Coś nie gra, komp mi się muli, ad adware wykrył trojana (Win32.Trojan.Downloader.Agent) - prosiłbym o pomoc.
Logi:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:41, on 2008-07-20
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Wincmd\TOTALCMD.EXE
H:\Dysk D\System\Walka\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.58.205.61:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O15 - Trusted Zone: http://skaner.mks.com.pl
O16 - DPF: ING Bank Online - https://ssl.bsk.com.pl/bskonl/component/INGOnl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Modu3 wstepnego 3adowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii sk3adników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 4393 bytes
Combofix
ComboFix 07-06-13.3 - H:\Dysk D\System\Walka\ComboFix.exe
"Mateusz" - 2008-07-20 17:48:17 - Dodatek Service Pack 2
((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
2008-07-20 17:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-07-20 16:30 <DIR> d-------- C:\WINDOWS\LastGood
2008-07-20 16:30 <DIR> d-------- C:\Program Files\SkanerOnline
2008-07-20 11:29 <DIR> dr------- C:\DOCUME~1\LOCALS~1\Ulubione
2008-07-15 19:12 49,152 --a------ C:\WINDOWS\nircmd.exe
2008-07-15 19:00 <DIR> dr------- C:\DOCUME~1\NETWOR~1\Ulubione
2008-07-06 18:17 <DIR> d-------- C:\Program Files\Fast Break Basketball
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-05-20 17:53:48 -------- d-----w C:\Program Files\TVAnts
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 11:56]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\Program Files\FlashGet\jccatch.dll [2007-08-06 10:11]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 03:23]
{F156768E-81EF-470C-9057-481BA8380DBA}=C:\Program Files\FlashGet\getflash.dll [2007-05-18 17:13]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"Flashget"="C:\Program Files\FlashGet\flashget.exe" [2007-09-25 09:10]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"="F:\BitComet\Nokia PC Suite 6\PcSync2.exe" /NoDialog
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=NVDESK32.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mateusz^Menu Start^Programy^Autostart^Yahoo! Widget Engine.lnk]
path=C:\Documents and Settings\Mateusz\Menu Start\Programy\Autostart\Yahoo! Widget Engine.lnk
backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
C:\Program Files\FlashGet\flashget.exe /min
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
"C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
"C:\Program Files\Octoshape Streaming Services\Mateusz\OctoshapeClient.exe" -inv:bootrun
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
"F:\BitComet\Nokia 6500\Nokia PC Suite 6\PCSuite.exe" -onlytray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"C:\Program Files\Spyware Doctor\SDTrayApp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessKeyboard]
C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3395cf10-dd5a-11d8-827a-0040f49757f6}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- I:\Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef00e320-fcc0-11d8-a36b-0040f49757f6}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- I:\Recycled\ctfmon.exe
Contents of the 'Scheduled Tasks' folder
2008-07-14 14:06:54 C:\WINDOWS\tasks\At1.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At2.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At3.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At4.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At5.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At6.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At7.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At8.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At9.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At10.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At11.job
2008-07-20 09:00:04 C:\WINDOWS\tasks\At12.job
2008-07-20 10:00:04 C:\WINDOWS\tasks\At13.job
2008-07-20 11:00:04 C:\WINDOWS\tasks\At14.job
2008-07-20 12:00:02 C:\WINDOWS\tasks\At15.job
2008-07-20 13:00:04 C:\WINDOWS\tasks\At16.job
2008-07-20 14:00:04 C:\WINDOWS\tasks\At17.job
2008-07-20 15:00:04 C:\WINDOWS\tasks\At18.job
2008-07-18 16:00:04 C:\WINDOWS\tasks\At19.job
2008-07-17 17:00:02 C:\WINDOWS\tasks\At20.job
2008-07-17 18:00:02 C:\WINDOWS\tasks\At21.job
2008-07-17 19:00:02 C:\WINDOWS\tasks\At22.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At23.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At24.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At25.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At26.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At27.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At28.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At29.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At30.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At31.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At32.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At33.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At34.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At35.job
2008-07-20 14:32:22 C:\WINDOWS\tasks\At36.job
2008-07-20 10:00:12 C:\WINDOWS\tasks\At37.job
2008-07-20 11:00:12 C:\WINDOWS\tasks\At38.job
2008-07-20 12:00:12 C:\WINDOWS\tasks\At39.job
