x-kom hosting

How do I remove Trojan-GameThief.Win32.OnLineGames.ttcr?

lukasz r
created

Kaspersky found the trojan named above and removed the threat; I rebooted, the trojan reappears, Kaspersky removes it, a moment later it reappears again, and so on. It detects and removes, but never for good. The notification about detecting the riskware "invader" keeps coming back.

[I couldn't find a trojan with this name anywhere on the net, so this might interest someone (?)]

PLEASE HELP

here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:44, on 2008-11-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\DeltaIITray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.i.com.ua/~video/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {1BE8EB40-5202-4A1B-834C-CCA961C406C2} - C:\WINDOWS\system32\hgGApnMe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9} - C:\WINDOWS\system32\iifeeFxy.dll (file missing)
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [DeltaIITaskbarApp] C:\WINDOWS\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Dodaj do blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: iifeeFxy - iifeeFxy.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6696 bytes

Guest
comment

Can you paste this log properly?

lukasz r
comment

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:44, on 2008-11-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\DeltaIITray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.i.com.ua/~video/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {1BE8EB40-5202-4A1B-834C-CCA961C406C2} - C:\WINDOWS\system32\hgGApnMe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9} - C:\WINDOWS\system32\iifeeFxy.dll (file missing)
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [DeltaIITaskbarApp] C:\WINDOWS\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Dodaj do blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: iifeeFxy - iifeeFxy.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6696 bytes

Guest
comment

O2 - BHO: (no name) - {AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9} - C:\WINDOWS\system32\iifeeFxy.dll (file missing)
O2 - BHO: (no name) - {1BE8EB40-5202-4A1B-834C-CCA961C406C2} - C:\WINDOWS\system32\hgGApnMe.dll (file missing)
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe
O20 - Winlogon Notify: iifeeFxy - iifeeFxy.dll (file missing)

Fix the entries listed above in HijackThis:

>>HijackThis>>Scan (Do a system scan only)>>tick them>>Fix checked.

Post a ComboFix log.
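The reply above picks four entries out of a ninety-line HijackThis log by hand. As an added example (my code, not part of this thread and not a HijackThis feature), the Python script below applies the same two triage rules to the O2/O4/O20 lines: a BHO or Winlogon Notify entry whose DLL is reported "(file missing)" is an orphaned or hidden component, and a per-user (HKCU) Run value that starts an executable straight out of system32 is unusual for installed software. The sample lines are copied from the log posted above; the allowlist of system32 executables that may legitimately run from a user hive is a constructed placeholder, not a vetted baseline.

```python
"""Triage O2/O4/O20 entries of a HijackThis log and list the lines to fix.
Added example for this thread; the heuristics are assumptions, not HijackThis logic."""
import re
from dataclasses import dataclass

# Sample input: a subset of the O2/O4/O20 lines from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1BE8EB40-5202-4A1B-834C-CCA961C406C2} - C:\WINDOWS\system32\hgGApnMe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9} - C:\WINDOWS\system32\iifeeFxy.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: iifeeFxy - iifeeFxy.dll (file missing)
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# First path-like token ending in an executable extension (unquoted command lines).
PATH_RE = re.compile(r"^(.*?\.(?:exe|com|scr|dll))\b", re.IGNORECASE)

# Constructed placeholder: system32 executables a user-hive Run value may legitimately start.
SYSTEM32_ALLOWLIST = {"ctfmon.exe"}


@dataclass
class Finding:
    line: str      # the HijackThis line exactly as logged (what you tick to fix)
    reason: str    # why it was flagged


def run_target(cmd: str) -> str:
    """Extract the executable from a Run value: drop HijackThis' "(User '...')"
    suffix, honour quoting, otherwise take the first executable-looking token."""
    cmd = re.sub(r"\s+\(User '[^']*'\)$", "", cmd).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = PATH_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Rule 1: registered component whose file is gone.
        if "(file missing)" in line and line.startswith(("O2 ", "O20 ")):
            findings.append(Finding(line, "entry points at a DLL that no longer exists: "
                                          "leftover of a removed or hidden component"))
            continue
        # Rule 2: per-user autostart of an executable placed directly in system32.
        m = O4_RE.match(line)
        if m and m.group("hive") == "HKCU":
            target = run_target(m.group("cmd")).lower()
            basename = target.rsplit("\\", 1)[-1]
            if target.startswith("c:\\windows\\system32\\") and basename not in SYSTEM32_ALLOWLIST:
                findings.append(Finding(line, "HKCU Run value starts an executable straight from "
                                              "system32; installed software normally lives under Program Files"))
    return findings


def fix_list(log_text: str) -> list[str]:
    """Lines to tick under 'Fix checked' in HijackThis."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line}\n    -> {f.reason}")
```

Run against the sample, the script returns exactly the four lines the reply lists. Both rules produce candidates for a human to review, not verdicts: an orphaned BHO can also be left behind by a sloppy uninstaller, so the fix is removing the dangling entry, not a judgement about the DLL itself.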

lukasz r
comment

I deleted the listed entries; here is the ComboFix log:

ComboFix 08-11-16.05 - gi & luk 2008-11-17 12:23:41.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.1619 [GMT 1:00]
Uruchomiony z: c:\documents and settings\gi & luk\Pulpit\ComboFix.exe
 * Utworzono nowy punkt przywracania
 * Resident AV is active.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\BMcfef56aa.txt
c:\windows\BMcfef56aa.xml
c:\windows\pskt.ini
c:\windows\system32\bkshkulm.ini
c:\windows\system32\eMnpAGgh.ini
c:\windows\system32\eMnpAGgh.ini2
c:\windows\system32\ibuqctut.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\pivqdvny.ini
c:\windows\system32\vcohqqxu.ini
c:\windows\system32\vcohqqxu.ini2
c:\windows\system32\vcohqqxu.tmp
.
(((((((((((((((((((((((((   Pliki utworzone od 2008-10-17 do 2008-11-17  )))))))))))))))))))))))))))))))
.
2008-11-17 11:24 . 2008-11-17 11:24	<DIR>	d--------	c:\program files\Trend Micro
2008-11-17 11:06 . 2008-11-17 11:37	<DIR>	d-a------	c:\documents and settings\All Users\Dane aplikacji\TEMP
2008-11-17 10:05 . 2001-08-17 21:52	18,688	--a--c---	c:\windows\system32\dllcache\cdaudio.sys
2008-11-16 22:03 . 2008-11-16 22:02	106,363	-r-hs----	C:\0w.com
2008-11-16 22:02 . 2008-11-16 22:02	106,363	-r-hs----	c:\windows\system32\kamsoft.exe
2008-11-16 22:02 . 2008-11-17 11:59	85,504	-r-hs----	c:\windows\system32\gasretyw0.dll
2008-11-16 19:42 . 2008-11-16 19:42	227	--a------	c:\windows\HP_CounterReport_Update_HPSU.ini
2008-11-16 19:42 . 2008-11-16 19:42	214	--a------	c:\windows\HP_48BitScanUpdatePatch.ini
2008-11-16 19:41 . 2008-11-16 19:41	<DIR>	d--------	c:\documents and settings\All Users\Dane aplikacji\HP Product Assistant
2008-11-16 19:35 . 2008-11-16 19:35	221	--a------	c:\windows\HP_RedboxHprblog_HPSU.ini
2008-11-16 19:22 . 2008-11-16 20:26	<DIR>	d--------	c:\documents and settings\gi & luk\Dane aplikacji\Image Zone Express
2008-11-16 19:21 . 2008-11-16 19:21	<DIR>	d---s----	c:\documents and settings\gi & luk\UserData
2008-11-16 19:11 . 2008-11-16 19:11	<DIR>	d--------	c:\program files\Common Files\HP
2008-11-16 19:11 . 2008-11-16 19:11	<DIR>	d--------	c:\documents and settings\All Users\Dane aplikacji\HP
2008-11-16 19:08 . 2008-11-16 19:08	<DIR>	d--------	c:\program files\Common Files\Hewlett-Packard
2008-11-16 19:07 . 2005-03-08 05:43	51,120	-ra------	c:\windows\system32\drivers\HPZid412.sys
2008-11-16 19:07 . 2005-03-08 05:43	21,744	-ra------	c:\windows\system32\drivers\HPZius12.sys
2008-11-16 19:07 . 2005-03-08 05:43	16,496	-ra------	c:\windows\system32\drivers\HPZipr12.sys
2008-11-16 19:06 . 2004-08-03 22:58	15,104	--a------	c:\windows\system32\drivers\usbscan.sys
2008-11-16 19:06 . 2004-08-03 22:58	15,104	--a--c---	c:\windows\system32\dllcache\usbscan.sys
2008-11-16 19:05 . 2004-09-29 12:12	278,584	--a------	c:\windows\system32\HPZidr12.dll
2008-11-16 19:05 . 2004-09-29 12:15	204,800	--a------	c:\windows\system32\HPZipr12.dll
2008-11-16 19:05 . 2004-09-29 12:09	94,208	--a------	c:\windows\system32\HPZipt12.dll
2008-11-16 19:05 . 2007-08-09 08:27	73,728	--a------	c:\windows\system32\HPZipm12.exe
2008-11-16 19:05 . 2004-09-29 12:08	61,440	--a------	c:\windows\system32\HPZinw12.exe
2008-11-16 19:05 . 2004-09-29 12:09	57,344	--a------	c:\windows\system32\HPZisn12.dll
2008-11-16 19:01 . 2008-11-16 19:44	<DIR>	d--------	c:\program files\HP
2008-11-16 18:59 . 2008-11-16 19:19	<DIR>	d--------	c:\documents and settings\gi & luk\Dane aplikacji\HP
2008-11-16 18:59 . 2008-11-16 19:11	113,574	--a------	c:\windows\hpoins07.dat
2008-11-16 18:59 . 2005-05-24 09:22	21,124	---------	c:\windows\hpomdl07.dat
2008-11-16 18:58 . 2004-08-03 23:08	31,616	--a------	c:\windows\system32\drivers\usbccgp.sys
2008-11-16 18:58 . 2004-08-03 23:08	31,616	--a--c---	c:\windows\system32\dllcache\usbccgp.sys
2008-11-16 18:58 . 2004-08-03 23:01	25,856	--a------	c:\windows\system32\drivers\usbprint.sys
2008-11-16 18:58 . 2004-08-03 23:01	25,856	--a--c---	c:\windows\system32\dllcache\usbprint.sys
2008-11-05 14:31 . 2008-11-16 20:54	69	--a------	c:\windows\NeroDigital.ini
2008-11-05 14:19 . 2005-07-12 18:06	2,973,696	---------	c:\windows\UNNeroVision.exe
2008-11-05 14:19 . 2005-09-16 13:10	154,568	---------	c:\windows\UNNeroVision.cfg
2008-11-05 14:19 . 2001-03-08 19:30	24,064	---------	c:\windows\system32\msxml3a.dll
2008-11-05 14:18 . 2008-11-05 14:18	<DIR>	d--------	c:\program files\Common Files\Nero
2008-11-05 14:18 . 2008-11-05 14:18	<DIR>	d--------	c:\documents and settings\All Users\Dane aplikacji\Ahead
2008-11-05 14:18 . 2004-07-09 09:43	364,544	---------	c:\windows\system32\TwnLib4.dll
2008-11-05 14:18 . 2001-06-26 08:15	38,912	---------	c:\windows\system32\picn20.dll
2008-11-05 14:14 . 2008-11-05 14:14	<DIR>	d--------	c:\program files\Common Files\Ahead
2008-11-05 14:14 . 2008-11-05 14:18	<DIR>	d--------	c:\program files\Ahead
2008-11-05 14:14 . 2004-07-26 17:16	1,568,768	---------	c:\windows\system32\ImagX7.dll
2008-11-05 14:14 . 2004-07-26 17:16	476,320	---------	c:\windows\system32\ImagXpr7.dll
2008-11-05 14:14 . 2004-07-26 17:16	471,040	---------	c:\windows\system32\ImagXRA7.dll
2008-11-05 14:14 . 2004-07-26 17:16	262,144	---------	c:\windows\system32\ImagXR7.dll
2008-11-05 14:14 . 2001-07-09 11:50	155,648	--a------	c:\windows\system32\NeroCheck.exe
2008-11-05 14:14 . 2000-06-26 11:45	106,496	---------	c:\windows\system32\TwnLib20.dll
2008-10-28 12:12 . 2008-10-28 12:12	<DIR>	d--------	c:\program files\PXL Designs
2008-10-28 12:06 . 2008-10-28 12:06	<DIR>	d--------	c:\program files\Common Files\Adobe AIR
2008-10-25 16:02 . 2004-08-03 23:44	221,184	--a------	c:\windows\system32\wmpns.dll
.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-17 11:47	13,599,520	--sha-w	c:\windows\system32\drivers\fidbox.dat
2008-11-17 11:45	292,640	--sha-w	c:\windows\system32\drivers\fidbox2.dat
2008-11-17 11:42	31,496	--sha-w	c:\windows\system32\drivers\fidbox2.idx
2008-11-17 11:42	189,236	--sha-w	c:\windows\system32\drivers\fidbox.idx
2008-11-17 10:59	---------	d-----w	c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab
2008-11-17 00:47	---------	d-----w	c:\documents and settings\gi & luk\Dane aplikacji\uTorrent
2008-11-16 18:33	139,264	----a-w	c:\windows\system32\hpzjrd01.dll
2008-11-10 09:08	---------	d-----w	c:\program files\Java
2008-11-10 08:56	---------	d--h--w	c:\program files\InstallShield Installation Information
2008-11-08 17:31	---------	d-----w	c:\program files\eMule
2008-11-04 14:49	---------	d-----w	c:\program files\Soulseek
2006-06-23 06:48	32,768	----a-r	c:\windows\inf\UpdateUSB.exe
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2007-07-09 2119104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"Gainward"="c:\program files\VDOTool\TBPanel.exe" [2007-06-26 2165272]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-23 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-23 81920]
"M-Audio Taskbar Icon"="c:\windows\System32\DeltaIITray.exe" [2007-12-03 236040]
"DeltaIITaskbarApp"="c:\windows\system32\DeltaIITray.exe" [2007-12-03 236040]
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"nwiz"="nwiz.exe" [2007-07-23 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-05-15 118784]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"vidc.MJPG"= pvmjpg21.dll
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\All Users\\Dane aplikacji\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\DRIVERS\deltaII.sys [2008-05-20 297992]
S3 AVPsys;AVPsys;\??\c:\windows\system32\drivers\cdaudio.sys []
S3 VNUSB;VN Series Device;c:\windows\system32\DRIVERS\VNUSB.sys [2008-05-15 38496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1a66d86-266a-11dd-8988-001404381bcc}]
\Shell\AutoRun\command - H:\ph.com
\Shell\explore\Command - H:\ph.com
\Shell\open\Command - H:\ph.com
.
Zawartość folderu 'Zaplanowane zadania'
2008-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
2008-11-11 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
2008-05-15 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
.
------- Skan uzupełniający -------
.
FireFox -: Profile - c:\documents and settings\gi & luk\Dane aplikacji\Mozilla\Firefox\Profiles\kxxikjt1.default\
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF -: plugin - c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF -: plugin - c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF -: plugin - c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF -: plugin - c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-17 12:45:43
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

**************************************************************************
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Czas ukończenia: 2008-11-17 12:57:28 - komputer został uruchomiony ponownie [gi & luk]
ComboFix-quarantined-files.txt  2008-11-17 11:56:24

Przed: 13 182 742 528 bajtów wolnych
Po: 13,105,131,520 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

210

Guest
comment

1)

Disinfect the USB stick or memory card:

Perlovga Removal Tool

Flash Disinfector

or format it.

2)

Paste into Notepad:

File::
C:\*0w.com
c:\windows\system32\kamsoft.exe
c:\windows\system32\gasretyw0.dll
C:\ph.com
H:\ph.com
C:\WINDOWS\system32\iifeeFxy.dll
C:\WINDOWS\system32\hgGApnMe.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1a66d86-266a-11dd-8988-001404381bcc}]

Note! After pasting into Notepad, remove the asterisk * from the text!

>>File>>Save as... >>> CFScript

Drag and drop the CFScript.txt file onto ComboFix.exe


The removal should start (and a log will be produced). Post the log that is produced during the removal.

If it goes well, then: after the restart, manually delete the folder C:\Qoobox.
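The MountPoints2 block in the ComboFix log above is the trace of a removable drive whose AutoRun, open and explore verbs were all redirected to a file in the drive's root, which is why the reply tells the user to disinfect the USB stick first and then deletes the key with a `[-key]` line under `Registry::`. As an added example (my code, not part of this thread and not a ComboFix feature), the Python below parses that block, flags shell verbs that launch an executable from a drive root, and renders the same `File::`/`Registry::` CFScript the reply wrote by hand. The executable-extension list and the "same file name on C:\" step are my assumptions, taken from the reply listing both `C:\ph.com` and `H:\ph.com`.

```python
"""Turn a ComboFix MountPoints2 block into a CFScript (File::/Registry::).
Added example for this thread; the detection rule is an assumption."""
import re

# Constructed excerpt: the MountPoints2 block and the line after it,
# copied from the ComboFix log posted earlier in this thread.
SAMPLE_SECTION = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1a66d86-266a-11dd-8988-001404381bcc}]
\Shell\AutoRun\command - H:\ph.com
\Shell\explore\Command - H:\ph.com
\Shell\open\Command - H:\ph.com
.
Zawartość folderu 'Zaplanowane zadania'
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.I)
# Extensions a shell verb will execute directly (assumption, not from the page).
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def parse_mountpoints2(text: str) -> dict[str, list[tuple[str, str]]]:
    """Return {registry key: [(verb, command), ...]} for each MountPoints2 block."""
    result: dict[str, list[tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            result[current] = []
            continue
        m = VERB_RE.match(line)
        if m and current:
            result[current].append((m.group("verb"), m.group("cmd")))
        elif current and not line.startswith("\\"):
            current = None  # the block ended (ComboFix prints "." between sections)
    return result


def suspicious_autoruns(text: str) -> list[tuple[str, str, str]]:
    """(key, verb, command) for verbs that run an executable sitting in a drive root."""
    hits = []
    for key, verbs in parse_mountpoints2(text).items():
        for verb, cmd in verbs:
            c = cmd.strip().lower()
            # exactly "<drive>:\<name>" with no sub-directory, and an executable extension
            if re.fullmatch(r"[a-z]:\\[^\\]+", c) and c.endswith(EXEC_EXT):
                hits.append((key, verb, cmd))
    return hits


def build_cfscript(files: list[str], registry_keys: list[str]) -> str:
    """Render CFScript text: paths under File::, keys to delete as [-key] under Registry::."""
    lines: list[str] = []
    if files:
        lines.append("File::")
        lines.extend(dict.fromkeys(files))            # de-duplicate, keep order
        lines.append("")
    if registry_keys:
        lines.append("Registry::")
        lines.extend(f"[-{k}]" for k in dict.fromkeys(registry_keys))
        lines.append("")
    return "\n".join(lines)


def cfscript_for(text: str, also_on: tuple[str, ...] = ("C:",)) -> str:
    """CFScript removing every flagged file (plus its twin on the drives in
    `also_on`, since the thread's reply lists both C:\\ph.com and H:\\ph.com)
    and deleting the MountPoints2 key that referenced it."""
    hits = suspicious_autoruns(text)
    files: list[str] = []
    for _, _, cmd in hits:
        files.append(cmd)
        files.extend(drive + cmd[2:] for drive in also_on)
    keys = [key for key, _, _ in hits]
    return build_cfscript(files, keys)


if __name__ == "__main__":
    print(cfscript_for(SAMPLE_SECTION))
```

The key is deleted rather than edited because MountPoints2 entries are per-volume cache data that Explorer recreates on the next insertion; once the autorun file on the stick is gone, a fresh entry holds nothing harmful. The asterisk trick in the reply above is only there to stop the forum software from mangling the file name, so a generated script should not include it.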

lukasz r
comment

I deleted the folder; here is the log:

ComboFix 08-11-16.05 - gi & luk 2008-11-17 13:59:11.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.1515 [GMT 1:00]
Uruchomiony z: c:\documents and settings\gi & luk\Pulpit\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\gi & luk\Pulpit\CFScript.txt
 * Utworzono nowy punkt przywracania
 * Resident AV is active

FILE ::
C:\0w.com
C:\ph.com
c:\windows\system32\gasretyw0.dll
c:\windows\system32\hgGApnMe.dll
c:\windows\system32\iifeeFxy.dll
c:\windows\system32\kamsoft.exe
H:\ph.com
.
(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\0w.com
c:\windows\system32\gasretyw0.dll
c:\windows\system32\kamsoft.exe
.
(((((((((((((((((((((((((   Pliki utworzone od 2008-10-17 do 2008-11-17  )))))))))))))))))))))))))))))))
.
2008-11-17 11:24 . 2008-11-17 11:24	<DIR>	d--------	c:\program files\Trend Micro
2008-11-17 11:06 . 2008-11-17 11:37	<DIR>	d-a------	c:\documents and settings\All Users\Dane aplikacji\TEMP
2008-11-17 10:05 . 2001-08-17 21:52	18,688	--a--c---	c:\windows\system32\dllcache\cdaudio.sys
2008-11-16 19:42 . 2008-11-16 19:42	227	--a------	c:\windows\HP_CounterReport_Update_HPSU.ini
2008-11-16 19:42 . 2008-11-16 19:42	214	--a------	c:\windows\HP_48BitScanUpdatePatch.ini
2008-11-16 19:41 . 2008-11-16 19:41	<DIR>	d--------	c:\documents and settings\All Users\Dane aplikacji\HP Product Assistant
2008-11-16 19:35 . 2008-11-16 19:35	221	--a------	c:\windows\HP_RedboxHprblog_HPSU.ini
2008-11-16 19:22 . 2008-11-16 20:26	<DIR>	d--------	c:\documents and settings\gi & luk\Dane aplikacji\Image Zone Express
2008-11-16 19:11 . 2008-11-16 19:11	<DIR>	d--------	c:\program files\Common Files\HP
2008-11-16 19:11 . 2008-11-16 19:11	<DIR>	d--------	c:\documents and settings\All Users\Dane aplikacji\HP
2008-11-16 19:08 . 2008-11-16 19:08	<DIR>	d--------	c:\program files\Common Files\Hewlett-Packard
2008-11-16 19:07 . 2005-03-08 05:43	51,120	-ra------	c:\windows\system32\drivers\HPZid412.sys
2008-11-16 19:07 . 2005-03-08 05:43	21,744	-ra------	c:\windows\system32\drivers\HPZius12.sys
2008-11-16 19:07 . 2005-03-08 05:43	16,496	-ra------	c:\windows\system32\drivers\HPZipr12.sys
2008-11-16 19:06 . 2004-08-03 22:58	15,104	--a------	c:\windows\system32\drivers\usbscan.sys
2008-11-16 19:06 . 2004-08-03 22:58	15,104	--a--c---	c:\windows\system32\dllcache\usbscan.sys
2008-11-16 19:05 . 2004-09-29 12:12	278,584	--a------	c:\windows\system32\HPZidr12.dll
2008-11-16 19:05 . 2004-09-29 12:15	204,800	--a------	c:\windows\system32\HPZipr12.dll
2008-11-16 19:05 . 2004-09-29 12:09	94,208	--a------	c:\windows\system32\HPZipt12.dll
2008-11-16 19:05 . 2007-08-09 08:27	73,728	--a------	c:\windows\system32\HPZipm12.exe
2008-11-16 19:05 . 2004-09-29 12:08	61,440	--a------	c:\windows\system32\HPZinw12.exe
2008-11-16 19:05 . 2004-09-29 12:09	57,344	--a------	c:\windows\system32\HPZisn12.dll
2008-11-16 19:01 . 2008-11-16 19:44	<DIR>	d--------	c:\program files\HP
2008-11-16 18:59 . 2008-11-16 19:19	<DIR>	d--------	c:\documents and settings\gi & luk\Dane aplikacji\HP
2008-11-16 18:59 . 2008-11-16 19:11	113,574	--a------	c:\windows\hpoins07.dat
2008-11-16 18:59 . 2005-05-24 09:22	21,124	---------	c:\windows\hpomdl07.dat
2008-11-16 18:58 . 2004-08-03 23:08	31,616	--a------	c:\windows\system32\drivers\usbccgp.sys
2008-11-16 18:58 . 2004-08-03 23:08	31,616	--a--c---	c:\windows\system32\dllcache\usbccgp.sys
2008-11-16 18:58 . 2004-08-03 23:01	25,856	--a------	c:\windows\system32\drivers\usbprint.sys
2008-11-16 18:58 . 2004-08-03 23:01	25,856	--a--c---	c:\windows\system32\dllcache\usbprint.sys
2008-11-05 14:31 . 2008-11-16 20:54	69	--a------	c:\windows\NeroDigital.ini
2008-11-05 14:19 . 2005-07-12 18:06	2,973,696	---------	c:\windows\UNNeroVision.exe
2008-11-05 14:19 . 2005-09-16 13:10	154,568	---------	c:\windows\UNNeroVision.cfg
2008-11-05 14:19 . 2001-03-08 19:30	24,064	---------	c:\windows\system32\msxml3a.dll
2008-11-05 14:18 . 2008-11-05 14:18	<DIR>	d--------	c:\program files\Common Files\Nero
2008-11-05 14:18 . 2008-11-05 14:18	<DIR>	d--------	c:\documents and settings\All Users\Dane aplikacji\Ahead
2008-11-05 14:18 . 2004-07-09 09:43	364,544	---------	c:\windows\system32\TwnLib4.dll
2008-11-05 14:18 . 2001-06-26 08:15	38,912	---------	c:\windows\system32\picn20.dll
2008-11-05 14:14 . 2008-11-05 14:14	<DIR>	d--------	c:\program files\Common Files\Ahead
2008-11-05 14:14 . 2008-11-05 14:18	<DIR>	d--------	c:\program files\Ahead
2008-11-05 14:14 . 2004-07-26 17:16	1,568,768	---------	c:\windows\system32\ImagX7.dll
2008-11-05 14:14 . 2004-07-26 17:16	476,320	---------	c:\windows\system32\ImagXpr7.dll
2008-11-05 14:14 . 2004-07-26 17:16	471,040	---------	c:\windows\system32\ImagXRA7.dll
2008-11-05 14:14 . 2004-07-26 17:16	262,144	---------	c:\windows\system32\ImagXR7.dll
2008-11-05 14:14 . 2001-07-09 11:50	155,648	--a------	c:\windows\system32\NeroCheck.exe
2008-11-05 14:14 . 2000-06-26 11:45	106,496	---------	c:\windows\system32\TwnLib20.dll
2008-10-28 12:12 . 2008-10-28 12:12	<DIR>	d--------	c:\program files\PXL Designs
2008-10-28 12:06 . 2008-10-28 12:06	<DIR>	d--------	c:\program files\Common Files\Adobe AIR
2008-10-25 16:02 . 2004-08-03 23:44	221,184	--a------	c:\windows\system32\wmpns.dll
.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-17 13:03	13,735,712	--sha-w	c:\windows\system32\drivers\fidbox.dat
2008-11-17 13:01	296,480	--sha-w	c:\windows\system32\drivers\fidbox2.dat
2008-11-17 11:42	31,496	--sha-w	c:\windows\system32\drivers\fidbox2.idx
2008-11-17 11:42	189,236	--sha-w	c:\windows\system32\drivers\fidbox.idx
2008-11-17 10:59	---------	d-----w	c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab
2008-11-17 00:47	---------	d-----w	c:\documents and settings\gi & luk\Dane aplikacji\uTorrent
2008-11-16 18:33	139,264	----a-w	c:\windows\system32\hpzjrd01.dll
2008-11-10 09:08	---------	d-----w	c:\program files\Java
2008-11-10 08:56	---------	d--h--w	c:\program files\InstallShield Installation Information
2008-11-08 17:31	---------	d-----w	c:\program files\eMule
2008-11-04 14:49	---------	d-----w	c:\program files\Soulseek
2006-06-23 06:48	32,768	----a-r	c:\windows\inf\UpdateUSB.exe
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2007-07-09 2119104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"Gainward"="c:\program files\VDOTool\TBPanel.exe" [2007-06-26 2165272]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-23 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-23 81920]
"M-Audio Taskbar Icon"="c:\windows\System32\DeltaIITray.exe" [2007-12-03 236040]
"DeltaIITaskbarApp"="c:\windows\system32\DeltaIITray.exe" [2007-12-03 236040]
"QuickTime Task"="c:\program files\QuickTime 
Alternative\QTTask.exe" [2008-03-28 413696]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]"nwiz"="nwiz.exe" [2007-07-23 c:\windows\system32\nwiz.exe][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]c:\documents and settings\All Users\Menu Start\Programy\Autostart\Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-05-15 118784]HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"VIDC.3iv2"= 3ivxVfWCodec.dll"VIDC.VP31"= vp31vfw.dll"msacm.l3fhg"= mp3fhg.acm"vidc.MJPG"= pvmjpg21.dll"msacm.avis"= ff_acm.acm[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\uTorrent\\uTorrent.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Documents and Settings\\All Users\\Dane aplikacji\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe"="c:\\Program Files\\Gadu-Gadu\\gg.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="c:\\Program Files\\HP\\Digital 
Imaging\\bin\\hposfx08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\DRIVERS\deltaII.sys [2008-05-20 297992]S3 AVPsys;AVPsys;\??\c:\windows\system32\drivers\cdaudio.sys []S3 VNUSB;VN Series Device;c:\windows\system32\DRIVERS\VNUSB.sys [2008-05-15 38496]*Newly Created Service* - CATCHME.Zawartość folderu 'Zaplanowane zadania'2008-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]2008-11-11 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []2008-05-15 c:\windows\Tasks\Uniblue SpeedUpMyPC.job- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [].**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-11-17 14:01:38Windows 5.1.2600 Dodatek Service Pack 2 NTFSskanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ...skanowanie ukrytych plików ... **************************************************************************.Czas ukończenia: 2008-11-17 14:07:15ComboFix-quarantined-files.txt  2008-11-17 13:06:13ComboFix2.txt  2008-11-17 11:57:30Przed: 13 099 491 328 bajtów wolnychPo: 13,082,042,368 bajtów wolnych172

//Logs go in CODE tags

//Next time you will get a warning

//jesiona

I restarted and everything seems to be fine, thanks a lot

Guest

The log is clean.

lukasz r

thanks again, regards

ligus

Hi, I also caught this virus. Kaspersky supposedly removed it a few times and for now it is not showing up, but I want to be sure my computer is clean. Could I ask for my logs to be checked?

Log from HiJackThis

Logfile of Trend Micro HijackThis v2.0.2Scan saved at 15:47:36, on 2008-11-18Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)MSIE: Unable to get Internet Explorer version!Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeF:\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exeC:\WINDOWS\system32\RUNDLL32.EXEF:\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\svchost.exeF:\Opera\opera.exeC:\Documents and Settings\Mateusz\Pulpit\HiJackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = ŁączaO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Java\jre1.6.0_07\bin\ssv.dllO3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dllO4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"O4 - HKLM\..\Run: [WheelMouse] C:\Program 
Files\A4Tech\Mouse\Amoumain.exeO4 - HKLM\..\Run: [AVP] "F:\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exeO4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logonO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O8 - Extra context menu item: Dodaj do blokowanych banerów - F:\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htmO8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dllO9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dllO9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program 
Files\Techland\Common\InternetTranslator\InternetTranslator.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cabO18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\Common Files\BinarySense\hlAPP.dll" (file missing)O20 - AppInit_DLLs: F:\KASPER~1\KASPER~1.0\adialhk.dllO23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - F:\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PDAgent - Raxco Software, Inc. - F:\Raxco\PerfectDisk\PDAgent.exeO23 - Service: PDEngine - Raxco Software, Inc. - F:\Raxco\PerfectDisk\PDEngine.exeO23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe--End of file - 5643 bytes

Log from Combo Fix

ComboFix 08-11-16.05 - Mateusz 2008-11-18 15:49:45.1 - NTFSx86Microsoft Windows XP Professional  5.1.2600.3.1250.1.1045.18.679 [GMT 1:00]Uruchomiony z: c:\documents and settings\Mateusz\Pulpit\ComboFix.exe * Utworzono nowy punkt przywracania[b]UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !![/b].(((((((((((((((((((((((((   Pliki utworzone od 2008-10-18 do 2008-11-18  ))))))))))))))))))))))))))))))).2008-11-16 17:40 . 2008-11-16 17:40	<DIR>	d--------	c:\windows\Sun2008-11-16 17:37 . 2008-11-16 17:37	0	--a------	c:\windows\nsreg.dat2008-11-16 14:43 . 2008-11-17 21:55	85,504	--a------	c:\windows\system32\gasretyw0.dll2008-11-14 18:43 . 2003-12-08 11:53	70,688	--a------	c:\windows\system32\drivers\alcaudsl.sys2008-11-14 18:43 . 2003-12-08 11:53	53,600	--a------	c:\windows\system32\drivers\alcan5wn.sys2008-11-14 18:43 . 2003-12-08 11:53	5,606	--a------	c:\windows\system32\stci.dll2008-11-14 18:43 . 2003-12-08 11:53	5,280	--a------	c:\windows\system32\drivers\alcawh.sys2008-11-14 18:43 . 2003-12-08 11:53	3,968	--a------	c:\windows\system32\drivers\alcacr.sys2008-11-14 18:42 . 2008-11-14 18:42	<DIR>	d--hs----	c:\windows\ftpcache2008-11-12 20:52 . 2008-11-12 20:54	<DIR>	d--------	c:\program files\Common Files\BinarySense2008-11-12 20:52 . 2008-11-12 20:52	<DIR>	d--------	c:\documents and settings\Mateusz\Dane aplikacji\BinarySense2008-11-12 20:52 . 2008-11-12 20:59	<DIR>	d-a------	c:\documents and settings\All Users\Dane aplikacji\TEMP2008-11-12 20:16 . 2008-11-12 20:17	<DIR>	dr-------	c:\documents and settings\LocalService\Moje dokumenty2008-11-12 20:15 . 2008-11-12 20:15	<DIR>	d--------	c:\documents and settings\Mateusz\Dane aplikacji\Locktime2008-11-12 16:31 . 2008-11-12 16:31	<DIR>	d--------	c:\documents and settings\Mateusz\Dane aplikacji\teamspeak22008-11-11 19:08 . 2008-11-16 15:00	45,056	--a------	c:\windows\system32\UTSCSI.EXE2008-11-10 17:47 . 
2008-11-10 17:47	<DIR>	d--------	c:\documents and settings\Mateusz\Dane aplikacji\Ventrilo2008-10-30 18:39 . 2008-10-30 18:39	<DIR>	d--------	c:\documents and settings\All Users\Dane aplikacji\InstallShield2008-10-30 18:38 . 2004-04-16 11:24	61,440	--a------	c:\windows\system32\ISUSPM.cpl2008-10-29 22:50 . 2008-10-29 22:50	34,064	--a------	c:\windows\system32\lhacm.acm2008-10-24 22:28 . 2008-10-24 22:28	<DIR>	d--------	c:\windows\nview2008-10-24 22:28 . 2008-11-18 14:04	186,097	--a------	c:\windows\system32\nvapps.xml2008-10-24 22:28 . 2008-05-16 13:01	18,070	--a------	c:\windows\system32\nvdisp.nvu2008-10-24 19:17 . 2008-10-24 19:17	<DIR>	d--------	c:\documents and settings\All Users\Dane aplikacji\NVIDIA2008-10-23 21:54 . 2008-10-23 22:04	275	--a------	c:\windows\hpqcopy.INI2008-10-23 21:30 . 2008-10-23 21:30	<DIR>	d--------	c:\program files\Creative2008-10-23 21:30 . 2002-06-06 13:38	139,264	--a------	c:\windows\system32\eax.dll2008-10-23 21:17 . 2008-11-16 15:03	352,256	-ra------	c:\windows\system32\MafiaSetup.exe.((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-11-18 14:52	42,212,384	--sha-w	c:\windows\system32\drivers\fidbox.dat2008-11-18 14:52	1,044,256	--sha-w	c:\windows\system32\drivers\fidbox2.dat2008-11-18 13:05	---------	d-----w	c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab2008-11-17 22:58	573,248	--sha-w	c:\windows\system32\drivers\fidbox.idx2008-11-17 22:58	106,724	--sha-w	c:\windows\system32\drivers\fidbox2.idx2008-11-16 14:01	57,856	----a-w	c:\windows\system32\spoolsv.exe2008-11-16 14:01	44,544	----a-w	c:\windows\system32\alg.exe2008-11-16 14:01	1,035,264	----a-w	c:\windows\explorer.exe2008-11-16 13:59	80,896	----a-w	c:\windows\system32\charmap.exe2008-11-16 13:09	---------	d--h--w	c:\program files\InstallShield Installation Information2008-11-10 16:46	---------	d-----w	c:\program files\Common Files\Wise Installation Wizard2008-10-30 17:38	---------	d-----w	
c:\program files\Common Files\InstallShield2008-10-08 12:46	---------	d-----w	c:\program files\Common Files\DirectX2008-10-07 13:59	---------	d-----w	c:\documents and settings\All Users\Dane aplikacji\Locktime2008-10-07 13:58	---------	d-----w	c:\documents and settings\Mateusz\Dane aplikacji\Winamp2008-10-01 20:33	---------	d-----w	c:\program files\Common Files\Adobe2008-09-07 14:42	444,952	----a-w	c:\windows\system32\wrap_oal.dll2008-09-07 14:42	109,080	----a-w	c:\windows\system32\OpenAL32.dll.(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))..*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2008-11-16 229376]"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2008-11-16 196608]"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2006-10-17 398944]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]"nwiz"="nwiz.exe" [2008-11-16 c:\windows\system32\nwiz.exe][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-11-16 15360][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"AppInit_DLLs"=f:\kasper~1\KASPER~1.0\adialhk.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iPMS.exe]"Debugger"=dummy.dat[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iPMS20.exe]"Debugger"=dummy.dat[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001"UpdatesDisableNotify"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security 
center\Monitoring\KasperskyAntiVirus]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\system32\\sessmgr.exe"=R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\DRIVERS\Amps2prt.sys [2006-05-09 13824]R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-04-04 24344]S3 AVPsys;AVPsys;\??\c:\windows\system32\drivers\cdaudio.sys []S3 SaiH5F0D;SaiH5F0D;c:\windows\system32\DRIVERS\SaiH5F0D.sys [2008-10-08 176640]S3 SaiU5F0D;SaiU5F0D;c:\windows\system32\DRIVERS\SaiU5F0D.sys [2008-10-08 27264]S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-08-11 306432]S4 HDDlife HDD Access service;HDDlife HDD Access service;"c:\program files\Common Files\BinarySense\hldasvc.exe" [2008-02-15 832760]S4 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe -k netsvcs [2008-04-14 14336]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcsUxTuneUp*Newly Created Service* - PROCEXP90..------- Skan uzupełniający -------.FireFox -: Profile - c:\documents and settings\Mateusz\Dane aplikacji\Mozilla\Firefox\Profiles\ndie9nbv.default\FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://google.plFF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dllFF -: plugin - f:\adobe\Reader 8.0\Reader\browser\nppdf32.dllFF -: plugin - f:\java\jre1.6.0_07\bin\npjava11.dllFF -: plugin - f:\java\jre1.6.0_07\bin\npjava12.dllFF -: plugin - f:\java\jre1.6.0_07\bin\npjava13.dllFF -: plugin - f:\java\jre1.6.0_07\bin\npjava14.dllFF -: plugin - f:\java\jre1.6.0_07\bin\npjava32.dllFF -: plugin - f:\java\jre1.6.0_07\bin\npjpi160_07.dllFF -: plugin - f:\java\jre1.6.0_07\bin\npoji610.dllFF -: plugin - f:\k-lite codec 
pack\Real\browser\plugins\nppl3260.dllFF -: plugin - f:\k-lite codec pack\Real\browser\plugins\nprpjplug.dllFF -: plugin - f:\mozilla firefox\plugins\npnul32.dllFF -: plugin - f:\opera\program\plugins\npdsplay.dllFF -: plugin - f:\opera\program\plugins\nppl3260.dllFF -: plugin - f:\opera\program\plugins\nprpjplug.dllFF -: plugin - f:\opera\program\plugins\NPSWF32.dllFF -: plugin - f:\opera\program\plugins\npwmsdrm.dll.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-11-18 15:52:59Windows 5.1.2600 Dodatek Service Pack 3 NTFSskanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ...skanowanie ukrytych plików ... skanowanie pomyślnie ukończoneukryte pliki: 0**************************************************************************.Czas ukończenia: 2008-11-18 15:54:17ComboFix-quarantined-files.txt  2008-11-18 14:54:13Przed: 14 531 874 816 bajtów wolnychPo: 14,521,790,464 bajtów wolnych139
Guest
c:\windows\system32\gasretyw0.dll

Delete this file manually in Safe Mode.

Other than that - clean.

  • 2 weeks later...
ligus

Thanks for the help

Could I ask once more for my log to be checked? I had to plug my pendrive in at school and of course caught every virus it could possibly pick up; Kaspersky could not even detect everything on the pendrive, ComboFix removed the autoruns etc., but probably something is still left :/ .

ComboFix 08-11-27.07 - Mateusz 2008-11-29  0:23:19.4 - NTFSx86Microsoft Windows XP Professional  5.1.2600.3.1250.1.1045.18.770 [GMT 1:00]Uruchomiony z: c:\documents and settings\Mateusz\Pulpit\ComboFix.exe[b]UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !![/b].(((((((((((((((((((((((((   Pliki utworzone od 2008-10-28 do 2008-11-28  ))))))))))))))))))))))))))))))).2008-11-28 22:06 . 2008-11-29 00:21	<DIR>	d--------	c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab2008-11-28 22:06 . 2008-11-29 00:26	1,168,416	--ahs----	c:\windows\system32\drivers\fidbox.dat2008-11-28 22:06 . 2008-11-28 22:39	96,976	--a------	c:\windows\system32\drivers\klin.dat2008-11-28 22:06 . 2008-11-28 22:39	87,855	--a------	c:\windows\system32\drivers\klick.dat2008-11-28 22:06 . 2008-11-29 00:19	25,352	--ahs----	c:\windows\system32\drivers\fidbox.idx2008-11-28 22:06 . 2008-11-29 00:26	13,088	--ahs----	c:\windows\system32\drivers\fidbox2.dat2008-11-28 22:06 . 2008-11-29 00:19	4,196	--ahs----	c:\windows\system32\drivers\fidbox2.idx2008-11-28 21:59 . 2008-11-28 21:59	<DIR>	d--------	C:\Temp2008-11-25 23:10 . 2008-11-25 23:10	<DIR>	d--------	c:\windows\Sun2008-11-25 23:09 . 2008-11-25 23:09	<DIR>	d--------	c:\program files\Java2008-11-25 23:09 . 2008-11-25 23:09	410,976	--a------	c:\windows\system32\deploytk.dll2008-11-25 23:09 . 2008-11-25 23:09	73,728	--a------	c:\windows\system32\javacpl.cpl2008-11-23 16:27 . 2008-11-23 16:29	<DIR>	d--------	c:\documents and settings\Mateusz\Dane aplikacji\Dev-Cpp2008-11-23 15:37 . 2008-04-14 00:15	10,368	--a------	c:\windows\system32\drivers\hidusb.sys2008-11-23 15:37 . 2008-04-14 00:15	10,368	--a--c---	c:\windows\system32\dllcache\hidusb.sys2008-11-23 15:35 . 2008-11-23 15:35	<DIR>	d--------	c:\program files\Colin McRae 2005 Polish language add-on2008-11-23 15:35 . 2008-11-23 15:35	720,896	--a------	c:\windows\iun6002.exe2008-11-23 15:35 . 2001-05-11 13:18	420,240	--a------	c:\windows\system32\mpg4c32.dll2008-11-23 15:35 . 
2001-05-16 17:54	309,616	--a------	c:\windows\system32\wmv8dmod.dll2008-11-23 15:35 . 2001-03-26 04:41	245,760	--a------	c:\windows\system32\mp4sds32.ax2008-11-23 14:30 . 2008-11-23 14:30	<DIR>	d--------	c:\program files\ScanSoft2008-11-23 00:18 . 2008-11-23 00:18	<DIR>	d--------	c:\documents and settings\Mateusz\Dane aplikacji\DAEMON Tools2008-11-22 23:57 . 2008-11-28 17:18	<DIR>	d--------	c:\windows\system32\LogFiles2008-11-22 23:57 . 2008-11-22 23:57	<DIR>	d--------	c:\documents and settings\Mateusz\Dane aplikacji\Leadertech2008-11-21 23:44 . 2006-02-04 03:50	5,174	--a------	c:\windows\system32\nppt9x.vxd2008-11-21 23:44 . 2006-02-04 03:50	4,682	--a------	c:\windows\system32\npptNT2.sys2008-11-21 23:38 . 2008-11-21 23:38	<DIR>	d--------	c:\documents and settings\Mateusz\Dane aplikacji\InstallShield2008-11-21 23:33 . 2008-11-28 19:29	69	--a------	c:\windows\NeroDigital.ini2008-11-21 23:32 . 2008-11-21 23:32	<DIR>	d--------	c:\documents and settings\Mateusz\Dane aplikacji\Media Player Classic2008-11-21 23:03 . 2008-11-21 23:03	<DIR>	d--------	c:\documents and settings\Mateusz\Dane aplikacji\TuneUp Software2008-11-21 23:03 . 2008-11-21 23:03	306,432	--a------	c:\windows\system32\TuneUpDefragService.exe2008-11-21 23:03 . 2007-12-20 10:41	29,440	--a------	c:\windows\system32\uxtuneup.dll2008-11-21 23:02 . 2008-11-21 23:02	<DIR>	d--------	c:\program files\Common Files\Wise Installation Wizard2008-11-21 23:02 . 2008-11-21 23:02	<DIR>	d--------	c:\documents and settings\All Users\Dane aplikacji\TuneUp Software2008-11-21 22:57 . 2008-11-21 22:57	<DIR>	d--------	c:\documents and settings\Mateusz\Dane aplikacji\Nero2008-11-21 22:38 . 2008-11-21 22:39	<DIR>	d--------	c:\program files\Common Files\Nero2008-11-21 22:38 . 2008-11-21 22:38	<DIR>	d--------	c:\documents and settings\All Users\Dane aplikacji\Nero2008-11-21 22:16 . 2008-11-21 22:16	<DIR>	d--------	c:\windows\system32\XPSViewer2008-11-21 22:16 . 
2008-11-21 22:16	<DIR>	d--------	c:\program files\Reference Assemblies2008-11-21 22:16 . 2008-11-21 22:16	<DIR>	d--------	c:\program files\MSBuild2008-11-21 22:16 . 2008-04-14 00:15	26,368	--a--c---	c:\windows\system32\dllcache\usbstor.sys2008-11-21 22:16 . 2006-06-29 13:07	22,752	--a------	c:\windows\system32\spupdsvc.exe2008-11-21 22:16 . 2006-06-29 13:07	14,048	---------	c:\windows\system32\spmsg2.dll2008-11-21 21:51 . 2008-11-23 00:18	717,296	--a------	c:\windows\system32\drivers\sptd.sys2008-11-21 21:49 . 2008-11-21 21:49	23	--a------	c:\windows\system32\acfacfd9_r.ocx2008-11-21 21:47 . 2008-11-21 21:47	<DIR>	d--------	c:\documents and settings\Mateusz\Dane aplikacji\PDFCreator2008-11-21 21:47 . 2000-05-22 17:58	647,872	--a------	c:\windows\system32\MSCOMCT2.OCX2008-11-21 21:47 . 2005-04-20 20:08	196,608	--a------	c:\windows\system32\PDFSpooler.exe2008-11-21 21:47 . 1998-07-06 17:55	158,208	--a------	c:\windows\system32\MSCMCDE.DLL2008-11-21 21:47 . 1998-07-06 17:56	125,712	--a------	c:\windows\system32\VB6DE.DLL2008-11-21 21:47 . 2001-10-28 17:42	116,224	--a------	c:\windows\system32\pdfcmnnt.dll2008-11-21 21:47 . 1998-07-06 17:55	64,512	--a------	c:\windows\system32\MSCC2DE.DLL2008-11-21 21:47 . 1998-07-06 17:55	33,792	--a------	c:\windows\system32\CMDLGDE.DLL2008-11-21 21:47 . 1998-07-06 01:00	23,552	--a------	c:\windows\system32\MSMPIDE.DLL2008-11-21 21:46 . 2003-03-19 04:14	499,712	--a------	c:\windows\system32\msvcp71.dll2008-11-21 21:27 . 2008-11-21 21:27	707	--a------	c:\windows\unins000.dat2008-11-21 21:24 . 2008-11-21 21:41	<DIR>	d--------	c:\documents and settings\Mateusz\Dane aplikacji\Winamp2008-11-21 21:23 . 2008-09-24 19:41	839,680	--a------	c:\windows\system32\lameACM.acm2008-11-21 21:23 . 2004-01-25 17:18	217,088	--a------	c:\windows\system32\yv12vfw.dll2008-11-21 21:23 . 2007-09-04 17:56	164,352	--a------	c:\windows\system32\unrar.dll2008-11-21 21:23 . 2007-09-21 01:52	118,784	--a------	c:\windows\system32\ac3acm.acm2008-11-21 21:23 . 
2008-10-03 13:30	414	--a------	c:\windows\system32\lame_acm.xml2008-11-21 21:23 . 2008-07-30 20:09	38	--a------	c:\windows\avisplitter.ini2008-11-21 21:22 . 2008-09-19 22:57	3,596,288	--a------	c:\windows\system32\qt-dx331.dll2008-11-21 21:22 . 2008-01-10 13:15	755,027	--a------	c:\windows\system32\xvidcore.dll2008-11-21 21:22 . 2008-10-28 23:35	684,032	--a------	c:\windows\system32\divx.dll2008-11-21 21:22 . 2004-01-11 23:00	348,160	--a------	c:\windows\system32\msvcr71.dll2008-11-21 21:22 . 2008-01-10 13:16	159,839	--a------	c:\windows\system32\xvidvfw.dll2008-11-21 21:22 . 2008-09-25 09:03	81,920	--a------	c:\windows\system32\dpl100.dll2008-11-21 21:22 . 2008-11-02 15:02	7,680	--a------	c:\windows\system32\ff_vfw.dll2008-11-21 21:22 . 2007-07-10 17:10	547	--a------	c:\windows\system32\ff_vfw.dll.manifest2008-11-21 21:21 . 2008-11-21 21:21	<DIR>	d--------	c:\program files\Common Files\Adobe2008-11-21 21:13 . 2008-11-21 21:13	<DIR>	d--------	c:\documents and settings\Mateusz\Dane aplikacji\Gadu-Gadu2008-11-21 21:10 . 2008-11-21 21:12	<DIR>	d--------	c:\documents and settings\Mateusz\Gadu-Gadu2008-11-21 21:06 . 2003-06-19 01:31	17,920	--a------	c:\windows\system32\mdimon.dll2008-11-21 21:06 . 2008-11-21 21:06	421	--a------	c:\windows\ODBC.INI2008-11-21 21:05 . 2008-11-21 21:05	<DIR>	d--------	c:\windows\SHELLNEW2008-11-21 21:05 . 2008-11-21 21:05	<DIR>	d--------	c:\program files\Microsoft.NET2008-11-21 21:00 . 2008-11-21 21:00	<DIR>	d--------	c:\documents and settings\Mateusz\Dane aplikacji\Hewlett-Packard2008-11-21 21:00 . 2008-04-14 00:15	15,104	--a------	c:\windows\system32\drivers\usbscan.sys2008-11-21 21:00 . 
2008-04-14 00:15	15,104	--a--c---	c:\windows\system32\dllcache\usbscan.sys
.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 21:39	112,144	----a-w	c:\windows\system32\drivers\kl1.sys
2008-11-23 14:25	---------	d--h--w	c:\program files\InstallShield Installation Information
2008-11-21 20:07	---------	d-----w	c:\program files\Hewlett-Packard
2008-11-21 19:57	---------	d-----w	c:\program files\Common Files\Hewlett-Packard
2008-11-21 19:48	---------	d-----w	c:\program files\Canon
2008-11-21 19:47	---------	d-----w	c:\program files\Common Files\CANON
2008-11-21 19:46	---------	d--h--w	c:\program files\CanonBJ
2008-11-21 19:46	---------	d--h--w	c:\documents and settings\All Users\Dane aplikacji\CanonBJ
2008-11-21 19:22	---------	d-----w	c:\program files\A4Tech
2008-11-21 19:17	---------	d-----w	c:\program files\NVIDIA Corporation
2008-11-21 19:17	---------	d-----w	c:\program files\Common Files\NVIDIA Shared
2008-11-21 19:17	---------	d-----w	c:\program files\Common Files\InstallShield
2008-11-21 19:12	---------	d-----w	c:\program files\DirectX
2008-11-21 18:43	---------	d-----w	c:\program files\microsoft frontpage
2008-11-21 18:41	---------	d-----w	c:\program files\Usługi online
2008-10-02 09:07	453,152	----a-w	c:\windows\system32\NVUNINST.EXE
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2006-12-26 196608]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\kasper~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\DRIVERS\Amps2prt.sys [2006-05-09 13824]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-04-04 24344]
S3 AVPsys;AVPsys;\??\c:\windows\system32\drivers\cdaudio.sys [2001-08-17 18688]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c1d6783-b80e-11dd-b7ab-000c6edf5467}]
\Shell\AutoRun\command - H:\Autorun.exe
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 00:26:58
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ... 
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ... 
skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(1220)
d:\kaspersky lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1276)
d:\kaspersky lab\Kaspersky Internet Security 7.0\dnsq.dll
d:\kaspersky lab\Kaspersky Internet Security 7.0\miscr3.dll
.
Czas ukończenia: 2008-11-29  0:27:56
ComboFix-quarantined-files.txt  2008-11-28 23:27:54

Przed: 15 919 419 392 bajtów wolnych
Po: 15,903,174,656 bajtów wolnych

165
Guest

I don't see anything interesting here - clean.

  • 1 month later...
worm87

Hello.

I did a few standard steps. It looks like I got rid of the little bugger, but to be sure I'd ask you to check the logs.

From HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:49:41, on 2009-02-04
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UGS\UGSLicensing\lmgrd.exe
C:\Program Files\UGS\UGSLicensing\lmgrd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\UGS\UGSLicensing\ugslmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://clk.tradedoubler.com/click?p=55647&...mp;pools=175516
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [s3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [EPSON Stylus DX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE /FU "C:\WINDOWS\TEMP\E_S5DD.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Przyspieszenie uruchomienia programu AutoCAD.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Ansys JobManager Service V11 (JobManagerService110) - Ansys, Inc - C:\Program Files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Ansys ScriptHost Service V11 (ScriptHostService110) - Ansys, Inc. - C:\Program Files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe
O23 - Service: UGS License Server (ugslmd) - Macrovision Corporation - C:\Program Files\UGS\UGSLicensing\lmgrd.exe

--
End of file - 5252 bytes

And this is from ComboFix:

ComboFix 08-07-29.1 - rybka 2009-02-04 21:56:51.8 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1250.1.1045.18.106 [GMT 1:00]
Running from: C:\Documents and Settings\rybka\Pulpit\programy\ComboFix.exe
 * Resident AV is active.
- REDUCED FUNCTIONALITY MODE -
.

(((((((((((((((((((((((((   Files Created from 2009-01-04 to 2009-02-04  )))))))))))))))))))))))))))))))
.

2009-02-04 18:16 . 2009-02-04 21:44	729,120	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2009-02-04 18:16 . 2009-02-04 21:44	11,708	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2009-02-04 17:07 . 2000-06-18 14:03	106,544	--a------	C:\WINDOWS\system32\TWEAKUI.CPL
2009-02-04 16:42 . 2009-02-04 16:42	<DIR>	d--------	C:\Program Files\VS Revo Group
2009-02-04 16:41 . 2009-02-04 16:54	<DIR>	d--------	C:\Program Files\RegCleaner
2009-02-04 16:23 . 2009-02-04 16:23	118	--a------	C:\WINDOWS\system32\MRT.INI
2009-02-04 15:32 . 2009-02-04 15:47	110,003	-r-hs----	C:\x2csvg.exe
2009-02-02 22:33 . 2009-02-04 21:49	<DIR>	d--------	C:\Program Files\Trend Micro
2009-02-02 10:48 . 2009-02-04 15:31	95,744	-r-hs----	C:\WINDOWS\system32\nmdfgds1.dll
2009-02-02 00:49 . 2009-02-02 00:49	496	--a------	C:\WINDOWS\WIN.INI
2009-02-02 00:41 . 2009-02-02 10:15	<DIR>	d--------	C:\Program Files\Enigma Software Group
2009-02-01 16:52 . 2009-02-04 15:47	95,744	-r-hs----	C:\WINDOWS\system32\nmdfgds0.dll
2009-02-01 12:18 . 2008-04-14 18:21	70,144	--a------	C:\WINDOWS\AhnRpta.exe
2009-01-06 15:13 . 2009-01-06 15:13	<DIR>	d--------	C:\flexlm
2009-01-06 14:01 . 2009-01-06 15:17	<DIR>	d--------	C:\Documents and Settings\rybka\Dane aplikacji\Ansys
2009-01-06 13:59 . 2009-01-06 13:59	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\IsolatedStorage
2009-01-06 13:50 . 2006-06-28 04:37	1,009,336	---------	C:\WINDOWS\system32\mschrt20.ocx
2009-01-06 13:50 . 2004-02-17 09:46	499,712	---------	C:\WINDOWS\system32\msvcp71.dll
2009-01-06 13:50 . 2005-03-03 21:09	389,120	---------	C:\WINDOWS\system32\Codejock.DockingPane.Unicode.9601.ocx
2009-01-06 13:50 . 2006-06-28 04:37	224,016	---------	C:\WINDOWS\system32\TABCTL32.OCX
2009-01-06 13:50 . 2006-06-28 04:37	212,240	---------	C:\WINDOWS\system32\RICHTX32.OCX
2009-01-06 13:50 . 2003-03-18 22:05	89,088	---------	C:\WINDOWS\system32\atl71.dll
2009-01-06 13:50 . 2001-07-30 16:40	24,576	---------	C:\WINDOWS\system32\msxml3a.dll
2009-01-06 13:47 . 2009-01-06 14:13	<DIR>	d--------	C:\Program Files\ANSYS Inc
2009-01-04 22:18 . 1998-11-13 14:10	307,200	--a------	C:\WINDOWS\IsUn0415.exe
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 23:45	---------	d-----w	C:\Documents and Settings\rybka\Dane aplikacji\foobar2000
2009-01-31 17:07	---------	d-----w	C:\Program Files\Eset
2009-01-28 21:43	---------	d-----w	C:\Program Files\English Translator 3
2009-01-09 19:31	---------	d-----w	C:\Program Files\Apoint2K
2009-01-09 16:18	---------	d-----w	C:\Documents and Settings\rybka\Dane aplikacji\Wildfire
2009-01-06 13:13	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2009-01-04 22:12	---------	d-----w	C:\Program Files\ABBYY FineReader 6.0 Sprint
2009-01-03 12:16	---------	d-----w	C:\Documents and Settings\rybka\Dane aplikacji\U3
2009-01-01 17:21	---------	d-----w	C:\Documents and Settings\rybka\Dane aplikacji\Ahead
2008-12-11 10:57	333,952	----a-w	C:\WINDOWS\system32\drivers\srv.sys
2008-12-05 11:09	---------	d-----w	C:\Documents and Settings\rybka\Dane aplikacji\EPSON
2008-11-15 17:50	270,336	----a-w	C:\WINDOWS\system32\imon.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 11:04 2127296]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 13:11 490952]
"EPSON Stylus DX8400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE" [2007-04-12 07:00 182272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2005-04-16 17:08 172032]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-11-15 18:50 921600]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 15:09 413696]
"VTTimer"="VTTimer.exe" [2006-08-03 14:53 53248 C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2006-07-11 02:33 176128 C:\WINDOWS\system32\S3Trayp.exe]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\system32\TWEAKUI.CPL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 18:21 15360]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Przyspieszenie uruchomienia programu AutoCAD.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 14:43:54 11000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.sl_anet"= C:\PROGRA~1\ACEMEG~1\SystemS\sl_anet.acm
"vidc.yv12"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"vidc.iyuv"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.uyvy"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yuy2"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"msacm.msaudio1"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages	REG_MULTI_SZ   	scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JobManagerService.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JMAdmin.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JMPassword.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\ScriptHostService.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CommonFiles\\intel\\AnsysWBU.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\ANSYS\\bin\\intel\\ANSYS.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CAD Integration\\intel\\ActivePIMgrU.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CAD Integration\\intel\\ReaderHostU.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\TCL\\bin\\intel\\tclsh.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\TCL\\bin\\intel\\wish.exe"=

R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [2006-03-24 22:34]
R2 JobManagerService110;Ansys JobManager Service V11;C:\Program Files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe [2007-01-16 15:20]
R2 ScriptHostService110;Ansys ScriptHost Service V11;C:\Program Files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe [2007-01-16 15:20]
R2 UGS License Server (ugslmd);UGS License Server (ugslmd);C:\Program Files\UGS\UGSLicensing\lmgrd.exe [2007-02-02 16:02]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-09-12 10:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c7f397b-b652-11dd-b699-00140b0ff1ff}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explore.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30535963-c3b4-11dd-b6b4-00140b0ff1ff}]
\Shell\AutoRun\command - H:\qoes.bat
\Shell\open\Command - H:\qoes.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46880cf5-ec90-11dd-b6ec-00140b0ff1ff}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explore.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49d5af35-dce6-11dd-b6ca-00140b0ff1ff}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explore.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bccfa00-d98f-11dd-b6c6-00140b0ff1ff}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d727dbb4-f0b9-11dd-b6fc-00140b0ff1ff}]
\Shell\AutoRun\command - c:\windows\explorer.exe %1
\Shell\open\Command - c:\windows\explorer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5871f7e-b4b0-11dd-b694-00140b0ff1ff}]
\Shell\AutoRun\command - H:\ve.exe
\Shell\open\Command - H:\ve.exe
.
.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://clk.tradedoubler.com/click?p=55647&a=1324857&g=16827436&pools=175516
O8 -: E&ksport do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 21:57:12
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2009-02-04 21:58:58
ComboFix-quarantined-files.txt  2009-02-04 20:58:54

Pre-Run: 11,413,270,528 bajtów wolnych
Post-Run: 11,403,145,216 bajtów wolnych

150	--- E O F ---	2009-02-04 15:24:06
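When an antivirus keeps re-detecting the same file after every reboot, the two places a log reviewer checks first in a ComboFix report are the MountPoints2 AutoRun entries (what runs when a removable volume is opened) and the recently created files carrying hidden and system attributes. The script below is an added example for this thread, not code from any poster and not part of ComboFix or HijackThis; it parses a short excerpt copied from the logs above in the same format and shortlists those two kinds of entry for manual review. The allow-list of stock Windows shell handlers and the rule names are my own choices, and the shortlist is a triage aid, not a verdict: a product-owned hidden file or a U3 launcher on a USB stick would also appear on it until the reviewer clears it.

```python
import re
from dataclasses import dataclass

# Excerpt in ComboFix log format, copied from the logs posted in this thread
# (file-creation lines and MountPoints2 entries) and embedded so the script
# runs offline. Backslashes are doubled because this is a Python string.
SAMPLE_LOG = """\
2009-02-04 15:32 . 2009-02-04 15:47\t110,003\t-r-hs----\tC:\\x2csvg.exe
2009-02-02 22:33 . 2009-02-04 21:49\t<DIR>\td--------\tC:\\Program Files\\Trend Micro
2009-02-02 10:48 . 2009-02-04 15:31\t95,744\t-r-hs----\tC:\\WINDOWS\\system32\\nmdfgds1.dll
2009-02-04 17:07 . 2000-06-18 14:03\t106,544\t--a------\tC:\\WINDOWS\\system32\\TWEAKUI.CPL

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{1c7f397b-b652-11dd-b699-00140b0ff1ff}]
\\Shell\\AutoRun\\command - C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explore.exe

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{30535963-c3b4-11dd-b6b4-00140b0ff1ff}]
\\Shell\\AutoRun\\command - H:\\qoes.bat
\\Shell\\open\\Command - H:\\qoes.bat

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{d727dbb4-f0b9-11dd-b6fc-00140b0ff1ff}]
\\Shell\\AutoRun\\command - c:\\windows\\explorer.exe %1
"""

# "created . modified <TAB> size <TAB> attributes <TAB> path" as ComboFix prints it.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\t"
    r"(?P<size>[\d,]+|<DIR>)\t(?P<attrs>[-a-z]{9})\t(?P<path>.+)$"
)
MOUNTPOINT_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})\]$", re.I
)
SHELL_CMD = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.I)

# Handlers Windows itself writes into MountPoints2 (assumed allow-list, lower case).
BENIGN_HANDLERS = (
    r"c:\windows\system32\rundll32.exe shell32.dll,shellexec_rundll",
    r"c:\windows\explorer.exe",
)


@dataclass(frozen=True)
class Finding:
    kind: str     # "hidden_system_file" or "autorun_command"
    where: str    # file path, or the MountPoints2 volume GUID
    detail: str   # attribute string, or "verb: command"
    reason: str


def parse_combofix(text):
    """Return (file_entries, mountpoint_entries) from a ComboFix-style log."""
    files, mountpoints, guid = [], [], None
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            files.append((m["path"], m["attrs"], m["size"]))
            continue
        m = MOUNTPOINT_KEY.match(line)
        if m:
            guid = m["guid"]          # following \Shell lines belong to this volume
            continue
        m = SHELL_CMD.match(line)
        if m and guid:
            mountpoints.append((guid, m["verb"], m["cmd"]))
    return files, mountpoints


def find_hidden_system_files(files):
    """Non-directory entries whose attribute column has both the h and s bits."""
    return [
        Finding("hidden_system_file", path, attrs,
                "created with hidden+system attributes; confirm which product owns it")
        for path, attrs, size in files
        if size != "<DIR>" and "h" in attrs and "s" in attrs
    ]


def find_autorun_commands(mountpoints, system_drive="c:"):
    """MountPoints2 handlers that are not stock and launch a file from another drive."""
    out = []
    for guid, verb, cmd in mountpoints:
        lowered = cmd.lower()
        if lowered.startswith(BENIGN_HANDLERS):
            continue
        target = lowered.split()[0]   # first token is the program being launched
        if not target.startswith(system_drive):
            out.append(Finding("autorun_command", guid, f"{verb}: {cmd}",
                               "removable-volume handler runs a file from that volume"))
    return out


def triage(text, system_drive="c:"):
    files, mountpoints = parse_combofix(text)
    return find_hidden_system_files(files) + find_autorun_commands(mountpoints, system_drive)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:18} {f.where}  {f.detail}  ({f.reason})")
```

Run against the excerpt, the shortlist contains the two hidden+system files and both shell verbs of the volume whose handler points at a batch file on H:, while the stock RunDLL32 and explorer.exe handlers are skipped. Clearing a shortlisted volume means fixing or removing that MountPoints2 key and checking the removable medium it refers to; otherwise the handler fires again the next time the volume is opened, which is one way a cleaned file keeps coming back.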
  • 8 months later...
Ender08

Hello!
I have also recently caught this trojan. Kaspersky detected it, and when I clicked delete, a message immediately popped up again saying the trojan had been found (as an .exe file on drive C or D). I can click delete endlessly and nothing changes ;/

This is the ComboFix log:

http://www.wklejto.pl/43094



And this is from HijackThis:

http://www.wklejto.pl/43093

MarekM25

Start your own new thread, but read this section's rules first.
