


Logs - Strange process


  • Closed: this topic is closed
11 replies in this topic

#1 Lich-koś

Lich-koś

    Who doesn't like chocolate rain?

  • 126 posts

Posted 09 08 2008 - 23:41

I'm asking you, my dears, to check this log. The reason is simple. A certain process whose name starts with L (I don't remember the rest) slows the machine down and on top of that throws IE pop-ups at me with... porn sites
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"ATI Launchpad" = "(empty string)" [file not found]
"MsServer" = "msfun80.exe" [null data]
"DAEMON Tools Lite" = ""E:\DAEMON Tools Lite\daemon.exe" -autorun" ["DT Soft Ltd"]
"SpybotSD TeaTimer" = "E:\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"AlcoholAutomount" = ""C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"this" = "C:\Program Files\Web Technologies\wcs.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"C:\WINDOWS\system32\kdhml.exe" = "C:\WINDOWS\system32\kdhml.exe" [null data]
"IMJPMIG8.2" = "msime82.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
				   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}\(Default) = "Winamp Toolbar Loader"
  -> {HKLM...CLSID} = "Winamp Toolbar Loader"
				   \InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
				   \InProcServer32\(Default) = "E:\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
				   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
{96372AB6-15EB-4316-B497-71C741BC548C}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Easy Gif Animator Toolbar Helper"
				   \InProcServer32\(Default) = "C:\Program Files\Easy Gif Animator Extension\v3.3.0.1\EasyGifAnimator_Toolbar.dll" [null data]
{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "solution Class"
				   \InProcServer32\(Default) = "C:\WINDOWS\system32\3hp8jMQg.dll" ["TODO: <Company name>"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
				   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
				   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
				   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
				   \InProcServer32\(Default) = "E:\WinRAR\rarext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
				   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
				   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
				   \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "System" = "kdhml.exe" [null data]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
				   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
				   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
				   \InProcServer32\(Default) = "E:\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
				   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
				   \InProcServer32\(Default) = "E:\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
				   \InProcServer32\(Default) = "E:\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoSMBalloonTip" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSaveSettings" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Desktop|
Don't save settings at exit}

"NoRecentDocsHistory" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoStrCmpLogical" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoResolveSearch" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

"NoBrowserOptions" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Browser Menus|
Tools menu: Disable Internet Options... menu option}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"SynchronousMachineGroupPolicy" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"SynchronousUserGroupPolicy" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\liczkowscy\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

IviDVDEventHandler\
"Provider" = "InterVideo WinDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\DVD\shell\play\command\(Default) = ""C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"" [MS]

MPCPlayCDAudioOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayCDAudio"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /cd" ["Gabest"]

MPCPlayDVDMovieOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayDVDMovie"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /dvd" ["Gabest"]

MPCPlayMusicFilesOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayMusicFiles"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]

MPCPlayVideoFilesOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayVideoFiles"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]

NeroAutoPlay2CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_CDAudio"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2CopyCD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayCDAudioOnArrival_CopyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2DataDisc\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_DataDisc"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_LaunchNeroStartSmart"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command\(Default) = "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L" ["Ahead Software AG"]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "F:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
				   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""F:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
  -> {HKLM...CLSID} = (no title provided)
				   \LocalServer32\(Default) = ""F:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]


Startup items in "liczkowscy" & "All Users" startup folders:
------------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"At1" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At10" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At11" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At12" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At13" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At14" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At15" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At16" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At17" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At18" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At19" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At2" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At20" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At21" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At22" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At23" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At24" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At25" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At26" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At27" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At28" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At29" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At3" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At30" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At31" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At32" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At33" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At34" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At35" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At36" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At37" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At38" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At39" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At4" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At40" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At41" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At42" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At43" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At44" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At45" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At46" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At47" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At48" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At49" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At5" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At50" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At51" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At52" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At53" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At54" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At55" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At56" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At57" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At58" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At59" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At6" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At60" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At61" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At62" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At63" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At64" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At65" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At66" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At67" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At68" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At69" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At7" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At70" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At71" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At72" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At73" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At74" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At75" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At76" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At77" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At78" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At79" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At8" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At80" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At81" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At82" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At83" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At84" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At85" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At86" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At87" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At88" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At89" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At9" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At90" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At91" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At92" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At93" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At94" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At95" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At96" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"Spybot - Search & Destroy -  Scheduled Task" -> launches: "E:\Spybot - Search & Destroy\SpybotSD.exe /AUTOCHECK" ["Safer Networking Limited"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"
  -> {HKLM...CLSID} = "Winamp Toolbar"
				   \InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC."]
"{35065594-9169-4A34-B167-FC4865038E53}"
  -> {HKLM...CLSID} = "Easy Gif Animator Toolbar"
				   \InProcServer32\(Default) = "C:\Program Files\Easy Gif Animator Extension\v3.3.0.1\EasyGifAnimator_Toolbar.dll" [null data]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}" = "Winamp Toolbar"
  -> {HKLM...CLSID} = "Winamp Toolbar"
				   \InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC."]
"{35065594-9169-4A34-B167-FC4865038E53}" = "Easy Gif Animator Toolbar"
  -> {HKLM...CLSID} = "Easy Gif Animator Toolbar"
				   \InProcServer32\(Default) = "C:\Program Files\Easy Gif Animator Extension\v3.3.0.1\EasyGifAnimator_Toolbar.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"
				   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"
				   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
				   \InProcServer32\(Default) = "E:\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "Tabs" = "res://ieframe.dll/tabswelcome.htm" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
LightScribeService Direct Disc Labeling Service, LightScribeService, "C:\Program Files\Common Files\LightScribe\LSSrvc.exe" ["Hewlett-Packard Company"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


---------- (launch time: 2008-08-09 23:35:26)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 160 seconds.
---------- (total run time: 213 seconds)


  • 0
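The Silent Runners report above can be triaged mechanically before anyone decides what to remove. The script below is an added example, not part of this thread and not Silent Runners' or ComboFix's own code: it scans report lines for the features that make the entries above stand out (the report's own `<<!>>` and `<<H>>` markers, launch entries with no publisher information, a DLL still carrying the Visual Studio placeholder company name, random-looking eight-character file names, and many `At<N>` scheduled tasks launching the same executable). The sample lines are a small subset excerpted from the log above; the regular expressions, the eight-character heuristic, the fan-out threshold of 3 and the helper names (`triage`, `summarize`, `_stem`) are assumptions made for this example.

```python
"""Triage of a Silent Runners-style autostart report.

Added example, not the thread's or Silent Runners' own code.  The sample lines
are excerpted from the report above; thresholds, patterns and helper names are
assumptions made for the example.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed threshold; the report above shows 24 and 72 At<N> tasks per binary.
MIN_TASK_FANOUT = 3
# Publisher string left behind by an unedited Visual Studio version resource.
PLACEHOLDER_PUBLISHER = "TODO: <Company name>"

MARKER_RE = re.compile(r"^<<(?P<mark>[!H])>>")
# "<name>" = "<target>" [<annotation>]   or   "<name>" -> launches: "<target>" [<annotation>]
TARGET_RE = re.compile(r'(?:=|launches:)\s*"(?P<target>.*)"\s*\[(?P<annot>[^\]]*)\]\s*$')
TASK_RE = re.compile(r'^"At\d+"\s*->\s*launches:')
# Heuristic: eight alphanumerics mixing letters and digits (2lRS3447, L18E0mq0, 3hp8jMQg).
RANDOM_STEM_RE = re.compile(r"(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{8}")

# Constructed subset of the report posted above.
SAMPLE_REPORT = r'''
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MsServer" = "msfun80.exe" [null data]
"this" = "C:\Program Files\Web Technologies\wcs.exe" [null data]
"C:\WINDOWS\system32\kdhml.exe" = "C:\WINDOWS\system32\kdhml.exe" [null data]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
    \InProcServer32\(Default) = "C:\WINDOWS\system32\3hp8jMQg.dll" ["TODO: <Company name>"]
<<!>> "System" = "kdhml.exe" [null data]
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]
"At1" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At2" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At3" -> launches: "C:\WINDOWS\system32\2lRS3447.exe" [null data]
"At25" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"At26" -> launches: "C:\WINDOWS\system32\L18E0mq0.exe" [file not found]
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
<<H>> "Tabs" = "res://ieframe.dll/tabswelcome.htm" [file not found]
'''.strip("\n")


@dataclass
class Finding:
    line_no: int
    severity: str  # "high" or "review"
    reason: str
    target: str


def _stem(target: str) -> str:
    """Name (no directory, no extension) of the first .exe/.dll in a launch string."""
    m = re.search(r'([^\\"\s]+)\.(?:exe|dll)\b', target, re.IGNORECASE)
    return m.group(1) if m else ""


def triage(report: str) -> list[Finding]:
    """Return one Finding per suspicious feature seen in the report lines."""
    findings: list[Finding] = []
    task_targets: dict[str, list[int]] = defaultdict(list)
    for line_no, raw in enumerate(report.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        mark = MARKER_RE.match(line)
        if mark:  # the report's own flag; still needs analyst review
            where = "malware launch point" if mark.group("mark") == "!" else "browser hijack point"
            findings.append(Finding(line_no, "high", f"report marker <<{mark.group('mark')}>>: {where}", line))
        m = TARGET_RE.search(line)
        if not m:
            continue
        target = m.group("target").strip('"')
        annot = m.group("annot").strip('"')
        if annot == PLACEHOLDER_PUBLISHER:
            findings.append(Finding(line_no, "high", "placeholder company name in version info", target))
        stem = _stem(target)
        if RANDOM_STEM_RE.fullmatch(stem):
            findings.append(Finding(line_no, "high", f"random-looking file name {stem!r}", target))
        if annot in ("null data", "file not found"):
            findings.append(Finding(line_no, "review", f"no publisher information [{annot}]", target))
        if TASK_RE.match(line):
            task_targets[target].append(line_no)
    # Many At<N> jobs pointing at one binary: the pattern visible in the report above.
    for target, lines in task_targets.items():
        if len(lines) >= MIN_TASK_FANOUT:
            findings.append(Finding(lines[0], "high",
                                    f"{len(lines)} At<N> scheduled tasks launch the same executable", target))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    for f in results:
        print(f"line {f.line_no:>2} [{f.severity:6}] {f.reason}: {f.target}")
    print(summarize(results))
```

Run it as a script to print the findings for the embedded sample, or pass a full report to `triage()`. The output is a work list, not a verdict: marker lines are reported exactly as the tool flagged them, and an entry without publisher information (the leftover `ATI Launchpad` value, for instance) may be harmless, so each `review` item still needs a look at the file on disk before anything is removed.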

#2 ordynat

ordynat

    Advanced user

  • 804 posts

Posted 10 08 2008 - 07:03

1) Use -->FixWareout
After using it, you may need to set your internet provider's DNS again.
-->How to restore the correct DNS.

2) Close the wormy ports with --> Windows Worms Doors Cleaner
Set the markers to green; NetBIOS may stay yellow.
A restart is required after using the tool.

3) Download ComboFix
Paste into Notepad:
File::
C:\WINDOWS\system32\msime82.exe
C:\WINDOWS\system32\msfun80.exe
C:\WINDOWS\msfun80.exe
C:\Program Files\Web Technologies\wcs.exe
C:\WINDOWS\system32\kdhml.exe
C:\WINDOWS\system32\3hp8jMQg.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At73.job
C:\WINDOWS\Tasks\At74.job
C:\WINDOWS\Tasks\At75.job
C:\WINDOWS\Tasks\At76.job
C:\WINDOWS\Tasks\At77.job
C:\WINDOWS\Tasks\At78.job
C:\WINDOWS\Tasks\At79.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At80.job
C:\WINDOWS\Tasks\At81.job
C:\WINDOWS\Tasks\At82.job
C:\WINDOWS\Tasks\At83.job
C:\WINDOWS\Tasks\At84.job
C:\WINDOWS\Tasks\At85.job
C:\WINDOWS\Tasks\At86.job
C:\WINDOWS\Tasks\At87.job
C:\WINDOWS\Tasks\At88.job
C:\WINDOWS\Tasks\At89.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At90.job
C:\WINDOWS\Tasks\At91.job
C:\WINDOWS\Tasks\At92.job
C:\WINDOWS\Tasks\At93.job
C:\WINDOWS\Tasks\At94.job
C:\WINDOWS\Tasks\At95.job
C:\WINDOWS\Tasks\At96.job
C:\WINDOWS\system32\L18E0mq0.exe
C:\WINDOWS\system32\2lRS3447.exe

Folder::
C:\Program Files\Web Technologies

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
"MsServer"=-
"ATI Launchpad"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"this"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\WINDOWS\system32\kdhml.exe"=-
"IMJPMIG8.2"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}]
>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto ComboFix.exe
like in this picture (attached image)
The removal should start (and a log will be created).
After the restart, delete the folder C:\Qoobox manually.

Post the log that is created during the removal.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "System" = "kdhml.exe" [null data]


This should disappear by itself once Fixwareout has removed the Ukrainian rootkit.
Also post the report from C:\Fixwareout.txt.

ordynat

  • 0

#3 Lich-koś

Lich-koś

    Who doesn't like chocolate rain?

  • 126 posts

Posted 10 08 2008 - 13:33

First, the one from Fixwareout

Username "liczkowscy" - 2008-08-10 12:59:16 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdhml.exe"

Pomyślnie opróżniono pamięć podręczną programu rozpoznawania nazw DNS.


System was rebooted successfully. 
 
~~~~~ Postrun check 
HKLM\SOFTWARE\~\Winlogon\ "system"="" 
....
....
~~~~~ Misc files. 
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdhml.ren 62976 2007-06-13 

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="atiptaxx.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"C:\\WINDOWS\\system32\\kdhml.exe"="C:\\WINDOWS\\system32\\kdhml.exe"
"IMJPMIG8.2"="msime82.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ATI Launchpad"=""
"MsServer"="msfun80.exe"
"DAEMON Tools Lite"="\"E:\\DAEMON Tools Lite\\daemon.exe\" -autorun"
"SpybotSD TeaTimer"="E:\\Spybot - Search & Destroy\\TeaTimer.exe"
"AlcoholAutomount"="\"C:\\Program Files\\Alcohol Soft\\Alcohol 120\\axcmd.exe\" /automount"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
And now ComboFix

ComboFix 08-08-09.06 - liczkowscy 2008-08-10 13:15:28.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.276 [GMT 2:00]
Running from: E:\Obrazki, instalki i inne\ComboFix.exe
Command switches used :: E:\Obrazki, instalki i inne\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::
C:\Program Files\Web Technologies\wcs.exe
C:\WINDOWS\msfun80.exe
C:\WINDOWS\system32\2lRS3447.exe
C:\WINDOWS\system32\3hp8jMQg.dll
C:\WINDOWS\system32\kdhml.exe
C:\WINDOWS\system32\L18E0mq0.exe
C:\WINDOWS\system32\msfun80.exe
C:\WINDOWS\system32\msime82.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At73.job
C:\WINDOWS\Tasks\At74.job
C:\WINDOWS\Tasks\At75.job
C:\WINDOWS\Tasks\At76.job
C:\WINDOWS\Tasks\At77.job
C:\WINDOWS\Tasks\At78.job
C:\WINDOWS\Tasks\At79.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At80.job
C:\WINDOWS\Tasks\At81.job
C:\WINDOWS\Tasks\At82.job
C:\WINDOWS\Tasks\At83.job
C:\WINDOWS\Tasks\At84.job
C:\WINDOWS\Tasks\At85.job
C:\WINDOWS\Tasks\At86.job
C:\WINDOWS\Tasks\At87.job
C:\WINDOWS\Tasks\At88.job
C:\WINDOWS\Tasks\At89.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At90.job
C:\WINDOWS\Tasks\At91.job
C:\WINDOWS\Tasks\At92.job
C:\WINDOWS\Tasks\At93.job
C:\WINDOWS\Tasks\At94.job
C:\WINDOWS\Tasks\At95.job
C:\WINDOWS\Tasks\At96.job
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Program Files\Web Technologies
C:\Program Files\Web Technologies\wcs.exe
C:\Program Files\Web Technologies\wcu.exe
C:\WINDOWS\system32\2lRS3447.exe
C:\WINDOWS\system32\3hp8jMQg.dll
C:\WINDOWS\system32\L18E0mq0.exe
C:\WINDOWS\system32\msfun80.exe
C:\WINDOWS\system32\msime82.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At73.job
C:\WINDOWS\Tasks\At74.job
C:\WINDOWS\Tasks\At75.job
C:\WINDOWS\Tasks\At76.job
C:\WINDOWS\Tasks\At77.job
C:\WINDOWS\Tasks\At78.job
C:\WINDOWS\Tasks\At79.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At80.job
C:\WINDOWS\Tasks\At81.job
C:\WINDOWS\Tasks\At82.job
C:\WINDOWS\Tasks\At83.job
C:\WINDOWS\Tasks\At84.job
C:\WINDOWS\Tasks\At85.job
C:\WINDOWS\Tasks\At86.job
C:\WINDOWS\Tasks\At87.job
C:\WINDOWS\Tasks\At88.job
C:\WINDOWS\Tasks\At89.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At90.job
C:\WINDOWS\Tasks\At91.job
C:\WINDOWS\Tasks\At92.job
C:\WINDOWS\Tasks\At93.job
C:\WINDOWS\Tasks\At94.job
C:\WINDOWS\Tasks\At95.job
C:\WINDOWS\Tasks\At96.job
C:\WINDOWS\ufdata2000.log
E:\AUTORUN.INF
F:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2008-07-10 to 2008-08-10  )))))))))))))))))))))))))))))))
.

2008-08-10 12:58 . 2008-08-10 13:05	<DIR>	d--------	C:\fixwareout
2008-08-09 19:23 . 2008-08-09 19:23	<DIR>	d--------	C:\WINDOWS\system32\Kaspersky Lab
2008-08-09 19:23 . 2008-08-09 19:23	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-08-05 22:07 . 2008-08-05 22:33	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-08-05 18:50 . 2008-08-05 18:50	<DIR>	d--------	C:\Program Files\ReflexiveArcade
2008-08-01 15:20 . 2008-08-01 15:20	96	--a------	C:\WINDOWS\cool.ini
2008-08-01 15:19 . 1996-11-25 09:06	140,288	--a------	C:\WINDOWS\system32\ra3214_4.dll
2008-08-01 15:19 . 1996-11-25 09:06	90,624	--a------	C:\WINDOWS\system32\pnc32301.dll
2008-08-01 15:19 . 1996-11-25 09:06	85,504	--a------	C:\WINDOWS\system32\encdnet.dll
2008-08-01 15:19 . 1996-11-25 09:06	82,398	--a------	C:\WINDOWS\c96unins.exe
2008-08-01 15:19 . 1996-11-25 09:06	72,704	--a------	C:\WINDOWS\system32\ra3228_8.dll
2008-08-01 15:19 . 1996-11-25 09:06	13,824	--a------	C:\WINDOWS\system32\ra32dnet.dll
2008-07-30 19:51 . 2008-07-30 19:51	<DIR>	d--------	C:\Documents and Settings\liczkowscy\Dane aplikacji\DAEMON Tools
2008-07-24 20:54 . 2008-08-06 18:28	13,030	--a------	C:\PDOXUSRS.NET
2008-07-24 19:58 . 2008-07-24 19:58	<DIR>	d--------	C:\Program Files\Common Files\grafa
2008-07-24 19:58 . 2008-07-24 19:58	<DIR>	d--------	C:\Program Files\Common Files\Borland Shared
2008-07-24 19:55 . 2008-07-24 19:55	<DIR>	d--------	C:\WINDOWS\Downloaded Installations
2008-07-23 20:15 . 2008-07-23 20:15	<DIR>	dr-------	C:\Documents and Settings\LocalService\Ulubione
2008-07-23 14:12 . 2008-08-10 10:10	<DIR>	d--------	C:\Metin2_PL
2008-07-23 12:36 . 2008-07-23 12:36	1,720,086	--a------	C:\WINDOWS\system32\TmpA10893140
2008-07-21 22:07 . 2008-07-21 22:07	<DIR>	d--------	C:\Program Files\SystemRequirementsLab
2008-07-21 22:07 . 2008-07-21 22:07	<DIR>	d--------	C:\Documents and Settings\liczkowscy\SystemRequirementsLab
2008-07-20 20:59 . 2008-07-20 20:59	<DIR>	d--h-----	C:\WINDOWS\system32\GroupPolicy
2008-07-16 15:44 . 2008-07-16 15:44	0	--a------	C:\WINDOWS\system32\L18E0mq0.exe.a_a
2008-07-16 13:00 . 2008-07-16 13:00	<DIR>	dr-------	C:\Documents and Settings\NetworkService\Ulubione
2008-07-15 22:48 . 2008-07-15 22:48	0	--a------	C:\WINDOWS\system32\2lRS3447.exe.a_a

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 16:39	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-07-31 18:33	---------	d-----w	C:\Documents and Settings\liczkowscy\Dane aplikacji\Hamachi
2008-07-31 10:08	25,280	----a-w	C:\WINDOWS\system32\drivers\hamachi.sys
2008-07-30 17:51	717,296	----a-w	C:\WINDOWS\system32\drivers\sptd.sys
2008-07-23 10:40	---------	d-----w	C:\Program Files\Image-Line
2008-07-17 21:00	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\ATI MMC
2008-07-17 20:14	---------	d-----w	C:\Program Files\NetPanel
2008-07-01 19:16	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-07-01 19:15	---------	d-----w	C:\Program Files\Lavasoft
2008-07-01 19:14	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 18:07	49,152	--sh--w	C:\fun.xls.exe
2008-06-22 20:53	---------	d-----w	C:\Program Files\CyberLink
2008-06-22 16:20	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\CyberLink
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 18:01	273,024	------w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 12:05	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2008-05-25 12:59	234,418	----a-w	C:\WINDOWS\EasyGifAnimator_Toolbar_Uninstaller_7109.exe
2008-02-28 22:35	0	----a-w	C:\Documents and Settings\liczkowscy\tree.dat
2007-11-17 12:44	19,552	----a-w	C:\Documents and Settings\liczkowscy\Dane aplikacji\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"DAEMON Tools Lite"="E:\DAEMON Tools Lite\daemon.exe" [2008-07-24 17:02 490952]
"SpybotSD TeaTimer"="E:\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]
"ATIPTA"="atiptaxx.exe" [2006-02-22 02:05 344064 C:\WINDOWS\system32\atiptaxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 15:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\Gadu-Gadu\\gg.exe"=
"F:\\Program Files\\Soulseek\\slsk.exe"=
"F:\\CS 1.6\\hl.exe"=
"E:\\Liero\\LieroX.exe"=
"C:\\Metin2_PL\\metin2.bin"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1454:UDP"= 1454:UDP:Windows Media Format SDK (firefox.exe)
"1455:UDP"= 1455:UDP:Windows Media Format SDK (firefox.exe)
"22049:TCP"= 22049:TCP:BitComet 22049 TCP
"22049:UDP"= 22049:UDP:BitComet 22049 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{268384ab-9128-11dc-b43c-00e04c041f0b}]
\Shell\Auto\command - G:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35428b1a-5e61-11dd-b636-001bbf597f60}]
\Shell\Auto\command - G:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f09ec8a-5728-11dd-b61f-001bbf597f60}]
\Shell\Auto\command - G:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74f77f1e-6520-11dd-b643-001bbf597f60}]
\Shell\Auto\command - G:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c51083e-2a82-11dd-b5b3-001bbf597f60}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e906c680-48ec-11dd-b601-001bbf597f60}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-08-09 C:\WINDOWS\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- E:\Spybot - Search & Destroy\SpybotSD.exe [2008-01-28 11:43]
.
- - - - ORPHANS REMOVED - - - -

BHO-{99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - (no file)
HKCU-Run-AlcoholAutomount - C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe
HKLM-Run-C:\WINDOWS\system32\kdhml.exe - C:\WINDOWS\system32\kdhml.exe
HKLM-Run-IMJPMIG8.2 - msime82.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 13:23:51
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


C:\SYZ_DAT
C:\WINDOWS\system32\drivers\MFX.sys 45824 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"C:\\WINDOWS\\system32\\kdhml.exe"="C:\\WINDOWS\\system32\\kdhml.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-08-10 13:29:53 - machine was rebooted
ComboFix-quarantined-files.txt  2008-08-10 11:29:48

Pre-Run: 249,245,696 bytes free
Post-Run: 505,552,896 bytes free

382	--- E O F ---	2008-07-12 11:05:47

I'll add that the computer has already noticeably sped up ^^ Thanks a lot ^^

#4 ordynat

    Advanced user

  • 804 posts

Posted 10 08 2008 - 14:17

2008-07-23 12:36 . 2008-07-23 12:36 1,720,086 --a------ C:\WINDOWS\system32\TmpA10893140

I don't know what this file is, with such a huge size. Perhaps it was created by some hiding program of yours?
Check it at --> http://virusscan.jotti.org/
or at http://www.virustotal.com/en/indexf.html.

Paste into Notepad:
File::
C:\fun.xls.exe
C:\WINDOWS\system32\L18E0mq0.exe.a_a
C:\WINDOWS\system32\2lRS3447.exe.a_a
G:\fun.xls.exe
d:\fun.xls.exe
C:\\WINDOWS\\system32\\kdhml.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{268384ab-9128-11dc-b43c-00e04c041f0b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35428b1a-5e61-11dd-b636-001bbf597f60}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f09ec8a-5728-11dd-b61f-001bbf597f60}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74f77f1e-6520-11dd-b643-001bbf597f60}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c51083e-2a82-11dd-b5b3-001bbf597f60}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e906c680-48ec-11dd-b601-001bbf597f60}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"C:\WINDOWS\system32\kdhml.exe"=-
>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto ComboFix.exe
like in this picture --> (attached image)
Removal should begin (and a log will be produced).
After the reboot, manually delete the C:\Qoobox folder.

Post the log that is produced during the removal.

ordynat

#5 Lich-koś

    Who doesn't like chocolate rain?

  • 126 posts

Posted 11 08 2008 - 19:22

One problem. After making the CFScript and going through the whole process I didn't get a log. What's going on? Is it possible that Spybot - S&D didn't allow the log to be created?

#6 karolkuich

    Beginner

  • 141 posts

Posted 11 08 2008 - 20:00

Check drive C:\ for ComboFix.txt

#7 Lich-koś

    Who doesn't like chocolate rain?

  • 126 posts

Posted 11 08 2008 - 23:04

Heh, you were right ^^'

ComboFix 08-08-10.02 - liczkowscy 2008-08-11 12:10:55.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.283 [GMT 2:00]
Running from: E:\Obrazki, instalki i inne\ComboFix.exe
Command switches used :: E:\Obrazki, instalki i inne\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\\WINDOWS\\system32\\kdhml.exe
C:\fun.xls.exe
C:\WINDOWS\system32\2lRS3447.exe.a_a
C:\WINDOWS\system32\L18E0mq0.exe.a_a
d:\fun.xls.exe
G:\fun.xls.exe
.


#8 ordynat

    Advanced user

  • 804 posts

Posted 12 08 2008 - 01:15

That's not the log, that's only the top piece of the log.

ordynat

#9 Lich-koś

    Who doesn't like chocolate rain?

  • 126 posts

Posted 13 08 2008 - 11:24

Sorry for those mistakes ^^' I'm a bit mixed up ^^

ComboFix 08-08-12.01 - liczkowscy 2008-08-13 11:05:05.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.285 [GMT 2:00]
Running from: E:\Obrazki, instalki i inne\ComboFix.exe
Command switches used :: E:\Obrazki, instalki i inne\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\\WINDOWS\\system32\\kdhml.exe
C:\fun.xls.exe
C:\WINDOWS\system32\2lRS3447.exe.a_a
C:\WINDOWS\system32\L18E0mq0.exe.a_a
d:\fun.xls.exe
G:\fun.xls.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\AUTORUN.INF
C:\fun.xls.exe
C:\WINDOWS\ufdata2000.log
E:\AUTORUN.INF
F:\Autorun.inf
.
---- Previous Run -------
.
C:\autorun.inf
C:\fun.xls.exe
C:\WINDOWS\system32\2lRS3447.exe.a_a
C:\WINDOWS\system32\L18E0mq0.exe.a_a
C:\WINDOWS\ufdata2000.log
E:\AUTORUN.INF
F:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2008-07-13 to 2008-08-13  )))))))))))))))))))))))))))))))
.

2008-08-13 11:11 . 2008-08-13 11:11	49,152	---hs----	C:\fun.xls.exe
2008-08-13 11:11 . 2008-08-13 11:11	129	---hs----	C:\AUTORUN.INF
2008-08-12 12:03 . 2008-08-12 12:03	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-08-12 12:03 . 2008-08-12 12:03	1,409	--a------	C:\WINDOWS\QTFont.for
2008-08-11 11:15 . 2008-08-11 11:15	49,152	--a------	C:\WINDOWS\system32\msime82.exe
2008-08-11 11:15 . 2008-08-11 11:15	49,152	--a------	C:\WINDOWS\system32\msfun80.exe
2008-08-10 12:58 . 2008-08-10 13:05	<DIR>	d--------	C:\fixwareout
2008-08-09 19:23 . 2008-08-09 19:23	<DIR>	d--------	C:\WINDOWS\system32\Kaspersky Lab
2008-08-09 19:23 . 2008-08-09 19:23	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-08-05 22:07 . 2008-08-05 22:33	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-08-05 18:50 . 2008-08-05 18:50	<DIR>	d--------	C:\Program Files\ReflexiveArcade
2008-08-01 15:20 . 2008-08-01 15:20	96	--a------	C:\WINDOWS\cool.ini
2008-08-01 15:19 . 1996-11-25 09:06	140,288	--a------	C:\WINDOWS\system32\ra3214_4.dll
2008-08-01 15:19 . 1996-11-25 09:06	90,624	--a------	C:\WINDOWS\system32\pnc32301.dll
2008-08-01 15:19 . 1996-11-25 09:06	85,504	--a------	C:\WINDOWS\system32\encdnet.dll
2008-08-01 15:19 . 1996-11-25 09:06	82,398	--a------	C:\WINDOWS\c96unins.exe
2008-08-01 15:19 . 1996-11-25 09:06	72,704	--a------	C:\WINDOWS\system32\ra3228_8.dll
2008-08-01 15:19 . 1996-11-25 09:06	13,824	--a------	C:\WINDOWS\system32\ra32dnet.dll
2008-07-30 19:51 . 2008-07-30 19:51	<DIR>	d--------	C:\Documents and Settings\liczkowscy\Dane aplikacji\DAEMON Tools
2008-07-24 20:54 . 2008-08-11 22:47	13,030	--a------	C:\PDOXUSRS.NET
2008-07-24 19:58 . 2008-07-24 19:58	<DIR>	d--------	C:\Program Files\Common Files\grafa
2008-07-24 19:58 . 2008-07-24 19:58	<DIR>	d--------	C:\Program Files\Common Files\Borland Shared
2008-07-24 19:55 . 2008-07-24 19:55	<DIR>	d--------	C:\WINDOWS\Downloaded Installations
2008-07-23 20:15 . 2008-07-23 20:15	<DIR>	dr-------	C:\Documents and Settings\LocalService\Ulubione
2008-07-23 14:12 . 2008-08-12 14:26	<DIR>	d--------	C:\Metin2_PL
2008-07-23 12:36 . 2008-07-23 12:36	1,720,086	--a------	C:\WINDOWS\system32\TmpA10893140
2008-07-21 22:07 . 2008-07-21 22:07	<DIR>	d--------	C:\Program Files\SystemRequirementsLab
2008-07-21 22:07 . 2008-07-21 22:07	<DIR>	d--------	C:\Documents and Settings\liczkowscy\SystemRequirementsLab
2008-07-20 20:59 . 2008-07-20 20:59	<DIR>	d--h-----	C:\WINDOWS\system32\GroupPolicy
2008-07-16 13:00 . 2008-07-16 13:00	<DIR>	dr-------	C:\Documents and Settings\NetworkService\Ulubione

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 16:39	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-07-31 18:33	---------	d-----w	C:\Documents and Settings\liczkowscy\Dane aplikacji\Hamachi
2008-07-31 10:08	25,280	----a-w	C:\WINDOWS\system32\drivers\hamachi.sys
2008-07-30 17:51	717,296	----a-w	C:\WINDOWS\system32\drivers\sptd.sys
2008-07-23 10:40	---------	d-----w	C:\Program Files\Image-Line
2008-07-17 21:00	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\ATI MMC
2008-07-17 20:14	---------	d-----w	C:\Program Files\NetPanel
2008-07-01 19:16	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-07-01 19:15	---------	d-----w	C:\Program Files\Lavasoft
2008-07-01 19:14	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-06-22 20:53	---------	d-----w	C:\Program Files\CyberLink
2008-06-22 16:20	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\CyberLink
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 18:01	273,024	------w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 12:05	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2008-05-25 12:59	234,418	----a-w	C:\WINDOWS\EasyGifAnimator_Toolbar_Uninstaller_7109.exe
2008-02-28 22:35	0	----a-w	C:\Documents and Settings\liczkowscy\tree.dat
2007-11-17 12:44	19,552	----a-w	C:\Documents and Settings\liczkowscy\Dane aplikacji\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"DAEMON Tools Lite"="E:\DAEMON Tools Lite\daemon.exe" [2008-07-24 17:02 490952]
"SpybotSD TeaTimer"="E:\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [BU]
"MsServer"="msfun80.exe" [2008-08-11 11:15 49152 C:\WINDOWS\system32\msfun80.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]
"ATIPTA"="atiptaxx.exe" [2006-02-22 02:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"IMJPMIG8.2"="msime82.exe" [2008-08-11 11:15 49152 C:\WINDOWS\system32\msime82.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 15:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\Gadu-Gadu\\gg.exe"=
"F:\\Program Files\\Soulseek\\slsk.exe"=
"F:\\CS 1.6\\hl.exe"=
"C:\\Metin2_PL\\metin2.bin"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1454:UDP"= 1454:UDP:Windows Media Format SDK (firefox.exe)
"1455:UDP"= 1455:UDP:Windows Media Format SDK (firefox.exe)
"22049:TCP"= 22049:TCP:BitComet 22049 TCP
"22049:UDP"= 22049:UDP:BitComet 22049 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.
Contents of the 'Scheduled Tasks' folder

2008-07-22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-08-09 C:\WINDOWS\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- E:\Spybot - Search & Destroy\SpybotSD.exe [2008-01-28 11:43]
.
- - - - ORPHANS REMOVED - - - -

BHO-{99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - (no file)
HKLM-Run-C:\WINDOWS\system32\kdhml.exe - C:\WINDOWS\system32\kdhml.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 11:11:47
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  MsServer = msfun80.exe???. 

scanning hidden files ... 


C:\SYZ_DAT
C:\WINDOWS\system32\drivers\MFX.sys 45824 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"C:\\WINDOWS\\system32\\kdhml.exe"="C:\\WINDOWS\\system32\\kdhml.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\algsrvs.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-13 11:17:45 - machine was rebooted [liczkowscy]
ComboFix-quarantined-files.txt  2008-08-13 09:17:40
ComboFix2.txt  2008-08-10 11:29:54

Pre-Run: 589,070,336 bytes free
Post-Run: 637,968,384 bytes free

181	--- E O F ---	2008-07-12 11:05:47

Once again, ordynat, thanks for all the help. I don't know what I'd do without you :)

#10 ordynat

    Advanced user

  • 804 posts

Posted 13 08 2008 - 12:00

It looks as if you did a "System Restore", because the same infections came back.
>START>Control Panel>System>System Restore>>tick the box next to "Turn off System Restore on all drives">Apply>OK.
Afterwards you can go back to the previous setting (i.e. clear the box) - but only after the removal!

Paste into Notepad:
File::
C:\fun.xls.exe
e:\fun.xls.exe
f:\fun.xls.exe
C:\AUTORUN.INF
C:\WINDOWS\system32\msime82.exe
C:\WINDOWS\system32\msfun80.exe
C:\\WINDOWS\\system32\\kdhml.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsServer"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.2"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"C:\\WINDOWS\\system32\\kdhml.exe"=-
>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto ComboFix.exe
--> (attached image)
Removal should begin (and a log will be produced).
Post the log that is produced during the removal.
After the reboot, manually delete the C:\Qoobox folder.

ordynat
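The checks ordynat performs by eye across this thread (post #3's log: Run-key values that are bare file names pointing at freshly dropped binaries in system32, MountPoints2 Shell\AutoRun commands launching fun.xls.exe, and the At1.job..At96.job task flood; post #10: the same indicators reappearing after a cleanup, which is what made him suspect a System Restore) can be scripted against the ComboFix log format shown on this page. The following is an added example, written for this edit; it is not code from the thread, from ComboFix, or from any of its authors. RUN1 and RUN2 are constructed excerpts in the page's log format, the seven-day "recently stamped" window and the reason strings are assumptions, and the exact log banners and Run-entry layout are taken from the logs above.

```python
"""Triage helper for ComboFix logs (added example; not code from this thread
or from ComboFix). It automates two things the helpers here did by eye:
flagging autostart entries that look like malware persistence, and diffing
two runs to list deleted indicators that came back. RUN1/RUN2 are constructed
excerpts in the log format shown on this page; thresholds are assumptions."""
import re
from datetime import date

RUN1 = r"""
((((((((((   Other Deletions   ))))))))))
.
C:\autorun.inf
C:\WINDOWS\system32\msfun80.exe
C:\WINDOWS\system32\msime82.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At3.job
.
((((((((((   Reg Loading Points   ))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{268384ab-9128-11dc-b43c-00e04c041f0b}]
\Shell\Auto\command - G:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe
"""

RUN2 = r"""
((((((((((   Files Created from 2008-07-13 to 2008-08-13  ))))))))))
2008-08-13 11:11 . 2008-08-13 11:11   49,152   ---hs----   C:\fun.xls.exe
2008-08-13 11:11 . 2008-08-13 11:11   129      ---hs----   C:\AUTORUN.INF
2008-08-11 11:15 . 2008-08-11 11:15   49,152   --a------   C:\WINDOWS\system32\msfun80.exe
2008-08-10 12:58 . 2008-08-10 13:05   <DIR>    d--------   C:\fixwareout
.
((((((((((   Reg Loading Points   ))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"MsServer"="msfun80.exe" [2008-08-11 11:15 49152 C:\WINDOWS\system32\msfun80.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="atiptaxx.exe" [2006-02-22 02:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"IMJPMIG8.2"="msime82.exe" [2008-08-11 11:15 49152 C:\WINDOWS\system32\msime82.exe]
"""

BANNER = re.compile(r"^\(+\s+(.+?)\s+\)+\s*$", re.M)
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]', re.M)
META = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) \d{2}:\d{2} \d+(?: (.+))?$")
CREATED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \S+ \S+\s+\S+\s+\S+\s+(.+?)\s*$", re.M)
AUTORUN = re.compile(r"^\\Shell\\Auto(?:Run)?\\command - (.+?)\s*$", re.M)
AT_JOB = re.compile(r"\\Tasks\\At\d+\.job$", re.M | re.I)


def section(log, prefix):
    """Body of the first '(((( Title ))))' section whose title starts with prefix."""
    marks = list(BANNER.finditer(log))
    for i, m in enumerate(marks):
        if m.group(1).startswith(prefix):
            end = marks[i + 1].start() if i + 1 < len(marks) else len(log)
            return log[m.end():end]
    return ""


def suspicious_run_entries(log, log_date, recent_days=7):
    """Run-key entries with persistence red flags -> {value name: [reasons]}.
    A bare file name alone is weak evidence (legitimate drivers use it too);
    a freshly stamped binary in system32 is the stronger signal."""
    today = date.fromisoformat(log_date)
    flagged = {}
    for m in RUN_ENTRY.finditer(section(log, "Reg Loading Points")):
        name, cmd, meta = m.group("name", "cmd", "meta")
        reasons = []
        if "\\" not in cmd:
            reasons.append("bare file name, resolved through the PATH search order")
        if "\\" in name:
            reasons.append("value name is itself a path")
        mm = META.match(meta)
        if mm:
            age = (today - date(int(mm[1]), int(mm[2]), int(mm[3]))).days
            if "\\system32\\" in (mm[4] or cmd).lower() and 0 <= age <= recent_days:
                reasons.append(f"system32 binary stamped {age} day(s) before the log")
        if reasons:
            flagged[name] = reasons
    return flagged


def autorun_commands(log):
    """MountPoints2 Shell\\Auto[Run]\\command values: a removable-drive worm's footprint."""
    return AUTORUN.findall(section(log, "Reg Loading Points"))


def at_job_count(log):
    """How many At<N>.job scheduler tasks the run removed (dozens = mass-created)."""
    return len(AT_JOB.findall(section(log, "Other Deletions")))


def reappeared(earlier, later):
    """Paths deleted in the earlier run that are back in the later run, either in
    'Files Created' or as the resolved target of a Run-key entry."""
    deleted = {ln.strip().lower() for ln in section(earlier, "Other Deletions").splitlines()
               if ln.strip() not in ("", ".")}
    present = {p.lower() for p in CREATED.findall(section(later, "Files Created"))}
    for m in RUN_ENTRY.finditer(section(later, "Reg Loading Points")):
        mm = META.match(m.group("meta"))
        if mm and mm[4]:
            present.add(mm[4].lower())
    return sorted(deleted & present)


if __name__ == "__main__":
    print("autorun commands:", autorun_commands(RUN1))
    print("At*.job tasks removed:", at_job_count(RUN1))
    for name, why in suspicious_run_entries(RUN2, "2008-08-13").items():
        print(f"Run entry {name!r}: {'; '.join(why)}")
    print("came back after cleanup:", reappeared(RUN1, RUN2))
```

Run as-is it reports the two MountPoints2 autorun commands, three At*.job tasks, and three paths that were deleted in the first run yet are present again in the second (autorun.inf, msfun80.exe, msime82.exe), which is the "same infections came back" signal from post #10. Note that `ATIPTA` is flagged only for being a bare file name, which it shares with the genuine ATI tray tool: that rule on its own is a hint, not a verdict, and the recent-system32-binary rule is what separates `msfun80.exe` and `msime82.exe` from it. Confirm hits the way the thread does, by checking the file's age and size and submitting it to a multi-engine scanner, before putting it in a CFScript.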

#11 Lich-koś

    Who doesn't like chocolate rain?

  • 126 posts

Posted 13 08 2008 - 21:16

ComboFix 08-08-12.01 - liczkowscy 2008-08-13 21:09:23.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.315 [GMT 2:00]
Running from: E:\Obrazki, instalki i inne\ComboFix.exe
Command switches used :: E:\Obrazki, instalki i inne\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\\WINDOWS\\system32\\kdhml.exe
C:\AUTORUN.INF
C:\fun.xls.exe
C:\WINDOWS\system32\msfun80.exe
C:\WINDOWS\system32\msime82.exe
e:\fun.xls.exe
f:\fun.xls.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\AUTORUN.INF
C:\fun.xls.exe
C:\WINDOWS\system32\msfun80.exe
C:\WINDOWS\system32\msime82.exe
C:\WINDOWS\ufdata2000.log
E:\Autorun.inf
e:\fun.xls.exe
F:\Autorun.inf
f:\fun.xls.exe

.
(((((((((((((((((((((((((   Files Created from 2008-07-13 to 2008-08-13  )))))))))))))))))))))))))))))))
.

2008-08-12 12:03 . 2008-08-12 12:03	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-08-12 12:03 . 2008-08-12 12:03	1,409	--a------	C:\WINDOWS\QTFont.for
2008-08-10 12:58 . 2008-08-10 13:05	<DIR>	d--------	C:\fixwareout
2008-08-09 19:23 . 2008-08-09 19:23	<DIR>	d--------	C:\WINDOWS\system32\Kaspersky Lab
2008-08-09 19:23 . 2008-08-09 19:23	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-08-05 22:07 . 2008-08-05 22:33	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-08-05 18:50 . 2008-08-05 18:50	<DIR>	d--------	C:\Program Files\ReflexiveArcade
2008-08-01 15:20 . 2008-08-01 15:20	96	--a------	C:\WINDOWS\cool.ini
2008-08-01 15:19 . 1996-11-25 09:06	140,288	--a------	C:\WINDOWS\system32\ra3214_4.dll
2008-08-01 15:19 . 1996-11-25 09:06	90,624	--a------	C:\WINDOWS\system32\pnc32301.dll
2008-08-01 15:19 . 1996-11-25 09:06	85,504	--a------	C:\WINDOWS\system32\encdnet.dll
2008-08-01 15:19 . 1996-11-25 09:06	82,398	--a------	C:\WINDOWS\c96unins.exe
2008-08-01 15:19 . 1996-11-25 09:06	72,704	--a------	C:\WINDOWS\system32\ra3228_8.dll
2008-08-01 15:19 . 1996-11-25 09:06	13,824	--a------	C:\WINDOWS\system32\ra32dnet.dll
2008-07-30 19:51 . 2008-07-30 19:51	<DIR>	d--------	C:\Documents and Settings\liczkowscy\Dane aplikacji\DAEMON Tools
2008-07-24 20:54 . 2008-08-11 22:47	13,030	--a------	C:\PDOXUSRS.NET
2008-07-24 19:58 . 2008-07-24 19:58	<DIR>	d--------	C:\Program Files\Common Files\grafa
2008-07-24 19:58 . 2008-07-24 19:58	<DIR>	d--------	C:\Program Files\Common Files\Borland Shared
2008-07-24 19:55 . 2008-07-24 19:55	<DIR>	d--------	C:\WINDOWS\Downloaded Installations
2008-07-23 20:15 . 2008-07-23 20:15	<DIR>	dr-------	C:\Documents and Settings\LocalService\Ulubione
2008-07-23 14:12 . 2008-08-13 15:45	<DIR>	d--------	C:\Metin2_PL
2008-07-23 12:36 . 2008-07-23 12:36	1,720,086	--a------	C:\WINDOWS\system32\TmpA10893140
2008-07-21 22:07 . 2008-07-21 22:07	<DIR>	d--------	C:\Program Files\SystemRequirementsLab
2008-07-21 22:07 . 2008-07-21 22:07	<DIR>	d--------	C:\Documents and Settings\liczkowscy\SystemRequirementsLab
2008-07-20 20:59 . 2008-07-20 20:59	<DIR>	d--h-----	C:\WINDOWS\system32\GroupPolicy
2008-07-16 13:00 . 2008-07-16 13:00	<DIR>	dr-------	C:\Documents and Settings\NetworkService\Ulubione

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 16:39	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-07-31 18:33	---------	d-----w	C:\Documents and Settings\liczkowscy\Dane aplikacji\Hamachi
2008-07-31 10:08	25,280	----a-w	C:\WINDOWS\system32\drivers\hamachi.sys
2008-07-30 17:51	717,296	----a-w	C:\WINDOWS\system32\drivers\sptd.sys
2008-07-23 10:40	---------	d-----w	C:\Program Files\Image-Line
2008-07-17 21:00	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\ATI MMC
2008-07-17 20:14	---------	d-----w	C:\Program Files\NetPanel
2008-07-01 19:16	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-07-01 19:15	---------	d-----w	C:\Program Files\Lavasoft

2008-07-01 19:14	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard

2008-06-24 18:07	49,152	----a-w	C:\WINDOWS\system32\algsrvs.exe

2008-06-22 20:53	---------	d-----w	C:\Program Files\CyberLink

2008-06-22 16:20	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\CyberLink

2008-06-20 17:42	246,784	----a-w	C:\WINDOWS\system32\mswsock.dll

2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-14 18:01	273,024	------w	C:\WINDOWS\system32\drivers\bthport.sys

2008-06-14 12:05	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer

2008-05-27 14:13	107,888	----a-w	C:\WINDOWS\system32\CmdLineExt.dll

2008-05-25 12:59	234,418	----a-w	C:\WINDOWS\EasyGifAnimator_Toolbar_Uninstaller_7109.exe

2008-02-28 22:35	0	----a-w	C:\Documents and Settings\liczkowscy\tree.dat

2007-11-17 12:44	19,552	----a-w	C:\Documents and Settings\liczkowscy\Dane aplikacji\GDIPFONTCACHEV1.DAT

.



(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

"DAEMON Tools Lite"="E:\DAEMON Tools Lite\daemon.exe" [2008-07-24 17:02 490952]

"SpybotSD TeaTimer"="E:\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]

"ATIPTA"="atiptaxx.exe" [2006-02-22 02:05 344064 C:\WINDOWS\system32\atiptaxx.exe]



[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]



C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 15:44:06 29696]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SynchronousMachineGroupPolicy"= 0 (0x0)

"SynchronousUserGroupPolicy"= 0 (0x0)



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoStrCmpLogical"= 1 (0x1)

"NoResolveSearch"= 1 (0x1)



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMBalloonTip"= 0 (0x0)



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.l3fhg"= mp3fhg.acm

"VIDC.X264"= x264vfw.dll

"VIDC.HFYU"= huffyuv.dll

"vidc.i263"= i263_32.drv

"VIDC.YV12"= yv12vfw.dll

"msacm.divxa32"= divxa32.acm



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"E:\\Gadu-Gadu\\gg.exe"=

"F:\\Program Files\\Soulseek\\slsk.exe"=

"F:\\CS 1.6\\hl.exe"=

"C:\\Metin2_PL\\metin2.bin"=



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1454:UDP"= 1454:UDP:Windows Media Format SDK (firefox.exe)

"1455:UDP"= 1455:UDP:Windows Media Format SDK (firefox.exe)

"22049:TCP"= 22049:TCP:BitComet 22049 TCP

"22049:UDP"= 22049:UDP:BitComet 22049 UDP

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009



.

Contents of the 'Scheduled Tasks' folder



2008-07-22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]



2008-08-09 C:\WINDOWS\Tasks\Spybot - Search & Destroy -  Scheduled Task.job

- E:\Spybot - Search & Destroy\SpybotSD.exe [2008-01-28 11:43]

.

- - - - ORPHANS REMOVED - - - -



HKCU-Run-AlcoholAutomount - C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe





**************************************************************************



catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-13 21:11:55

Windows 5.1.2600 Dodatek Service Pack 2 NTFS



scanning hidden processes ... 



scanning hidden autostart entries ...



scanning hidden files ... 





C:\SYZ_DAT

C:\WINDOWS\system32\drivers\MFX.sys 45824 bytes executable



scan completed successfully

hidden files: 2



**************************************************************************

.

Completion time: 2008-08-13 21:14:16

ComboFix-quarantined-files.txt  2008-08-13 19:13:36

ComboFix2.txt  2008-08-13 09:17:46



Pre-Run: 561,057,792 bajtów wolnych

Post-Run: 556,376,064 bajtów wolnych



154	--- E O F ---	2008-07-12 11:05:47



#12 ordynat

    Advanced user

  • 804 posts

Posted 14 08 2008 - 07:21

C:\WINDOWS\system32\TmpA10893140

You didn't write anything about the results of checking this file.

Paste into Notepad:
File::
C:\WINDOWS\system32\algsrvs.exe
>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto ComboFix.exe
--> [attached image]
The removal should start (and a log will be created).
Post the log that is created during the removal.
After the restart, manually delete the C:\Qoobox folder.

ordynat
