ld.exe
C:\WINDOWS\system32\37419862ld.exe
C:\WINDOWS\system32\3747742ld.exe
C:\WINDOWS\system32\38404652ld.exe
C:\WINDOWS\system32\39166232ld.exe
C:\WINDOWS\system32\393442ld.exe
C:\WINDOWS\system32\3934792ld.exe
C:\WINDOWS\system32\40352342ld.exe
C:\WINDOWS\system32\411042ld.exe
C:\WINDOWS\system32\4120532ld.exe
C:\WINDOWS\system32\43128582ld.exe
C:\WINDOWS\system32\43351862ld.exe
C:\WINDOWS\system32\43571112ld.exe
C:\WINDOWS\system32\44415842ld.exe
C:\WINDOWS\system32\44516422ld.exe
C:\WINDOWS\system32\45295132ld.exe
C:\WINDOWS\system32\45385902ld.exe
C:\WINDOWS\system32\46343942ld.exe
C:\WINDOWS\system32\4719282ld.exe
C:\WINDOWS\system32\47392902ld.exe
C:\WINDOWS\system32\48284982ld.exe
C:\WINDOWS\system32\48414432ld.exe
C:\WINDOWS\system32\48451902ld.exe
C:\WINDOWS\system32\49229732ld.exe
C:\WINDOWS\system32\4971392ld.exe
C:\WINDOWS\system32\502392ld.exe
C:\WINDOWS\system32\50315432ld.exe
C:\WINDOWS\system32\5036352ld.exe
C:\WINDOWS\system32\50544372ld.exe
C:\WINDOWS\system32\5058422ld.exe
C:\WINDOWS\system32\52407852ld.exe
C:\WINDOWS\system32\53164852ld.exe
C:\WINDOWS\system32\53288662ld.exe
C:\WINDOWS\system32\53359232ld.exe
C:\WINDOWS\system32\53368772ld.exe
C:\WINDOWS\system32\53582392ld.exe
C:\WINDOWS\system32\53593502ld.exe
C:\WINDOWS\system32\54183312ld.exe
C:\WINDOWS\system32\57534402ld.exe
C:\WINDOWS\system32\576422ld.exe
C:\WINDOWS\system32\58437882ld.exe
C:\WINDOWS\system32\59136732ld.exe
C:\WINDOWS\system32\5929602ld.exe
C:\WINDOWS\system32\59363012ld.exe
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\B.tmp
C:\WINDOWS\system32\E.tmp
C:\WINDOWS\system32\firewall.exe
C:\WINDOWS\System32\MYBHO.DLL
C:\WINDOWS\system32\zkumy.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\UserData
C:\Documents and Settings\Administrator\UserData\G8LKZJ6R\oXMLStoreUnit[1].xml
C:\Documents and Settings\Administrator\UserData\index.dat
C:\Documents and Settings\ASIA\UserData
C:\Documents and Settings\ASIA\UserData\index.dat
C:\WINDOWS\17PHolmes1001186.exe
C:\WINDOWS\crock+mock.config
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\mrofinu1001186.exe.tmp
C:\WINDOWS\neos.exe
C:\WINDOWS\system32\11.tmp
C:\WINDOWS\system32\11101072ld.exe
C:\WINDOWS\system32\1141242ld.exe
C:\WINDOWS\system32\1169522ld.exe
C:\WINDOWS\system32\12187482ld.exe
C:\WINDOWS\system32\13126702ld.exe
C:\WINDOWS\system32\13156362ld.exe
C:\WINDOWS\system32\14598222ld.exe
C:\WINDOWS\system32\1461712ld.exe
C:\WINDOWS\system32\1487562ld.exe
C:\WINDOWS\system32\1491372ld.exe
C:\WINDOWS\system32\15122852ld.exe
C:\WINDOWS\system32\16151982ld.exe
C:\WINDOWS\system32\16375712ld.exe
C:\WINDOWS\system32\16447042ld.exe
C:\WINDOWS\system32\1716912ld.exe
C:\WINDOWS\system32\17208682ld.exe
C:\WINDOWS\system32\17316812ld.exe
C:\WINDOWS\system32\1918272ld.exe
C:\WINDOWS\system32\20129192ld.exe
C:\WINDOWS\system32\21353612ld.exe
C:\WINDOWS\system32\21503862ld.exe
C:\WINDOWS\system32\2229192ld.exe
C:\WINDOWS\system32\22373872ld.exe
C:\WINDOWS\system32\228492ld.exe
C:\WINDOWS\system32\23266662ld.exe
C:\WINDOWS\system32\24113792ld.exe
C:\WINDOWS\system32\2422482ld.exe
C:\WINDOWS\system32\2454172ld.exe
C:\WINDOWS\system32\2495562ld.exe
C:\WINDOWS\system32\2536502ld.exe
C:\WINDOWS\system32\2584122ld.exe
C:\WINDOWS\system32\2637152ld.exe
C:\WINDOWS\system32\26482272ld.exe
C:\WINDOWS\system32\27595442ld.exe
C:\WINDOWS\system32\2817932ld.exe
C:\WINDOWS\system32\28281152ld.exe
C:\WINDOWS\system32\29477362ld.exe
C:\WINDOWS\system32\30147412ld.exe
C:\WINDOWS\system32\3027712ld.exe
C:\WINDOWS\system32\30544882ld.exe
C:\WINDOWS\system32\3058752ld.exe
C:\WINDOWS\system32\31346792ld.exe
C:\WINDOWS\system32\32247562ld.exe
C:\WINDOWS\system32\3263162ld.exe
C:\WINDOWS\system32\3298912ld.exe
C:\WINDOWS\system32\33131812ld.exe
C:\WINDOWS\system32\34164732ld.exe
C:\WINDOWS\system32\34376422ld.exe
C:\WINDOWS\system32\34417102ld.exe
C:\WINDOWS\system32\35306132ld.exe
C:\WINDOWS\system32\35543402ld.exe
C:\WINDOWS\system32\3564882ld.exe
C:\WINDOWS\system32\36314752ld.exe
C:\WINDOWS\system32\36435912ld.exe
C:\WINDOWS\system32\37419862ld.exe
C:\WINDOWS\system32\3747742ld.exe
C:\WINDOWS\system32\38404652ld.exe
C:\WINDOWS\system32\39166232ld.exe
C:\WINDOWS\system32\393442ld.exe
C:\WINDOWS\system32\3934792ld.exe
C:\WINDOWS\system32\40352342ld.exe
C:\WINDOWS\system32\411042ld.exe
C:\WINDOWS\system32\4120532ld.exe
C:\WINDOWS\system32\43128582ld.exe
C:\WINDOWS\system32\43351862ld.exe
C:\WINDOWS\system32\43571112ld.exe
C:\WINDOWS\system32\44415842ld.exe
C:\WINDOWS\system32\44516422ld.exe
C:\WINDOWS\system32\45295132ld.exe
C:\WINDOWS\system32\45385902ld.exe
C:\WINDOWS\system32\46343942ld.exe
C:\WINDOWS\system32\4719282ld.exe
C:\WINDOWS\system32\47392902ld.exe
C:\WINDOWS\system32\48284982ld.exe
C:\WINDOWS\system32\48414432ld.exe
C:\WINDOWS\system32\48451902ld.exe
C:\WINDOWS\system32\49229732ld.exe
C:\WINDOWS\system32\4971392ld.exe
C:\WINDOWS\system32\502392ld.exe
C:\WINDOWS\system32\50315432ld.exe
C:\WINDOWS\system32\5036352ld.exe
C:\WINDOWS\system32\50544372ld.exe
C:\WINDOWS\system32\5058422ld.exe
C:\WINDOWS\system32\52407852ld.exe
C:\WINDOWS\system32\53164852ld.exe
C:\WINDOWS\system32\53288662ld.exe
C:\WINDOWS\system32\53359232ld.exe
C:\WINDOWS\system32\53368772ld.exe
C:\WINDOWS\system32\53582392ld.exe
C:\WINDOWS\system32\53593502ld.exe
C:\WINDOWS\system32\54183312ld.exe
C:\WINDOWS\system32\57534402ld.exe
C:\WINDOWS\system32\576422ld.exe
C:\WINDOWS\system32\58437882ld.exe
C:\WINDOWS\system32\59136732ld.exe
C:\WINDOWS\system32\5929602ld.exe
C:\WINDOWS\system32\59363012ld.exe
C:\WINDOWS\system32\advpac.dll
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\B.tmp
C:\WINDOWS\system32\back.exe.exe
C:\WINDOWS\system32\drivers\Bnx67.sys
C:\WINDOWS\system32\E.tmp
C:\WINDOWS\system32\firewall.exe
C:\WINDOWS\system32\iexplore.exe
C:\WINDOWS\System32\MYBHO.DLL
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\zkumy.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BNX67
-------\Legacy_OAF62
-------\Legacy_TCPSR
-------\Service_Bnx67
-------\Service_Oaf62
-------\Service_tcpsr


(((((((((((((((((((((((((   Files Created from 2008-07-18 to 2008-08-18  )))))))))))))))))))))))))))))))
.

2008-08-17 20:02 . 2008-08-17 20:13	91,648	-ra------	C:\WINDOWS\system32\TFTP12580
2008-08-17 18:06 . 2008-08-17 18:08	415,232	--a------	C:\WINDOWS\system32\win_86342.exe
2008-08-17 17:50 . 2008-08-17 17:50	415,232	-r-hs----	C:\WINDOWS\wuaucpl.exe
2008-08-17 17:48 . 2008-08-17 18:06	87	--a------	C:\WINDOWS\system32\i
2008-08-17 17:37 . 2008-08-17 17:37	130	--a------	C:\WINDOWS\system32\cwmuhzjo.bat
2008-08-17 17:27 . 2008-08-17 17:27	29	--a------	C:\WINDOWS\system32\atywqghs.tmp
2008-08-17 17:24 . 2008-08-17 17:24	18	--a------	C:\WINDOWS\system32\12.tmp
2008-08-17 17:23 . 2008-08-18 11:19	30,848	--a------	C:\WINDOWS\system32\drivers\Oaf62.sys
2008-08-17 17:23 . 2008-08-17 17:23	192	--a------	C:\WINDOWS\system32\D.tmp
2008-08-13 13:54 . 2008-08-13 13:54	<DIR>	d--------	C:\Program Files\Google
2008-08-13 13:53 . 2008-08-13 13:57	<DIR>	d--------	C:\Program Files\Picasa2
2008-08-12 17:47 . 2008-08-12 17:48	<DIR>	d--------	C:\Program Files\a-squared HiJackFree

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-17 13:54	---------	d-----w	C:\Program Files\Tlen.pl
2008-08-16 14:35	---------	d-----w	C:\Documents and Settings\Administrator\Dane aplikacji\Skype
2008-08-12 15:49	---------	d-----w	C:\Program Files\Trend Micro
2007-10-13 14:51	17,144	----a-w	C:\Documents and Settings\Administrator\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-02-20 11:02	31	----a-w	C:\Documents and Settings\Administrator\getfile.dat
2006-07-16 15:02	31	----a-w	C:\Documents and Settings\ASIA\getfile.dat
.

------- Sigcheck -------

2002-09-20 19:05  1015296  925387582296260489564ae2aa284322	C:\WINDOWS\explorer.exe
2002-09-20 19:05  1015296  1a99a4e504e5cbaa19d554b42f034594	C:\WINDOWS\system32\dllcache\explorer.exe

2002-09-20 19:05  23040  4187d9d4d94fcd138ce9ae352d5a9f3c	C:\WINDOWS\system32\ctfmon.exe
2002-09-20 19:05  23040  07f4a458e913beb87f1b75bc99987efd	C:\WINDOWS\system32\dllcache\ctfmon.exe

2002-09-20 19:05  152064  23c0106b37d81b6e2606b500677e9061	C:\WINDOWS\system32\wuauclt.exe
2002-09-20 19:05  152064  b42ad01455d2c18351b95d45c813b1ad	C:\WINDOWS\system32\dllcache\wuauclt.exe

2002-09-20 19:05  32256  0d55bb6aec2e7361cad1d396b98f5a35	C:\WINDOWS\system32\userinit.exe
2002-09-20 19:05  32256  edbe5fd297b5fdae18c2e29a3b9f1ad9	C:\WINDOWS\system32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45080112-43D4-4B43-A8BC-7F1DFBFDCEAF}]
2008-08-18 15:23	3584	--a------	C:\WINDOWS\System32\MYBHO.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2007-12-02 16:13	394680	--a------	C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1523741]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]
"Komunikator"="C:\Program Files\Tlen.pl\tlen.exe" [2008-01-15 17:09 6300672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-08-06 10:45 887296]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 61551]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 61440]
"runner1"="C:\WINDOWS\mrofinu1001186.exe" [2008-08-18 15:23 54272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 19:05 23040]
"neos"="C:\WINDOWS\neos.exe" [2008-08-18 15:24 94208]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 08:05:26 39424]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
2008-08-18 15:24 16896 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winjs64.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-01-29 16:51 25451048 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-11-21 19:38 45056 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"firewalldisableoverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\regsvr32.exe"=
"C:\\WINDOWS\\system32\\NOTEPAD.EXE"=

R2 Local Service;Local Service;C:\WINDOWS\wuaucpl.exe [2008-08-17 17:50]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\System32\DRIVERS\KS-959.sys [2005-10-09 05:26]
S3 restore;restore;C:\WINDOWS\system32\drivers\restore.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc

*Newly Created Service* - UPM39
*Newly Created Service* - WINJS64
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{EA3775F2-28BE-11D3-9C8D-00105A24ED29} - C:\WINDOWS\temp\IcnOvrly.dll
HKLM-Run-Windows Network Firewall - C:\WINDOWS\System32\firewall.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 14:42:18
Windows 5.1.2600 Service Pack 1 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ... 

C:\WINDOWS\wuaucpl.exe [1140] 0x82A492F0

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Upm39]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Tlen.pl\hook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\mrofinu1001186.exexe
C:\WINDOWS\system32\10.tmp
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-18 15:25:58 - machine was rebooted
ComboFix-quarantined-files.txt  2008-08-18 13:25:41
ComboFix2.txt  2008-08-17 15:30:27

Pre-Run: 5,682,302,976 bytes free
Post-Run: 5,437,665,280 bytes free
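Two things in the log above deserve a check rather than a glance. In the Sigcheck block, explorer.exe, ctfmon.exe, wuauclt.exe and userinit.exe have the same size and timestamp as their dllcache copies but a different MD5: an in-place patch of the very binaries that run at logon, not an appended body. In the Reg Loading Points, MYBHO.DLL, mrofinu1001186.exe, neos.exe and WinCtrl32.dll carry 2008-08-18 timestamps although the previous ComboFix run (the log in post #6) finished at 2008-08-17 17:30:15, and the new "Local Service" entry pointing at wuaucpl.exe appeared twenty minutes after that run; the removal worked and something still on the box recreated them. The script below is an added example, not part of the thread and not ComboFix's code; it reads the two sections (excerpts copied from the log above, spacing normalised) and reports both conditions. The regexes are my assumptions about ComboFix's undocumented layout. One caveat: on a machine this compromised the dllcache copy can be tampered with too, so a hash match proves nothing and a mismatch only says the two copies differ; the authoritative comparison is against hashes taken from install media or a known-clean machine of the same build.

```python
import re
from datetime import datetime

# Sigcheck block copied from the ComboFix log above: live file vs. the
# copy Windows File Protection keeps in dllcache.
SIGCHECK = r"""
2002-09-20 19:05  1015296  925387582296260489564ae2aa284322  C:\WINDOWS\explorer.exe
2002-09-20 19:05  1015296  1a99a4e504e5cbaa19d554b42f034594  C:\WINDOWS\system32\dllcache\explorer.exe
2002-09-20 19:05  23040  4187d9d4d94fcd138ce9ae352d5a9f3c  C:\WINDOWS\system32\ctfmon.exe
2002-09-20 19:05  23040  07f4a458e913beb87f1b75bc99987efd  C:\WINDOWS\system32\dllcache\ctfmon.exe
2002-09-20 19:05  152064  23c0106b37d81b6e2606b500677e9061  C:\WINDOWS\system32\wuauclt.exe
2002-09-20 19:05  152064  b42ad01455d2c18351b95d45c813b1ad  C:\WINDOWS\system32\dllcache\wuauclt.exe
2002-09-20 19:05  32256  0d55bb6aec2e7361cad1d396b98f5a35  C:\WINDOWS\system32\userinit.exe
2002-09-20 19:05  32256  edbe5fd297b5fdae18c2e29a3b9f1ad9  C:\WINDOWS\system32\dllcache\userinit.exe
"""

# Selected Reg Loading Points lines from the same log, covering the three
# layouts ComboFix uses: "date size attrs path", '"name"="path" [date size]'
# and the service line. The cutoff used below, 2008-08-17 17:30:15, is the
# Completion time of the previous run.
LOADING_POINTS = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45080112-43D4-4B43-A8BC-7F1DFBFDCEAF}]
2008-08-18 15:23  3584  --a------  C:\WINDOWS\System32\MYBHO.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2007-12-02 16:13  394680  --a------  C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 61440]
"runner1"="C:\WINDOWS\mrofinu1001186.exe" [2008-08-18 15:23 54272]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 19:05 23040]
"neos"="C:\WINDOWS\neos.exe" [2008-08-18 15:24 94208]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
2008-08-18 15:24 16896 C:\WINDOWS\system32\WinCtrl32.dll
R2 Local Service;Local Service;C:\WINDOWS\wuaucpl.exe [2008-08-17 17:50]
"""

# Assumed layouts (ComboFix does not document them).
SIG_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\d+)\s+([0-9a-f]{32})\s+(\S.*?)\s*$")
TS_RE = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d(?::\d\d)?")
PATH_RE = re.compile(r'[A-Za-z]:\\.+?(?=\s\[|"|\]|\s*$)')


def sigcheck_mismatches(text):
    """Pair every live system file with its dllcache copy by file name and
    return those whose MD5 differs. 'in_place' is True when size and mtime
    still agree: the binary was patched inside its original footprint."""
    live, cache = {}, {}
    for line in text.splitlines():
        m = SIG_RE.match(line)
        if not m:
            continue
        mtime, size, md5, path = m.groups()
        name = path.rsplit("\\", 1)[-1].lower()
        bucket = cache if "\\dllcache\\" in path.lower() else live
        bucket[name] = (mtime, int(size), md5, path)
    out = []
    for name in sorted(set(live) & set(cache)):
        lt, ls, lh, lp = live[name]
        ct, cs, ch, _ = cache[name]
        if lh != ch:
            out.append({"file": lp, "in_place": (lt, ls) == (ct, cs)})
    return out


def parse_ts(s):
    fmt = "%Y-%m-%d %H:%M:%S" if s.count(":") == 2 else "%Y-%m-%d %H:%M"
    return datetime.strptime(s, fmt)


def recreated_autoruns(text, previous_completion):
    """Loading points whose file timestamp is later than the end of the
    previous ComboFix run: deleted then dropped again, so the dropper or
    downloader that writes them is still alive."""
    cutoff = parse_ts(previous_completion)
    hits = []
    for line in text.splitlines():
        ts, path = TS_RE.search(line), PATH_RE.search(line)
        if ts and path and parse_ts(ts.group()) > cutoff:
            hits.append((path.group(), ts.group()))
    return hits


if __name__ == "__main__":
    for m in sigcheck_mismatches(SIGCHECK):
        kind = "patched in place" if m["in_place"] else "replaced"
        print(f"MD5 differs from dllcache ({kind}): {m['file']}")
    for path, ts in recreated_autoruns(LOADING_POINTS, "2008-08-17 17:30:15"):
        print(f"recreated after cleanup at {ts}: {path}")
```

Run as is it lists the four patched-in-place system binaries and five autoruns written after the previous cleanup. Moving the cutoff to this run's own completion time (2008-08-18 15:25:58) returns nothing, which shows that all five were written while ComboFix was still running, between its deletions and the reboot: the reinfection happens from memory, not from a leftover file, and a file-and-registry script alone cannot win that race.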

#9 ordynat

    Advanced user

  • 804 posts

Posted 22 08 2008 - 22:47

I'm giving the removal instructions, although I realise it no longer makes sense, since your internet isn't working.

It turned out that those "xxxxxld.exe" files were there after all. I'm afraid there are many more of them, because ComboFix only shows up to 90 days back.

Paste into Notepad:
File::
C:\WINDOWS\system32\TFTP12580
C:\WINDOWS\system32\win_86342.exe
C:\WINDOWS\wuaucpl.exe
C:\WINDOWS\system32\i
C:\WINDOWS\system32\cwmuhzjo.bat
C:\WINDOWS\system32\atywqghs.tmp
C:\WINDOWS\system32\12.tmp
C:\WINDOWS\system32\drivers\Oaf62.sys
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\mrofinu1001186.exexe
C:\WINDOWS\system32\10.tmp
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\System32\MYBHO.DLL
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\neos.exe

Driver::
Local Service
restore
WINJS64
UPM39
Oaf62

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Upm39]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45080112-43D4-4B43-A8BC-7F1DFBFDCEAF}]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winjs64.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Oaf62]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"runner1"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"neos"=-
>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto ComboFix.exe
The removal should start (and a log will be created).
Post the log produced during the removal.
After the restart, delete the C:\Qoobox folder manually.

Also use the tools recommended by @karolkuich.

ordynat
#10 jack64vp

    Beginner

  • 40 posts

Posted 24 08 2008 - 10:50

The "cureit" program didn't start at all; right after the scan began, the system shut down. I scanned with the others, but not all the junk could be removed.
Generally I do have a network connection, but pages either open very slowly or not at all. Tlen works, but GG doesn't, even after reinstalling. I hope something can still be done about it here.
I'm posting the logs in the order I worked:

ComboFix 08-08-17.03 - Administrator 2008-08-19 23:22:49.6 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt
 * Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::
C:\WINDOWS\mrofinu1001186.exexe
C:\WINDOWS\neos.exe
C:\WINDOWS\system32\10.tmp
C:\WINDOWS\system32\12.tmp
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\atywqghs.tmp
C:\WINDOWS\system32\cwmuhzjo.bat
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\system32\drivers\Oaf62.sys
C:\WINDOWS\system32\i
C:\WINDOWS\System32\MYBHO.DLL
C:\WINDOWS\system32\TFTP12580
C:\WINDOWS\system32\win_86342.exe
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\wuaucpl.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\10.tmp
C:\WINDOWS\system32\12.tmp
C:\WINDOWS\system32\atywqghs.tmp
C:\WINDOWS\system32\cwmuhzjo.bat
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\system32\i
C:\WINDOWS\system32\TFTP12580
C:\WINDOWS\system32\win_86342.exe
C:\WINDOWS\wuaucpl.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LOCAL_SERVICE
-------\Service_Local Service
-------\Service_restore
-------\Legacy_Irmon
-------\Service_Irmon


(((((((((((((((((((((((((   Files Created from 2008-07-19 to 2008-08-19  )))))))))))))))))))))))))))))))
.

2008-08-18 15:48 . 2008-08-18 15:48	0	--a------	C:\WINDOWS\system32\13.tmp
2008-08-18 15:45 . 2008-08-18 15:45	198,144	-r-hs----	C:\WINDOWS\wmssvc.exe
2008-08-18 15:45 . 2008-08-18 15:48	164,895	--a------	C:\WINDOWS\system32\11.tmp
2008-08-18 15:45 . 2008-08-18 15:48	31,744	-ra------	C:\WINDOWS\system32\TFTP2116
2008-08-18 15:45 . 2008-08-18 15:45	136	--a------	C:\WINDOWS\system32\C.tmp
2008-08-18 15:44 . 2008-08-18 15:45	73,216	-ra------	C:\WINDOWS\system32\antiv.exe
2008-08-18 15:24 . 2008-08-18 15:24	18	--a------	C:\WINDOWS\system32\14.tmp
2008-08-18 15:23 . 2008-08-18 15:23	136	--a------	C:\WINDOWS\system32\F.tmp
2008-08-13 13:54 . 2008-08-13 13:54	<DIR>	d--------	C:\Program Files\Google
2008-08-13 13:53 . 2008-08-13 13:57	<DIR>	d--------	C:\Program Files\Picasa2
2008-08-12 17:47 . 2008-08-12 17:48	<DIR>	d--------	C:\Program Files\a-squared HiJackFree

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 01:10	---------	d-----w	C:\Documents and Settings\Administrator\Dane aplikacji\Tlen.pl
2008-08-18 13:31	---------	d-----w	C:\Program Files\Tlen.pl
2008-08-16 14:35	---------	d-----w	C:\Documents and Settings\Administrator\Dane aplikacji\Skype
2008-08-12 15:49	---------	d-----w	C:\Program Files\Trend Micro
2007-10-13 14:51	17,144	----a-w	C:\Documents and Settings\Administrator\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-02-20 11:02	31	----a-w	C:\Documents and Settings\Administrator\getfile.dat
2006-07-16 15:02	31	----a-w	C:\Documents and Settings\ASIA\getfile.dat
.

------- Sigcheck -------

2002-09-20 19:05  1015296  925387582296260489564ae2aa284322	C:\WINDOWS\explorer.exe
2002-09-20 19:05  1015296  1a99a4e504e5cbaa19d554b42f034594	C:\WINDOWS\system32\dllcache\explorer.exe

2002-09-20 19:05  23040  4187d9d4d94fcd138ce9ae352d5a9f3c	C:\WINDOWS\system32\ctfmon.exe
2002-09-20 19:05  23040  07f4a458e913beb87f1b75bc99987efd	C:\WINDOWS\system32\dllcache\ctfmon.exe

2002-09-20 19:05  152064  23c0106b37d81b6e2606b500677e9061	C:\WINDOWS\system32\wuauclt.exe
2002-09-20 19:05  152064  b42ad01455d2c18351b95d45c813b1ad	C:\WINDOWS\system32\dllcache\wuauclt.exe

2002-09-20 19:05  32256  0d55bb6aec2e7361cad1d396b98f5a35	C:\WINDOWS\system32\userinit.exe
2002-09-20 19:05  32256  edbe5fd297b5fdae18c2e29a3b9f1ad9	C:\WINDOWS\system32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2007-12-02 16:13	394680	--a------	C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1523741]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-08-06 10:45 887296]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 61551]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 61440]
"Microsoft Anivirus Monitor Process"="antiv.exe" [2008-08-18 15:45 73216 C:\WINDOWS\system32\antiv.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Anivirus Monitor Process"="antiv.exe" [2008-08-18 15:45 73216 C:\WINDOWS\system32\antiv.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 19:05 23040]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 08:05:26 39424]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-01-29 16:51 25451048 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-11-21 19:38 45056 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"firewalldisableoverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\regsvr32.exe"=
"C:\\WINDOWS\\system32\\NOTEPAD.EXE"=
"wmssvc.exe"= wmssvc.exe:SYSTEM

R2 NET Service;NET Service;C:\WINDOWS\wmssvc.exe [2008-08-18 15:45]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\System32\DRIVERS\KS-959.sys [2005-10-09 05:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 23:28:23
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ... 

C:\WINDOWS\wmssvc.exe [1104] 0x829DBA28

scanning hidden autostart entries ...

scanning hidden files ... 


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-08-19 23:35:25 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt  2008-08-19 21:34:18

Pre-Run: 5,275,934,720 bajtów wolnych
Post-Run: 5,220,749,312 bajtów wolnych

145

Malwarebytes' Anti-Malware 1.25
Wersja bazy definicji: 1078
Windows 5.1.2600 Dodatek Service Pack. 1

01:10:00 2008-08-20
mbam-log-08-20-2008 (01-10-00).txt

Typ skanowania: Pełne skanowanie (C:\|D:\|)
Przeskanowane obiekty: 68299
Upłynęło: 39 minute(s), 24 second(s)

Zainfekowane procesy w pamięci: 0
Zainfekowane moduły pamięci: 0
Zainfekowane klucze rejestru: 169
Zainfekowane wartości rejestru: 7
Zainfekowane pliki rejestru: 0
Zainfekowane foldery: 0
Zainfekowane pliki: 28

Zainfekowane procesy w pamięci:
(Nie wykryto groźnych plików)

Zainfekowane moduły pamięci:
(Nie wykryto groźnych plików)

Zainfekowane klucze rejestru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45080112-43d4-4b43-a8bc-7f1dfbfdceaf} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{45080112-43d4-4b43-a8bc-7f1dfbfdceaf} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xbtb01713.ietoolbar (Adware.IE.Toolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xbtb01713.ietoolbar.1 (Adware.IE.Toolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xbtb01713.xbtb01713 (Adware.IE.Toolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xbtb01713.xbtb01713.1 (Adware.IE.Toolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2763e333-b168-41a0-a112-d35f96f410c0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{38a7c9da-8db7-4d0f-a7b1-c4b1a305bddb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8d292ec0-6792-4a38-82ed-73a087e41ba6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{22a6ff82-b3e0-94bb-5fcd-ea067b86810f} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{34f681d0-3640-11cf-9294-00aa00b8a733} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{09509866-79aa-11d2-8bf5-00c04fc2f51d} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{09509867-79aa-11d2-8bf5-00c04fc2f51d} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{28a4b924-61fe-11d2-a740-00c04f79754c} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2a8f0b06-be2b-11d1-b219-00c04fc2a0ca} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2ae71568-4b34-11d1-b1e3-00c04fc2a0ca} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3089d9a0-4ce1-11d2-933e-00a0c9b72d4d} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3584f274-61ea-11d2-8bd9-00c04fc2f51d} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5f00f545-df18-11d1-ab6f-00c04fd92b6b} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e0b5fc4-4d1e-11d2-aa53-00c04fc2f60f} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{89131312-7806-11d2-8bee-00c04fc2f51d} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{960d8eff-e494-11d1-ab75-00c04fd92b6b} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9caddc0c-ad56-11d1-9ff8-00c04fa32195} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a3034056-ec1c-11d1-9be8-00c04fc2f51d} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ad083dbb-5817-11d2-aba1-00c04fd92b6b} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b90e5258-574a-11d1-8e7b-00c04fc29d46} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b90e5259-574a-11d1-8e7b-00c04fc29d46} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b90e525a-574a-11d1-8e7b-00c04fc29d46} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ba8b033e-1e91-11d1-8809-00c04fc29d46} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bacd4d86-4a4f-11d1-9bc8-00c04fc2f51d} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c46c1bf3-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d5570790-57e2-11d2-933f-00a0c9b72d4d} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb5093c7-56f9-11d2-88ce-00c04fa35859} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f3e1b522-d8a6-11d1-9be5-00c04fc2f51d} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fa261cf0-c44e-11d1-9be4-00c04fc2f51d} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fc54beaa-5b12-11d1-8e7b-00c04fc29d46} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fc54beab-5b12-11d1-8e7b-00c04fc29d46} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{25b0f91c-d23d-11d0-9b85-00c04fc2f51d} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{283807b5-2c60-11d0-a31d-00aa00b92c03} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{283807b5-2c60-11d0-a31d-00aa00b92c03} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{283807b8-2c60-11d0-a31d-00aa00b92c03} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{50b4791f-4731-11d0-8912-00c04fc2a0ca} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{542fb453-5003-11cf-92a2-00aa00b8a733} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5dfb2651-9668-11d0-b17b-00c04fc2a0ca} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{69ad90ef-1c20-11d1-8801-00c04fc29d46} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9cde7341-3c20-11d0-a330-00aa00b92c03} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{af868304-ab0b-11d0-876a-00c04fc29d46} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b6ffc24c-7e13-11d0-9b47-00c04fc2f51d} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bc1-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bc4-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bc6-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bc8-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bca-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bcc-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bce-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bd0-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bd2-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bd4-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bd6-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bd8-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bda-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bdc-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bde-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1be0-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1be2-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1be4-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1be6-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bec-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bee-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bf0-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bf2-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c46c1bf4-3c52-11d0-9200-848c1d000000} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d17506c3-6b26-11d0-8914-00c04fc2a0ca} (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d778513b-1c40-4819-b0c5-49e40b39afd0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{07b18ea0-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{621feacd-8857-43a6-ae26-451d670d5370} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{98635087-3f5d-418f-990c-b1efe0797a3b} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyGlobalSearch (Adware.BookedSpace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-f3embed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Zainfekowane wartości rejestru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft anivirus monitor process (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\microsoft anivirus monitor process (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Zainfekowane pliki rejestru:
(Nie wykryto groźnych plików)

Zainfekowane foldery:
(Nie wykryto groźnych plików)

Zainfekowane pliki:
C:\WINDOWS\system32\MYBHO.DLL (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\system32\danim.dll (Worm.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000017.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000018.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000019.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000021.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000022.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000024.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000025.DLL (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000027.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000028.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000029.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000032.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000035.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000037.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000042.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000047.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000080.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000081.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000082.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000083.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000084.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP2\A0000020.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A0CBB88-691E-4D05-9207-440081966557}\RP3\A0003099.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\stfMeane1001186.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\antiv.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\back.exe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svcp.csv (Malware.Trace) -> Quarantined and deleted successfully.


[b]SDFix: Version 1.218 [/b]
Run by Administrator on 2008-08-20 at 01:41

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:

[b]Name [/b]: 
tcpsr
HQV27

[b]Path [/b]:
\??\C:\WINDOWS\System32\drivers\tcpsr.sys 
System32\Drivers\Hqv27.sys 

tcpsr - Deleted
HQV27 - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Service HQV27 - Deleted

[b]Checking Files [/b]: 

Trojan Files Found:

C:\WINDOWS\SYSTEM32\UUYUDDHD.TMP - Deleted
C:\WINDOWS\SYSTEM32\ASN3.EXE - Deleted
C:\WINDOWS\SYSTEM32\ER9306~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ERA3FA~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ERAAFA~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ERAC14~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ERAE09~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ERASEM~2.EXE - Deleted
C:\WINDOWS\SYSTEM32\MOK32.EXE - Deleted
C:\WINDOWS\SYSTEM32\SUCKER.EXE - Deleted
C:\WINDOWS\SYSTEM32\UPDATE~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\UPDATE~2.EXE - Deleted
C:\WINDOWS\SYSTEM32\WINFIX~1.EXE - Deleted
C:\WINDOWS\system32\eraseme_01832.exe - Deleted
C:\WINDOWS\system32\eraseme_02231.exe - Deleted
C:\WINDOWS\system32\eraseme_36248.exe - Deleted
C:\WINDOWS\system32\eraseme_41013.exe - Deleted
C:\WINDOWS\system32\eraseme_50540.exe - Deleted
C:\WINDOWS\system32\eraseme_72863.exe - Deleted
C:\WINDOWS\system32\eraseme_73777.exe - Deleted
C:\WINDOWS\system32\eraseme_80868.exe - Deleted
C:\WINDOWS\system32\x.bat - Deleted
C:\WINDOWS\system32\2.tmp - Deleted
C:\WINDOWS\system32\20.tmp - Deleted
C:\WINDOWS\system32\29.tmp - Deleted
C:\WINDOWS\system32\2C.tmp - Deleted
C:\WINDOWS\system32\2D.tmp - Deleted
C:\WINDOWS\system32\11.tmp - Deleted
C:\WINDOWS\system32\13.tmp - Deleted
C:\WINDOWS\system32\14.tmp - Deleted
C:\WINDOWS\system32\17.tmp - Deleted
C:\WINDOWS\system32\TFTP1652 - Deleted
C:\WINDOWS\system32\TFTP2116 - Deleted
C:\WINDOWS\system32\TFTP2164 - Deleted
C:\WINDOWS\system32\TFTP2304 - Deleted
C:\WINDOWS\system32\TFTP2320 - Deleted
C:\WINDOWS\system32\TFTP2700 - Deleted
C:\WINDOWS\system32\TFTP344 - Deleted
C:\WINDOWS\system32\TFTP564 - Deleted
C:\WINDOWS\system32\TFTP920 - Deleted
C:\WINDOWS\system32\sucker.exe  - Deleted
C:\WINDOWS\system32\drivers\HQV27.sys - Deleted





Removing Temp Files

[b]ADS Check [/b]:
 


[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2008-08-20 01:49:05
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

C:\WINDOWS\wmssvc.exe [1316] 0x82909A80

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eobrkb]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS\System32\drivers\sedoanp.sys"
"DisplayName"="eobrkb"
"RulesData"=hex:03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eobrkb\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\sedoanp.sys 30720 bytes executable

scan completed successfully
hidden processes: 1
hidden services: 1
hidden files: 1


[b]Remaining Services [/b]:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\System32\\regsvr32.exe"="C:\\WINDOWS\\System32\\regsvr32.exe:*:Enabled:Windows Update"
"C:\\WINDOWS\\system32\\NOTEPAD.EXE"="C:\\WINDOWS\\system32\\NOTEPAD.EXE:*:Enabled:Windows Update"
"wmssvc.exe"="wmssvc.exe:*:Enabled:SYSTEM"

[b]Remaining Files [/b]:



[b]Files with Hidden Attributes [/b]:

Mon 18 Aug 2008	   198,144 ..SHR --- "C:\WINDOWS\wmssvc.exe"
Wed 13 Aug 2008	 6,104,632 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Tue 26 Jun 2007		 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

[b]Finished![/b]


#11 ordynat

ordynat

    Advanced user

  • 804 posts

Posted 24 08 2008 - 14:06

Close the wormy ports with --> Windows Worms Doors Cleaner (further down on the linked page).
Set the markers to green; Netbios may stay yellow.
A restart is required after using the tool.

Paste into Notepad:
File::
C:\WINDOWS\system32\13.tmp
C:\WINDOWS\wmssvc.exe
C:\WINDOWS\system32\11.tmp
C:\WINDOWS\system32\TFTP2116
C:\WINDOWS\system32\C.tmp
C:\WINDOWS\system32\antiv.exe
C:\WINDOWS\system32\14.tmp
C:\WINDOWS\system32\F.tmp
C:\WINDOWS\System32\drivers\sedoanp.sys

Driver::
"NET Service"

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Anivirus Monitor Process"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Anivirus Monitor Process"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eobrkb]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"wmssvc.exe"=-
>>File>>Save as... >>> CFScript
Drag and drop the file CFScript.txt onto ComboFix.exe
Removal should begin (and a log will be produced). Post the log that is created during the removal.
If it goes well, then: after the restart, manually delete the folder C:\Qoobox.

ordynat


#12 jack64vp

jack64vp

    Beginner

  • 40 posts

Posted 24 08 2008 - 17:49

Thanks, here is the log; please give me further instructions:

ComboFix 08-08-17.03 - Administrator 2008-08-24 16:16:11.7 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1250.48.1045.18.148 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt
 * Created a new restore point

[color="red"][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED [img]http://www.forum.tweaks.pl/public/style_emoticons/default/excl.gif[/img][/b][/color]

FILE ::
C:\WINDOWS\system32\11.tmp
C:\WINDOWS\system32\13.tmp
C:\WINDOWS\system32\14.tmp
C:\WINDOWS\system32\antiv.exe
C:\WINDOWS\system32\C.tmp
C:\WINDOWS\System32\drivers\sedoanp.sys
C:\WINDOWS\system32\F.tmp
C:\WINDOWS\system32\TFTP2116
C:\WINDOWS\wmssvc.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\browsel.dll
C:\WINDOWS\system32\C.tmp
C:\WINDOWS\System32\drivers\sedoanp.sys
C:\WINDOWS\system32\F.tmp
C:\WINDOWS\system32\iexplore.exe
C:\WINDOWS\system32\logon.exe
C:\WINDOWS\system32\MYBHO.DLL
C:\WINDOWS\wmssvc.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NET_SERVICE
-------\Legacy_TCPSR
-------\Service_NET Service
-------\Service_tcpsr
-------\Legacy_eobrkb
-------\Service_eobrkb


(((((((((((((((((((((((((   Files Created from 2008-07-24 to 2008-08-24  )))))))))))))))))))))))))))))))
.

2008-08-20 05:52 . 2008-08-20 05:52	21,504	--a------	C:\WINDOWS\system32\abgcwh.dll
2008-08-20 02:28 . 2008-08-24 16:12	31,872	--a------	C:\WINDOWS\system32\drivers\Bnt51.sys
2008-08-20 02:22 . 2008-08-20 02:22	97,280	--a------	C:\WINDOWS\stfMeane1001186.exe
2008-08-20 02:13 . 2008-08-20 02:13	81	--a------	C:\WINDOWS\system32\i
2008-08-20 02:13 . 2008-08-20 02:13	0	--a------	C:\WINDOWS\system32\30.tmp
2008-08-20 01:35 . 2008-08-20 01:35	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-08-20 01:30 . 2008-08-20 02:00	<DIR>	d--------	C:\SDFix
2008-08-20 00:12 . 2008-08-20 00:12	<DIR>	d--------	C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-08-20 00:11 . 2008-08-20 00:12	<DIR>	d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-08-20 00:11 . 2008-08-20 00:11	<DIR>	d--------	C:\Program Files\Common Files\Download Manager
2008-08-20 00:11 . 2008-08-20 00:11	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes
2008-08-20 00:11 . 2008-08-17 15:01	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-20 00:11 . 2008-08-17 15:01	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-19 23:45 . 2008-08-19 23:45	<DIR>	d--------	C:\Documents and Settings\Administrator\DoctorWeb
2008-08-13 13:54 . 2008-08-13 13:54	<DIR>	d--------	C:\Program Files\Google
2008-08-13 13:53 . 2008-08-13 13:57	<DIR>	d--------	C:\Program Files\Picasa2
2008-08-12 17:47 . 2008-08-12 17:48	<DIR>	d--------	C:\Program Files\a-squared HiJackFree

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 12:01	---------	d-----w	C:\Documents and Settings\Administrator\Dane aplikacji\Tlen.pl
2008-08-20 00:13	187,155	--sh--r	C:\WINDOWS\Fonts\wmsncs.exe
2008-08-19 21:50	65,536	----a-w	C:\WINDOWS\DUMP3e28.tmp
2008-08-18 13:31	---------	d-----w	C:\Program Files\Tlen.pl
2008-08-16 14:35	---------	d-----w	C:\Documents and Settings\Administrator\Dane aplikacji\Skype
2008-08-12 15:49	---------	d-----w	C:\Program Files\Trend Micro
2007-10-13 14:51	17,144	----a-w	C:\Documents and Settings\Administrator\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-02-20 11:02	31	----a-w	C:\Documents and Settings\Administrator\getfile.dat
2006-07-16 15:02	31	----a-w	C:\Documents and Settings\ASIA\getfile.dat
.

------- Sigcheck -------

2002-09-20 19:05  1015296  925387582296260489564ae2aa284322	C:\WINDOWS\explorer.exe
2002-09-20 19:05  1015296  1a99a4e504e5cbaa19d554b42f034594	C:\WINDOWS\system32\dllcache\explorer.exe

2002-09-20 19:05  23040  4187d9d4d94fcd138ce9ae352d5a9f3c	C:\WINDOWS\system32\ctfmon.exe
2002-09-20 19:05  23040  07f4a458e913beb87f1b75bc99987efd	C:\WINDOWS\system32\dllcache\ctfmon.exe

2002-09-20 19:05  152064  23c0106b37d81b6e2606b500677e9061	C:\WINDOWS\system32\wuauclt.exe
2002-09-20 19:05  152064  b42ad01455d2c18351b95d45c813b1ad	C:\WINDOWS\system32\dllcache\wuauclt.exe

2002-09-20 19:05  32256  0d55bb6aec2e7361cad1d396b98f5a35	C:\WINDOWS\system32\userinit.exe
2002-09-20 19:05  32256  edbe5fd297b5fdae18c2e29a3b9f1ad9	C:\WINDOWS\system32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2007-12-02 16:13	394680	--a------	C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1523741]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-08-06 10:45 887296]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 61551]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 61440]
"NvidMediaCenter"="C:\Program Files\Common Files\System\wmsncs.exe" [2008-08-20 02:13 187155]
"Wmsncs Service"="C:\WINDOWS\Fonts\wmsncs.exe" [2008-08-20 02:13 187155]
"Spool Driver Service"="C:\WINDOWS\System32\spool\drivers\wmsncs.exe" [2008-08-20 02:13 187155]
"Wins Service"="C:\WINDOWS\System32\wins\wmsncs.exe" [2008-08-20 02:13 187155]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 19:05 23040]
"NvidMediaCenter"="C:\Program Files\Common Files\System\wmsncs.exe" [2008-08-20 02:13 187155]
"Wmsncs Service"="C:\WINDOWS\Fonts\wmsncs.exe" [2008-08-20 02:13 187155]
"Spool Driver Service"="C:\WINDOWS\System32\spool\drivers\wmsncs.exe" [2008-08-20 02:13 187155]
"Wins Service"="C:\WINDOWS\System32\wins\wmsncs.exe" [2008-08-20 02:13 187155]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 08:05:26 39424]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]
wmsncs.exe [2008-08-20 02:13:55 187155]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe \"C:\\WINDOWS\\Fonts\\wmsncs.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\abgcwh]
2008-08-20 05:52 21504 C:\WINDOWS\system32\abgcwh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Bnt51.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-01-29 16:51 25451048 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-11-21 19:38 45056 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"firewalldisableoverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\regsvr32.exe"=
"C:\\WINDOWS\\system32\\NOTEPAD.EXE"=
"wmsncs.exe"= wmsncs.exe:SYSTEM

R0 Bnt51;Bnt51;C:\WINDOWS\System32\Drivers\Bnt51.sys [2008-08-24 16:12]
R2 NET Runtime Optimization Service v2.1.41329_X86;NET Runtime Optimization Service v2.1.41329_X86;C:\WINDOWS\Fonts\wmsncs.exe [2008-08-20 02:13]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\System32\DRIVERS\KS-959.sys [2005-10-09 05:26]
S3 restore;restore;C:\WINDOWS\system32\drivers\restore.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{103L3C30-C3B3-4130-9363-E59E1375PERM}]
C:\WINDOWS\Fonts\wmsncs.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Windows Logon Application - C:\WINDOWS\System32\logon.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2008-08-24 16:52:58
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ... 

C:\WINDOWS\Fonts\wmsncs.exe [1084] 0x829CB980

scanning hidden autostart entries ...

scanning hidden files ... 


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\abgcwh.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-24 17:00:06 - machine was rebooted
ComboFix-quarantined-files.txt  2008-08-24 14:58:57
ComboFix2.txt  2008-08-19 21:35:26

Pre-Run: 4,303,073,280 bajtów wolnych
Post-Run: 4,247,388,160 bajt˘w wolnych

174



#13 ordynat

ordynat

    Advanced user

  • 804 posts

Posted 24 08 2008 - 18:06

Paste into Notepad:
File::
C:\WINDOWS\system32\abgcwh.dll
C:\WINDOWS\system32\drivers\Bnt51.sys
C:\WINDOWS\stfMeane1001186.exe
C:\WINDOWS\system32\i
C:\WINDOWS\system32\30.tmp
C:\WINDOWS\Fonts\wmsncs.exe
C:\WINDOWS\System32\spool\drivers\wmsncs.exe
C:\WINDOWS\System32\wins\wmsncs.exe
C:\Program Files\Common Files\System\wmsncs.exe
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\wmsncs.exe

Driver::
Bnt51
"NET Runtime Optimization Service v2.1.41329_X86"
restore

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wmsncs Service"=-
"Spool Driver Service"=-
"Wins Service"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvidMediaCenter"=-
"Wmsncs Service"=-
"Spool Driver Service"=-
"Wins Service"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\abgcwh]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"wmsncs.exe"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Bnt51.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{103L3C30-C3B3-4130-9363-E59E1375PERM}]
>>File>>Save as... >>> CFScript
Drag and drop the file CFScript.txt onto ComboFix.exe
Removal should begin (and a log will be produced).
Post the log that is created during the removal.
After the restart, manually delete the folder C:\Qoobox.

ordynat
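The entries ordynat's script targets all come from one pattern visible in the log above: one binary (wmsncs.exe) autostarted from Fonts, wins, spool\drivers and Common Files\System with an identical size, the Winlogon Shell value extended to launch it, a firewall exception under its bare name, and catchme listing it as a hidden process. The script below, an added example that is neither the thread's nor ComboFix's own code, picks that pattern out of a ComboFix log mechanically; the sample lines are constructed from the values posted in the thread, and the directory list and finding names are assumptions made for this example.

```python
"""Triage a ComboFix log excerpt (added example; not thread or ComboFix code)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Directories from which the thread's log shows wmsncs.exe being autostarted;
# none of them is a normal home for a startup program (assumed list).
UNUSUAL_DIRS = {
    r"c:\windows\fonts",
    r"c:\windows\system32\wins",
    r"c:\windows\system32\spool\drivers",
    r"c:\program files\common files\system",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<stamp>[^\]]*?) (?P<size>\d+)\]$')
SHELL_RE = re.compile(r'^"Shell"="(?P<value>.*)"$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
FW_APP_RE = re.compile(r'^"(?P<name>[^"]+)"=')
HIDDEN_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \[(?P<pid>\d+)\] 0x[0-9A-Fa-f]+$")

# Constructed sample: lines taken from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 61551]
"NvidMediaCenter"="C:\Program Files\Common Files\System\wmsncs.exe" [2008-08-20 02:13 187155]
"Wmsncs Service"="C:\WINDOWS\Fonts\wmsncs.exe" [2008-08-20 02:13 187155]
"Spool Driver Service"="C:\WINDOWS\System32\spool\drivers\wmsncs.exe" [2008-08-20 02:13 187155]
"Wins Service"="C:\WINDOWS\System32\wins\wmsncs.exe" [2008-08-20 02:13 187155]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe \"C:\\WINDOWS\\Fonts\\wmsncs.exe\""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\regsvr32.exe"=
"wmsncs.exe"= wmsncs.exe:SYSTEM

scanning hidden processes ...

C:\WINDOWS\Fonts\wmsncs.exe [1084] 0x829CB980

scanning hidden autostart entries ...
"""

def triage(log_text):
    """Return (kind, detail) findings for the excerpt; empty list if nothing matches."""
    findings, key, in_hidden = [], "", False
    by_base = defaultdict(set)   # basename -> {(directory, size)} over all Run keys
    flagged = set()              # basenames already tied to a finding
    fw_exceptions = []

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group("key").lower()          # section currently being read
        elif line.startswith("scanning hidden"):
            in_hidden = line.startswith("scanning hidden processes")
        elif in_hidden and (m := HIDDEN_RE.match(line)):
            findings.append(("hidden_process", f"{m.group('path')} pid {m.group('pid')}"))
            flagged.add(PureWindowsPath(m.group("path")).name.lower())
        elif key.endswith(r"\currentversion\run") and (m := RUN_RE.match(line)):
            path = PureWindowsPath(m.group("path"))
            directory, base = str(path.parent).lower(), path.name.lower()
            by_base[base].add((directory, m.group("size")))
            if directory in UNUSUAL_DIRS:
                findings.append(("autostart_unusual_dir", f"{m.group('name')} -> {path}"))
                flagged.add(base)
        elif key.endswith("winlogon") and (m := SHELL_RE.match(line)):
            if m.group("value").strip().lower() != "explorer.exe":
                findings.append(("winlogon_shell_tampered", m.group("value")))
        elif key.endswith("standardprofile") and (m := FIREWALL_RE.match(line)):
            if m.group("value") == "0":
                findings.append(("firewall_disabled", line))
        elif key.endswith(r"authorizedapplications\list") and (m := FW_APP_RE.match(line)):
            fw_exceptions.append(m.group("name"))

    # One binary autostarted from several directories with an identical size is
    # the copy-myself-everywhere pattern, whatever the value names claim.
    for base, places in by_base.items():
        dirs, sizes = {d for d, _ in places}, {s for _, s in places}
        if len(dirs) > 1 and len(sizes) == 1:
            findings.append(("cloned_autostart", f"{base} in {len(dirs)} dirs, {sizes.pop()} bytes"))
            flagged.add(base)

    # A firewall exception for a binary flagged above deserves its own line.
    for name in fw_exceptions:
        if PureWindowsPath(name.replace("\\\\", "\\")).name.lower() in flagged:
            findings.append(("firewall_exception_flagged", name))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:28} {detail}")
```

Run it on a full ComboFix log and the same findings come out for any binary that repeats this pattern, not only wmsncs.exe.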

#14 jack64vp

jack64vp

    Beginner

  • 40 posts

Posted 25 08 2008 - 09:18

For now the internet works for me, slowly but I can get on; unfortunately GG still does not work, but that is probably ComboFix's fault, because after clicking the GG icon a black window like the one in ComboFix appears for a split second, and then it just searches for gg.exe. Here is the log:


ComboFix 08-08-17.03 - Administrator 2008-08-25  8:35:47.7 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1250.1.1045.18.161 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt
 * Created a new restore point

[color="red"][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED [img]http://www.forum.tweaks.pl/public/style_emoticons/default/excl.gif[/img][/b][/color]

FILE ::
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\wmsncs.exe
C:\Program Files\Common Files\System\wmsncs.exe
C:\WINDOWS\Fonts\wmsncs.exe
C:\WINDOWS\stfMeane1001186.exe
C:\WINDOWS\system32\30.tmp
C:\WINDOWS\system32\abgcwh.dll
C:\WINDOWS\system32\drivers\Bnt51.sys
C:\WINDOWS\system32\i
C:\WINDOWS\System32\spool\drivers\wmsncs.exe
C:\WINDOWS\System32\wins\wmsncs.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\wmsncs.exe
C:\Program Files\Common Files\System\wmsncs.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\WINDOWS\Fonts\wmsncs.exe
C:\WINDOWS\stfMeane1001186.exe
C:\WINDOWS\system32\30.tmp
C:\WINDOWS\system32\abgcwh.dll
C:\WINDOWS\system32\browsel.dll
C:\WINDOWS\system32\drivers\Bnt51.sys
C:\WINDOWS\system32\i
C:\WINDOWS\system32\iexplore.exe
C:\WINDOWS\system32\logon.exe
C:\WINDOWS\system32\MYBHO.DLL
C:\WINDOWS\System32\spool\drivers\wmsncs.exe
C:\WINDOWS\System32\wins\wmsncs.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BNT51
-------\Legacy_NET_RUNTIME_OPTIMIZATION_SERVICE_V2.1.41329_X86
-------\Legacy_TCPSR
-------\Service_Bnt51
-------\Service_NET Runtime Optimization Service v2.1.41329_X86
-------\Service_restore
-------\Service_tcpsr


(((((((((((((((((((((((((   Files Created from 2008-07-25 to 2008-08-25  )))))))))))))))))))))))))))))))
.

2008-08-25 08:20 . 2008-08-25 08:20	21,504	--a------	C:\WINDOWS\system32\abgcwh32.dll
2008-08-24 22:17 . 2008-08-24 17:29	113,664	---------	C:\WINDOWS\trz21.tmp
2008-08-24 22:17 . 2008-08-20 05:52	21,504	---------	C:\WINDOWS\system32\trz23.tmp
2008-08-24 21:57 . 2008-08-24 21:57	<DIR>	d--------	C:\Program Files\Elfima
2008-08-24 21:57 . 2003-10-26 15:16	266,752	--a------	C:\WINDOWS\system32\mscomctl.oca
2008-08-24 18:19 . 2008-08-24 22:36	<DIR>	d--------	C:\Program Files\Gadu-Gadu
2008-08-20 01:35 . 2008-08-20 01:35	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-08-20 01:30 . 2008-08-20 02:00	<DIR>	d--------	C:\SDFix
2008-08-20 00:12 . 2008-08-20 00:12	<DIR>	d--------	C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-08-20 00:11 . 2008-08-20 00:12	<DIR>	d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-08-20 00:11 . 2008-08-20 00:11	<DIR>	d--------	C:\Program Files\Common Files\Download Manager
2008-08-20 00:11 . 2008-08-20 00:11	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes
2008-08-20 00:11 . 2008-08-17 15:01	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-20 00:11 . 2008-08-17 15:01	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-19 23:45 . 2008-08-19 23:45	<DIR>	d--------	C:\Documents and Settings\Administrator\DoctorWeb
2008-08-18 15:45 . 2008-08-18 15:45	198,144	-r-hs----	C:\WINDOWS\wmssvc.exe
2008-08-13 13:54 . 2008-08-13 13:54	<DIR>	d--------	C:\Program Files\Google
2008-08-13 13:53 . 2008-08-13 13:57	<DIR>	d--------	C:\Program Files\Picasa2
2008-08-12 17:47 . 2008-08-12 17:48	<DIR>	d--------	C:\Program Files\a-squared HiJackFree

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 20:36	---------	d-----w	C:\Program Files\Opera
2008-08-24 20:35	---------	d-----w	C:\Program Files\Tlen.pl
2008-08-24 12:01	---------	d-----w	C:\Documents and Settings\Administrator\Dane aplikacji\Tlen.pl
2008-08-19 21:50	65,536	----a-w	C:\WINDOWS\DUMP3e28.tmp
2008-08-16 14:35	---------	d-----w	C:\Documents and Settings\Administrator\Dane aplikacji\Skype
2008-08-12 15:49	---------	d-----w	C:\Program Files\Trend Micro
2007-10-13 14:51	17,144	----a-w	C:\Documents and Settings\Administrator\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-02-20 11:02	31	----a-w	C:\Documents and Settings\Administrator\getfile.dat
2006-07-16 15:02	31	----a-w	C:\Documents and Settings\ASIA\getfile.dat
.

------- Sigcheck -------

2002-09-20 19:05  1015296  925387582296260489564ae2aa284322	C:\WINDOWS\explorer.exe
2002-09-20 19:05  1015296  1a99a4e504e5cbaa19d554b42f034594	C:\WINDOWS\system32\dllcache\explorer.exe

2002-09-20 19:05  23040  4187d9d4d94fcd138ce9ae352d5a9f3c	C:\WINDOWS\system32\ctfmon.exe
2002-09-20 19:05  23040  07f4a458e913beb87f1b75bc99987efd	C:\WINDOWS\system32\dllcache\ctfmon.exe

2002-09-20 19:05  152064  23c0106b37d81b6e2606b500677e9061	C:\WINDOWS\system32\wuauclt.exe
2002-09-20 19:05  152064  b42ad01455d2c18351b95d45c813b1ad	C:\WINDOWS\system32\dllcache\wuauclt.exe

2002-09-20 19:05  32256  0d55bb6aec2e7361cad1d396b98f5a35	C:\WINDOWS\system32\userinit.exe
2002-09-20 19:05  32256  edbe5fd297b5fdae18c2e29a3b9f1ad9	C:\WINDOWS\system32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2007-12-02 16:13	394680	--a------	C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1523741]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-08-06 10:45 887296]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 61551]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 19:05 23040]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 08:05:26 39424]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\abgcwh]
2008-08-25 08:20 21504 C:\WINDOWS\system32\abgcwh32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-01-29 16:51 25451048 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-11-21 19:38 45056 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"firewalldisableoverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\regsvr32.exe"=
"C:\\WINDOWS\\system32\\NOTEPAD.EXE"=
"wmssvc.exe"= wmssvc.exe:SYSTEM

R2 NET Service;NET Service;C:\WINDOWS\wmssvc.exe [2008-08-18 15:45]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\System32\DRIVERS\KS-959.sys [2005-10-09 05:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NvidMediaCenter - C:\Program Files\Common Files\System\wmsncs.exe
HKLM-Run-Windows Logon Application - C:\WINDOWS\System32\logon.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2008-08-25 08:44:05
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ... 

C:\WINDOWS\wmssvc.exe [1088] 0x8296CD80

scanning hidden autostart entries ...

scanning hidden files ... 


C:\WINDOWS\system32\drivers\sedoanp.sys 30720 bytes executable


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eobrkb]
"ImagePath"="\??\C:\WINDOWS\System32\drivers\sedoanp.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\abgcwh32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-25  8:53:25 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt  2008-08-25 06:52:06
ComboFix2.txt  2008-08-24 15:00:09

Pre-Run: 4,111,527,936 bajtów wolnych
Post-Run: 4,044,963,840 bajt˘w wolnych

175


#15 wncvirus

wncvirus

    Lazybones !

  • 851 posts

Posted 25 08 2008 - 10:04

For what ComboFix removed by itself, do this:

Paste into Notepad
REGISTRY::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\abgcwh]

>>File>>Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the file CFScript.txt onto ComboFix.exe (that is, the CFScript.txt icon onto the ComboFix.exe icon)
(if the question "1 or 2" appears, type 1 and press ENTER) Removal should begin (and a log will be produced)
After the restart, manually delete the folder C:\Qoobox.

After doing this, post a new ComboFix log.

#16 jack64vp

jack64vp

    Beginner

  • 40 posts

Posted 25 08 2008 - 11:03

GG still does not work; here is the log:


ComboFix 08-08-24.02 - Administrator 2008-08-25 10:34:52.8 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1250.1.1045.18.178 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt
 * Created a new restore point

[color="red"][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED [img]http://www.forum.tweaks.pl/public/style_emoticons/default/excl.gif[/img][/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\adpti.dll
C:\WINDOWS\system32\comui.dll

.
(((((((((((((((((((((((((   Files Created from 2008-07-25 to 2008-08-25  )))))))))))))))))))))))))))))))
.

2008-08-25 09:34 . 2008-08-25 09:34	<DIR>	d--------	C:\WINDOWS\system32\jdk-1_5_0_19-windows-i391-pp
2008-08-25 09:34 . 2008-08-25 09:34	111,703	--a------	C:\WINDOWS\system32\mshdllsbw.exe
2008-08-25 09:11 . 2008-08-25 09:12	<DIR>	d--------	C:\Program Files\Gadu-Gadu
2008-08-25 09:00 . 2008-08-25 09:00	113,664	--a------	C:\WINDOWS\faceback1001186.exe.tmp
2008-08-25 09:00 . 2008-08-25 10:20	113,664	--a------	C:\WINDOWS\faceback1001186.exe
2008-08-25 08:20 . 2008-08-25 08:20	21,504	--a------	C:\WINDOWS\system32\abgcwh32.dll
2008-08-24 22:17 . 2008-08-24 17:29	113,664	---------	C:\WINDOWS\trz21.tmp
2008-08-24 22:17 . 2008-08-20 05:52	21,504	---------	C:\WINDOWS\system32\trz23.tmp
2008-08-24 21:57 . 2008-08-24 21:57	<DIR>	d--------	C:\Program Files\Elfima
2008-08-24 21:57 . 2003-10-26 15:16	266,752	--a------	C:\WINDOWS\system32\mscomctl.oca
2008-08-20 01:35 . 2008-08-20 01:35	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-08-20 01:30 . 2008-08-20 02:00	<DIR>	d--------	C:\SDFix
2008-08-20 00:12 . 2008-08-20 00:12	<DIR>	d--------	C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-08-20 00:11 . 2008-08-20 00:12	<DIR>	d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-08-20 00:11 . 2008-08-20 00:11	<DIR>	d--------	C:\Program Files\Common Files\Download Manager
2008-08-20 00:11 . 2008-08-20 00:11	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes
2008-08-20 00:11 . 2008-08-17 15:01	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-20 00:11 . 2008-08-17 15:01	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-19 23:45 . 2008-08-19 23:45	<DIR>	d--------	C:\Documents and Settings\Administrator\DoctorWeb
2008-08-18 15:45 . 2008-08-18 15:45	198,144	-r-hs----	C:\WINDOWS\wmssvc.exe
2008-08-13 13:54 . 2008-08-13 13:54	<DIR>	d--------	C:\Program Files\Google
2008-08-13 13:53 . 2008-08-13 13:57	<DIR>	d--------	C:\Program Files\Picasa2
2008-08-12 17:47 . 2008-08-12 17:48	<DIR>	d--------	C:\Program Files\a-squared HiJackFree

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 20:36	---------	d-----w	C:\Program Files\Opera
2008-08-24 20:35	---------	d-----w	C:\Program Files\Tlen.pl
2008-08-24 12:01	---------	d-----w	C:\Documents and Settings\Administrator\Dane aplikacji\Tlen.pl
2008-08-19 21:50	65,536	----a-w	C:\WINDOWS\DUMP3e28.tmp
2008-08-16 14:35	---------	d-----w	C:\Documents and Settings\Administrator\Dane aplikacji\Skype
2008-08-12 15:49	---------	d-----w	C:\Program Files\Trend Micro
2007-10-13 14:51	17,144	----a-w	C:\Documents and Settings\Administrator\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-02-20 11:02	31	----a-w	C:\Documents and Settings\Administrator\getfile.dat
2006-07-16 15:02	31	----a-w	C:\Documents and Settings\ASIA\getfile.dat
.

------- Sigcheck -------

2002-09-20 19:05  1015296  925387582296260489564ae2aa284322	C:\WINDOWS\explorer.exe
2002-09-20 19:05  1015296  1a99a4e504e5cbaa19d554b42f034594	C:\WINDOWS\system32\dllcache\explorer.exe

2002-09-20 19:05  23040  4187d9d4d94fcd138ce9ae352d5a9f3c	C:\WINDOWS\system32\ctfmon.exe
2002-09-20 19:05  23040  07f4a458e913beb87f1b75bc99987efd	C:\WINDOWS\system32\dllcache\ctfmon.exe

2002-09-20 19:05  152064  23c0106b37d81b6e2606b500677e9061	C:\WINDOWS\system32\wuauclt.exe
2002-09-20 19:05  152064  b42ad01455d2c18351b95d45c813b1ad	C:\WINDOWS\system32\dllcache\wuauclt.exe

2002-09-20 19:05  32256  0d55bb6aec2e7361cad1d396b98f5a35	C:\WINDOWS\system32\userinit.exe
2002-09-20 19:05  32256  edbe5fd297b5fdae18c2e29a3b9f1ad9	C:\WINDOWS\system32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10C9A893-C4B8-4562-B312-DA794B04C69D}]
2002-01-02 20:34	91648	--a------	C:\WINDOWS\System32\certmg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2007-12-02 16:13	394680	--a------	C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1523741]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-08-06 10:45 887296]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 61551]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 61440]
"runner1"="C:\WINDOWS\faceback1001186.exe" [2008-08-25 10:20 113664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 19:05 23040]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 08:05:26 39424]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\abgcwh]
2008-08-25 08:20 21504 C:\WINDOWS\system32\abgcwh32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-01-29 16:51 25451048 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-11-21 19:38 45056 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"firewalldisableoverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\regsvr32.exe"=
"C:\\WINDOWS\\system32\\NOTEPAD.EXE"=
"wmssvc.exe"= wmssvc.exe:SYSTEM

R2 NET Service;NET Service;C:\WINDOWS\wmssvc.exe [2008-08-18 15:45]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\System32\DRIVERS\KS-959.sys [2005-10-09 05:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 10:39:36
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ... 

C:\WINDOWS\wmssvc.exe [1080] 0x8297F3E8

scanning hidden autostart entries ...

scanning hidden files ... 


C:\WINDOWS\system32\drivers\sedoanp.sys 30720 bytes executable


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\eobrkb]
"ImagePath"="\??\C:\WINDOWS\System32\drivers\sedoanp.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\abgcwh32.dll
.
Completion time: 2008-08-25 10:43:31
ComboFix-quarantined-files.txt  2008-08-25 08:42:25
ComboFix2.txt  2008-08-25 06:53:29

Pre-Run: 3,942,256,640 bajtów wolnych
Post-Run: 3,899,359,232 bajtów wolnych

137


#17 wncvirus

wncvirus

    Lazybones!

  • 851 posts

Posted 25 08 2008 - 11:59

Paste into Notepad:
File::
C:\WINDOWS\system32\mshdllsbw.exe
C:\WINDOWS\faceback1001186.exe.tmp
C:\WINDOWS\faceback1001186.exe
C:\WINDOWS\system32\abgcwh32.dll
C:\WINDOWS\trz21.tmp
C:\WINDOWS\system32\trz23.tmp
C:\WINDOWS\wmssvc.exe
C:\WINDOWS\System32\certmg.dll
C:\WINDOWS\system32\drivers\sedoanp.sys

Folder::
C:\WINDOWS\system32\jdk-1_5_0_19-windows-i391-pp

Driver::
"NET Service"
REGISTRY::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10C9A893-C4B8-4562-B312-DA794B04C69D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"runner1"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\abgcwh]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"wmssvc.exe"=-
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\eobrkb]
>>File>>Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
just as in this picture --> Attached image
(if the question "1 or 2" appears, type 1 and press ENTER). Removal should start (and a log will be created).
After the restart, manually delete the folder C:\Qoobox.


After doing this, post a new ComboFix log.

#18 jack64vp

jack64vp

    Beginner

  • 40 posts

Posted 26 08 2008 - 19:01

GG has come back, the internet is still running very slowly, here is the log:

ComboFix 08-08-24.02 - Administrator 2008-08-26 18:08:46.9 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1250.1.1045.18.171 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::
C:\WINDOWS\faceback1001186.exe
C:\WINDOWS\faceback1001186.exe.tmp
C:\WINDOWS\system32\abgcwh32.dll
C:\WINDOWS\System32\certmg.dll
C:\WINDOWS\system32\drivers\sedoanp.sys
C:\WINDOWS\system32\mshdllsbw.exe
C:\WINDOWS\system32\trz23.tmp
C:\WINDOWS\trz21.tmp
C:\WINDOWS\wmssvc.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Dane aplikacji\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\Administrator\Dane aplikacji\rhcaj7j0encv
C:\Documents and Settings\All Users\Menu Start\Programy\Antivirus XP 2008
C:\Documents and Settings\All Users\Menu Start\Programy\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Menu Start\Programy\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Menu Start\Programy\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Menu Start\Programy\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Menu Start\Programy\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Menu Start\Programy\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Pulpit\Antivirus XP 2008.lnk
C:\Program Files\rhcaj7j0encv
C:\WINDOWS\b152.exe
C:\WINDOWS\faceback1001186.exe
C:\WINDOWS\system32\abgcwh32.dll
C:\WINDOWS\system32\blphcej7j0encv.scr
C:\WINDOWS\System32\certmg.dll
C:\WINDOWS\system32\drivers\sedoanp.sys
C:\WINDOWS\system32\jdk-1_5_0_19-windows-i391-pp
C:\WINDOWS\system32\jdk-1_5_0_19-windows-i391-pp\jav.bat
C:\WINDOWS\system32\jdk-1_5_0_19-windows-i391-pp\js.exe
C:\WINDOWS\system32\lphcej7j0encv.exe
C:\WINDOWS\system32\mshdllsbw.exe
C:\WINDOWS\system32\phcej7j0encv.bmp
C:\WINDOWS\system32\pphcej7j0encv.exe
C:\WINDOWS\system32\trz23.tmp
C:\WINDOWS\trz21.tmp
C:\WINDOWS\wmssvc.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NET_SERVICE
-------\Service_NET Service
-------\Legacy_eobrkb
-------\Service_eobrkb


(((((((((((((((((((((((((   Files Created from 2008-07-26 to 2008-08-26  )))))))))))))))))))))))))))))))
.

2008-08-25 10:58 . 2008-08-25 10:58	<DIR>	d--------	C:\Program Files\Gadu-Gadu
2008-08-25 10:44 . 2008-08-25 10:44	<DIR>	d--------	C:\Program Files\Mjcore
2008-08-25 10:40 . 2008-08-25 10:40	113,664	--a------	C:\WINDOWS\stfMeane1001186.exe
2008-08-24 21:57 . 2008-08-24 21:57	<DIR>	d--------	C:\Program Files\Elfima
2008-08-24 21:57 . 2003-10-26 15:16	266,752	--a------	C:\WINDOWS\system32\mscomctl.oca
2008-08-20 01:35 . 2008-08-20 01:35	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-08-20 01:30 . 2008-08-20 02:00	<DIR>	d--------	C:\SDFix
2008-08-20 00:12 . 2008-08-20 00:12	<DIR>	d--------	C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-08-20 00:11 . 2008-08-20 00:12	<DIR>	d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-08-20 00:11 . 2008-08-20 00:11	<DIR>	d--------	C:\Program Files\Common Files\Download Manager
2008-08-20 00:11 . 2008-08-20 00:11	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes
2008-08-20 00:11 . 2008-08-17 15:01	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-20 00:11 . 2008-08-17 15:01	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-19 23:45 . 2008-08-19 23:45	<DIR>	d--------	C:\Documents and Settings\Administrator\DoctorWeb
2008-08-13 13:54 . 2008-08-13 13:54	<DIR>	d--------	C:\Program Files\Google
2008-08-13 13:53 . 2008-08-13 13:57	<DIR>	d--------	C:\Program Files\Picasa2
2008-08-12 17:47 . 2008-08-12 17:48	<DIR>	d--------	C:\Program Files\a-squared HiJackFree

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 20:36	---------	d-----w	C:\Program Files\Opera
2008-08-24 20:35	---------	d-----w	C:\Program Files\Tlen.pl
2008-08-24 12:01	---------	d-----w	C:\Documents and Settings\Administrator\Dane aplikacji\Tlen.pl
2008-08-19 21:50	65,536	----a-w	C:\WINDOWS\DUMP3e28.tmp
2008-08-16 14:35	---------	d-----w	C:\Documents and Settings\Administrator\Dane aplikacji\Skype
2008-08-12 15:49	---------	d-----w	C:\Program Files\Trend Micro
2007-10-13 14:51	17,144	----a-w	C:\Documents and Settings\Administrator\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-02-20 11:02	31	----a-w	C:\Documents and Settings\Administrator\getfile.dat
2006-07-16 15:02	31	----a-w	C:\Documents and Settings\ASIA\getfile.dat
.

------- Sigcheck -------

2002-09-20 19:05  1015296  925387582296260489564ae2aa284322	C:\WINDOWS\explorer.exe
2002-09-20 19:05  1015296  1a99a4e504e5cbaa19d554b42f034594	C:\WINDOWS\system32\dllcache\explorer.exe

2002-09-20 19:05  23040  4187d9d4d94fcd138ce9ae352d5a9f3c	C:\WINDOWS\system32\ctfmon.exe
2002-09-20 19:05  23040  07f4a458e913beb87f1b75bc99987efd	C:\WINDOWS\system32\dllcache\ctfmon.exe

2002-09-20 19:05  152064  23c0106b37d81b6e2606b500677e9061	C:\WINDOWS\system32\wuauclt.exe
2002-09-20 19:05  152064  b42ad01455d2c18351b95d45c813b1ad	C:\WINDOWS\system32\dllcache\wuauclt.exe

2002-09-20 19:05  32256  0d55bb6aec2e7361cad1d396b98f5a35	C:\WINDOWS\system32\userinit.exe
2002-09-20 19:05  32256  edbe5fd297b5fdae18c2e29a3b9f1ad9	C:\WINDOWS\system32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2007-12-02 16:13	394680	--a------	C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1523741]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-08-06 10:45 887296]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 61551]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 19:05 23040]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 08:05:26 39424]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-01-29 16:51 25451048 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-11-21 19:38 45056 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"firewalldisableoverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\regsvr32.exe"=
"C:\\WINDOWS\\system32\\NOTEPAD.EXE"=

S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\System32\DRIVERS\KS-959.sys [2005-10-09 05:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lphcej7j0encv - C:\WINDOWS\System32\lphcej7j0encv.exe
HKLM-Run-SMrhcaj7j0encv - C:\Program Files\rhcaj7j0encv\rhcaj7j0encv.exe



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 18:29:10
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-26 18:36:11 - machine was rebooted
ComboFix-quarantined-files.txt  2008-08-26 16:35:04
ComboFix2.txt  2008-08-25 08:43:32

Pre-Run: 6,112,731,136 bajtów wolnych
Post-Run: 6,058,704,896 bajtów wolnych

169


#19 ordynat

ordynat

    Advanced user

  • 804 posts

Posted 26 08 2008 - 19:24

File::
C:\WINDOWS\stfMeane1001186.exe

Folder::
C:\Program Files\Mjcore

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D88E1558-7C2D-407A-953A-C044F5607CEA}]
>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto the ComboFix.exe file
--> Attached image
Removal should start (and a log will be created).
Post the log that is created during the removal.
After the restart, manually delete the folder C:\Qoobox.

ordynat

#20 jack64vp

jack64vp

    Beginner

  • 40 posts

Posted 26 08 2008 - 20:26

ComboFix 08-08-25.01 - Administrator 2008-08-26 19:51:08.10 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1250.1.1045.18.211 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::
C:\WINDOWS\stfMeane1001186.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Mjcore
C:\Program Files\Mjcore\Mjcore.dll
C:\WINDOWS\stfMeane1001186.exe
C:\WINDOWS\system32\comdlg3.dll
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll

.
(((((((((((((((((((((((((   Files Created from 2008-07-26 to 2008-08-26  )))))))))))))))))))))))))))))))
.

2008-08-26 19:07 . 2008-08-26 19:07	50,176	--a------	C:\WINDOWS\system32\46.tmp
2008-08-26 19:07 . 2008-08-26 19:07	44	--a------	C:\WINDOWS\system32\44.tmp
2008-08-26 19:07 . 2008-08-26 19:07	18	--a------	C:\WINDOWS\system32\47.tmp
2008-08-26 18:38 . 2008-08-26 18:38	50,176	--a------	C:\WINDOWS\system32\B.tmp
2008-08-26 18:38 . 2008-08-26 18:38	44	--a------	C:\WINDOWS\system32\A.tmp
2008-08-26 18:38 . 2008-08-26 18:38	18	--a------	C:\WINDOWS\system32\C.tmp
2008-08-25 10:58 . 2008-08-26 18:39	<DIR>	d--------	C:\Program Files\Gadu-Gadu
2008-08-25 10:40 . 2008-08-26 18:39	109,056	--a------	C:\WINDOWS\faceback.exe
2008-08-24 21:57 . 2008-08-24 21:57	<DIR>	d--------	C:\Program Files\Elfima
2008-08-24 21:57 . 2003-10-26 15:16	266,752	--a------	C:\WINDOWS\system32\mscomctl.oca
2008-08-20 01:35 . 2008-08-20 01:35	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-08-20 01:30 . 2008-08-20 02:00	<DIR>	d--------	C:\SDFix
2008-08-20 00:12 . 2008-08-20 00:12	<DIR>	d--------	C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-08-20 00:11 . 2008-08-20 00:12	<DIR>	d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-08-20 00:11 . 2008-08-20 00:11	<DIR>	d--------	C:\Program Files\Common Files\Download Manager
2008-08-20 00:11 . 2008-08-20 00:11	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes
2008-08-20 00:11 . 2008-08-17 15:01	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-20 00:11 . 2008-08-17 15:01	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-19 23:45 . 2008-08-19 23:45	<DIR>	d--------	C:\Documents and Settings\Administrator\DoctorWeb
2008-08-13 13:54 . 2008-08-13 13:54	<DIR>	d--------	C:\Program Files\Google
2008-08-13 13:53 . 2008-08-13 13:57	<DIR>	d--------	C:\Program Files\Picasa2
2008-08-12 17:47 . 2008-08-12 17:48	<DIR>	d--------	C:\Program Files\a-squared HiJackFree

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 20:36	---------	d-----w	C:\Program Files\Opera
2008-08-24 20:35	---------	d-----w	C:\Program Files\Tlen.pl
2008-08-24 12:01	---------	d-----w	C:\Documents and Settings\Administrator\Dane aplikacji\Tlen.pl
2008-08-19 21:50	65,536	----a-w	C:\WINDOWS\DUMP3e28.tmp
2008-08-16 14:35	---------	d-----w	C:\Documents and Settings\Administrator\Dane aplikacji\Skype
2008-08-12 15:49	---------	d-----w	C:\Program Files\Trend Micro
2007-10-13 14:51	17,144	----a-w	C:\Documents and Settings\Administrator\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-02-20 11:02	31	----a-w	C:\Documents and Settings\Administrator\getfile.dat
2006-07-16 15:02	31	----a-w	C:\Documents and Settings\ASIA\getfile.dat
.

------- Sigcheck -------

2002-09-20 19:05  1015296  925387582296260489564ae2aa284322	C:\WINDOWS\explorer.exe
2002-09-20 19:05  1015296  1a99a4e504e5cbaa19d554b42f034594	C:\WINDOWS\system32\dllcache\explorer.exe

2002-09-20 19:05  23040  4187d9d4d94fcd138ce9ae352d5a9f3c	C:\WINDOWS\system32\ctfmon.exe
2002-09-20 19:05  23040  07f4a458e913beb87f1b75bc99987efd	C:\WINDOWS\system32\dllcache\ctfmon.exe

2002-09-20 19:05  152064  23c0106b37d81b6e2606b500677e9061	C:\WINDOWS\system32\wuauclt.exe
2002-09-20 19:05  152064  b42ad01455d2c18351b95d45c813b1ad	C:\WINDOWS\system32\dllcache\wuauclt.exe

2002-09-20 19:05  32256  0d55bb6aec2e7361cad1d396b98f5a35	C:\WINDOWS\system32\userinit.exe
2002-09-20 19:05  32256  edbe5fd297b5fdae18c2e29a3b9f1ad9	C:\WINDOWS\system32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2007-12-02 16:13	394680	--a------	C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1523741]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-08-06 10:45 887296]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 61551]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 19:05 23040]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 08:05:26 39424]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-01-29 16:51 25451048 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-11-21 19:38 45056 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"firewalldisableoverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\regsvr32.exe"=
"C:\\WINDOWS\\system32\\NOTEPAD.EXE"=

S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\System32\DRIVERS\KS-959.sys [2005-10-09 05:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 19:54:57
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


**************************************************************************
.
Completion time: 2008-08-26 19:58:24
ComboFix-quarantined-files.txt  2008-08-26 17:57:19

Pre-Run: 5,972,410,368 bajtów wolnych
Post-Run: 5,929,779,200 bajtów wolnych

131