2008-07-20 13:00:12 C:\WINDOWS\tasks\At40.job
2008-07-20 14:00:12 C:\WINDOWS\tasks\At41.job
2008-07-20 15:00:38 C:\WINDOWS\tasks\At42.job
2008-07-18 16:00:12 C:\WINDOWS\tasks\At43.job
2008-07-18 13:36:32 C:\WINDOWS\tasks\At44.job
2008-07-17 18:00:12 C:\WINDOWS\tasks\At45.job
2008-07-17 19:00:12 C:\WINDOWS\tasks\At46.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At47.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At48.job
((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
No new files created in this timespan
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-05-20 17:53:48 -------- d-----w C:\Program Files\TVAnts
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 11:56]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\Program Files\FlashGet\jccatch.dll [2007-08-06 10:11]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 03:23]
{F156768E-81EF-470C-9057-481BA8380DBA}=C:\Program Files\FlashGet\getflash.dll [2007-05-18 17:13]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"Flashget"="C:\Program Files\FlashGet\flashget.exe" [2007-09-25 09:10]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"="F:\BitComet\Nokia PC Suite 6\PcSync2.exe" /NoDialog
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=NVDESK32.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mateusz^Menu Start^Programy^Autostart^Yahoo! Widget Engine.lnk]
path=C:\Documents and Settings\Mateusz\Menu Start\Programy\Autostart\Yahoo! Widget Engine.lnk
backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
C:\Program Files\FlashGet\flashget.exe /min
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
"C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
"C:\Program Files\Octoshape Streaming Services\Mateusz\OctoshapeClient.exe" -inv:bootrun
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
"F:\BitComet\Nokia 6500\Nokia PC Suite 6\PCSuite.exe" -onlytray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"C:\Program Files\Spyware Doctor\SDTrayApp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessKeyboard]
C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3395cf10-dd5a-11d8-827a-0040f49757f6}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- I:\Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef00e320-fcc0-11d8-a36b-0040f49757f6}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- I:\Recycled\ctfmon.exe
Contents of the 'Scheduled Tasks' folder
2008-07-14 14:06:54 C:\WINDOWS\tasks\At1.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At2.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At3.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At4.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At5.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At6.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At7.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At8.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At9.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At10.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At11.job
2008-07-20 09:00:04 C:\WINDOWS\tasks\At12.job
2008-07-20 10:00:04 C:\WINDOWS\tasks\At13.job
2008-07-20 11:00:04 C:\WINDOWS\tasks\At14.job
2008-07-20 12:00:02 C:\WINDOWS\tasks\At15.job
2008-07-20 13:00:04 C:\WINDOWS\tasks\At16.job
2008-07-20 14:00:04 C:\WINDOWS\tasks\At17.job
2008-07-20 15:00:04 C:\WINDOWS\tasks\At18.job
2008-07-18 16:00:04 C:\WINDOWS\tasks\At19.job
2008-07-17 17:00:02 C:\WINDOWS\tasks\At20.job
2008-07-17 18:00:02 C:\WINDOWS\tasks\At21.job
2008-07-17 19:00:02 C:\WINDOWS\tasks\At22.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At23.job
2008-07-14 14:06:54 C:\WINDOWS\tasks\At24.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At25.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At26.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At27.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At28.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At29.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At30.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At31.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At32.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At33.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At34.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At35.job
2008-07-20 14:32:22 C:\WINDOWS\tasks\At36.job
2008-07-20 10:00:12 C:\WINDOWS\tasks\At37.job
2008-07-20 11:00:12 C:\WINDOWS\tasks\At38.job
2008-07-20 12:00:12 C:\WINDOWS\tasks\At39.job
2008-07-20 13:00:12 C:\WINDOWS\tasks\At40.job
2008-07-20 14:00:12 C:\WINDOWS\tasks\At41.job
2008-07-20 15:00:38 C:\WINDOWS\tasks\At42.job
2008-07-18 16:00:12 C:\WINDOWS\tasks\At43.job
2008-07-18 13:36:32 C:\WINDOWS\tasks\At44.job
2008-07-17 18:00:12 C:\WINDOWS\tasks\At45.job
2008-07-17 19:00:12 C:\WINDOWS\tasks\At46.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At47.job
2008-07-14 14:20:46 C:\WINDOWS\tasks\At48.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 17:50:16
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2008-07-20 17:50:45
--- E O F ---
Logi - System zaśmiecony adware
Rozpoczęty przez
Rogerson
, 20 07 2008 17:53
-
Temat jest zamknięty
10 odpowiedzi w tym temacie
#2
ordynat
-
-
- 804 postów
Zaawansowany użytkownik
Napisano 20 07 2008 - 18:57
Masz infekcję na pendrive oraz jakieś nieznane 48 Zaplanowanych Zadań.
