[virus] leftovers after a virus
#1
Posted 25 05 2008 - 13:52
but I don't know how to do this
how do I get rid of this message
virus alert
and here's the log, just in case
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:09: VIRUS ALERT!, on 2008-05-25
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Startup: Skrót do ccApp.lnk = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Tomek\Dane aplikacji\Dealio\kb124\res\DealioSearch.html
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O21 - SSODL: vregfwlx - {2E2FD5BA-3AE4-45EB-B52B-FADA0B9441C2} - C:\WINDOWS\vregfwlx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Usługa iPod (iPod Service) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton\Norton Utilities\NPROTECT.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 4155 bytes
#2
Posted 25 05 2008 - 15:39
HijackThis >> Scan (Do a system scan only) >> check these >> Fix checked:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O21 - SSODL: vregfwlx - {2E2FD5BA-3AE4-45EB-B52B-FADA0B9441C2} - C:\WINDOWS\vregfwlx.dll
Download ComboFix, but do not run it yet.
Paste into Notepad:
File::
C:\WINDOWS\vregfwlx.dll

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vregfwlx"=-

>> File >> Save as... >>> CFScript
Drag and drop the CFScript.txt file onto ComboFix.exe.
The removal should start (and a log will be created). Post the log that is produced during the removal.
If it goes well: after the restart, delete the C:\Qoobox folder manually.
ordynat
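A triage pass over HijackThis lines of the kind fixed above, as an added example that is not from this thread, from HijackThis or from ComboFix; the trusted start-page host list and the severity labels are assumptions, and the sample log is constructed from lines quoted in post #1.

```python
import re
from dataclasses import dataclass

# Constructed sample: the entries the helper told the poster to fix, plus a
# few benign lines from the same HijackThis log, so the triage runs offline.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O21 - SSODL: vregfwlx - {2E2FD5BA-3AE4-45EB-B52B-FADA0B9441C2} - C:\WINDOWS\vregfwlx.dll
O23 - Service: Usługa iPod (iPod Service) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""

# Hypothetical allowlist a helper would maintain: start-page hosts that need no review.
TRUSTED_START_HOSTS = {"www.google.pl", "www.google.com", "about:blank", "www.onet.pl"}

# A HijackThis line is "<code> - <body>", e.g. "O21 - SSODL: ...".
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    code: str
    severity: str  # "fix" (tick in HijackThis), "review", or "info"
    reason: str
    line: str


def start_page_host(body):
    """Return the host of an R0/R1 start-page entry, or None if absent."""
    m = re.search(r"Start Page = (\S+)", body)
    if not m:
        return None
    url = m.group(1)
    if url.startswith("about:"):
        return url
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def triage_line(line):
    """Classify one HijackThis line; None means nothing worth reporting."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1"):
        host = start_page_host(body)
        if host and host not in TRUSTED_START_HOSTS:
            return Finding(code, "fix", f"IE start page points to untrusted host {host}", line)
        return None
    if code == "O6" and "Restrictions present" in body:
        # Policy restrictions on IE are a common side effect of rogue-AV hijacks.
        return Finding(code, "fix", "IE policy restrictions present", line)
    if code == "O21":
        path = body.rsplit(" - ", 1)[-1]
        # SSODL entries are loaded by explorer at every logon; a DLL sitting
        # directly in %WINDIR% rather than a product folder is a strong hint
        # that it was dropped there rather than installed.
        if re.match(r"(?i)^c:\\windows\\[^\\]+\.dll$", path):
            return Finding(code, "fix", f"ShellServiceObjectDelayLoad DLL in %WINDIR% root: {path}", line)
        return Finding(code, "review", "ShellServiceObjectDelayLoad entry", line)
    if code == "O23" and body.endswith("(file missing)"):
        return Finding(code, "info", "service points at a missing binary (stale, cleanup only)", line)
    if code == "O10":
        return Finding(code, "review", "non-standard Winsock LSP; verify the file's publisher", line)
    return None


def triage(log_text):
    """All findings for a log, in the order the lines appear."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def lines_to_fix(log_text):
    """The lines a helper would tell the poster to tick before 'Fix checked'."""
    return [f.line.strip() for f in triage(log_text) if f.severity == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}")
```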
#4
Posted 25 05 2008 - 15:57
http://forum.idg.pl/index.php?showtopic=118804
There is a more up-to-date description there.
ordynat
#5
Posted 25 05 2008 - 16:20
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.571 [GMT 2:00]
Running from: C:\Documents and Settings\Tomek\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tomek\Pulpit\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
FILE ::
C:\WINDOWS\vregfwlx.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\Tomek\USTAWI~1\Temp\E_4
C:\DOCUME~1\Tomek\USTAWI~1\Temp\E_4\HtmlView.fne
C:\DOCUME~1\Tomek\USTAWI~1\Temp\E_4\iext.fnr
C:\DOCUME~1\Tomek\USTAWI~1\Temp\E_4\krnln.fnr
C:\Documents and Settings\Jola\Ulubione\Error Cleaner.url
C:\Documents and Settings\Jola\Ulubione\Privacy Protector.url
C:\Documents and Settings\Jola\Ulubione\Spyware&Malware Protection.url
C:\Documents and Settings\Tomek\Dane aplikacji\inst.exe
C:\Documents and Settings\Tomek\Ulubione\Error Cleaner.url
C:\Documents and Settings\Tomek\Ulubione\Privacy Protector.url
C:\Documents and Settings\Tomek\Ulubione\Spyware&Malware Protection.url
C:\WINDOWS\system32\awtRjggf.dll
C:\WINDOWS\system32\fggjRtwa.ini
C:\WINDOWS\system32\fggjRtwa.ini2
C:\WINDOWS\system32\gocdroye.ini
C:\WINDOWS\system32\WLCtrl32.dl_
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\ycxwblyt.ini
C:\WINDOWS\system32\yejdvoxv.ini
C:\WINDOWS\vregfwlx.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NAVAPSVC
-------\Service_navapsvc
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.
2008-05-25 16:25 . 2008-05-25 16:25 14,336 --a------ C:\WINDOWS\system32\WinCtrl32.dl_
2008-05-25 16:05 . 2008-05-25 16:05 90,624 --a------ C:\WINDOWS\system32\eyordcog.dll
2008-05-25 15:04 . 2008-05-25 15:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-25 15:04 . 2008-05-25 15:40 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-05-25 12:54 . 2008-05-25 16:24 27,008 --a------ C:\WINDOWS\system32\drivers\Taf37.sys
2008-05-25 12:53 . 2008-05-25 16:25 29,056 --a------ C:\WINDOWS\system32\drivers\msX16.sys
2008-05-25 12:39 . 2008-05-25 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-05-25 11:25 . 2008-05-25 14:10 <DIR> d-------- C:\Program Files\SkanerOnline
2008-05-25 11:11 . 2008-05-25 11:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-25 10:32 . 2008-05-25 10:34 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-25 10:17 . 2008-05-25 13:05 <DIR> d-------- C:\Documents and Settings\Jola\Dane aplikacji\TmpRecentIcons
2008-05-25 10:02 . 2008-05-25 10:02 91,136 --a------ C:\WINDOWS\system32\tylbwxcy.dll
2008-05-25 09:48 . 2008-05-25 09:48 <DIR> d-------- C:\Documents and Settings\Tomek\Dane aplikacji\TmpRecentIcons
2008-05-25 08:37 . 2008-05-25 16:22 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-05-25 08:37 . 2006-12-26 17:32 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-05-25 08:37 . 2006-12-26 17:45 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-05-25 08:37 . 2007-01-03 01:37 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-05-25 08:37 . 2006-12-26 17:32 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-05-25 08:37 . 2006-12-26 17:32 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-05-25 08:37 . 2006-12-26 17:32 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-05-25 08:37 . 2008-05-25 08:37 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-25 08:28 . 2008-05-25 08:28 91,136 --a------ C:\WINDOWS\system32\vxovdjey.dll
2008-05-25 08:23 . 2008-05-25 08:24 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-05-25 08:23 . 2008-05-25 08:23 <DIR> d-------- C:\Program Files\ACD Systems
2008-05-25 08:23 . 2008-05-25 08:23 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ACD Systems
2008-05-25 08:22 . 2008-05-24 17:19 368,640 --a------ C:\WINDOWS\vltdfabw.dll
2008-05-25 08:22 . 2008-05-24 17:19 266,240 --a------ C:\WINDOWS\boqnrwdmstg.dll
2008-05-25 08:22 . 2008-05-24 17:20 188,416 --a------ C:\WINDOWS\atfxqogp.dll
2008-05-25 08:22 . 2008-05-24 17:19 159,744 --a------ C:\WINDOWS\edwf.exe
2008-05-25 08:22 . 2008-05-24 17:20 94,208 --a------ C:\WINDOWS\xmpstean.exe
2008-05-25 08:22 . 2008-05-25 08:22 29,824 --a------ C:\WINDOWS\system32\rqRJDtro.dll
2008-05-25 08:22 . 2008-05-25 16:24 14,336 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-05-21 14:24 . 2008-05-21 14:28 <DIR> d-------- C:\Program Files\ATI
2008-05-21 14:02 . 2008-05-21 14:02 <DIR> d-------- C:\Program Files\NEC DISPLAY SOLUTIONS
2008-05-21 13:59 . 2008-05-21 13:59 <DIR> d-------- C:\Documents and Settings\Tomek\Dane aplikacji\ATI
2008-05-21 13:59 . 2008-05-21 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ATI
2008-05-21 13:58 . 2008-05-21 13:58 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-05-21 13:48 . 2008-05-21 13:53 <DIR> d-------- C:\Program Files\Common Files\ATI Technologies
2008-05-21 13:47 . 2008-03-28 21:05 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-05-21 13:46 . 2008-05-21 13:53 <DIR> d-------- C:\Program Files\ATI Technologies
2008-05-21 13:46 . 2007-12-21 04:35 3,107,788 -ra------ C:\WINDOWS\system32\ativvaxx.dat
2008-05-21 13:46 . 2007-12-21 04:35 3,107,788 -ra------ C:\WINDOWS\system32\ativva5x.dat
2008-05-21 13:46 . 2007-12-21 04:35 887,724 -ra------ C:\WINDOWS\system32\ativva6x.dat
2008-05-21 13:46 . 2008-03-29 06:05 372,736 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2008-05-21 13:46 . 2008-03-29 05:39 307,200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2008-05-21 13:46 . 2008-03-06 16:40 168,883 --a------ C:\WINDOWS\system32\atiicdxx.dat
2008-05-21 13:46 . 2008-01-21 15:48 12,477 --a------ C:\WINDOWS\atiogl.xml
2008-05-21 13:46 . 2007-08-31 16:20 7,167 -ra------ C:\WINDOWS\system32\atifglpf.xml
2008-05-13 18:43 . 2008-05-13 18:44 <DIR> d-------- C:\Program Files\Pet Soccer
2008-05-11 13:58 . 2008-05-11 13:58 <DIR> d-------- C:\Documents and Settings\Tomek\Dane aplikacji\teamspeak2
2008-05-09 12:14 . 2008-05-09 12:14 <DIR> d-------- C:\Program Files\Sports Interactive
2008-05-09 12:10 . 2008-05-09 12:18 <DIR> d-------- C:\Documents and Settings\Karol\Dane aplikacji\Sports Interactive
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 14:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-25 14:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-25 11:42 --------- d-----w C:\Program Files\Norton
2008-05-25 11:22 --------- d-----w C:\Documents and Settings\Tomek\Dane aplikacji\Lavasoft
2008-05-25 06:12 --------- d-----w C:\Program Files\Blaze Media Pro
2008-05-21 12:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-16 20:36 --------- d-----w C:\Program Files\mIRC
2008-05-10 06:12 --------- d-----w C:\Program Files\BearShare
2008-04-30 21:32 --------- d-----w C:\Documents and Settings\Karol\Dane aplikacji\teamspeak2
2008-04-22 13:39 98,304 ----a-w C:\WINDOWS\DUMP4a95.tmp
2008-04-21 14:56 --------- d-----w C:\Program Files\AV Vcs 6.0 GOLD
2008-04-17 07:00 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-04-11 18:27 --------- d-----w C:\Documents and Settings\Jola\Dane aplikacji\ArcSoft
2008-03-29 06:21 2,873,856 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-03-29 05:19 9,801,728 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-03-29 04:40 167,936 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-03-29 04:04 299,008 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-03-29 03:56 172,032 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-03-29 03:56 126,976 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-03-29 03:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-03-29 03:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-03-29 03:55 126,976 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-03-29 03:54 536,576 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-03-29 03:52 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-03-29 03:43 3,176,480 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-03-29 03:36 1,765,120 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-03-29 03:24 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-03-29 03:23 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-03-29 03:21 393,216 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-03-29 03:19 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-03-29 03:18 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-03-29 03:12 520,192 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-03-28 16:35 --------- d-----w C:\Documents and Settings\Karol\Dane aplikacji\ArcSoft
2008-03-28 16:34 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-03-28 16:34 --------- d-----w C:\Program Files\ArcSoft
2008-03-26 23:57 --------- d-----w C:\Program Files\WinSCP
2008-02-13 23:44 47,360 ----a-w C:\Documents and Settings\Tomek\Dane aplikacji\pcouffin.sys
2008-01-05 16:55 52,440 ----a-w C:\Documents and Settings\Karol\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-11-07 06:42 49,176 ----a-w C:\Documents and Settings\Tomek\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-03-17 07:55 397,312 ----a-w C:\Documents and Settings\Tomek\jogl.dll
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2007-12-29 08:37 32 --sha-w C:\WINDOWS\{20B102E0-E565-42D0-895C-84EE9430DC4D}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\{26440D04-D04D-48BB-A471-CC8AF3386392}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\{311DCC95-A844-49CF-B918-4BC02D9EF2E3}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\{5C67A0B8-6C00-473D-99F0-31E687E1CFAD}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\{7F5434EA-AEE2-4D9E-A184-997666982582}.dat
2007-12-29 08:38 32 --sha-w C:\WINDOWS\{8E3FB993-ED7B-49FF-A5A7-77EBE0569885}.dat
2007-12-29 08:37 32 --sha-w C:\WINDOWS\{D70A6BA9-F075-43B5-A6B4-7C16DCD3F736}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\system32\{1951497B-2534-4325-87E1-EE14DDB07E1F}.dat
2007-12-29 08:37 32 --sha-w C:\WINDOWS\system32\{87DBE9CB-9866-46F9-BA5C-71268F55D7F7}.dat
2007-12-29 08:38 32 --sha-w C:\WINDOWS\system32\{AE9C1732-8149-4B01-989B-AFEA7AE78B48}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\system32\{CABB3FEE-57AC-416C-9F5E-4D040C4B57F3}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\system32\{E02D4FDD-4A10-42C8-85C9-C15C51B59CA1}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\system32\{E28D228B-E848-49AA-9958-D730406FAD42}.dat
2007-12-29 08:37 32 --sha-w C:\WINDOWS\system32\{FB8742DE-BEFA-4E82-9590-22B40B07A27D}.dat
.
------- Sigcheck -------
2002-09-29 00:00 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-04 00:14 359040 28f288e08a098df3c0eb6aa813bb41fd C:\WINDOWS\system32\drivers\tcpip.sys
2002-09-29 00:00 13312 0c4c012b0a8960f48a666c240a7baa3d C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 01:44 15360 cbfa30492d70ce3938d8a7783d0c0436 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}]
2008-05-25 08:22 29824 --a------ C:\WINDOWS\system32\rqRJDtro.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B33B96B9-E0C2-4648-9819-A38DDCAFA33C}]
2008-05-24 17:19 266240 --a------ C:\WINDOWS\boqnrwdmstg.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-04-19 17:43 2101248]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eca2046e"="C:\WINDOWS\system32\eyordcog.dll" [2008-05-25 16:05 90624]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}"= C:\WINDOWS\system32\rqRJDtro.dll [2008-05-25 08:22 29824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRJDtro]
rqRJDtro.dll 2008-05-25 08:22 29824 C:\WINDOWS\system32\rqRJDtro.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 2008-05-25 16:24 14336 C:\WINDOWS\system32\WinCtrl32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"vidc.i420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm
"VIDC.ACDV"= ACDV.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geBtTLee
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\diO73.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msX16.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ouA61.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pvb38.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sxE61.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Taf37.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\taF62.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Norton System Doctor.LNK]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Norton System Doctor.LNK
backup=C:\WINDOWS\pss\Norton System Doctor.LNKCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Przyspieszenie uruchomienia programu AutoCAD.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Przyspieszenie uruchomienia programu AutoCAD.lnk
backup=C:\WINDOWS\pss\Przyspieszenie uruchomienia programu AutoCAD.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Karol^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5 - Tribes of the East.LNK]
path=C:\Documents and Settings\Karol\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5 - Tribes of the East.LNK
backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5 - Tribes of the East.LNKStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Tomek^Menu Start^Programy^Autostart^Norton Disk Doctor.lnk]
path=C:\Documents and Settings\Tomek\Menu Start\Programy\Autostart\Norton Disk Doctor.lnk
backup=C:\WINDOWS\pss\Norton Disk Doctor.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
C:\DOCUME~1\Tomek\USTAWI~1\Temp\rbnpsrv.exe/r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
C:\WINDOWS\system32\ctfmona.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 12:48 157592 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DelayLoad]
C:\DOCUME~1\Tomek\USTAWI~1\Temp\msprint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eca2046e]
--a------ 2008-05-25 08:28 91136 C:\WINDOWS\system32\vxovdjey.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 08:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2005-12-05 02:39 461584 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 15:18 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\System32\NvMcTray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 16:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2006-12-26 18:23 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Topic MSNGR32]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-04-02 04:20 12288 C:\Program Files\Winamp\Winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
R0 msX16;msX16;C:\WINDOWS\system32\Drivers\msX16.sys [2008-05-25 16:25]
R0 Taf37;Taf37;C:\WINDOWS\system32\Drivers\Taf37.sys [2008-05-25 16:24]
S0 diO73;diO73;C:\WINDOWS\system32\Drivers\diO73.sys []
S0 ouA61;ouA61;C:\WINDOWS\system32\Drivers\ouA61.sys []
S0 Pvb38;Pvb38;C:\WINDOWS\system32\Drivers\Pvb38.sys []
S0 sxE61;sxE61;C:\WINDOWS\system32\Drivers\sxE61.sys []
S0 taF62;taF62;C:\WINDOWS\system32\Drivers\taF62.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-05-23 18:00:24 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\Norton\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\DANEAP~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-05-23 15:32:54 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton\OBC.exe
"2008-05-25 14:26:32 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 16:25:16
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\gocdroye.ini 294 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\rqRJDtro.dll
-> C:\WINDOWS\system32\WinCtrl32.dll
-> C:\WINDOWS\system32\WLCtrl32.dll
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\ydhdwfso.dll
-> C:\WINDOWS\system32\geBtTLee.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-25 16:32:53 - machine was rebooted [Tomek]
ComboFix-quarantined-files.txt 2008-05-25 14:32:43
Pre-Run: 23,164,817,408 bajtów wolnych
Post-Run: 23,808,221,184 bajtów wolnych
338
#6
Posted 25 05 2008 - 16:38
I am also adding the empty, now unneeded "msconfig" keys for removal.
Paste into Notepad:
File::
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\eyordcog.dll
C:\WINDOWS\system32\drivers\Taf37.sys
C:\WINDOWS\system32\drivers\msX16.sys
C:\WINDOWS\system32\tylbwxcy.dll
C:\WINDOWS\system32\vxovdjey.dll
C:\WINDOWS\vltdfabw.dll
C:\WINDOWS\boqnrwdmstg.dll
C:\WINDOWS\atfxqogp.dll
C:\WINDOWS\edwf.exe
C:\WINDOWS\xmpstean.exe
C:\WINDOWS\system32\rqRJDtro.dll
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\gocdroye.ini
C:\WINDOWS\system32\rqRJDtro.dll
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\ydhdwfso.dll
C:\WINDOWS\system32\geBtTLee.dll

Driver::
msX16
Taf37
diO73
ouA61
Pvb38
sxE61
taF62

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B33B96B9-E0C2-4648-9819-A38DDCAFA33C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eca2046e"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRJDtro]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\diO73.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msX16.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ouA61.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pvb38.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sxE61.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Taf37.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\taF62.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DelayLoad]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eca2046e]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Topic MSNGR32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]

>> File >> Save as... >>> CFScript
Drag and drop the CFScript.txt file onto ComboFix.exe.
The removal should start (and a log will be created).
Post the log that is produced during the removal.
After the restart, delete the C:\Qoobox folder manually.
ordynat
#7
Posted 25 05 2008 - 16:55
#8
Posted 25 05 2008 - 17:08
ordynat
#9
Posted 25 05 2008 - 17:26
ComboFix 08-05-24.1 - Tomek 2008-05-25 17:26:19.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.719 [GMT 2:00]
Running from: C:\Documents and Settings\Tomek\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tomek\Pulpit\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
FILE ::
C:\WINDOWS\atfxqogp.dll
C:\WINDOWS\boqnrwdmstg.dll
C:\WINDOWS\edwf.exe
C:\WINDOWS\system32\drivers\msX16.sys
C:\WINDOWS\system32\drivers\Taf37.sys
C:\WINDOWS\system32\eyordcog.dll
C:\WINDOWS\system32\geBtTLee.dll
C:\WINDOWS\system32\gocdroye.ini
C:\WINDOWS\system32\rqRJDtro.dll
C:\WINDOWS\system32\tylbwxcy.dll
C:\WINDOWS\system32\vxovdjey.dll
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\ydhdwfso.dll
C:\WINDOWS\vltdfabw.dll
C:\WINDOWS\xmpstean.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\atfxqogp.dll
C:\WINDOWS\boqnrwdmstg.dll
C:\WINDOWS\edwf.exe
C:\WINDOWS\system32\drivers\msX16.sys
C:\WINDOWS\system32\drivers\Taf37.sys
C:\WINDOWS\system32\gocdroye.ini
C:\WINDOWS\system32\rqRJDtro.dll
C:\WINDOWS\system32\tylbwxcy.dll
C:\WINDOWS\system32\vxovdjey.dll
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\WLCtrl32.dl_
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\ydhdwfso.dll
C:\WINDOWS\vltdfabw.dll
C:\WINDOWS\xmpstean.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MSX16
-------\Legacy_SXE61
-------\Legacy_TAF37
-------\Service_diO73
-------\Service_msX16
-------\Service_ouA61
-------\Service_Pvb38
-------\Service_sxE61
-------\Service_Taf37
-------\Service_taF62
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.
2008-05-25 15:04 . 2008-05-25 15:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-25 15:04 . 2008-05-25 15:40 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-05-25 12:39 . 2008-05-25 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-05-25 11:25 . 2008-05-25 14:10 <DIR> d-------- C:\Program Files\SkanerOnline
2008-05-25 11:11 . 2008-05-25 11:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-25 10:32 . 2008-05-25 10:34 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-25 10:17 . 2008-05-25 13:05 <DIR> d-------- C:\Documents and Settings\Jola\Dane aplikacji\TmpRecentIcons
2008-05-25 09:48 . 2008-05-25 09:48 <DIR> d-------- C:\Documents and Settings\Tomek\Dane aplikacji\TmpRecentIcons
2008-05-25 08:37 . 2008-05-25 17:07 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-05-25 08:37 . 2006-12-26 17:32 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-05-25 08:37 . 2006-12-26 17:45 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-05-25 08:37 . 2007-01-03 01:37 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-05-25 08:37 . 2006-12-26 17:32 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-05-25 08:37 . 2006-12-26 17:32 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-05-25 08:37 . 2006-12-26 17:32 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-05-25 08:37 . 2008-05-25 08:37 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-25 08:23 . 2008-05-25 08:24 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-05-25 08:23 . 2008-05-25 08:23 <DIR> d-------- C:\Program Files\ACD Systems
2008-05-25 08:23 . 2008-05-25 08:23 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ACD Systems
2008-05-21 14:24 . 2008-05-21 14:28 <DIR> d-------- C:\Program Files\ATI
2008-05-21 14:02 . 2008-05-21 14:02 <DIR> d-------- C:\Program Files\NEC DISPLAY SOLUTIONS
2008-05-21 13:59 . 2008-05-21 13:59 <DIR> d-------- C:\Documents and Settings\Tomek\Dane aplikacji\ATI
2008-05-21 13:59 . 2008-05-21 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ATI
2008-05-21 13:58 . 2008-05-21 13:58 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-05-21 13:48 . 2008-05-21 13:53 <DIR> d-------- C:\Program Files\Common Files\ATI Technologies
2008-05-21 13:47 . 2008-03-28 21:05 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-05-21 13:46 . 2008-05-21 13:53 <DIR> d-------- C:\Program Files\ATI Technologies
2008-05-21 13:46 . 2007-12-21 04:35 3,107,788 -ra------ C:\WINDOWS\system32\ativvaxx.dat
2008-05-21 13:46 . 2007-12-21 04:35 3,107,788 -ra------ C:\WINDOWS\system32\ativva5x.dat
2008-05-21 13:46 . 2007-12-21 04:35 887,724 -ra------ C:\WINDOWS\system32\ativva6x.dat
2008-05-21 13:46 . 2008-03-29 06:05 372,736 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2008-05-21 13:46 . 2008-03-29 05:39 307,200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2008-05-21 13:46 . 2008-03-06 16:40 168,883 --a------ C:\WINDOWS\system32\atiicdxx.dat
2008-05-21 13:46 . 2008-01-21 15:48 12,477 --a------ C:\WINDOWS\atiogl.xml
2008-05-21 13:46 . 2007-08-31 16:20 7,167 -ra------ C:\WINDOWS\system32\atifglpf.xml
2008-05-13 18:43 . 2008-05-13 18:44 <DIR> d-------- C:\Program Files\Pet Soccer
2008-05-11 13:58 . 2008-05-11 13:58 <DIR> d-------- C:\Documents and Settings\Tomek\Dane aplikacji\teamspeak2
2008-05-09 12:14 . 2008-05-09 12:14 <DIR> d-------- C:\Program Files\Sports Interactive
2008-05-09 12:10 . 2008-05-09 12:18 <DIR> d-------- C:\Documents and Settings\Karol\Dane aplikacji\Sports Interactive
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 15:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-25 14:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-25 11:42 --------- d-----w C:\Program Files\Norton
2008-05-25 11:22 --------- d-----w C:\Documents and Settings\Tomek\Dane aplikacji\Lavasoft
2008-05-25 06:12 --------- d-----w C:\Program Files\Blaze Media Pro
2008-05-21 12:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-16 20:36 --------- d-----w C:\Program Files\mIRC
2008-05-10 06:12 --------- d-----w C:\Program Files\BearShare
2008-04-30 21:32 --------- d-----w C:\Documents and Settings\Karol\Dane aplikacji\teamspeak2
2008-04-22 13:39 98,304 ----a-w C:\WINDOWS\DUMP4a95.tmp
2008-04-21 14:56 --------- d-----w C:\Program Files\AV Vcs 6.0 GOLD
2008-04-17 07:00 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-04-11 18:27 --------- d-----w C:\Documents and Settings\Jola\Dane aplikacji\ArcSoft
2008-03-29 06:21 2,873,856 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-03-29 03:18 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-03-28 16:35 --------- d-----w C:\Documents and Settings\Karol\Dane aplikacji\ArcSoft
2008-03-28 16:34 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-03-28 16:34 --------- d-----w C:\Program Files\ArcSoft
2008-03-26 23:57 --------- d-----w C:\Program Files\WinSCP
2008-02-13 23:44 47,360 ----a-w C:\Documents and Settings\Tomek\Dane aplikacji\pcouffin.sys
2008-01-05 16:55 52,440 ----a-w C:\Documents and Settings\Karol\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-11-07 06:42 49,176 ----a-w C:\Documents and Settings\Tomek\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-03-17 07:55 397,312 ----a-w C:\Documents and Settings\Tomek\jogl.dll
2007-12-29 08:37 32 --sha-w C:\WINDOWS\{20B102E0-E565-42D0-895C-84EE9430DC4D}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\{26440D04-D04D-48BB-A471-CC8AF3386392}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\{311DCC95-A844-49CF-B918-4BC02D9EF2E3}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\{5C67A0B8-6C00-473D-99F0-31E687E1CFAD}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\{7F5434EA-AEE2-4D9E-A184-997666982582}.dat
2007-12-29 08:38 32 --sha-w C:\WINDOWS\{8E3FB993-ED7B-49FF-A5A7-77EBE0569885}.dat
2007-12-29 08:37 32 --sha-w C:\WINDOWS\{D70A6BA9-F075-43B5-A6B4-7C16DCD3F736}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\system32\{1951497B-2534-4325-87E1-EE14DDB07E1F}.dat
2007-12-29 08:37 32 --sha-w C:\WINDOWS\system32\{87DBE9CB-9866-46F9-BA5C-71268F55D7F7}.dat
2007-12-29 08:38 32 --sha-w C:\WINDOWS\system32\{AE9C1732-8149-4B01-989B-AFEA7AE78B48}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\system32\{CABB3FEE-57AC-416C-9F5E-4D040C4B57F3}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\system32\{E02D4FDD-4A10-42C8-85C9-C15C51B59CA1}.dat
2007-12-29 08:36 32 --sha-w C:\WINDOWS\system32\{E28D228B-E848-49AA-9958-D730406FAD42}.dat
2007-12-29 08:37 32 --sha-w C:\WINDOWS\system32\{FB8742DE-BEFA-4E82-9590-22B40B07A27D}.dat
.
------- Sigcheck -------
2002-09-29 00:00 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-04 00:14 359040 28f288e08a098df3c0eb6aa813bb41fd C:\WINDOWS\system32\drivers\tcpip.sys
2002-09-29 00:00 13312 0c4c012b0a8960f48a666c240a7baa3d C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 01:44 15360 cbfa30492d70ce3938d8a7783d0c0436 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-25_17.05.28.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 14:57:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-25 15:32:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-04-19 17:43 2101248]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"vidc.i420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm
"VIDC.ACDV"= ACDV.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Norton System Doctor.LNK]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Norton System Doctor.LNK
backup=C:\WINDOWS\pss\Norton System Doctor.LNKCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Przyspieszenie uruchomienia programu AutoCAD.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Przyspieszenie uruchomienia programu AutoCAD.lnk
backup=C:\WINDOWS\pss\Przyspieszenie uruchomienia programu AutoCAD.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Karol^Menu Start^Programy^Autostart^Registration Heroes of Might & Magic 5 - Tribes of the East.LNK]
path=C:\Documents and Settings\Karol\Menu Start\Programy\Autostart\Registration Heroes of Might & Magic 5 - Tribes of the East.LNK
backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5 - Tribes of the East.LNKStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Tomek^Menu Start^Programy^Autostart^Norton Disk Doctor.lnk]
path=C:\Documents and Settings\Tomek\Menu Start\Programy\Autostart\Norton Disk Doctor.lnk
backup=C:\WINDOWS\pss\Norton Disk Doctor.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 12:48 157592 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 08:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2005-12-05 02:39 461584 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 15:18 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 16:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2006-12-26 18:23 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-04-02 04:20 12288 C:\Program Files\Winamp\Winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
.
Contents of the 'Scheduled Tasks' folder
"2008-05-23 18:00:24 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\Norton\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\DANEAP~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-05-23 15:32:54 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton\OBC.exe
"2008-05-25 15:34:14 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 17:33:15
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-25 17:37:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-25 15:37:47
ComboFix2.txt 2008-05-25 15:07:05
ComboFix3.txt 2008-05-25 14:32:55
Pre-Run: 28,974,772,224 bajtów wolnych
Post-Run: 28,912,394,240 bajtów wolnych
262
I'm doing a restart
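The "Reg Loading Points" block in the log above lists Security Center and firewall values set to silence or disable protection; after a clean-up those are worth checking rather than eyeballing. The following is an added example for this thread (not ComboFix's own code and not from any poster): it parses ComboFix's REGEDIT4-style listing and flags such weakened settings; the sample block is constructed from the lines quoted in the log above.

```python
"""Flag weakened security settings in a ComboFix 'Reg Loading Points' block.
Added example for this thread; the SAMPLE_LOG text is constructed from the
registry lines quoted in the ComboFix log above."""
import re

# Constructed sample in the REGEDIT4-style layout ComboFix prints.
SAMPLE_LOG = """\
REGEDIT4
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Gadu-Gadu"="C:\\Program Files\\Gadu-Gadu\\gg.exe" [2007-04-19 17:43 2101248]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# (key suffix, value name, value that means protection is weakened)
TAMPER_SIGNATURES = [
    ("security center", "AntiVirusDisableNotify", 1),
    ("security center", "AntiVirusOverride", 1),
    ("security center", "FirewallDisableNotify", 1),
    ("monitoring\\symantecantivirus", "DisableMonitoring", 1),
    ("firewallpolicy\\standardprofile", "EnableFirewall", 0),
]

def _to_value(raw):
    """'dword:00000001' -> 1; '0 (0x0)' -> 0; anything else stays a string."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\b", raw)
    return int(m.group(1)) if m else raw

def parse_reg_points(text):
    """Return {lowercased key: {value name: parsed value}} from the listing."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            entries[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"\s*=\s*(.*)$', line)
            if m:
                entries[current][m.group(1)] = _to_value(m.group(2).strip())
    return entries

def find_tampering(text):
    """List (key, name, value) triples that match TAMPER_SIGNATURES."""
    hits = []
    for key, values in parse_reg_points(text).items():
        for suffix, name, bad in TAMPER_SIGNATURES:
            if key.endswith(suffix) and values.get(name) == bad:
                hits.append((key, name, bad))
    return hits

if __name__ == "__main__":
    for key, name, value in find_tampering(SAMPLE_LOG):
        print(f"weakened setting: [{key}] {name}={value}")
```

On the log above this reports four entries: both Security Center notification overrides, the Symantec monitoring switch and the disabled standard-profile firewall.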
#10
Posted 25 05 2008 - 17:37
ordynat
#11
Posted 25 05 2008 - 17:46
Any suggestions?
#12
Posted 25 05 2008 - 17:57
Is a path given there, by any chance?
ordynat
#13
Posted 25 05 2008 - 18:01
#14
Posted 25 05 2008 - 18:12
1) Use SmitfraudFix.
Post the Raport.txt it produces.
2) If it still doesn't go away, also post a log from SilentRunners.
ordynat
#15
Posted 25 05 2008 - 18:36
It didn't help at all
SmitFraudFix v2.322
Scan done at 18:39:30,37, 2008-05-25
Run from C:\Documents and Settings\Tomek\Pulpit\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» DNS
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning not selected.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Unfortunately I have to leave now, so I'll only run the second program tomorrow..