
[virus + logs] Error at startup. sass.exe


  • Topic closed
7 replies in this topic

#1 hellen

    Beginner

  • 10 posts

Posted 16 01 2008 - 13:10

When the computer starts I get an error saying it cannot find the file sass.exe in the folder c:/windows/config. I read somewhere that this shows up when there are errors in the registry entries. So I cleaned the registry (Auslogics Boostspeed), but the error still shows up...


#2 Sanko

    Tweaks.pl Helper

  • 430 posts

Posted 16 01 2008 - 13:14

You have a trojan called Troj/Funsta-A

Click to run a free scan for sass.exe related errors.

Here's a free scanner


#3 wncvirus

    Lazybones !

  • 851 posts

Posted 19 01 2008 - 01:51

Post the ComboFix logs

#4 hellen

    Beginner

  • 10 posts

Posted 19 01 2008 - 14:45

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
ADS - ntoskrnl.exe: deleted 68 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\pok\Dane aplikacji\addon.dat
C:\Program Files\Common Files\{944D3~1
C:\Program Files\Common Files\{944D3~1\services.dll
C:\Program Files\outlook
C:\WINNT\system32\drivers\rundll32.exe
C:\WINNT\system32\guard.tmp
C:\WINNT\system32\ping.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-19 13:45 . 00-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
2008-01-18 14:16 . 08-01-18 14:16 <DIR> d-------- C:\Program Files\Metropolis
2008-01-17 21:40 . 08-01-17 22:13 <DIR> d-------- C:\Program Files\NoAdware5.0
2008-01-16 14:05 . 08-01-16 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ESET
2008-01-16 13:38 . 08-01-16 13:38 <DIR> d-------- C:\Documents and Settings\pok\Dane aplikacji\Uniblue
2008-01-16 13:37 . 08-01-16 13:37 <DIR> d-------- C:\Program Files\Uniblue
2008-01-16 11:22 . 08-01-16 11:22 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-16 11:19 . 08-01-16 11:19 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-01-15 11:53 . 08-01-15 11:53 2,560 --a------ C:\WINNT\system32\bitcometres.dll
2008-01-15 11:52 . 08-01-15 12:15 <DIR> d-------- C:\Program Files\BitComet
2008-01-14 17:01 . 08-01-16 17:49 85 --a------ C:\WINNT\EmperorEdit.INI
2008-01-12 17:11 . 08-01-12 17:11 <DIR> d-------- C:\Program Files\Sierra

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 12:15 --------- d-----w C:\Documents and Settings\pok\Dane aplikacji\Skype
2008-01-19 10:13 --------- d---a-w C:\Program Files\Neostrada TP
2008-01-12 16:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2003-10-10 08:51 271 ---h--w C:\Program Files\desktop.ini
2003-10-10 08:51 22,039 ---h--w C:\Program Files\folder.htt
2003-07-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-07-29 14:24 472 --sha-r C:\WINNT\R0VDQiBVc2Vy\lXpGk21pwZpV.vbs
2003-07-08 12:00 327,298 --sh--r C:\WINNT\system32\vrghqr.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-07-08 13:00 20752 C:\WINNT\system32\internat.exe]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [06-07-06 18:02 19951144]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [07-05-10 15:36 2111176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-07-08 13:00 111888 C:\WINNT\system32\mobsync.exe]
"NGClient"="C:\Program Files\SYMANTEC\Ghost\ngctw32.exe" [01-12-01 10:01 651119]
"WinVNC"="C:\WINNT\system32\rc\winvnc.exe" [01-10-10 16:40 217088]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [03-10-16 17:07 24576]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [04-01-26 10:38 866816]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [03-10-16 17:07 20480]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [03-10-16 17:07 53248]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [06-06-21 18:14 35328]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-07-08 13:00 20752 C:\WINNT\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="" []

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2005-03-07 17:47:03]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-01-26 17:45:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{944D3D8A-0224-1045-0106-009809220030}"= "C:\Program Files\Common Files\{944D3D8A-0224-1045-0106-009809220030}\Update.exe" mc-110-12-0000140

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=secuload.dll

R1 ShldDrv;Panda File Shield Driver;C:\WINNT\system32\drivers\ShldDrv.sys [05-08-29 15:23 ]
R2 PavProc;Panda Process Protection Driver;C:\WINNT\system32\DRIVERS\PavProc.sys [06-04-25 18:02 ]
R3 cwbmidi_device;Sterownik Crystal WDM MPU-401 UART;C:\WINNT\system32\drivers\cwbmidi.sys [99-10-08 21:32 ]
R3 cwbwdm_device;Sterownik kodera-dekodera audio Crystal WDM;C:\WINNT\system32\drivers\cwbwdm.sys [99-11-02 06:10 ]
R3 EL90BC;Sterownik karty 3Com EtherLink XL B/C;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 20:22 ]
R3 NtApm;Sterownik interfejsu NT Apm/Legacy;C:\WINNT\system32\DRIVERS\NtApm.sys [00-03-08 23:24 ]
S0 GhPostConfig;Ghost Post-Configuration Driver;C:\WINNT\system32\drivers\ghpcw2k.sys [01-11-30 09:59 ]
S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;C:\WINNT\system32\drivers\ghpcw2k.sys [01-11-30 09:59 ]
S3 Di1610VM11;KONICA MINOLTA Di1610;C:\WINNT\system32\Drivers\Di1610.sys [01-08-17 21:53 ]
S3 RapDrv;RapDrv;C:\WINNT\system32\drivers\RapDrv.sys [02-06-14 14:23 ]
S3 RapFile;RapFile;C:\WINNT\system32\drivers\RapFile.sys [02-06-14 14:23 ]
S3 RapNet;RapNet;C:\WINNT\system32\drivers\RapNet.sys [02-06-14 14:24 ]
S3 vpntp;Nokia Virtual Adapter;C:\WINNT\system32\DRIVERS\vpntp.sys []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{036309A2-B046-F842-0406-040204020301}]
C:\DOCUME~1\pok\USTAWI~1\Temp\nya.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 14:00:59
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 14:09:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-19 13:09:27

#5 wncvirus

    Lazybones !

  • 851 posts

Posted 20 01 2008 - 21:00

Paste into Notepad:
File::
C:\WINNT\R0VDQiBVc2Vy\lXpGk21pwZpV.vbs
C:\WINNT\system32\vrghqr.exe
C:\DOCUME~1\pok\USTAWI~1\Temp\nya.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{036309A2-B046-F842-0406-040204020301}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{944D3D8A-0224-1045-0106-009809220030}"=-
>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto ComboFix.exe
– like in the picture attached here
Removal should start (and a log will be produced).
After the restart, delete the C:\Qoobox folder manually.

Post the log that is produced during the removal.
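As an added illustration (not code from this thread or from ComboFix), the Python below picks out of a ComboFix log the two kinds of entry the reply above acted on, Find3M files flagged system+hidden under C:\WINNT and Active Setup "Installed Components" stubs pointing into a Temp folder, and renders them in the File::/Registry:: CFScript layout used in that reply. The sample lines are copied from the log posted in this thread; the regexes, function names and the "hidden+system under WINNT" heuristic are my own assumptions about the log format, not ComboFix's rules.

```python
import re

# Constructed sample: lines in ComboFix log format, taken from the
# Find3M and Reg Loading Points sections of the log posted in this thread.
SAMPLE_LOG = """\
2003-07-08 12:00 32,528 ----a-w C:\\WINNT\\inf\\wbfirdma.sys
2005-07-29 14:24 472 --sha-r C:\\WINNT\\R0VDQiBVc2Vy\\lXpGk21pwZpV.vbs
2003-07-08 12:00 327,298 --sh--r C:\\WINNT\\system32\\vrghqr.exe
[HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\{036309A2-B046-F842-0406-040204020301}]
C:\\DOCUME~1\\pok\\USTAWI~1\\Temp\\nya.exe
"""

# Find3M line: date, time, size, 7-char attribute string, path (assumed layout).
FIND3M_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d [\d,]+ (\S{7}) (\S.*)$")
# Registry key header as printed under "Reg Loading Points".
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")


def suspicious_files(text):
    """Return Find3M paths whose attribute string carries both the system ('s')
    and hidden ('h') flags under the Windows directory: a common way for a
    dropped payload to stay out of ordinary directory listings."""
    hits = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line)
        if not m:
            continue
        attrs, path = m.groups()
        if "s" in attrs and "h" in attrs and path.upper().startswith("C:\\WINNT\\"):
            hits.append(path)
    return hits


def active_setup_temp(text):
    """Return (key, stub_path) pairs for Active Setup 'Installed Components'
    entries whose stub executable lives in a user Temp folder."""
    hits, current = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1) if "installed components" in m.group(1).lower() else None
        elif current and "\\TEMP\\" in line.upper():
            hits.append((current, line.strip()))
    return hits


def build_cfscript(files, keys):
    """Render a CFScript in the File::/Registry:: layout used in this thread;
    a leading '-' inside the brackets asks ComboFix to delete the whole key."""
    out = ["File::"] + list(files) + ["", "Registry::"] + [f"[-{k}]" for k in keys]
    return "\n".join(out) + "\n"
```

Running `build_cfscript(suspicious_files(SAMPLE_LOG), [k for k, _ in active_setup_temp(SAMPLE_LOG)])` reproduces the File:: and first Registry:: entries of the script in the reply above.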

#6 hellen

    Beginner

  • 10 posts

Posted 21 01 2008 - 13:13

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE
C:\DOCUME~1\pok\USTAWI~1\Temp\nya.exe
C:\WINNT\R0VDQiBVc2Vy\lXpGk21pwZpV.vbs
C:\WINNT\system32\vrghqr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\R0VDQiBVc2Vy\lXpGk21pwZpV.vbs
C:\WINNT\system32\vrghqr.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-21 12:06 . 08-01-21 12:21 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2a0.dat
2008-01-19 14:01 . 08-01-19 14:01 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_288.dat
2008-01-19 13:45 . 00-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
2008-01-18 14:16 . 08-01-18 14:16 <DIR> d-------- C:\Program Files\Metropolis
2008-01-17 21:40 . 08-01-17 22:13 <DIR> d-------- C:\Program Files\NoAdware5.0
2008-01-16 14:05 . 08-01-16 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ESET
2008-01-16 13:38 . 08-01-16 13:38 <DIR> d-------- C:\Documents and Settings\pok\Dane aplikacji\Uniblue
2008-01-16 13:37 . 08-01-16 13:37 <DIR> d-------- C:\Program Files\Uniblue
2008-01-16 11:22 . 08-01-16 11:22 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-16 11:19 . 08-01-16 11:19 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-01-15 11:53 . 08-01-15 11:53 2,560 --a------ C:\WINNT\system32\bitcometres.dll
2008-01-15 11:52 . 08-01-15 12:15 <DIR> d-------- C:\Program Files\BitComet
2008-01-14 17:01 . 08-01-16 17:49 85 --a------ C:\WINNT\EmperorEdit.INI
2008-01-12 17:11 . 08-01-12 17:11 <DIR> d-------- C:\Program Files\Sierra

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 11:19 --------- d---a-w C:\Program Files\Neostrada TP
2008-01-21 11:08 --------- d-----w C:\Documents and Settings\pok\Dane aplikacji\Skype
2008-01-12 16:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2003-10-10 08:51 271 ---h--w C:\Program Files\desktop.ini
2003-10-10 08:51 22,039 ---h--w C:\Program Files\folder.htt
2003-07-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((( snapshot@So 2008-01-19_14.08.54.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-19 12:47:24 1,511,424 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000001\ntuser.dat
+ 2008-01-21 11:20:42 1,511,424 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000001\ntuser.dat
- 2008-01-19 12:47:24 12,288 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-21 11:20:42 12,288 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-07-08 13:00 20752 C:\WINNT\system32\internat.exe]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [06-07-06 18:02 19951144]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [07-05-10 15:36 2111176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-07-08 13:00 111888 C:\WINNT\system32\mobsync.exe]
"NGClient"="C:\Program Files\SYMANTEC\Ghost\ngctw32.exe" [01-12-01 10:01 651119]
"WinVNC"="C:\WINNT\system32\rc\winvnc.exe" [01-10-10 16:40 217088]
"WooCnxMon"="C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [03-10-16 17:07 24576]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [04-01-26 10:38 866816]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [03-10-16 17:07 20480]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [03-10-16 17:07 53248]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [06-06-21 18:14 35328]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-07-08 13:00 20752 C:\WINNT\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="" []

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2005-03-07 17:47:03]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-01-26 17:45:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{944D3D8A-0224-1045-0106-009809220030}"= "C:\Program Files\Common Files\{944D3D8A-0224-1045-0106-009809220030}\Update.exe" mc-110-12-0000140

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=secuload.dll

R3 cwbmidi_device;Sterownik Crystal WDM MPU-401 UART;C:\WINNT\system32\drivers\cwbmidi.sys [99-10-08 21:32 ]
R3 cwbwdm_device;Sterownik kodera-dekodera audio Crystal WDM;C:\WINNT\system32\drivers\cwbwdm.sys [99-11-02 06:10 ]
R3 EL90BC;Sterownik karty 3Com EtherLink XL B/C;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 20:22 ]
S0 GhPostConfig;Ghost Post-Configuration Driver;C:\WINNT\system32\drivers\ghpcw2k.sys [01-11-30 09:59 ]
S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;C:\WINNT\system32\drivers\ghpcw2k.sys [01-11-30 09:59 ]
S3 Di1610VM11;KONICA MINOLTA Di1610;C:\WINNT\system32\Drivers\Di1610.sys [01-08-17 21:53 ]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{036309A2-B046-F842-0406-040204020301}]
C:\DOCUME~1\pok\USTAWI~1\Temp\nya.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 12:30:16
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-21 12:36:02
ComboFix-quarantined-files.txt 2008-01-21 11:36:00
ComboFix2.txt 2008-01-19 13:09:30

#7 Gość_chranchips_*

Posted 21 01 2008 - 15:36

I see 3 options!
1) Copy everything you need onto a flash drive and do a format
2) Install Avast Antivirus and scan the config ;>
3) Restore the system

#8 wncvirus

    Lazybones !

  • 851 posts

Posted 21 01 2008 - 20:05

I disagree with the previous poster! When I get home I'll take a look at the log and everything will be clear.