Twój ComboFix jest mocno przestarzały - od czasu jego zainstalowania było już kilkaset nowych wersji. Stara wersja nie pokazuje wszystkiego.
Wklej do Notatnika:
Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe
-->
Ma się rozpocząć usuwanie. (i powstanie log).
Daj ten log, który powstanie w trakcie usuwania.
Po restarcie usuń ręcznie folder C:\Qoobox.
ordynat
Twój ComboFix jest mocno przestarzały - od czasu jego zainstalowania było już kilkaset nowych wersji. Stara wersja nie pokazuje wszystkiego.
Wklej do Notatnika:
File::
I:\Recycled\ctfmon.exe
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3395cf10-dd5a-11d8-827a-0040f49757f6}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef00e320-fcc0-11d8-a36b-0040f49757f6}]>>Plik>>Zapisz jako... >>> CFScript Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe
-->
Ma się rozpocząć usuwanie. (i powstanie log).
Daj ten log, który powstanie w trakcie usuwania.
Po restarcie usuń ręcznie folder C:\Qoobox.
ordynat
#3
karolkuich
-
-
- 141 postów
Początkujący
Napisano 20 07 2008 - 19:05
Gdzie jest antywirus i zapora sieciowa ?
#4
Rogerson
-
-
- 14 postów
Początkujący
Napisano 20 07 2008 - 19:15
Antywira obecnie nie mam - jakoś tak wyszło :]
Log po:
ComboFix 08-07-19.1 - Mateusz 2008-07-20 19:21:02.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.51 [GMT 2:00]
Running from: C:\Documents and Settings\Mateusz\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mateusz\Pulpit\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
FILE ::
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
I:\Recycled\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\MyWay
C:\Program Files\MyWay\myBar\1.bin\MYWAYPLUGINPROXY.CLASS
C:\Program Files\MyWay\myBar\1.bin\PARTNER.BMP
C:\Program Files\MyWay\myBar\1.bin\PARTNER.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER2.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER3.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER4.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER5.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER6.DAT
C:\Program Files\MyWay\myBar\Cache\008710D4
C:\Program Files\MyWay\myBar\Cache\00871810
C:\Program Files\MyWay\myBar\Cache\0087196F.bin
C:\Program Files\MyWay\myBar\Cache\00871C04.bin
C:\Program Files\MyWay\myBar\Cache\00871D3A.bin
C:\Program Files\MyWay\myBar\Cache\files.ini
C:\Program Files\MyWay\myBar\History\search
C:\Program Files\MyWay\myBar\Settings\prevcfg.htm
C:\Recycled\Recycled
C:\WINDOWS\system32\Check.exe
C:\WINDOWS\system32\deyqywxi.ini
C:\WINDOWS\system32\dsnhrlgn.ini
C:\WINDOWS\system32\hvxufuie.ini
C:\WINDOWS\system32\icasmbdv.ini
C:\WINDOWS\system32\icvpqdhp.ini
C:\WINDOWS\system32\llyfifhc.ini
C:\WINDOWS\system32\lvlxbgbp.ini
C:\WINDOWS\system32\mykmxdyu.ini
C:\WINDOWS\system32\obvdvkjh.ini
C:\WINDOWS\system32\qjdfvfhx.ini
C:\WINDOWS\system32\qmiujlok.ini
C:\WINDOWS\system32\skspshyd.ini
C:\WINDOWS\system32\xvsxwuxi.ini
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
H:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NTMLSVC
-------\Service_NtmlSvc
((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
.
2008-07-20 17:07 . 2008-07-20 17:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-07-20 16:30 . 2008-07-20 16:30 <DIR> d-------- C:\Program Files\SkanerOnline
2008-07-20 11:29 . 2008-07-20 11:29 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-07-15 19:00 . 2008-07-15 19:00 <DIR> dr------- C:\Documents and Settings\NetworkService\Ulubione
2008-07-14 18:20 . 2008-07-14 18:20 0 --a------ C:\WINDOWS\system32\HwnABMD0.exe.a_a
2008-07-06 18:17 . 2008-07-06 18:17 <DIR> d-------- C:\Program Files\Fast Break Basketball
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 20:12 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-05-20 17:53 --------- d-----w C:\Program Files\TVAnts
.
