ComboFix 09-01-20.05 - Jacek 2009-01-21 14:44:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.502.216 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Jacek\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1229 [VPS 081224-0] *On-access scanning disabled* (Outdated)
AV: AVG Internet Security *On-access scanning disabled* (Outdated)
FW: AVG Firewall *disabled*
 * Utworzono nowy punkt przywracania
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\iq.bat
c:\windows\system32\_000000_.tmp.dll
c:\windows\system32\_000002_.tmp.dll
c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000004_.tmp.dll
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\ciuytr0.dll
c:\windows\system32\kav320.dll
c:\windows\system32\vamsoft.exe
C:\x2tpc.cmd
.

((((((((((((((((((((((((( Pliki utworzone od 2008-12-21 do 2009-01-21 )))))))))))))))))))))))))))))))
.

2009-01-16 17:34 . 2009-01-16 17:33    106,047  -r-hs----  C:\982um3s9.exe
2009-01-16 17:33 . 2009-01-16 17:33    106,047  -r-hs----  c:\windows\system32\urretnd.exe
2009-01-16 17:33 . 2009-01-21 14:47     89,600  -r-hs----  c:\windows\system32\optyhww0.dll
2009-01-16 16:53 . 2009-01-16 16:53    110,003  -r-hs----  C:\x2csvg.exe
2009-01-13 23:20 . 2009-01-14 00:34     95,744  -r-hs----  c:\windows\system32\nmdfgds3.dll
2009-01-13 23:12 . 2009-01-13 23:45     95,744  ---------  c:\windows\system32\nmdfgds2.dll
2009-01-13 23:04 . 2009-01-16 16:53     95,744  -r-hs----  c:\windows\system32\nmdfgds1.dll
2009-01-13 22:55 . 2009-01-16 16:53    110,003  -r-hs----  c:\windows\system32\olhrwef.exe
2009-01-13 22:55 . 2009-01-21 14:47     95,744  -r-hs----  c:\windows\system32\nmdfgds0.dll
2009-01-12 20:48 . 2009-01-20 10:54     90,112  -r-hs----  c:\windows\system32\ciuytr1.dll
2009-01-12 20:47 . 2004-08-04 13:00     70,144  --a------  c:\windows\AhnRpta.exe
2009-01-07 11:19 . 2009-01-07 11:19      <DIR>  d--------  c:\program files\QPrinter
2009-01-07 11:19 . 2009-01-07 11:19      <DIR>  d--------  c:\documents and settings\Jacek\Dane aplikacji\QPrinter
2008-12-31 21:34 . 2008-12-31 21:34      <DIR>  d--------  c:\program files\Native Instruments
2008-12-31 19:41 . 2009-01-01 01:10      <DIR>  d--------  C:\mlody
2008-12-29 09:44 . 2008-12-25 05:11    117,461  -r-hs----  C:\e8kj.exe
.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 11:57    333,184  ----a-w  c:\windows\system32\drivers\srv.sys
2008-12-02 20:55  ---------  d-----w  c:\documents and settings\Jacek\Dane aplikacji\iPlus
2008-12-02 20:21  ---------  d-----w  c:\program files\WinPcap
2008-11-26 19:13     23,112  ----a-w  c:\documents and settings\Jacek\Dane aplikacji\GDIPFONTCACHEV1.DAT
2008-10-27 12:05     81,920  ----a-w  c:\documents and settings\Jacek\Dane aplikacji\ezpinst.exe
2008-10-27 12:05     47,360  ----a-w  c:\documents and settings\Jacek\Dane aplikacji\pcouffin.sys
2008-09-27 18:00     67,696  ----a-w  c:\program files\mozilla firefox\components\jar50.dll
2008-09-27 18:00     54,376  ----a-w  c:\program files\mozilla firefox\components\jsd3250.dll
2008-09-27 18:00     34,952  ----a-w  c:\program files\mozilla firefox\components\myspell.dll
2008-09-27 18:00     46,720  ----a-w  c:\program files\mozilla firefox\components\spellchk.dll
2008-09-27 18:00    172,144  ----a-w  c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
"cdoosoft"="c:\windows\system32\olhrwef.exe" [2009-01-16 110003]
"cbvcs"="c:\windows\system32\urretnd.exe" [2009-01-16 106047]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-03-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-03-22 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 688218]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SmartDefrag"="c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2007-06-06 4067792]
"Skrót do strony właściwości High Definition Audio"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SMSERIAL"="sm56hlpr.exe" [2005-04-26 c:\windows\sm56hlpr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk - c:\program files\SAGEM WiFi manager\WLANUTL.exe [2008-03-06 950272]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{BB4C402F-882A-4526-8C08-51278EA437C1}"= "c:\windows\system32\afmain0.dll" [2007-06-13 78848]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-30 78416]
R3 SG762_XP;SAGEM 802.11g XG762 1211B Driver;c:\windows\system32\drivers\WlanBZXP.sys [2008-03-06 450560]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-10-30 20560]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [2008-03-25 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [2008-03-25 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [2008-03-25 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [2008-03-25 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [2008-03-25 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [2008-03-25 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [2008-03-25 97704]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\ZDCndis5.SYS --> c:\windows\system32\ZDCndis5.SYS [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04e031d0-e6cd-11dd-b78a-e8ad03ccc866}]
\Shell\AutoRun\command - E:\x2tpc.cmd
\Shell\open\Command - E:\x2tpc.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{708c0a44-4b28-11db-b4ae-000ae4b83648}]
\Shell\AutoRun\command - E:\982um3s9.exe
\Shell\open\Command - E:\982um3s9.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73a0adff-d77a-11dd-b775-c1293cf59f65}]
\Shell\AutoRun\command - E:\e8kj.exe
\Shell\explore\Command - E:\e8kj.exe
\Shell\open\Command - E:\e8kj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c62087c-7f5a-11dd-b6f3-bb02dbe6e466}]
\Shell\AutoRun\command - 32e2.com
\Shell\explore\Command - 32e2.com
\Shell\open\Command - 32e2.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d13c9f68-8d39-11db-b500-000ae4b83648}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7eb5be1-8c8f-11dd-b70b-0060b39c6ae2}]
\Shell\Auto\command - E:\fun.xls.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe
.
Zawartość folderu 'Zaplanowane zadania'

