[virus] Virus for XP

  • Closed - This topic is closed
11 replies in this topic

#1 przemekfilu

    Observer

  • 6 posts

Posted 14 01 2008 - 16:21

Hi, I have a question... Recently I was browsing sites like YouTube, Google Video and the like... One of the sites asked me to enable JavaScript... I did, and right after that a file download window appeared. I didn't download that file, but it ended up on my desktop anyway. When I restarted the computer it was already installed (even though I had deleted the installer from the desktop). It was an "antivirus" program; the first thing it wanted was to download "updates", and right after I refused it said I had a Trial and had to pay there for the full version... Then an alert in English started appearing (I have Win XP Prof PL):
The alert resembles the one that, after installing Windows XP, informs you that the computer may be at risk because there is no antivirus / automatic updates are off (the small shield in the tray). The difference is that there it was a yellow shield, while here it is a blue one with a question mark inside, and every so often it turns red with a cross inside... Clicking it with the left or right button opens an IE window with some page; I don't know what's on it because I didn't wait for it to load... A window also appeared (http://www.fotosik.pl/pokaz_obrazek/94af22c2e401b1f5.html); the screenshot shows my normal window! On the one that popped up by itself it was like this: 1. Everything in English... 2. The tabs marked in blue couldn't be opened... 3. Where it's marked in red there was nothing of the sort, only something about an antivirus and two DOWNLOAD buttons <- probably that antivirus (only the buttons could be clicked). Big apologies for the monotony and any mistakes. If I posted the topic in the wrong place, I apologize. Please help me remove this error/virus (the alert in the tray).

Of course I scanned the computer with various antivirus programs, but none of them detected it. One more thing... when I open the Start menu properties and the hiding of inactive icons there, it is named "untitled" (screenshot - http://www.fotosik.pl/pokaz_obrazek/d53b32ef7ca9a41e.html) and after every restart it changes to "hide when inactive" (while it is constantly active), so hiding it doesn't work... I marked the real Windows XP alert in blue...

Please help!


#2 wncvirus

    Lazybones!

  • 851 posts

Posted 14 01 2008 - 17:25

Show the ComboFix logs


#3 przemekfilu

    Observer

  • 6 posts

Posted 14 01 2008 - 17:47

Gladly... but what is that ;p

#4 Tequila

    Regular user

  • 386 posts

Posted 14 01 2008 - 17:51

http://cybertrash.pl/images/tata/ComboFix.html - instructions on "how to make a log and where it is afterwards" + a link to the tool.

Before you make the ComboFix log, download SmitfraudFix from the net, unpack it, boot into safe mode, run smitfraudfix.cmd and use option 2 - Clean

Also post the SmitfraudFix log on the forum.

#5 przemekfilu

    Observer

  • 6 posts

Posted 14 01 2008 - 18:28

(Tequila, if I use that SmitfraudFix, the description said it will clean my disk... Clean it of files or of bugs?) I made the log right away, without downloading what you wrote about; it looks like this:

ComboFix 08-01-14.4 - Admin 2008-01-14 17:31:30.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1065 [GMT 1:00]
Running from: G:\Documents and Settings\Admin\Pulpit\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
The following files were disabled during the run:
G:\Program Files\Ashampoo\Ashampoo FireWall PRO\MD5.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

G:\Documents and Settings\Admin\Dane aplikacji\addon.dat
G:\Program Files\Video Add-on

.
((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-14 17:29 . 2000-08-31 08:00 51,200 --a------ G:\WINDOWS\NirCmd.exe
2008-01-13 21:42 . 2008-01-13 21:43 528 --a------ G:\WINDOWS\system32\index.dat
2008-01-13 21:42 . 2008-01-13 21:43 378 --a------ G:\WINDOWS\system32\viridx.dat
2008-01-13 20:47 . 2007-04-16 17:25 7,168 --a------ G:\WINDOWS\system32\drivers\AshAvScan.sys
2008-01-13 20:11 . 2008-01-13 20:11 <DIR> d-------- G:\Program Files\Ashampoo
2008-01-13 19:46 . 2008-01-13 19:46 <DIR> d--hs---- G:\FOUND.003
2008-01-13 19:32 . 2008-01-13 19:32 <DIR> d-------- G:\Documents and Settings\Admin\Dane aplikacji\PC Tools
2008-01-13 19:31 . 2008-01-13 19:31 <DIR> d-------- G:\Program Files\PC Tools AntiVirus
2008-01-13 19:31 . 2008-01-13 19:31 <DIR> d-------- G:\Program Files\Common Files\PC Tools
2008-01-13 19:31 . 2008-01-13 19:31 <DIR> d-------- G:\Documents and Settings\All Users\Dane aplikacji\PC Tools
2008-01-13 19:31 . 2007-12-06 16:51 28,568 --a------ G:\WINDOWS\system32\drivers\AVHook.sys
2008-01-13 19:31 . 2007-12-06 16:51 21,912 --a------ G:\WINDOWS\system32\drivers\AVRec.sys
2008-01-13 19:31 . 2007-12-10 10:59 21,912 --a------ G:\WINDOWS\system32\drivers\AVFilter.sys
2008-01-13 19:17 . 2008-01-13 19:17 <DIR> d-------- G:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-01-13 12:33 . 2008-01-13 12:33 <DIR> d-------- G:\Program Files\BearShare
2008-01-13 12:33 . 2008-01-13 12:33 <DIR> d-------- G:\My Downloads
2008-01-11 17:33 . 2008-01-11 17:33 <DIR> d--h----- G:\Program Files\win32GI
2008-01-10 18:18 . 2008-01-10 18:18 <DIR> d--hs---- G:\FOUND.002
2008-01-07 14:02 . 2008-01-03 14:28 2,059,872 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest.exe
2008-01-07 14:02 . 2008-01-03 14:28 1,118,208 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_cpuid.dll
2008-01-07 14:02 . 2007-10-12 09:55 1,093,632 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_bench.dll
2008-01-07 14:02 . 2007-10-17 00:03 1,032,704 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_mondiag.dll
2008-01-07 14:02 . 2008-01-03 14:28 642,390 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest.dat
2008-01-07 14:02 . 2007-11-07 12:23 284,672 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_diskbench.dll
2008-01-07 14:02 . 2008-01-03 14:28 156,672 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_xpicons.dll
2008-01-07 14:02 . 2008-01-03 14:28 120,320 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_icons.dll
2008-01-07 14:02 . 2006-08-11 21:59 53,248 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_lglcd.dll
2008-01-07 14:02 . 2004-03-21 22:47 48,128 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_zipdll.dll
2008-01-06 22:37 . 2008-01-06 22:37 <DIR> d--hs---- G:\FOUND.001
2008-01-06 20:00 . 2008-01-06 20:00 <DIR> d-------- G:\Documents and Settings\Admin\Dane aplikacji\AdwareAlert
2008-01-06 19:29 . 2008-01-06 19:29 <DIR> d-------- G:\Program Files\ErrorKiller
2008-01-06 00:04 . 2008-01-06 00:04 <DIR> d-------- G:\Documents and Settings\Admin\Dane aplikacji\VideoEgg
2008-01-05 22:50 . 2008-01-05 22:50 <DIR> d-------- G:\Downloads
2008-01-05 22:42 . 2008-01-05 22:42 2,560 --a------ G:\WINDOWS\system32\bitcometres.dll
2008-01-05 00:37 . 2008-01-05 00:37 <DIR> d-------- G:\Program Files\3DO
2008-01-01 17:55 . 2006-11-12 11:39 483,328 --a------ G:\WINDOWS\system32\actskn45.ocx
2008-01-01 17:54 . 2008-01-01 17:54 <DIR> d-------- G:\Program Files\BearShare Applications
2007-12-29 20:43 . 2007-12-29 20:43 768 --a------ G:\WINDOWS\system32\d3d8caps.dat
2007-12-29 18:18 . 2007-12-29 18:18 <DIR> d-------- G:\Program Files\Readiris
2007-12-29 18:18 . 1997-05-26 14:55 23,040 --a------ G:\WINDOWS\system32\irisco32.dll
2007-12-29 18:18 . 2007-12-29 18:18 119 --a------ G:\WINDOWS\Readiris.ini
2007-12-29 18:17 . 2004-03-11 08:04 24,576 --------- G:\WINDOWS\SvcCon.exe
2007-12-29 18:16 . 2007-12-29 18:16 <DIR> d-------- G:\WINDOWS\system32\drivers\Samsung
2007-12-29 18:16 . 2007-12-29 18:16 <DIR> d-------- G:\Program Files\Samsung
2007-12-29 18:16 . 2004-04-16 08:42 73,728 --------- G:\WINDOWS\WiaInst.exe
2007-12-26 23:02 . 2006-09-13 18:17 320,384 --a------ G:\WINDOWS\system32\drivers\mgaum.sys
2007-12-26 23:02 . 2006-09-13 18:17 235,648 --a------ G:\WINDOWS\system32\mgaud.dll
2007-12-26 17:49 . 2007-12-27 18:02 1,324 --a------ G:\WINDOWS\system32\d3d9caps.dat
2007-12-19 17:05 . 2007-12-19 17:05 <DIR> d-------- G:\Program Files\MAX-FX Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 15:16 23 ----a-w G:\WINDOWS\system32\drivers\adidsl.cfg
2007-12-26 17:59 106,496 ------w G:\WINDOWS\DUMP2c3b.tmp
2007-12-26 16:38 106,496 ------w G:\WINDOWS\DUMP48ff.tmp
2007-12-26 16:00 106,496 ------w G:\WINDOWS\DUMP5515.tmp
2007-12-10 17:21 --------- d-----w G:\Program Files\SWiSHmax
2007-12-09 19:05 73,216 ------w G:\WINDOWS\ST6UNST.EXE
2007-12-09 19:05 249,856 ------w G:\WINDOWS\Setup1.exe
2007-12-08 16:15 --------- d-----w G:\Program Files\Real
2007-12-08 16:15 --------- d-----w G:\Program Files\Common Files\xing shared
2007-12-08 16:15 --------- d-----w G:\Program Files\Common Files\Real
2007-11-30 22:13 98,304 ----a-w G:\WINDOWS\system32\CmdLineExt.dll
2007-11-23 15:08 --------- d-----w G:\Program Files\Zajaczek 4.1
2007-10-23 19:16 47,104 ------w G:\WINDOWS\AKDeInstall.exe
2002-11-04 13:54 3,392 ----a-w G:\WINDOWS\inf\OTHER\cmiainfo.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="G:\WINDOWS\SiSUSBrg.exe" [2002-07-12 12:15 106496]
"NvCplDaemon"="G:\WINDOWS\system32\NvCpl.dll" [2004-07-12 16:50 4112384]
"nwiz"="nwiz.exe" [2004-07-12 16:50 843776 G:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="G:\WINDOWS\system32\NvMcTray.dll" [2004-07-12 16:50 81920]
"R2Plus_S2P"="G:\Program Files\Samsung\Samsung SCX-4x20 Series\PSU\Scan2pc.exe" [2005-09-02 01:56 229376]
"PCTAVApp"="G:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-01-10 11:09 1238928]
"AntiSpyWare2Guard"="G:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe" [2007-08-14 09:29 2334040]
"Ashampoo FireWall PRO"="G:\Program Files\Ashampoo\Ashampoo FireWall PRO\FireWall.exe" [2006-12-21 02:10 3543552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="G:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:44 15360]

G:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
DSLMON.lnk - G:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-12-29 16:16:26]
GuardGui.lnk - G:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe [2008-01-13 20:47:54]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{91316323-2ad5-4794-9589-52a2eaa60a68}"= G:\WINDOWS\system32\shlahsd.dll [2007-09-26 17:58 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtussro]
vtussro.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjt32]
winbjt32.dll

R2 avGuard;avGuard Service;G:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe [2007-08-29 14:48]
R3 AshAvScan;AshAvScan;G:\WINDOWS\system32\DRIVERS\AshAvScan.sys [2007-04-16 17:25]
R3 DrvFltIp;DrvFltIp;G:\Documents and Settings\Admin\Ustawienia lokalne\TEMP\DrvFltIp [2006-12-21 02:34]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;G:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2006-02-14 16:02]
S2 AASW2_Service;Ashampoo AntiSpyWare 2 Service;G:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe [2007-08-14 09:28]
S3 mgau;mgau;G:\WINDOWS\system32\DRIVERS\mgaum.sys [2006-09-13 18:17]
S3 usbscan;Sterownik skanera USB;G:\WINDOWS\system32\DRIVERS\usbscan.sys [2006-09-13 18:19]
S3 USBSTOR;Sterownik magazynu masowego USB;G:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{60E12CBD-A2A4-64AD-7E4F-AE9FA54938BE}]
G:\Program Files\win32GI\svchost.exe s
.
Contents of the 'Scheduled Tasks' folder
"2008-01-14 02:00:02 G:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- G:\Program Files\AdwareAlert\AdwareAlert.ex
- G:\Program Files\AdwareAlert
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 17:35:12
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: G:\WINDOWS\system32\csrss.exe
-> G:\Program Files\Ashampoo\Ashampoo FireWall PRO\MD5.dll
.
Completion time: 2008-01-14 17:36:20
ComboFix-quarantined-files.txt 2008-01-14 16:36:12

#6 Tequila

    Regular user

  • 386 posts

Posted 14 01 2008 - 18:36

Well, there's a fair bit of crap sitting on your machine.
First - Vundo - this post -> /index.php?s=&am...ost&p=71450
Then SmitfraudFix, because G:\Program Files\Video Add-on - that is precisely the smitfraud infection

Don't boot into normal mode until the tools have removed the junk.

Finally - post the logs - the full set -> the ones from the programs above + ComboFix + HijackThis, because there will probably be something left to finish off by hand

#7 przemekfilu

    Observer

  • 6 posts

Posted 14 01 2008 - 20:42

Well then, mate, we have a problem... I have Neostrada and in safe mode it doesn't read the USC, so, tough luck, I have to go into normal mode to write here... so here goes:


-------------------------------------------------------------------------------------------------------------------------------------------------------------
VundoFix LOG:

VundoFix V6.7.7

Checking Java version...

Sun Java not detected
Scan started at 19:23:25 2008-01-14

Listing files found while scanning....

No infected files were found.

Beginning removal...


-------------------------------------------------------------------------------------------------------------------------------------------------------------
SmitfraudFix LOG:


SmitFraudFix v2.274

Scan done at 19:36:02,57, 2008-01-14
Run from G:\Documents and Settings\Admin\Pulpit\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{91316323-2ad5-4794-9589-52a2eaa60a68}"="aposiopetic"

[HKEY_CLASSES_ROOT\CLSID\{91316323-2ad5-4794-9589-52a2eaa60a68}\InProcServer32]
@="G:\WINDOWS\system32\shlahsd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{91316323-2ad5-4794-9589-52a2eaa60a68}\InProcServer32]
@="G:\WINDOWS\system32\shlahsd.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

G:\WINDOWS\system32\shlahsd.dll -> Hoax.Win32.Renos.gen.o
G:\WINDOWS\system32\shlahsd.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

G:\DOCUME~1\ALLUSE~1\MENUST~1\Online Security Guide.url Deleted
G:\DOCUME~1\ALLUSE~1\MENUST~1\Security Troubleshooting.url Deleted
G:\DOCUME~1\ADMIN\ULUBIONE\Online Security Test.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


-------------------------------------------------------------------------------------------------------------------------------------------------------------

HijackThis LOG:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:10:37, on 2008-01-14
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\Documents and Settings\Admin\Pulpit\FixVundo.exe
G:\Documents and Settings\Admin\Pulpit\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://adtest.gadu-gadu.pl/clickbtn.asp?ad...ugo-xyxx.com%2F
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - G:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O4 - HKLM\..\Run: [SiSUSBRG] G:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [R2Plus_S2P] G:\Program Files\Samsung\Samsung SCX-4x20 Series\PSU\Scan2pc.exe
O4 - HKLM\..\Run: [PCTAVApp] "G:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [AntiSpyWare2Guard] G:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
O4 - HKLM\..\Run: [Ashampoo FireWall PRO] "G:\Program Files\Ashampoo\Ashampoo FireWall PRO\FireWall.exe" -TRAY
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = G:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: GuardGui.lnk = G:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://G:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://G:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O20 - Winlogon Notify: vtussro - vtussro.dll (file missing)
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)
O22 - SharedTaskScheduler: aposiopetic - {91316323-2ad5-4794-9589-52a2eaa60a68} - G:\WINDOWS\system32\shlahsd.dll
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - G:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: avGuard Service (avGuard) - Unknown owner - G:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - G:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe

--
End of file - 3612 bytes


-------------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix LOG:


ComboFix 08-01-14.4 - Admin 2008-01-14 19:38:52.2 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1170 [GMT 1:00]
Running from: G:\Documents and Settings\Admin\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.

((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-14 19:36 . 2008-01-14 19:36 2,782 --a------ G:\WINDOWS\system32\tmp.reg
2008-01-14 19:23 . 2008-01-14 19:23 <DIR> d-------- G:\VundoFix Backups
2008-01-14 19:16 . 2008-01-14 19:16 <DIR> d-------- G:\WINDOWS\system32\xircom
2008-01-14 19:15 . 2008-01-14 19:15 <DIR> d-------- G:\Program Files\microsoft frontpage
2008-01-14 17:29 . 2000-08-31 08:00 51,200 --a------ G:\WINDOWS\NirCmd.exe
2008-01-13 21:42 . 2008-01-13 21:43 528 --a------ G:\WINDOWS\system32\index.dat
2008-01-13 21:42 . 2008-01-13 21:43 378 --a------ G:\WINDOWS\system32\viridx.dat
2008-01-13 20:47 . 2007-04-16 17:25 7,168 --a------ G:\WINDOWS\system32\drivers\AshAvScan.sys
2008-01-13 20:11 . 2008-01-13 20:11 <DIR> d-------- G:\Program Files\Ashampoo
2008-01-13 19:46 . 2008-01-13 19:46 <DIR> d--hs---- G:\FOUND.003
2008-01-13 19:32 . 2008-01-13 19:32 <DIR> d-------- G:\Documents and Settings\Admin\Dane aplikacji\PC Tools
2008-01-13 19:31 . 2008-01-13 19:31 <DIR> d-------- G:\Program Files\PC Tools AntiVirus
2008-01-13 19:31 . 2008-01-13 19:31 <DIR> d-------- G:\Program Files\Common Files\PC Tools
2008-01-13 19:31 . 2008-01-13 19:31 <DIR> d-------- G:\Documents and Settings\All Users\Dane aplikacji\PC Tools
2008-01-13 19:31 . 2007-12-06 16:51 28,568 --a------ G:\WINDOWS\system32\drivers\AVHook.sys
2008-01-13 19:31 . 2007-12-06 16:51 21,912 --a------ G:\WINDOWS\system32\drivers\AVRec.sys
2008-01-13 19:31 . 2007-12-10 10:59 21,912 --a------ G:\WINDOWS\system32\drivers\AVFilter.sys
2008-01-13 19:17 . 2008-01-13 19:17 <DIR> d-------- G:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-01-13 12:33 . 2008-01-13 12:33 <DIR> d-------- G:\Program Files\BearShare
2008-01-13 12:33 . 2008-01-13 12:33 <DIR> d-------- G:\My Downloads
2008-01-11 17:33 . 2008-01-11 17:33 <DIR> d--h----- G:\Program Files\win32GI
2008-01-10 18:18 . 2008-01-10 18:18 <DIR> d--hs---- G:\FOUND.002
2008-01-07 14:02 . 2008-01-03 14:28 2,059,872 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest.exe
2008-01-07 14:02 . 2008-01-03 14:28 1,118,208 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_cpuid.dll
2008-01-07 14:02 . 2007-10-12 09:55 1,093,632 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_bench.dll
2008-01-07 14:02 . 2007-10-17 00:03 1,032,704 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_mondiag.dll
2008-01-07 14:02 . 2008-01-03 14:28 642,390 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest.dat
2008-01-07 14:02 . 2007-11-07 12:23 284,672 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_diskbench.dll
2008-01-07 14:02 . 2008-01-03 14:28 156,672 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_xpicons.dll
2008-01-07 14:02 . 2008-01-03 14:28 120,320 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_icons.dll
2008-01-07 14:02 . 2006-08-11 21:59 53,248 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_lglcd.dll
2008-01-07 14:02 . 2004-03-21 22:47 48,128 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_zipdll.dll
2008-01-06 22:37 . 2008-01-06 22:37 <DIR> d--hs---- G:\FOUND.001
2008-01-06 20:00 . 2008-01-06 20:00 <DIR> d-------- G:\Documents and Settings\Admin\Dane aplikacji\AdwareAlert
2008-01-06 19:29 . 2008-01-06 19:29 <DIR> d-------- G:\Program Files\ErrorKiller
2008-01-06 00:04 . 2008-01-06 00:04 <DIR> d-------- G:\Documents and Settings\Admin\Dane aplikacji\VideoEgg
2008-01-05 22:50 . 2008-01-05 22:50 <DIR> d-------- G:\Downloads
2008-01-05 22:42 . 2008-01-05 22:42 2,560 --a------ G:\WINDOWS\system32\bitcometres.dll
2008-01-05 00:37 . 2008-01-05 00:37 <DIR> d-------- G:\Program Files\3DO
2008-01-01 17:55 . 2006-11-12 11:39 483,328 --a------ G:\WINDOWS\system32\actskn45.ocx
2008-01-01 17:54 . 2008-01-01 17:54 <DIR> d-------- G:\Program Files\BearShare Applications
2007-12-29 20:43 . 2007-12-29 20:43 768 --a------ G:\WINDOWS\system32\d3d8caps.dat
2007-12-29 18:18 . 2007-12-29 18:18 <DIR> d-------- G:\Program Files\Readiris
2007-12-29 18:18 . 1997-05-26 14:55 23,040 --a------ G:\WINDOWS\system32\irisco32.dll
2007-12-29 18:18 . 2007-12-29 18:18 119 --a------ G:\WINDOWS\Readiris.ini
2007-12-29 18:17 . 2004-03-11 08:04 24,576 --------- G:\WINDOWS\SvcCon.exe
2007-12-29 18:16 . 2007-12-29 18:16 <DIR> d-------- G:\WINDOWS\system32\drivers\Samsung
2007-12-29 18:16 . 2007-12-29 18:16 <DIR> d-------- G:\Program Files\Samsung
2007-12-29 18:16 . 2004-04-16 08:42 73,728 --------- G:\WINDOWS\WiaInst.exe
2007-12-26 23:02 . 2006-09-13 18:17 320,384 --a------ G:\WINDOWS\system32\drivers\mgaum.sys
2007-12-26 23:02 . 2006-09-13 18:17 235,648 --a------ G:\WINDOWS\system32\mgaud.dll
2007-12-26 17:49 . 2007-12-27 18:02 1,324 --a------ G:\WINDOWS\system32\d3d9caps.dat
2007-12-19 17:05 . 2007-12-19 17:05 <DIR> d-------- G:\Program Files\MAX-FX Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 15:16 23 ----a-w G:\WINDOWS\system32\drivers\adidsl.cfg
2007-12-26 17:59 106,496 ------w G:\WINDOWS\DUMP2c3b.tmp
2007-12-26 16:38 106,496 ------w G:\WINDOWS\DUMP48ff.tmp
2007-12-26 16:00 106,496 ------w G:\WINDOWS\DUMP5515.tmp
2007-12-10 17:21 --------- d-----w G:\Program Files\SWiSHmax
2007-12-09 19:05 73,216 ------w G:\WINDOWS\ST6UNST.EXE
2007-12-09 19:05 249,856 ------w G:\WINDOWS\Setup1.exe
2007-12-08 16:15 --------- d-----w G:\Program Files\Real
2007-12-08 16:15 --------- d-----w G:\Program Files\Common Files\xing shared
2007-12-08 16:15 --------- d-----w G:\Program Files\Common Files\Real
2007-11-30 22:13 98,304 ----a-w G:\WINDOWS\system32\CmdLineExt.dll
2007-11-23 15:08 --------- d-----w G:\Program Files\Zajaczek 4.1
2007-10-23 19:16 47,104 ------w G:\WINDOWS\AKDeInstall.exe
2002-11-04 13:54 3,392 ----a-w G:\WINDOWS\inf\OTHER\cmiainfo.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-14_17.35.37,12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 07:00:00 163,328 ----a-w G:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="G:\WINDOWS\SiSUSBrg.exe" [2002-07-12 12:15 106496]
"NvCplDaemon"="G:\WINDOWS\system32\NvCpl.dll" [2004-07-12 16:50 4112384]
"nwiz"="nwiz.exe" [2004-07-12 16:50 843776 G:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="G:\WINDOWS\system32\NvMcTray.dll" [2004-07-12 16:50 81920]
"R2Plus_S2P"="G:\Program Files\Samsung\Samsung SCX-4x20 Series\PSU\Scan2pc.exe" [2005-09-02 01:56 229376]
"PCTAVApp"="G:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-01-10 11:09 1238928]
"AntiSpyWare2Guard"="G:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe" [2007-08-14 09:29 2334040]
"Ashampoo FireWall PRO"="G:\Program Files\Ashampoo\Ashampoo FireWall PRO\FireWall.exe" [2006-12-21 02:10 3543552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="G:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:44 15360]

G:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
DSLMON.lnk - G:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-12-29 16:16:26]
GuardGui.lnk - G:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe [2008-01-13 20:47:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtussro]
vtussro.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjt32]
winbjt32.dll

S2 AASW2_Service;Ashampoo AntiSpyWare 2 Service;G:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe [2007-08-14 09:28]
S2 avGuard;avGuard Service;G:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe [2007-08-29 14:48]
S3 AshAvScan;AshAvScan;G:\WINDOWS\system32\DRIVERS\AshAvScan.sys [2007-04-16 17:25]
S3 DrvFltIp;DrvFltIp;G:\Documents and Settings\Admin\Ustawienia lokalne\TEMP\DrvFltIp []
S3 mgau;mgau;G:\WINDOWS\system32\DRIVERS\mgaum.sys [2006-09-13 18:17]
S3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;G:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2006-02-14 16:02]
S3 usbscan;Sterownik skanera USB;G:\WINDOWS\system32\DRIVERS\usbscan.sys [2006-09-13 18:19]
S3 USBSTOR;Sterownik magazynu masowego USB;G:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{60E12CBD-A2A4-64AD-7E4F-AE9FA54938BE}]
G:\Program Files\win32GI\svchost.exe s
.
Contents of the 'Scheduled Tasks' folder
"2008-01-14 02:00:02 G:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- G:\Program Files\AdwareAlert\AdwareAlert.ex
- G:\Program Files\AdwareAlert
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 19:40:06
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-14 19:40:35
ComboFix-quarantined-files.txt 2008-01-14 18:40:34
ComboFix2.txt 2008-01-14 16:36:24


On this boot of the system that stupid alert didn't appear. I also scanned with another program... Log below

-------------------------------------------------------------------------------------------------------------------------------------------------------------
[01/14/2008, 19:35:08] - VirtumundoBeGone v1.5 ( "G:\Documents and Settings\Admin\Pulpit\VirtumundoBeGone.exe" )
[01/14/2008, 19:35:23] - Detected System Information:
[01/14/2008, 19:35:23] - Windows Version: 5.1.2600, Dodatek Service Pack 2
[01/14/2008, 19:35:23] - Current Username: Admin (Admin)
[01/14/2008, 19:35:23] - Windows is in SAFE mode with Networking.
[01/14/2008, 19:35:23] - Searching for Browser Helper Objects:
[01/14/2008, 19:35:23] - BHO 1: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} (BitComet Helper)
[01/14/2008, 19:35:23] - Finished Searching Browser Helper Objects
[01/14/2008, 19:35:23] - Finishing up...
[01/14/2008, 19:35:23] - Nothing found! Exiting...

#8 Tequila

    Regular user

  • 386 posts

Posted 14 01 2008 - 23:33

Dobrze jest.

zafixuj

O20 - Winlogon Notify: vtussro - vtussro.dll (file missing)
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)
O22 - SharedTaskScheduler: aposiopetic - {91316323-2ad5-4794-9589-52a2eaa60a68} - G:\WINDOWS\system32\shlahsd.dll

Upewnij się, że plików wyżej wymenionych nie ma rzeczywiście - jak są - skasuj.

Dodatkowo skasuj pliki i foldery

G:\Program Files\AdwareAlert
G:\WINDOWS\DUMP2c3b.tmp
G:\WINDOWS\DUMP48ff.tmp
G:\WINDOWS\DUMP5515.tmp
G:\Program Files\ErrorKiller
G:\Program Files\win32GI


This:

S3 DrvFltIp;DrvFltIp;G:\Documents and Settings\Admin\Ustawienia lokalne\TEMP\DrvFltIp []

I really don't like this; it looks like this -> http://www.greatis.com/appdata/d/d/drvfltip.sys.htm
I would remove it.
At the command prompt:
sc stop DrvFltIp
sc delete DrvFltIp
and delete the folder G:\Documents and Settings\Admin\Ustawienia lokalne\TEMP\DrvFltIp

Now remove the task "AdwareAlert Scheduled Scan" from Task Scheduler.

That's probably everything I caught.
To be safe, post ComboFix and HijackThis logs again after the work.
  • 0
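The post above works through four persistence locations by hand (O20 Winlogon Notify, O22 SharedTaskScheduler, a service registered under a user's TEMP folder, and a Task Scheduler job). The script below is an added example, not code from the thread or from any of the tools mentioned in it: it audits those same locations and prints what it finds, without stopping or deleting anything, so that each hit can be verified before acting on it. The registry paths and the TEMP-folder pattern are standard Windows locations; the script assumes an elevated PowerShell 2.0 or later prompt.

```powershell
# Added example, not part of the thread: read-only audit of the autostart
# locations the HijackThis lines above point at (O20 Winlogon Notify,
# O22 SharedTaskScheduler, services/drivers under TEMP, and .job files).
# It reports only; nothing is stopped or deleted. Assumes an elevated
# PowerShell 2.0+ prompt.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$stsKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
$sys32     = Join-Path $env:windir 'system32'

# O20: each subkey names a DLL that winlogon loads at logon. A DllName that
# does not exist on disk ("file missing" in HijackThis) is a dead entry to
# clean up; one that exists should be identified (vendor, signature) first.
function Get-WinlogonNotifyReport {
    if (-not (Test-Path $notifyKey)) { return @() }
    foreach ($sub in Get-ChildItem $notifyKey) {
        $dll = (Get-ItemProperty $sub.PSPath).DllName
        $resolved = $null
        if ($dll) {
            if ([IO.Path]::IsPathRooted($dll)) { $resolved = $dll }
            else { $resolved = Join-Path $sys32 $dll }   # bare names resolve from system32
        }
        New-Object PSObject -Property @{
            Entry   = $sub.PSChildName
            DllName = $dll
            Exists  = [bool]($resolved -and (Test-Path $resolved))
        }
    }
}

# O22: the values are CLSIDs Explorer instantiates at startup; the DLL behind
# each one is the default value of HKCR\CLSID\{...}\InprocServer32. A random
# word as the description plus an unknown DLL in system32 (the "aposiopetic"
# line above) is the pattern worth looking at.
function Get-SharedTaskSchedulerReport {
    if (-not (Test-Path $stsKey)) { return @() }
    $props = (Get-ItemProperty $stsKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }
    foreach ($p in $props) {
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($p.Name)\InprocServer32"
        $dll = $null
        if (Test-Path $srv) { $dll = (Get-ItemProperty $srv).'(default)' }
        $exists = $false
        if ($dll) { $exists = Test-Path ([Environment]::ExpandEnvironmentVariables($dll)) }
        New-Object PSObject -Property @{
            Clsid = $p.Name; Description = $p.Value; Dll = $dll; Exists = $exists
        }
    }
}

# Services and kernel drivers whose binary sits under a Temp directory, as
# DrvFltIp does in the log. Later in the thread that entry turns out to belong
# to Ashampoo, so a hit here means "verify the owner", not "delete".
function Get-TempDirServices {
    $all = @(Get-WmiObject Win32_Service) + @(Get-WmiObject Win32_SystemDriver)
    $all | Where-Object { $_.PathName -match '\\Temp\\' } |   # -match is case-insensitive
        Select-Object Name, State, StartMode, PathName
}

# The legacy Task Scheduler stores each task as a .job file under %windir%\Tasks.
# HijackThis does not list scheduled tasks; the ComboFix log is where the
# AdwareAlert job shows up in this thread.
function Get-JobFiles {
    Get-ChildItem (Join-Path $env:windir 'Tasks') -Filter *.job -ErrorAction SilentlyContinue |
        Select-Object Name, LastWriteTime, Length
}

'== Winlogon Notify (O20) ==';        Get-WinlogonNotifyReport      | Format-Table -AutoSize
'== SharedTaskScheduler (O22) ==';    Get-SharedTaskSchedulerReport | Format-Table -AutoSize
'== Services/drivers under Temp =='; Get-TempDirServices           | Format-Table -AutoSize
'== .job files ==';                   Get-JobFiles                  | Format-Table -AutoSize
```

Run it before and after a cleanup: the "before" output is the list of entries to identify, and the "after" output shows whether the dead O20 entries and the .job file are really gone. Keeping the script read-only is deliberate; the thread itself shows why, since the DrvFltIp entry that looked like a leftover was a legitimate Ashampoo component.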

#9 wncvirus

    Lazybones!

  • 851 posts

Posted 15 01 2008 - 00:03

Check G:\WINDOWS\system32\viridx.dat at http://virusscan.jotti.org/ or at http://www.virustotal.com/en/indexf.htm .
It looks suspicious, and I'd like to find out whether it's bad or not.
The keys below are to be deleted.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtussro]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjt32]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{60E12CBD-A2A4-64AD-7E4F-AE9FA54938BE}]

  • 0
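Before a suspect file such as viridx.dat is sent to a multi-engine scanner, it helps to record its hashes and metadata, so the lookup can be done by hash and the answer tied to exactly the file that was on the disk. The script below is an added example, not code from the thread or from any of the scanners it names; it uses only .NET hashing and the Get-AuthenticodeSignature cmdlet, and the path is the one quoted in the post. It assumes PowerShell 2.0 or later.

```powershell
# Added example, not part of the thread: hashes and metadata for a suspect
# file, collected before uploading it anywhere. Assumes PowerShell 2.0+.

# Hex digest of a file using the .NET hash algorithms (MD5, SHA1, SHA256).
# The stream is closed in finally so a locked file does not stay open.
function Get-FileHashHex {
    param([string]$Path, [string]$Algorithm = 'SHA256')
    $algo   = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $algo.ComputeHash($stream) }
    finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# One object per file: size, timestamps, attributes, three hashes and the
# Authenticode status. A .dat file will simply report NotSigned; for an .exe
# or .dll a Valid signature with a known signer settles the question quickly.
function Get-SuspectFileReport {
    param([string]$Path)
    if (-not (Test-Path $Path)) { throw "File not found: $Path" }
    $item   = Get-Item $Path -Force          # -Force also returns hidden/system files
    $sig    = Get-AuthenticodeSignature $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Path            = $item.FullName
        SizeBytes       = $item.Length
        Created         = $item.CreationTime
        Modified        = $item.LastWriteTime
        Attributes      = $item.Attributes.ToString()
        MD5             = Get-FileHashHex $Path 'MD5'
        SHA1            = Get-FileHashHex $Path 'SHA1'
        SHA256          = Get-FileHashHex $Path 'SHA256'
        SignatureStatus = $sig.Status.ToString()
        Signer          = $signer
    }
}

# The file from the post; any other path works the same way.
Get-SuspectFileReport 'G:\WINDOWS\system32\viridx.dat' | Format-List
```

The hash is what to search for on the scanner sites, and it is also what to keep in the thread: a later reader can tell whether "clean" referred to the same bytes, which a filename alone cannot guarantee.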

#10 przemekfilu

    Observer

  • 6 posts

Posted 15 01 2008 - 17:02

So: Tequila, you wrote that I should fix them, but I don't know what that means; I deleted the files, but I didn't find win32GI; I didn't remove anything from Task Scheduler because I don't know how to open it -> svchost.exe isn't working.

wncvirus: I deleted the keys; DrvFltIp deleted.
The viridx.dat file is clean - all of them show that.

I made the logs outside safe mode because for some reason it wouldn't go into it...
ComboFix log:


ComboFix 08-01-14.4 - Admin 2008-01-15 15:56:35.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1065 [GMT 1:00]
Running from: G:\Documents and Settings\Admin\Pulpit\Antywiry\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.

((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-15 15:49 . 2008-01-15 15:49 <DIR> d--hs---- G:\FOUND.004
2008-01-14 19:36 . 2008-01-14 19:36 2,782 --a------ G:\WINDOWS\system32\tmp.reg
2008-01-14 19:23 . 2008-01-14 19:23 <DIR> d-------- G:\VundoFix Backups
2008-01-14 19:16 . 2008-01-14 19:16 <DIR> d-------- G:\WINDOWS\system32\xircom
2008-01-14 19:15 . 2008-01-14 19:15 <DIR> d-------- G:\Program Files\microsoft frontpage
2008-01-14 17:29 . 2000-08-31 08:00 51,200 --a------ G:\WINDOWS\NirCmd.exe
2008-01-13 21:42 . 2008-01-13 21:43 528 --a------ G:\WINDOWS\system32\index.dat
2008-01-13 21:42 . 2008-01-13 21:43 378 --a------ G:\WINDOWS\system32\viridx.dat
2008-01-13 20:47 . 2007-04-16 17:25 7,168 --a------ G:\WINDOWS\system32\drivers\AshAvScan.sys
2008-01-13 20:11 . 2008-01-13 20:11 <DIR> d-------- G:\Program Files\Ashampoo
2008-01-13 19:46 . 2008-01-13 19:46 <DIR> d--hs---- G:\FOUND.003
2008-01-13 19:32 . 2008-01-13 19:32 <DIR> d-------- G:\Documents and Settings\Admin\Dane aplikacji\PC Tools
2008-01-13 19:31 . 2008-01-13 19:31 <DIR> d-------- G:\Program Files\PC Tools AntiVirus
2008-01-13 19:31 . 2008-01-13 19:31 <DIR> d-------- G:\Program Files\Common Files\PC Tools
2008-01-13 19:17 . 2008-01-13 19:17 <DIR> d-------- G:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-01-13 12:33 . 2008-01-13 12:33 <DIR> d-------- G:\Program Files\BearShare
2008-01-13 12:33 . 2008-01-13 12:33 <DIR> d-------- G:\My Downloads
2008-01-11 17:33 . 2008-01-11 17:33 <DIR> d--h----- G:\Program Files\win32GI
2008-01-10 18:18 . 2008-01-10 18:18 <DIR> d--hs---- G:\FOUND.002
2008-01-07 14:02 . 2008-01-03 14:28 2,059,872 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest.exe
2008-01-07 14:02 . 2008-01-03 14:28 1,118,208 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_cpuid.dll
2008-01-07 14:02 . 2007-10-12 09:55 1,093,632 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_bench.dll
2008-01-07 14:02 . 2007-10-17 00:03 1,032,704 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_mondiag.dll
2008-01-07 14:02 . 2008-01-03 14:28 642,390 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest.dat
2008-01-07 14:02 . 2007-11-07 12:23 284,672 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_diskbench.dll
2008-01-07 14:02 . 2008-01-03 14:28 156,672 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_xpicons.dll
2008-01-07 14:02 . 2008-01-03 14:28 120,320 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_icons.dll
2008-01-07 14:02 . 2006-08-11 21:59 53,248 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_lglcd.dll
2008-01-07 14:02 . 2004-03-21 22:47 48,128 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_zipdll.dll
2008-01-06 22:37 . 2008-01-06 22:37 <DIR> d--hs---- G:\FOUND.001
2008-01-06 20:00 . 2008-01-06 20:00 <DIR> d-------- G:\Documents and Settings\Admin\Dane aplikacji\AdwareAlert
2008-01-06 00:04 . 2008-01-06 00:04 <DIR> d-------- G:\Documents and Settings\Admin\Dane aplikacji\VideoEgg
2008-01-05 22:50 . 2008-01-05 22:50 <DIR> d-------- G:\Downloads
2008-01-05 22:42 . 2008-01-05 22:42 2,560 --a------ G:\WINDOWS\system32\bitcometres.dll
2008-01-05 00:37 . 2008-01-05 00:37 <DIR> d-------- G:\Program Files\3DO
2008-01-01 17:55 . 2006-11-12 11:39 483,328 --a------ G:\WINDOWS\system32\actskn45.ocx
2008-01-01 17:54 . 2008-01-01 17:54 <DIR> d-------- G:\Program Files\BearShare Applications
2007-12-29 20:43 . 2007-12-29 20:43 768 --a------ G:\WINDOWS\system32\d3d8caps.dat
2007-12-29 18:18 . 2007-12-29 18:18 <DIR> d-------- G:\Program Files\Readiris
2007-12-29 18:18 . 1997-05-26 14:55 23,040 --a------ G:\WINDOWS\system32\irisco32.dll
2007-12-29 18:18 . 2007-12-29 18:18 119 --a------ G:\WINDOWS\Readiris.ini
2007-12-29 18:17 . 2004-03-11 08:04 24,576 --------- G:\WINDOWS\SvcCon.exe
2007-12-29 18:16 . 2007-12-29 18:16 <DIR> d-------- G:\WINDOWS\system32\drivers\Samsung
2007-12-29 18:16 . 2007-12-29 18:16 <DIR> d-------- G:\Program Files\Samsung
2007-12-29 18:16 . 2004-04-16 08:42 73,728 --------- G:\WINDOWS\WiaInst.exe
2007-12-26 23:02 . 2006-09-13 18:17 320,384 --a------ G:\WINDOWS\system32\drivers\mgaum.sys
2007-12-26 23:02 . 2006-09-13 18:17 235,648 --a------ G:\WINDOWS\system32\mgaud.dll
2007-12-26 17:49 . 2007-12-27 18:02 1,324 --a------ G:\WINDOWS\system32\d3d9caps.dat
2007-12-19 17:05 . 2007-12-19 17:05 <DIR> d-------- G:\Program Files\MAX-FX Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 15:16 23 ----a-w G:\WINDOWS\system32\drivers\adidsl.cfg
2007-12-10 17:21 --------- d-----w G:\Program Files\SWiSHmax
2007-12-09 19:05 73,216 ------w G:\WINDOWS\ST6UNST.EXE
2007-12-09 19:05 249,856 ------w G:\WINDOWS\Setup1.exe
2007-12-08 16:15 --------- d-----w G:\Program Files\Real
2007-12-08 16:15 --------- d-----w G:\Program Files\Common Files\xing shared
2007-12-08 16:15 --------- d-----w G:\Program Files\Common Files\Real
2007-11-30 22:13 98,304 ----a-w G:\WINDOWS\system32\CmdLineExt.dll
2007-11-23 15:08 --------- d-----w G:\Program Files\Zajaczek 4.1
2007-10-23 19:16 47,104 ------w G:\WINDOWS\AKDeInstall.exe
2002-11-04 13:54 3,392 ----a-w G:\WINDOWS\inf\OTHER\cmiainfo.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-14_17.35.37,12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 07:00:00 163,328 ----a-w G:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="G:\WINDOWS\SiSUSBrg.exe" [2002-07-12 12:15 106496]
"NvCplDaemon"="G:\WINDOWS\system32\NvCpl.dll" [2004-07-12 16:50 4112384]
"nwiz"="nwiz.exe" [2004-07-12 16:50 843776 G:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="G:\WINDOWS\system32\NvMcTray.dll" [2004-07-12 16:50 81920]
"R2Plus_S2P"="G:\Program Files\Samsung\Samsung SCX-4x20 Series\PSU\Scan2pc.exe" [2005-09-02 01:56 229376]
"AntiSpyWare2Guard"="G:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe" [2007-08-14 09:29 2334040]
"Ashampoo FireWall PRO"="G:\Program Files\Ashampoo\Ashampoo FireWall PRO\FireWall.exe" [2006-12-21 02:10 3543552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="G:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:44 15360]

G:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
DSLMON.lnk - G:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-12-29 16:16:26]
GuardGui.lnk - G:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe [2008-01-13 20:47:54]

R2 AASW2_Service;Ashampoo AntiSpyWare 2 Service;G:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe [2007-08-14 09:28]
R2 avGuard;avGuard Service;G:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe [2007-08-29 14:48]
R3 AshAvScan;AshAvScan;G:\WINDOWS\system32\DRIVERS\AshAvScan.sys [2007-04-16 17:25]
R3 DrvFltIp;DrvFltIp;G:\Documents and Settings\Admin\Ustawienia lokalne\TEMP\DrvFltIp [2006-12-21 02:34]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;G:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2006-02-14 16:02]
S3 mgau;mgau;G:\WINDOWS\system32\DRIVERS\mgaum.sys [2006-09-13 18:17]
S3 usbscan;Sterownik skanera USB;G:\WINDOWS\system32\DRIVERS\usbscan.sys [2006-09-13 18:19]
S3 USBSTOR;Sterownik magazynu masowego USB;G:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 02:00:02 G:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- G:\Program Files\AdwareAlert\AdwareAlert.ex
- G:\Program Files\AdwareAlert
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 15:58:11
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: G:\WINDOWS\system32\winlogon.exe
-> G:\Program Files\Ashampoo\Ashampoo FireWall PRO\MD5.dll

PROCESS: G:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> G:\Program Files\Ashampoo\Ashampoo FireWall PRO\MD5.dll

PROCESS: G:\WINDOWS\system32\csrss.exe
-> G:\Program Files\Ashampoo\Ashampoo FireWall PRO\MD5.dll
.
Completion time: 2008-01-15 15:58:50
ComboFix-quarantined-files.txt 2008-01-15 14:58:46
ComboFix3.txt 2008-01-14 16:36:24
ComboFix2.txt 2008-01-14 18:40:38



------------------------------------------------------------------------------------------------------------------------------------------------------------------


HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:59:15, on 2008-01-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
G:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Samsung\Samsung SCX-4x20 Series\PSU\Scan2pc.exe
G:\Program Files\Ashampoo\Ashampoo FireWall PRO\FireWall.exe
G:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
G:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe
G:\WINDOWS\system32\wscntfy.exe
G:\WINDOWS\explorer.exe
G:\Documents and Settings\Admin\Pulpit\Antywiry\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://adtest.gadu-gadu.pl/clickbtn.asp?ad...ugo-xyxx.com%2F
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - G:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O4 - HKLM\..\Run: [SiSUSBRG] G:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [R2Plus_S2P] G:\Program Files\Samsung\Samsung SCX-4x20 Series\PSU\Scan2pc.exe
O4 - HKLM\..\Run: [AntiSpyWare2Guard] G:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
O4 - HKLM\..\Run: [Ashampoo FireWall PRO] "G:\Program Files\Ashampoo\Ashampoo FireWall PRO\FireWall.exe" -TRAY
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = G:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: GuardGui.lnk = G:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://G:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://G:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - G:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: avGuard Service (avGuard) - Unknown owner - G:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3546 bytes
  • 0

#11 wncvirus

    Lazybones!

  • 851 posts

Posted 15 01 2008 - 18:55

In Notepad:
File::
G:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job

Folder::
G:\FOUND.003
G:\Program Files\win32GI
G:\FOUND.002
G:\FOUND.001
G:\Program Files\AdwareAlert
>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto ComboFix.exe
- like in this picture --> [attached image]
Removal should start (and a log will be created).
After the restart, manually delete the folder C:\Qoobox.

Post the log that is created during the removal.

G:\Documents and Settings\Admin\Ustawienia lokalne\TEMP\DrvFltIp

Don't delete this - it's from Ashampoo!

  • 0

#12 przemekfilu

    Observer

  • 6 posts

Posted 15 01 2008 - 20:04

Haha, so the Ashampoo files are gone ;p... I'll install it again ;p
ComboFix 08-01-14.4 - Admin 2008-01-15 19:12:24.5 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1032 [GMT 1:00]
Running from: G:\Documents and Settings\Admin\Pulpit\Antywiry\ComboFix.exe
Command switches used :: G:\Documents and Settings\Admin\Pulpit\Antywiry\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE
G:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

G:\FOUND.001
G:\FOUND.001\FILE0000.CHK
G:\FOUND.002
G:\FOUND.002\FILE0000.CHK
G:\FOUND.002\FILE0001.CHK
G:\FOUND.002\FILE0002.CHK
G:\FOUND.002\FILE0003.CHK
G:\FOUND.002\FILE0004.CHK
G:\FOUND.002\FILE0005.CHK
G:\FOUND.002\FILE0006.CHK
G:\FOUND.002\FILE0007.CHK
G:\FOUND.002\FILE0008.CHK
G:\FOUND.002\FILE0009.CHK
G:\FOUND.003
G:\FOUND.003\FILE0000.CHK
G:\Program Files\win32GI
G:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job

.
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-15 19:01 . 2008-01-15 19:01 <DIR> d-------- G:\Program Files\t@b
2008-01-15 18:55 . 2008-01-15 18:55 <DIR> d-------- G:\Program Files\ATP
2008-01-15 18:55 . 2000-06-12 15:34 73,728 --a------ G:\WINDOWS\system32\EventList.ocx
2008-01-15 15:49 . 2008-01-15 15:49 <DIR> d--hs---- G:\FOUND.004
2008-01-14 19:36 . 2008-01-14 19:36 2,782 --a------ G:\WINDOWS\system32\tmp.reg
2008-01-14 19:23 . 2008-01-14 19:23 <DIR> d-------- G:\VundoFix Backups
2008-01-14 19:16 . 2008-01-14 19:16 <DIR> d-------- G:\WINDOWS\system32\xircom
2008-01-14 19:15 . 2008-01-14 19:15 <DIR> d-------- G:\Program Files\microsoft frontpage
2008-01-14 17:29 . 2000-08-31 08:00 51,200 --a------ G:\WINDOWS\NirCmd.exe
2008-01-13 21:42 . 2008-01-13 21:43 528 --a------ G:\WINDOWS\system32\index.dat
2008-01-13 21:42 . 2008-01-13 21:43 378 --a------ G:\WINDOWS\system32\viridx.dat
2008-01-13 20:47 . 2007-04-16 17:25 7,168 --a------ G:\WINDOWS\system32\drivers\AshAvScan.sys
2008-01-13 20:11 . 2008-01-13 20:11 <DIR> d-------- G:\Program Files\Ashampoo
2008-01-13 19:32 . 2008-01-13 19:32 <DIR> d-------- G:\Documents and Settings\Admin\Dane aplikacji\PC Tools
2008-01-13 19:31 . 2008-01-13 19:31 <DIR> d-------- G:\Program Files\PC Tools AntiVirus
2008-01-13 19:31 . 2008-01-13 19:31 <DIR> d-------- G:\Program Files\Common Files\PC Tools
2008-01-13 19:17 . 2008-01-13 19:17 <DIR> d-------- G:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-01-13 12:33 . 2008-01-13 12:33 <DIR> d-------- G:\Program Files\BearShare
2008-01-13 12:33 . 2008-01-13 12:33 <DIR> d-------- G:\My Downloads
2008-01-07 14:02 . 2008-01-03 14:28 2,059,872 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest.exe
2008-01-07 14:02 . 2008-01-03 14:28 1,118,208 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_cpuid.dll
2008-01-07 14:02 . 2007-10-12 09:55 1,093,632 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_bench.dll
2008-01-07 14:02 . 2007-10-17 00:03 1,032,704 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_mondiag.dll
2008-01-07 14:02 . 2008-01-03 14:28 642,390 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest.dat
2008-01-07 14:02 . 2007-11-07 12:23 284,672 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_diskbench.dll
2008-01-07 14:02 . 2008-01-03 14:28 156,672 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_xpicons.dll
2008-01-07 14:02 . 2008-01-03 14:28 120,320 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_icons.dll
2008-01-07 14:02 . 2006-08-11 21:59 53,248 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_lglcd.dll
2008-01-07 14:02 . 2004-03-21 22:47 48,128 --a------ G:\Documents and Settings\Everest Ultimate Edition v4.20.1240 PL\everest_zipdll.dll
2008-01-06 20:00 . 2008-01-06 20:00 <DIR> d-------- G:\Documents and Settings\Admin\Dane aplikacji\AdwareAlert
2008-01-06 00:04 . 2008-01-06 00:04 <DIR> d-------- G:\Documents and Settings\Admin\Dane aplikacji\VideoEgg
2008-01-05 22:50 . 2008-01-05 22:50 <DIR> d-------- G:\Downloads
2008-01-05 22:42 . 2008-01-05 22:42 2,560 --a------ G:\WINDOWS\system32\bitcometres.dll
2008-01-05 00:37 . 2008-01-05 00:37 <DIR> d-------- G:\Program Files\3DO
2008-01-01 17:55 . 2006-11-12 11:39 483,328 --a------ G:\WINDOWS\system32\actskn45.ocx
2008-01-01 17:54 . 2008-01-01 17:54 <DIR> d-------- G:\Program Files\BearShare Applications
2007-12-29 20:43 . 2007-12-29 20:43 768 --a------ G:\WINDOWS\system32\d3d8caps.dat
2007-12-29 18:18 . 2007-12-29 18:18 <DIR> d-------- G:\Program Files\Readiris
2007-12-29 18:18 . 1997-05-26 14:55 23,040 --a------ G:\WINDOWS\system32\irisco32.dll
2007-12-29 18:18 . 2007-12-29 18:18 119 --a------ G:\WINDOWS\Readiris.ini
2007-12-29 18:17 . 2004-03-11 08:04 24,576 --------- G:\WINDOWS\SvcCon.exe
2007-12-29 18:16 . 2007-12-29 18:16 <DIR> d-------- G:\WINDOWS\system32\drivers\Samsung
2007-12-29 18:16 . 2007-12-29 18:16 <DIR> d-------- G:\Program Files\Samsung
2007-12-29 18:16 . 2004-04-16 08:42 73,728 --------- G:\WINDOWS\WiaInst.exe
2007-12-26 23:02 . 2006-09-13 18:17 320,384 --a------ G:\WINDOWS\system32\drivers\mgaum.sys
2007-12-26 23:02 . 2006-09-13 18:17 235,648 --a------ G:\WINDOWS\system32\mgaud.dll
2007-12-26 17:49 . 2007-12-27 18:02 1,324 --a------ G:\WINDOWS\system32\d3d9caps.dat
2007-12-19 17:05 . 2007-12-19 17:05 <DIR> d-------- G:\Program Files\MAX-FX Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 15:16 23 ----a-w G:\WINDOWS\system32\drivers\adidsl.cfg
2007-12-10 17:21 --------- d-----w G:\Program Files\SWiSHmax
2007-12-09 19:05 73,216 ------w G:\WINDOWS\ST6UNST.EXE
2007-12-09 19:05 249,856 ------w G:\WINDOWS\Setup1.exe
2007-12-08 16:15 --------- d-----w G:\Program Files\Real
2007-12-08 16:15 --------- d-----w G:\Program Files\Common Files\xing shared
2007-12-08 16:15 --------- d-----w G:\Program Files\Common Files\Real
2007-11-30 22:13 98,304 ----a-w G:\WINDOWS\system32\CmdLineExt.dll
2007-11-23 15:08 --------- d-----w G:\Program Files\Zajaczek 4.1
2007-10-23 19:16 47,104 ------w G:\WINDOWS\AKDeInstall.exe
2002-11-04 13:54 3,392 ----a-w G:\WINDOWS\inf\OTHER\cmiainfo.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-14_17.35.37,12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-14 16:30:34 245,760 ----a-w G:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-15 18:12:18 245,760 ----a-w G:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
- 2008-01-14 16:30:34 12,288 ----a-w G:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-15 18:12:18 12,288 ----a-w G:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-14 16:30:34 245,760 ----a-w G:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-15 18:12:18 245,760 ----a-w G:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-14 16:30:34 12,288 ----a-w G:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-15 18:12:18 12,288 ----a-w G:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-14 16:30:34 4,395,008 ----a-w G:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-15 18:12:18 4,444,160 ----a-w G:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-14 16:30:34 16,384 ----a-w G:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-15 18:12:18 16,384 ----a-w G:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2000-08-31 07:00:00 163,328 ----a-w G:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
- 2007-12-29 19:05:50 70,264 ----a-w G:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-01-15 16:28:46 70,264 ----a-w G:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="G:\WINDOWS\SiSUSBrg.exe" [2002-07-12 12:15 106496]
"NvCplDaemon"="G:\WINDOWS\system32\NvCpl.dll" [2004-07-12 16:50 4112384]
"nwiz"="nwiz.exe" [2004-07-12 16:50 843776 G:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="G:\WINDOWS\system32\NvMcTray.dll" [2004-07-12 16:50 81920]
"R2Plus_S2P"="G:\Program Files\Samsung\Samsung SCX-4x20 Series\PSU\Scan2pc.exe" [2005-09-02 01:56 229376]
"AntiSpyWare2Guard"="G:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe" [2007-08-14 09:29 2334040]
"Ashampoo FireWall PRO"="G:\Program Files\Ashampoo\Ashampoo FireWall PRO\FireWall.exe" [2006-12-21 02:10 3543552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="G:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:44 15360]

G:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
DSLMON.lnk - G:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-12-29 16:16:26]
GuardGui.lnk - G:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe [2008-01-13 20:47:54]

R2 AASW2_Service;Ashampoo AntiSpyWare 2 Service;G:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe [2007-08-14 09:28]
R2 avGuard;avGuard Service;G:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe [2007-08-29 14:48]
R3 AshAvScan;AshAvScan;G:\WINDOWS\system32\DRIVERS\AshAvScan.sys [2007-04-16 17:25]
R3 DrvFltIp;DrvFltIp;G:\Documents and Settings\Admin\Ustawienia lokalne\TEMP\DrvFltIp []
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;G:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2006-02-14 16:02]
S3 mgau;mgau;G:\WINDOWS\system32\DRIVERS\mgaum.sys [2006-09-13 18:17]
S3 usbscan;Sterownik skanera USB;G:\WINDOWS\system32\DRIVERS\usbscan.sys [2006-09-13 18:19]
S3 USBSTOR;Sterownik magazynu masowego USB;G:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 19:13:57
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 19:14:28
ComboFix-quarantined-files.txt 2008-01-15 18:14:26
ComboFix4.txt 2008-01-14 16:36:24
ComboFix3.txt 2008-01-14 18:40:38
ComboFix2.txt 2008-01-15 14:58:52

  • 0