------- Sigcheck -------
2006-04-20 13:51 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\system32\drivers\tcpip.sys
2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\system32\dllcache\tcpip.sys
2002-08-28 23:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 08:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2004-08-04 08:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2005-05-25 21:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-13 03:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\85df038b1f331d3835256425c1b567cb\sp2gdr\tcpip.sys
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\85df038b1f331d3835256425c1b567cb\sp2qfe\tcpip.sys
2008-06-20 12:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\SoftwareDistribution\Download\908074217de9c0a4d4d2d573db7b5e8f\sp2qfe\tcpip.sys
2008-06-20 12:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\SoftwareDistribution\Download\908074217de9c0a4d4d2d573db7b5e8f\sp2gdr\tcpip.sys
2008-06-20 13:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\SoftwareDistribution\Download\908074217de9c0a4d4d2d573db7b5e8f\sp3gdr\tcpip.sys
2008-06-20 13:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\SoftwareDistribution\Download\908074217de9c0a4d4d2d573db7b5e8f\sp3qfe\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23 75520]
"Flashget"="C:\Program Files\FlashGet\flashget.exe" [2007-09-25 09:10 2007088]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-15 11:42 4112384]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:44 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"vidc.VSPX"= vspxvfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Mateusz^Menu Start^Programy^Autostart^Yahoo! Widget Engine.lnk]
path=C:\Documents and Settings\Mateusz\Menu Start\Programy\Autostart\Yahoo! Widget Engine.lnk
backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 09:44 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
--a------ 2007-09-25 09:10 2007088 C:\Program Files\FlashGet\flashget.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-07-15 11:42 4112384 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-07-15 11:42 81920 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 11:12 695808 F:\BitComet\Nokia 6500\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-08-06 12:43 23165736 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-07-15 11:42 843776 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
S3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2007-02-15 19:48]
S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2006-12-06 00:39]
.
- - - - ORPHANS REMOVED - - - -
HKU-Default-Run-Nokia.PCSync - F:\BitComet\Nokia PC Suite 6\PcSync2.exe
MSConfigStartUp-MsgCenterExe - C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
MSConfigStartUp-Octoshape Streaming Services - C:\Program Files\Octoshape Streaming Services\Mateusz\OctoshapeClient.exe
MSConfigStartUp-QuickTime Task - C:\Program Files\QuickTime\qttask.exe
MSConfigStartUp-RealPlayer - C:\Program Files\Real\RealPlayer\realplay.exe
MSConfigStartUp-SDTray - C:\Program Files\Spyware Doctor\SDTrayApp.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
MSConfigStartUp-TkBellExe - C:\Program Files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-WireLessKeyboard - C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 19:24:13
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\WINDOWS\SYSTEM32\PNKBSTRA.EXE
.
**************************************************************************
.
Completion time: 2008-07-20 19:25:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-20 17:25:06
Pre-Run: 678,641,664 bajtów wolnych
Post-Run: 671,662,080 bajt˘w wolnych
259
Log po:
ComboFix 08-07-19.1 - Mateusz 2008-07-20 19:21:02.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.51 [GMT 2:00]
Running from: C:\Documents and Settings\Mateusz\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mateusz\Pulpit\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
FILE ::
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
I:\Recycled\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\MyWay
C:\Program Files\MyWay\myBar\1.bin\MYWAYPLUGINPROXY.CLASS
C:\Program Files\MyWay\myBar\1.bin\PARTNER.BMP
C:\Program Files\MyWay\myBar\1.bin\PARTNER.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER2.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER3.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER4.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER5.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER6.DAT
C:\Program Files\MyWay\myBar\Cache\008710D4
C:\Program Files\MyWay\myBar\Cache\00871810
C:\Program Files\MyWay\myBar\Cache\0087196F.bin
C:\Program Files\MyWay\myBar\Cache\00871C04.bin
C:\Program Files\MyWay\myBar\Cache\00871D3A.bin
C:\Program Files\MyWay\myBar\Cache\files.ini
C:\Program Files\MyWay\myBar\History\search
C:\Program Files\MyWay\myBar\Settings\prevcfg.htm
C:\Recycled\Recycled
C:\WINDOWS\system32\Check.exe
C:\WINDOWS\system32\deyqywxi.ini
C:\WINDOWS\system32\dsnhrlgn.ini
C:\WINDOWS\system32\hvxufuie.ini
C:\WINDOWS\system32\icasmbdv.ini
C:\WINDOWS\system32\icvpqdhp.ini
C:\WINDOWS\system32\llyfifhc.ini
C:\WINDOWS\system32\lvlxbgbp.ini
C:\WINDOWS\system32\mykmxdyu.ini
C:\WINDOWS\system32\obvdvkjh.ini
C:\WINDOWS\system32\qjdfvfhx.ini
C:\WINDOWS\system32\qmiujlok.ini
C:\WINDOWS\system32\skspshyd.ini
C:\WINDOWS\system32\xvsxwuxi.ini
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
H:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NTMLSVC
-------\Service_NtmlSvc
((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
.