2008-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-PcSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
HKCU-Run-vamsoft - c:\windows\system32\vamsoft.exe

.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.onet.pl/
uInternet Settings,ProxyServer = 192.1680.1:8080
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {83088F4E-158C-4BC8-B766-5A6736CE0399} = 10.13.0.1,10.13.0.2
FF - ProfilePath - c:\documents and settings\Jacek\Dane aplikacji\Mozilla\Firefox\Profiles\zs32l3zt.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-21 14:47:50
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\AhnRpta.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Czas ukończenia: 2009-01-21 14:49:56 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-01-21 13:49:53

Przed: 16 901 066 752 bajtów wolnych
Po: 17,642,778,624 bajtów wolnych

175 --- E O F --- 2009-01-14 05:58:51
[virus] Cleaning up after a virus in Autorun.inf
#1
Posted 21 01 2009 - 15:51
#2
Posted 21 01 2009 - 16:10
File::
C:\982um3s9.exe
c:\windows\system32\urretnd.exe
c:\windows\system32\optyhww0.dll
C:\x2csvg.exe
c:\windows\system32\nmdfgds3.dll
c:\windows\system32\nmdfgds2.dll
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\olhrwef.exe
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\ciuytr1.dll
c:\windows\AhnRpta.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft"=-
"cbvcs"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04e031d0-e6cd-11dd-b78a-e8ad03ccc866}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{708c0a44-4b28-11db-b4ae-000ae4b83648}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73a0adff-d77a-11dd-b775-c1293cf59f65}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c62087c-7f5a-11dd-b6f3-bb02dbe6e466}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d13c9f68-8d39-11db-b500-000ae4b83648}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7eb5be1-8c8f-11dd-b70b-0060b39c6ae2}]
Save the file as CFScript.txt
Drag and drop it onto the ComboFix icon.
After the operation, post the logs from HijackThis and ComboFix.
#3
Posted 21 01 2009 - 20:37
File::
C:\982um3s9.exe
c:\windows\system32\urretnd.exe
c:\windows\system32\optyhww0.dll
C:\x2csvg.exe
c:\windows\system32\nmdfgds3.dll
c:\windows\system32\nmdfgds2.dll
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\olhrwef.exe
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\ciuytr1.dll
c:\windows\AhnRpta.exe
c:\windows\system32\afmain0.dll
c:\windows\system32\afmain1.dll
c:\windows\system32\afmain2.dll
C:\e8kj.exe