2008-07-20 17:07 . 2008-07-20 17:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-07-20 16:30 . 2008-07-20 16:30 <DIR> d-------- C:\Program Files\SkanerOnline
2008-07-20 11:29 . 2008-07-20 11:29 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-07-15 19:00 . 2008-07-15 19:00 <DIR> dr------- C:\Documents and Settings\NetworkService\Ulubione
2008-07-14 18:20 . 2008-07-14 18:20 0 --a------ C:\WINDOWS\system32\HwnABMD0.exe.a_a
2008-07-06 18:17 . 2008-07-06 18:17 <DIR> d-------- C:\Program Files\Fast Break Basketball
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 20:12 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-05-20 17:53 --------- d-----w C:\Program Files\TVAnts
.
------- Sigcheck -------
2006-04-20 13:51 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\system32\drivers\tcpip.sys
2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\system32\dllcache\tcpip.sys
2002-08-28 23:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 08:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2004-08-04 08:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2005-05-25 21:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-13 03:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\85df038b1f331d3835256425c1b567cb\sp2gdr\tcpip.sys
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\85df038b1f331d3835256425c1b567cb\sp2qfe\tcpip.sys
2008-06-20 12:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\SoftwareDistribution\Download\908074217de9c0a4d4d2d573db7b5e8f\sp2qfe\tcpip.sys
2008-06-20 12:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\SoftwareDistribution\Download\908074217de9c0a4d4d2d573db7b5e8f\sp2gdr\tcpip.sys
2008-06-20 13:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\SoftwareDistribution\Download\908074217de9c0a4d4d2d573db7b5e8f\sp3gdr\tcpip.sys
2008-06-20 13:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\SoftwareDistribution\Download\908074217de9c0a4d4d2d573db7b5e8f\sp3qfe\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23 75520]
"Flashget"="C:\Program Files\FlashGet\flashget.exe" [2007-09-25 09:10 2007088]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-15 11:42 4112384]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:44 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"vidc.VSPX"= vspxvfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Mateusz^Menu Start^Programy^Autostart^Yahoo! Widget Engine.lnk]
path=C:\Documents and Settings\Mateusz\Menu Start\Programy\Autostart\Yahoo! Widget Engine.lnk
backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 09:44 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
--a------ 2007-09-25 09:10 2007088 C:\Program Files\FlashGet\flashget.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-07-15 11:42 4112384 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-07-15 11:42 81920 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 11:12 695808 F:\BitComet\Nokia 6500\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-08-06 12:43 23165736 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-07-15 11:42 843776 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
S3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2007-02-15 19:48]
S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2006-12-06 00:39]
.
- - - - ORPHANS REMOVED - - - -
HKU-Default-Run-Nokia.PCSync - F:\BitComet\Nokia PC Suite 6\PcSync2.exe
MSConfigStartUp-MsgCenterExe - C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
MSConfigStartUp-Octoshape Streaming Services - C:\Program Files\Octoshape Streaming Services\Mateusz\OctoshapeClient.exe
MSConfigStartUp-QuickTime Task - C:\Program Files\QuickTime\qttask.exe
MSConfigStartUp-RealPlayer - C:\Program Files\Real\RealPlayer\realplay.exe
MSConfigStartUp-SDTray - C:\Program Files\Spyware Doctor\SDTrayApp.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
MSConfigStartUp-TkBellExe - C:\Program Files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-WireLessKeyboard - C:\Program Files\Multimedia Keyboard Driver\StartAutorun.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 19:24:13
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\WINDOWS\SYSTEM32\PNKBSTRA.EXE
.