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{BB4C402F-882A-4526-8C08-51278EA437C1}"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft"=-
"cbvcs"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04e031d0-e6cd-11dd-b78a-e8ad03ccc866}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{708c0a44-4b28-11db-b4ae-000ae4b83648}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73a0adff-d77a-11dd-b775-c1293cf59f65}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c62087c-7f5a-11dd-b6f3-bb02dbe6e466}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d13c9f68-8d39-11db-b500-000ae4b83648}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7eb5be1-8c8f-11dd-b70b-0060b39c6ae2}]

Do the rest as @macsch15 described.
ordynat
#4
Posted 21 01 2009 - 21:13
ComboFix 09-01-20.05 - Jacek 2009-01-21 19:57:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.502.207 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Jacek\Pulpit\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\Jacek\Pulpit\CFScript.txt
AV: avast! antivirus 4.8.1229 [VPS 081224-0] *On-access scanning disabled* (Outdated)
AV: AVG Internet Security *On-access scanning disabled* (Outdated)
FW: AVG Firewall *disabled*
 * Utworzono nowy punkt przywracania
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA

FILE ::
C:\982um3s9.exe
C:\e8kj.exe
c:\windows\AhnRpta.exe
c:\windows\system32\afmain0.dll
c:\windows\system32\afmain1.dll
c:\windows\system32\afmain2.dll
c:\windows\system32\ciuytr1.dll
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\nmdfgds2.dll
c:\windows\system32\nmdfgds3.dll
c:\windows\system32\olhrwef.exe
c:\windows\system32\optyhww0.dll
c:\windows\system32\urretnd.exe
C:\x2csvg.exe
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\982um3s9.exe
C:\autorun.inf
C:\e8kj.exe
c:\windows\AhnRpta.exe
c:\windows\system32\afmain0.dll
c:\windows\system32\afmain1.dll
c:\windows\system32\afmain2.dll
c:\windows\system32\ciuytr1.dll
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\nmdfgds2.dll
c:\windows\system32\nmdfgds3.dll
c:\windows\system32\olhrwef.exe
c:\windows\system32\optyhww0.dll
c:\windows\system32\urretnd.exe
C:\x2csvg.exe
.

((((((((((((((((((((((((( Pliki utworzone od 2008-12-21 do 2009-01-21 )))))))))))))))))))))))))))))))
.