**************************************************************************
.
Completion time: 2008-07-20 19:25:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-20 17:25:06
Pre-Run: 678,641,664 bajtów wolnych
Post-Run: 671,662,080 bajt˘w wolnych
259
#6
Rogerson
-
-
- 14 postów
Początkujący
Napisano 20 07 2008 - 19:26
Właśnie zauważyłem, ale już poprawiony log w poprzednim moim poście.
#7
ordynat
-
-
- 804 postów
Zaawansowany użytkownik
Napisano 20 07 2008 - 19:46
No proszę, ten nowszy ComboFix usunął samoczynnie przy okazji infekcję, której w starym ComboFixie w ogóle nie było widać.
Zrób jeszcze to:
Wklej do Notatnika:
Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe
-->
Ma się rozpocząć usuwanie. (i powstanie log).
Po restarcie usuń ręcznie folder C:\Qoobox.
ordynat
Zrób jeszcze to:
Wklej do Notatnika:
File:: C:\WINDOWS\system32\HwnABMD0.exe.a_a>>Plik>>Zapisz jako... >>> CFScript
Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe
-->
Ma się rozpocząć usuwanie. (i powstanie log).
Po restarcie usuń ręcznie folder C:\Qoobox.
ordynat
#8
Rogerson
-
-
- 14 postów
Początkujący
Napisano 20 07 2008 - 19:58
Done
Log:
ComboFix 08-07-19.1 - Mateusz 2008-07-20 19:53:57.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.124 [GMT 2:00]
Running from: C:\Documents and Settings\Mateusz\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mateusz\Pulpit\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
FILE ::
C:\WINDOWS\system32\HwnABMD0.exe.a_a
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\HwnABMD0.exe.a_a
.
((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
.
2008-07-20 17:07 . 2008-07-20 17:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-07-20 16:30 . 2008-07-20 16:30 <DIR> d-------- C:\Program Files\SkanerOnline
2008-07-20 11:29 . 2008-07-20 11:29 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-07-15 19:00 . 2008-07-15 19:00 <DIR> dr------- C:\Documents and Settings\NetworkService\Ulubione
2008-07-06 18:17 . 2008-07-06 18:17 <DIR> d-------- C:\Program Files\Fast Break Basketball
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 20:12 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-05-20 17:53 --------- d-----w C:\Program Files\TVAnts
.
------- Sigcheck -------
2006-04-20 13:51 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\system32\drivers\tcpip.sys
2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\system32\dllcache\tcpip.sys
2002-08-28 23:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 08:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2004-08-04 08:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2005-05-25 21:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-13 03:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\85df038b1f331d3835256425c1b567cb\sp2gdr\tcpip.sys
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\85df038b1f331d3835256425c1b567cb\sp2qfe\tcpip.sys
2008-06-20 12:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\SoftwareDistribution\Download\908074217de9c0a4d4d2d573db7b5e8f\sp2qfe\tcpip.sys
2008-06-20 12:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\SoftwareDistribution\Download\908074217de9c0a4d4d2d573db7b5e8f\sp2gdr\tcpip.sys
2008-06-20 13:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\SoftwareDistribution\Download\908074217de9c0a4d4d2d573db7b5e8f\sp3gdr\tcpip.sys
2008-06-20 13:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\SoftwareDistribution\Download\908074217de9c0a4d4d2d573db7b5e8f\sp3qfe\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23 75520]
"Flashget"="C:\Program Files\FlashGet\flashget.exe" [2007-09-25 09:10 2007088]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-15 11:42 4112384]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:44 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"vidc.VSPX"= vspxvfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Mateusz^Menu Start^Programy^Autostart^Yahoo! Widget Engine.lnk]
path=C:\Documents and Settings\Mateusz\Menu Start\Programy\Autostart\Yahoo! Widget Engine.lnk
backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 09:44 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
--a------ 2007-09-25 09:10 2007088 C:\Program Files\FlashGet\flashget.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-07-15 11:42 4112384 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-07-15 11:42 81920 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 11:12 695808 F:\BitComet\Nokia 6500\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-08-06 12:43 23165736 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-07-15 11:42 843776 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
S3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2007-02-15 19:48]
S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2006-12-06 00:39]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 19:54:56
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-20 19:55:16
ComboFix-quarantined-files.txt 2008-07-20 17:55:16
Pre-Run: 759,566,336 bajtów wolnych
Post-Run: 747,466,752 bajtów wolnych
112
Log:
ComboFix 08-07-19.1 - Mateusz 2008-07-20 19:53:57.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.124 [GMT 2:00]
Running from: C:\Documents and Settings\Mateusz\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mateusz\Pulpit\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
FILE ::
C:\WINDOWS\system32\HwnABMD0.exe.a_a
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\HwnABMD0.exe.a_a
.