2009-01-21 14:59 . 2009-01-21 14:59    108,869  -r-hs----  C:\gy.exe
2009-01-07 11:19 . 2009-01-07 11:19      <DIR>  d--------  c:\program files\QPrinter
2009-01-07 11:19 . 2009-01-07 11:19      <DIR>  d--------  c:\documents and settings\Jacek\Dane aplikacji\QPrinter
2008-12-31 21:34 . 2008-12-31 21:34      <DIR>  d--------  c:\program files\Native Instruments
2008-12-31 19:41 . 2009-01-01 01:10      <DIR>  d--------  C:\mlody
.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 11:57    333,184  ----a-w  c:\windows\system32\drivers\srv.sys
2008-12-02 20:55  ---------  d-----w  c:\documents and settings\Jacek\Dane aplikacji\iPlus
2008-12-02 20:21  ---------  d-----w  c:\program files\WinPcap
2008-11-26 19:13     23,112  ----a-w  c:\documents and settings\Jacek\Dane aplikacji\GDIPFONTCACHEV1.DAT
2008-10-27 12:05     81,920  ----a-w  c:\documents and settings\Jacek\Dane aplikacji\ezpinst.exe
2008-10-27 12:05     47,360  ----a-w  c:\documents and settings\Jacek\Dane aplikacji\pcouffin.sys
2008-09-27 18:00     67,696  ----a-w  c:\program files\mozilla firefox\components\jar50.dll
2008-09-27 18:00     54,376  ----a-w  c:\program files\mozilla firefox\components\jsd3250.dll
2008-09-27 18:00     34,952  ----a-w  c:\program files\mozilla firefox\components\myspell.dll
2008-09-27 18:00     46,720  ----a-w  c:\program files\mozilla firefox\components\spellchk.dll
2008-09-27 18:00    172,144  ----a-w  c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-21_14.49.15.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-21 18:59:36     16,384  ----atw  c:\windows\Temp\Perflib_Perfdata_5fc.dat
.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-03-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-03-22 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 688218]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SmartDefrag"="c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2007-06-06 4067792]
"Skrót do strony właściwości High Definition Audio"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SMSERIAL"="sm56hlpr.exe" [2005-04-26 c:\windows\sm56hlpr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk - c:\program files\SAGEM WiFi manager\WLANUTL.exe [2008-03-06 950272]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-30 78416]
R3 SG762_XP;SAGEM 802.11g XG762 1211B Driver;c:\windows\system32\drivers\WlanBZXP.sys [2008-03-06 450560]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-10-30 20560]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [2008-03-25 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [2008-03-25 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [2008-03-25 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [2008-03-25 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [2008-03-25 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [2008-03-25 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [2008-03-25 97704]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\ZDCndis5.SYS --> c:\windows\system32\ZDCndis5.SYS [?]
.
Zawartość folderu 'Zaplanowane zadania'

2008-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe
HKCU-Run-cbvcs - c:\windows\system32\urretnd.exe

.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.onet.pl/
uInternet Settings,ProxyServer = 192.1680.1:8080
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {83088F4E-158C-4BC8-B766-5A6736CE0399} = 10.13.0.1,10.13.0.2
FF - ProfilePath - c:\documents and settings\Jacek\Dane aplikacji\Mozilla\Firefox\Profiles\zs32l3zt.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-21 19:59:59
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Czas ukończenia: 2009-01-21 20:02:01 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-01-21 19:01:58
ComboFix2.txt 2009-01-21 13:49:58

Przed: 17 790 464 000 bajtów wolnych
Po: 17,771,315,200 bajtów wolnych

165 --- E O F --- 2009-01-14 05:58:51
#5
Posted 21 01 2009 - 22:46
File::
C:\gy.exe
c:\windows\system32\afmain3.dll

>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto the ComboFix.exe file
– just like in this picture -->
The removal should start (and a log will be produced).
Post the log that is produced during the removal.
ordynat
#6
Posted 22 01 2009 - 12:43
ComboFix 09-01-20.05 - Jacek 2009-01-22 11:37:48.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.502.225 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Jacek\Pulpit\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\Jacek\Pulpit\CFScript.txt
AV: avast! antivirus 4.8.1229 [VPS 081224-0] *On-access scanning disabled* (Outdated)
AV: AVG Internet Security *On-access scanning disabled* (Outdated)
FW: AVG Firewall *disabled*
* Utworzono nowy punkt przywracania
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA

FILE ::
C:\gy.exe
c:\windows\system32\afmain3.dll
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\gy.exe
c:\windows\system32\afmain3.dll
.
((((((((((((((((((((((((( Pliki utworzone od 2008-12-22 do 2009-01-22 )))))))))))))))))))))))))))))))
.
2009-01-21 20:12 . 2009-01-21 20:12 <DIR> d-------- c:\program files\Trend Micro
2009-01-07 11:19 . 2009-01-07 11:19 <DIR> d-------- c:\program files\QPrinter
2009-01-07 11:19 . 2009-01-07 11:19 <DIR> d-------- c:\documents and settings\Jacek\Dane aplikacji\QPrinter
2008-12-31 21:34 . 2008-12-31 21:34 <DIR> d-------- c:\program files\Native Instruments
2008-12-31 19:41 . 2009-01-01 01:10 <DIR> d-------- C:\mlody
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 06:39 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\dllcache\srv.sys
2008-12-02 20:55 --------- d-----w c:\documents and settings\Jacek\Dane aplikacji\iPlus
2008-12-02 20:21 --------- d-----w c:\program files\WinPcap
2008-11-26 19:13 23,112 ----a-w c:\documents and settings\Jacek\Dane aplikacji\GDIPFONTCACHEV1.DAT
2008-11-07 17:32 2,109,440 ----a-w c:\windows\system32\dllcache\WMVCore.dll
2008-10-27 12:05 81,920 ----a-w c:\documents and settings\Jacek\Dane aplikacji\ezpinst.exe
2008-10-27 12:05 47,360 ----a-w c:\documents and settings\Jacek\Dane aplikacji\pcouffin.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\dllcache\gdi32.dll
2008-09-27 18:00 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-09-27 18:00 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-09-27 18:00 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-09-27 18:00 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-09-27 18:00 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-03-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-03-22 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 688218]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SmartDefrag"="c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2007-06-06 4067792]
"Skrót do strony właściwości High Definition Audio"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SMSERIAL"="sm56hlpr.exe" [2005-04-26 c:\windows\sm56hlpr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk - c:\program files\SAGEM WiFi manager\WLANUTL.exe [2008-03-06 950272]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-30 78416]
R3 SG762_XP;SAGEM 802.11g XG762 1211B Driver;c:\windows\system32\drivers\WlanBZXP.sys [2008-03-06 450560]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-10-30 20560]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [2008-03-25 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [2008-03-25 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [2008-03-25 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [2008-03-25 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [2008-03-25 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [2008-03-25 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [2008-03-25 97704]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\ZDCndis5.SYS --> c:\windows\system32\ZDCndis5.SYS [?]
.
Zawartość folderu 'Zaplanowane zadania'
2008-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.onet.pl/
uInternet Settings,ProxyServer = 192.1680.1:8080
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {83088F4E-158C-4BC8-B766-5A6736CE0399} = 10.13.0.1,10.13.0.2
FF - ProfilePath - c:\documents and settings\Jacek\Dane aplikacji\Mozilla\Firefox\Profiles\zs32l3zt.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 11:40:02
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
Czas ukończenia: 2009-01-22 11:42:13
ComboFix-quarantined-files.txt 2009-01-22 10:42:10
ComboFix2.txt 2009-01-21 19:02:03
Przed: 17 845 460 992 bajtów wolnych
Po: 17,830,883,328 bajtów wolnych
126 --- E O F --- 2009-01-14 05:58:51
What about the Hijackthis log?
#7
Posted 22 01 2009 - 13:39
> What about the Hijackthis log?

But you haven't posted any Hijack log so far (two ComboFix logs in one post, though). Anyway, I don't need the Hijack log, because what Hijack shows I can also read from the ComboFix log. ComboFix reports the same thing, just in a different form. It also reports this:
> ------- Skan uzupełniający -------
> .
> uStart Page = hxxp://www.onet.pl/
> uInternet Settings,ProxyServer = 192.1680.1:8080
> IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
> TCP: {83088F4E-158C-4BC8-B766-5A6736CE0399} = 10.13.0.1,10.13.0.2

That also corresponds to the Hijack log.
ComboFix log - clean.
1) Manually delete the folder C:\Qoobox.
2) Delete the copies of the malware from the "System Volume Information" folder by temporarily turning off "System Restore":
>START>Control Panel>System>System Restore>>tick the box next to "Turn off System Restore on all drives">Apply>OK.
Afterwards you can go back to the previous setting (i.e. untick the box).
3) Read through the lower part of this topic:
>http://www.searchengines.pl/Infekcje-z-pen...ych-t94761.html
ordynat