((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
.
2008-07-20 17:07 . 2008-07-20 17:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-07-20 16:30 . 2008-07-20 16:30 <DIR> d-------- C:\Program Files\SkanerOnline
2008-07-20 11:29 . 2008-07-20 11:29 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-07-15 19:00 . 2008-07-15 19:00 <DIR> dr------- C:\Documents and Settings\NetworkService\Ulubione
2008-07-06 18:17 . 2008-07-06 18:17 <DIR> d-------- C:\Program Files\Fast Break Basketball
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 20:12 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-05-20 17:53 --------- d-----w C:\Program Files\TVAnts
.
------- Sigcheck -------
2006-04-20 13:51 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\system32\drivers\tcpip.sys
2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\system32\dllcache\tcpip.sys
2002-08-28 23:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 08:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2004-08-04 08:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2005-05-25 21:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-13 03:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\85df038b1f331d3835256425c1b567cb\sp2gdr\tcpip.sys
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\85df038b1f331d3835256425c1b567cb\sp2qfe\tcpip.sys
2008-06-20 12:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\SoftwareDistribution\Download\908074217de9c0a4d4d2d573db7b5e8f\sp2qfe\tcpip.sys
2008-06-20 12:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\SoftwareDistribution\Download\908074217de9c0a4d4d2d573db7b5e8f\sp2gdr\tcpip.sys
2008-06-20 13:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\SoftwareDistribution\Download\908074217de9c0a4d4d2d573db7b5e8f\sp3gdr\tcpip.sys
2008-06-20 13:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\SoftwareDistribution\Download\908074217de9c0a4d4d2d573db7b5e8f\sp3qfe\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23 75520]
"Flashget"="C:\Program Files\FlashGet\flashget.exe" [2007-09-25 09:10 2007088]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-15 11:42 4112384]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:44 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"vidc.VSPX"= vspxvfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Mateusz^Menu Start^Programy^Autostart^Yahoo! Widget Engine.lnk]
path=C:\Documents and Settings\Mateusz\Menu Start\Programy\Autostart\Yahoo! Widget Engine.lnk
backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 09:44 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
--a------ 2007-09-25 09:10 2007088 C:\Program Files\FlashGet\flashget.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-07-15 11:42 4112384 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-07-15 11:42 81920 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 11:12 695808 F:\BitComet\Nokia 6500\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-08-06 12:43 23165736 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-07-15 11:42 843776 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
S3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2007-02-15 19:48]
S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2006-12-06 00:39]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 19:54:56
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-20 19:55:16
ComboFix-quarantined-files.txt 2008-07-20 17:55:16
Pre-Run: 759,566,336 bajtów wolnych
Post-Run: 747,466,752 bajtów wolnych
112
#9
ordynat
-
-
- 804 postów
Zaawansowany użytkownik
Napisano 20 07 2008 - 20:04
Uważam, że teraz jest OK.
ordynat
ordynat
#11
karolkuich
-
-
- 141 postów
Początkujący
Napisano 20 07 2008 - 20:57
Na koniec wyłącz jeszcze na chwilę przywracanie systemu, po chwili możesz włączyć spowrotem.
Odinstaluj ComboFix : Start>>Uruchom i wpisz :
Następnym razem pobierzesz nową wersję Combo.
Przeczyść kompa programem : http://cybertrash.pl/images/tata/CCleaner/CCleaner.html
I koniecznie zainstaluj antywirusa.
Odinstaluj ComboFix : Start>>Uruchom i wpisz :
ComboFix /u
Następnym razem pobierzesz nową wersję Combo.
Przeczyść kompa programem : http://cybertrash.pl/images/tata/CCleaner/CCleaner.html
I koniecznie zainstaluj antywirusa.
Użytkownicy przeglądający ten temat: 1
0 użytkowników, 1 gości, 0 anonimowych
