ciacho191, created 8 May 2009

Hello, I also have a problem with the boyedt.com rootkit. Please help. HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:24:09, on 2009-05-08
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\WINDOWS\system32\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRAMY\DAEMON Tools Lite\daemon.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\PROGRAMY\Gadu-Gadu\gg.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: ASUS Security Protect Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItIEAddIn.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ACMON] "C:\Program Files\ASUS\Splendid\ACMON.exe"
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [securDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [inCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\PROGRAMY\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\PROGRAMY\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRAMY\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRAMY\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6834 bytes

ComboFix log:

ComboFix 09-05-06.08 - Tomek 2009-05-08 13:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.2047.1564 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Tomek\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090507-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\windows\system32\olhrwef.exe
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((( Pliki utworzone od 2009-04-08 do 2009-05-08 )))))))))))))))))))))))))))))))
.

2009-05-08 11:23 . 2009-05-08 11:23 -------- d-----w c:\program files\Trend Micro
2009-05-02 21:07 . 2009-05-07 18:16 -------- d-----w c:\documents and settings\Tomek\Dane aplikacji\GanymedeNet
2009-05-02 21:06 . 2009-05-02 21:07 -------- d-----w c:\program files\Ganymede
2009-05-01 12:48 . 2003-02-28 07:00 5632 ----a-w c:\windows\system32\CNMVS50.DLL
2009-05-01 12:48 . 2003-02-28 07:00 100352 ----a-w c:\windows\system32\CNMLM50.DLL
2009-05-01 12:48 . 2003-02-14 17:01 73728 ----a-r c:\windows\system32\CNMCP50.exe
2009-05-01 12:48 . 2009-05-02 18:45 -------- d--h--w C:\BJPrinter
2009-04-26 15:44 . 2009-04-30 20:58 -------- d-----w c:\documents and settings\Tomek\Dane aplikacji\temp
2009-04-26 15:43 . 2009-04-26 15:43 -------- d-----w c:\windows\Logs
2009-04-19 09:17 . 2008-04-03 08:52 20005 ----a-w c:\windows\system32\drivers\keillp.sys
2009-04-19 09:17 . 2008-04-03 08:52 35306 ----a-w c:\windows\system32\drivers\keilul.sys
2009-04-19 09:17 . 2009-04-19 09:17 -------- d-----w C:\Keil
2009-04-19 08:57 . 2009-04-19 08:57 -------- d-----w c:\windows\Sun
2009-04-19 08:56 . 2009-04-19 08:56 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-19 08:56 . 2009-04-19 08:56 -------- d-----w c:\program files\Java
2009-04-09 20:08 . 2001-07-02 19:45 196608 ----a-w c:\windows\system32\Ifc22.dll
2009-04-09 19:59 . 2001-12-12 09:37 30772 ----a-w c:\windows\system32\drivers\ImHidUsb.sys
2009-04-09 19:59 . 2001-12-12 09:37 16384 ----a-w c:\windows\system32\imm_enu.dll
2009-04-09 19:59 . 2000-07-13 13:28 417792 ----a-w c:\windows\system32\ImmSplsh.exe
2009-04-09 19:59 . 2001-12-12 09:38 106496 ----a-w c:\windows\system32\ImmPID.dll
2009-04-09 19:59 . 2000-10-10 14:42 86016 ----a-w c:\windows\system32\Immdx5.dll
2009-04-09 19:59 . 2001-12-12 09:37 1024000 ----a-w c:\windows\system32\ImmCpl.dll
2009-04-09 19:59 . 2000-10-10 14:43 65536 ----a-w c:\windows\system32\Immcheck.exe
2009-04-09 19:59 . 1998-11-03 15:31 61440 ----a-w c:\windows\system32\Iforce2.dll
2009-04-09 19:59 . 2000-08-02 18:01 155648 ----a-w c:\windows\system32\Ifc21.dll
2009-04-09 19:59 . 2009-04-09 19:59 -------- d-----w c:\program files\KYE
2009-04-09 19:59 . 1998-10-29 14:45 306688 ----a-w c:\windows\IsUninst.exe

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 20:28 . 2009-04-02 20:28 98304 ----a-w c:\windows\system32\CmdLineExt.dll
2009-04-02 19:57 . 2009-03-13 20:53 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-02 06:13 . 2009-03-16 12:47 -------- d-----w c:\program files\EPLAN
2009-03-29 19:17 . 2006-03-02 12:00 74648 ----a-w c:\windows\system32\perfc015.dat
2009-03-29 19:17 . 2006-03-02 12:00 448586 ----a-w c:\windows\system32\perfh015.dat
2009-03-22 15:29 . 2009-03-22 15:29 -------- d-----w c:\program files\Common Files\LightScribe
2009-03-22 15:27 . 2009-03-22 15:20 -------- d-----w c:\program files\Common Files\Ahead
2009-03-22 15:20 . 2009-03-22 15:20 -------- d-----w c:\program files\Nero
2009-03-17 20:11 . 2009-03-13 20:23 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-17 14:17 . 2009-03-17 14:16 -------- d-----w c:\program files\EPSON
2009-03-16 12:47 . 2009-03-16 12:47 191488 ----a-w c:\windows\system32\hlvdd.dll
2009-03-15 18:13 . 2009-03-15 18:13 63592 ----a-w c:\documents and settings\Tomek\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-03-15 13:55 . 2009-03-15 13:55 -------- d-----w c:\program files\Microsoft.NET
2009-03-15 13:54 . 2009-03-15 13:54 -------- d-----w c:\program files\Microsoft Works
2009-03-15 11:19 . 2009-03-15 11:19 -------- d-----w c:\program files\Alwil Software
2009-03-14 12:21 . 2009-03-14 12:21 -------- d-----w c:\program files\AskSearch
2009-03-14 12:21 . 2009-03-14 12:21 -------- d-----w c:\program files\AskBarDis
2009-03-14 12:18 . 2009-03-14 12:18 -------- d-----w c:\program files\DAEMON Tools Toolbar
2009-03-14 12:16 . 2009-03-14 12:16 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-03-13 22:11 . 2009-03-13 22:11 98304 ----a-w c:\windows\system32\qttask.exe
2009-03-13 21:33 . 2009-03-13 21:33 0 ----a-w c:\windows\nsreg.dat
2009-03-13 21:25 . 2009-03-13 21:09 -------- d-----w c:\program files\ASUS
2009-03-13 21:25 . 2009-03-13 21:24 -------- d-----w c:\program files\ATKOSD2
2009-03-13 21:24 . 2009-03-13 20:52 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-13 21:08 . 2009-03-13 21:08 -------- d-----w c:\program files\ASUS Security Center
2009-03-13 21:08 . 2009-03-13 21:08 -------- d-----w c:\program files\Fingerprint Sensor
2009-03-13 20:53 . 2009-03-13 20:53 -------- d-----w c:\program files\Realtek
2009-03-13 20:53 . 2009-03-13 20:53 315392 ----a-w c:\windows\HideWin.exe
2009-03-13 20:52 . 2009-03-13 20:52 0 ----a-w c:\windows\ativpsrm.bin
2009-03-13 20:39 . 2009-03-13 20:39 -------- d-----w c:\program files\Intel
2009-03-13 20:24 . 2009-03-13 20:24 -------- d-----w c:\program files\microsoft frontpage
2009-03-13 20:23 . 2006-03-02 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-03-13 20:22 . 2009-03-13 20:22 -------- d-----w c:\program files\Usługi online
2009-03-13 20:21 . 2009-03-13 20:21 21856 ----a-w c:\windows\system32\emptyregdb.dat

.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 11:58 333192 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2006-03-02 15360]
"DAEMON Tools Lite"="d:\programy\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"Gadu-Gadu"="d:\programy\Gadu-Gadu\gg.exe" [2008-03-20 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-07-28 110592]
"CognizanceTS"="c:\progra~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll" [2008-06-16 17920]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2007-06-26 851968]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2007-07-03 7708672]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2008-06-16 36864]
"QuickTime Task"="c:\windows\system32\qttask.exe" [2009-03-13 98304]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"EPSON Stylus DX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE" [2005-02-08 98304]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-19 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-28 16862720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2008-06-16 16:16 74240 ----a-r c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ASWLNPkg

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\PROGRAMY\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\EPLAN\\Education\\1.9.6\\BIN\\W3u.exe"=

R0 lullaby;lullaby;c:\windows\system32\drivers\lullaby.sys [2009-03-13 15416]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-15 114768]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2006-03-02 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2006-03-02 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-15 20560]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-03-13 36864]
S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\ImHidUsb.sys [2009-04-09 30772]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23ee4807-19e4-11de-b0a2-001f3c0b475e}]
\Shell\AutoRun\command - I:\mt.bat
\Shell\open\Command - I:\mt.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32095c84-1092-11de-b098-001f3c0b475e}]
\Shell\AutoRun\command - I:\boyedt.com
\Shell\open\Command - I:\boyedt.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36f245b2-1152-11de-b09b-001f3c0b475e}]
\Shell\AutoRun\command - mt.bat
\Shell\open\Command - mt.bat

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe

.
------- Skan uzupełniający -------
.
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=%s
IE: E&ksport do programu Microsoft Excel - d:\programy\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tomek\Dane aplikacji\Mozilla\Firefox\Profiles\wlqlgpc2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.onet.pl
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll
FF - plugin: d:\programy\ACE Mega CoDecS Pack\SystemS\RealMedia\Browser\plugins\nppl3260.dll
FF - plugin: d:\programy\ACE Mega CoDecS Pack\SystemS\RealMedia\Browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-08 13:28
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-1343024091-412668190-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:38,5e,29,2f,d7,8d,1f,3c,69,94,8a,ac,32,2b,28,22,c3,b3,9d,18,51,1b,56,
6e,9f,27,97,39,91,24,0f,ae,bf,03,f8,fe,a7,9b,2f,db,1d,76,3a,e0,3e,1a,7b,d3,\
"??"=hex:d5,e0,b9,b1,ef,b6,08,91,2d,a4,8d,56,1f,44,89,10
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(1496)
c:\windows\system32\APSHook.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll
c:\program files\asus security center\asus security protect manager\bin\ItMsg.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\TrayIcon.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\bin\brand.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsChnl.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItDAC.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItReports.DLL
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\BioAuth.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASBioAT.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItVCClient.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\AuthWiz.dll

- - - - - - - > 'lsass.exe'(1552)
c:\windows\system32\APSHook.dll
c:\program files\asus security center\asus security protect manager\bin\ASWLNPkg.dll
c:\program files\asus security center\asus security protect manager\bin\ItMsg.dll
.
Czas ukończenia: 2009-05-08 13:29
ComboFix-quarantined-files.txt 2009-05-08 11:29

Przed: 38 091 624 448 bajtów wolnych
Po: 38 279 815 168 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

// Don't hijack other people's threads.
// Logs go in *code tags.
// I'm making a separate topic.
// Putting the logs in code tags.
// djdresik
Gość (Guest), comment 8 May 2009

Paste into Notepad:

Folder::
c:\program files\AskBarDis
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=-
[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

>> File >> Save as... >>> CFScript

Drag and drop the CFScript.txt file onto ComboFix.exe --> the removal should start (and a log will be produced). Post the log that is produced during the removal.

If it goes well, then: after the restart, manually delete the C:\Qoobox folder.
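Before deleting the whole MountPoints2 key as the script above does, a practitioner usually wants to see which cached per-device handlers the log actually contains and which of them launch a program from the device. The following is an added example written for this page, not ComboFix's or the forum's own code. It assumes the ComboFix log layout quoted in this thread (a registry key in brackets on one line, its handler values on the lines after it); the function names are mine, and the excerpt it scans is constructed, using the indicator values that appear in the thread's own log (boyedt.com, mt.bat, autorun.inf at drive roots).

```python
"""Flag removable-media autorun indicators in a ComboFix-style log.

Added example, not ComboFix's or the forum's own code. It assumes the
log layout quoted in the thread: one registry key per line in [...]
brackets, followed by its values on the following lines.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in ComboFix's layout; the indicator values are the
# ones from the thread's own log (boyedt.com, mt.bat, olhrwef.exe).
SAMPLE_LOG = """\
(((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))
.
C:\\autorun.inf
c:\\windows\\system32\\olhrwef.exe
D:\\Autorun.inf
E:\\Autorun.inf
F:\\Autorun.inf
.
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"CTFMON.EXE"="c:\\windows\\system32\\ctfmon.exe" [2006-03-02 15360]
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{23ee4807-19e4-11de-b0a2-001f3c0b475e}]
\\Shell\\AutoRun\\command - I:\\mt.bat
\\Shell\\open\\Command - I:\\mt.bat
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{32095c84-1092-11de-b098-001f3c0b475e}]
\\Shell\\AutoRun\\command - I:\\boyedt.com
\\Shell\\open\\Command - I:\\boyedt.com
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{36f245b2-1152-11de-b09b-001f3c0b475e}]
\\Shell\\AutoRun\\command - mt.bat
\\Shell\\open\\Command - mt.bat
[HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\\program files\\Common Files\\LightScribe\\LSRunOnce.exe"
"""

# Key header of a cached per-device handler under Explorer's MountPoints2.
MOUNTPOINT_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\.*\\explorer\\mountpoints2\\(\{[0-9a-f-]{36}\})\]$", re.I)
# "\Shell\<verb>\command - <command line>" value lines under such a key.
SHELL_COMMAND = re.compile(r"^\\Shell\\(\w+)\\command - (.+?)\s*$", re.I)
# autorun.inf sitting at the root of a drive (how the handler got planted).
ROOT_AUTORUN_INF = re.compile(r"^([a-z]):\\autorun\.inf$", re.I)
# Extensions Explorer runs as a program when the handler fires.
EXEC_EXT = (".com", ".bat", ".exe", ".cmd", ".scr", ".pif", ".vbs")


def parse_mountpoints(log: str) -> List[Tuple[str, str, str]]:
    """Return (device guid, verb, command) for every MountPoints2 handler."""
    entries: List[Tuple[str, str, str]] = []
    current = None
    for line in log.splitlines():
        key = MOUNTPOINT_KEY.match(line)
        if key:
            current = key.group(1).lower()
            continue
        if line.startswith("["):          # any other key ends the block
            current = None
            continue
        val = SHELL_COMMAND.match(line)
        if val and current:
            entries.append((current, val.group(1).lower(), val.group(2)))
    return entries


def command_target(cmd: str) -> str:
    """First token of a command line, honouring a quoted program path."""
    s = cmd.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    parts = s.split()
    return parts[0] if parts else s


def is_suspicious_command(cmd: str) -> bool:
    """A handler that launches an executable straight from the device."""
    return command_target(cmd).lower().endswith(EXEC_EXT)


def find_indicators(log: str) -> Dict[str, list]:
    """Collect the two signs of a USB autorun worm that the thread's log shows."""
    handlers = [e for e in parse_mountpoints(log) if is_suspicious_command(e[2])]
    drives = sorted({m.group(1).upper()
                     for m in map(ROOT_AUTORUN_INF.match, log.splitlines()) if m})
    return {"mountpoints": handlers, "autorun_inf_drives": drives}


if __name__ == "__main__":
    report = find_indicators(SAMPLE_LOG)
    for drive in report["autorun_inf_drives"]:
        print(f"autorun.inf at root of {drive}:")
    for guid, verb, cmd in report["mountpoints"]:
        print(f"MountPoints2 {guid} {verb} -> {cmd}")
```

On the constructed excerpt it reports autorun.inf on C:, D:, E: and F: and six handlers (AutoRun and open for each of the three device GUIDs), all pointing at an executable on the removable drive. Deleting the MountPoints2 key, as the CFScript does, only clears these cached handlers; the autorun.inf and the program on the USB stick itself still need to be removed, otherwise the next insert plants the same entries again.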
ciacho191 (author), comment 8 May 2009

Thank you very much, and sorry for making a mess on the forum. Regards. Log after the fix:

ComboFix 09-05-06.08 - Tomek 2009-05-08 19:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.2047.1560 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Tomek\Pulpit\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\Tomek\Pulpit\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090507-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskBarDis
c:\program files\AskBarDis\bar\bin\askBar.dll
c:\program files\AskBarDis\bar\bin\askPopStp.dll
c:\program files\AskBarDis\bar\bin\psvince.dll
c:\program files\AskBarDis\bar\Cache\0A265A67
c:\program files\AskBarDis\bar\Cache\0A265D65.bin
c:\program files\AskBarDis\bar\Cache\0F49D5F4.bin
c:\program files\AskBarDis\bar\Cache\0F49D901.bin
c:\program files\AskBarDis\bar\Cache\0F49DA4A.bin
c:\program files\AskBarDis\bar\Cache\0F49DBA1.bin
c:\program files\AskBarDis\bar\Cache\0F49DD47.bin
c:\program files\AskBarDis\bar\Cache\0F49DE9F.bin
c:\program files\AskBarDis\bar\Cache\0F49DFE7.bin
c:\program files\AskBarDis\bar\Cache\0F49E120.bin
c:\program files\AskBarDis\bar\Cache\0F49E277.bin
c:\program files\AskBarDis\bar\Cache\files.ini
c:\program files\AskBarDis\bar\History\search
c:\program files\AskBarDis\bar\Settings\config.dat
c:\program files\AskBarDis\bar\Settings\config.dat.bak
c:\program files\AskBarDis\bar\Settings\prevcfg.htm
c:\program files\AskBarDis\bar\Settings\prevCfg2.htm
c:\program files\AskBarDis\unins000.dat
c:\program files\AskBarDis\unins000.exe

.
((((((((((((((((((((((((( Pliki utworzone od 2009-04-08 do 2009-05-08 )))))))))))))))))))))))))))))))
.

2009-05-08 11:23 . 2009-05-08 11:23 -------- d-----w c:\program files\Trend Micro
2009-05-02 21:07 . 2009-05-08 14:34 -------- d-----w c:\documents and settings\Tomek\Dane aplikacji\GanymedeNet
2009-05-02 21:06 . 2009-05-02 21:07 -------- d-----w c:\program files\Ganymede
2009-05-01 12:48 . 2003-02-28 07:00 5632 ----a-w c:\windows\system32\CNMVS50.DLL
2009-05-01 12:48 . 2003-02-28 07:00 100352 ----a-w c:\windows\system32\CNMLM50.DLL
2009-05-01 12:48 . 2003-02-14 17:01 73728 ----a-r c:\windows\system32\CNMCP50.exe
2009-05-01 12:48 . 2009-05-02 18:45 -------- d--h--w C:\BJPrinter
2009-04-26 15:44 . 2009-04-30 20:58 -------- d-----w c:\documents and settings\Tomek\Dane aplikacji\temp
2009-04-26 15:43 . 2009-04-26 15:43 -------- d-----w c:\windows\Logs
2009-04-19 09:17 . 2008-04-03 08:52 20005 ----a-w c:\windows\system32\drivers\keillp.sys
2009-04-19 09:17 . 2008-04-03 08:52 35306 ----a-w c:\windows\system32\drivers\keilul.sys
2009-04-19 09:17 . 2009-04-19 09:17 -------- d-----w C:\Keil
2009-04-19 08:57 . 2009-04-19 08:57 -------- d-----w c:\windows\Sun
2009-04-19 08:56 . 2009-04-19 08:56 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-19 08:56 . 2009-04-19 08:56 -------- d-----w c:\program files\Java
2009-04-09 20:08 . 2001-07-02 19:45 196608 ----a-w c:\windows\system32\Ifc22.dll
2009-04-09 19:59 . 2001-12-12 09:37 30772 ----a-w c:\windows\system32\drivers\ImHidUsb.sys
2009-04-09 19:59 . 2001-12-12 09:37 16384 ----a-w c:\windows\system32\imm_enu.dll
2009-04-09 19:59 . 2000-07-13 13:28 417792 ----a-w c:\windows\system32\ImmSplsh.exe
2009-04-09 19:59 . 2001-12-12 09:38 106496 ----a-w c:\windows\system32\ImmPID.dll
2009-04-09 19:59 . 2000-10-10 14:42 86016 ----a-w c:\windows\system32\Immdx5.dll
2009-04-09 19:59 . 2001-12-12 09:37 1024000 ----a-w c:\windows\system32\ImmCpl.dll
2009-04-09 19:59 . 2000-10-10 14:43 65536 ----a-w c:\windows\system32\Immcheck.exe
2009-04-09 19:59 . 1998-11-03 15:31 61440 ----a-w c:\windows\system32\Iforce2.dll
2009-04-09 19:59 . 2000-08-02 18:01 155648 ----a-w c:\windows\system32\Ifc21.dll
2009-04-09 19:59 . 2009-04-09 19:59 -------- d-----w c:\program files\KYE
2009-04-09 19:59 . 1998-10-29 14:45 306688 ----a-w c:\windows\IsUninst.exe

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 20:28 . 2009-04-02 20:28 98304 ----a-w c:\windows\system32\CmdLineExt.dll
2009-04-02 19:57 . 2009-03-13 20:53 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-02 06:13 . 2009-03-16 12:47 -------- d-----w c:\program files\EPLAN
2009-03-29 19:17 . 2006-03-02 12:00 74648 ----a-w c:\windows\system32\perfc015.dat
2009-03-29 19:17 . 2006-03-02 12:00 448586 ----a-w c:\windows\system32\perfh015.dat
2009-03-22 15:29 . 2009-03-22 15:29 -------- d-----w c:\program files\Common Files\LightScribe
2009-03-22 15:27 . 2009-03-22 15:20 -------- d-----w c:\program files\Common Files\Ahead
2009-03-22 15:20 . 2009-03-22 15:20 -------- d-----w c:\program files\Nero
2009-03-17 20:11 . 2009-03-13 20:23 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-17 14:17 . 2009-03-17 14:16 -------- d-----w c:\program files\EPSON
2009-03-16 12:47 . 2009-03-16 12:47 191488 ----a-w c:\windows\system32\hlvdd.dll
2009-03-15 18:13 . 2009-03-15 18:13 63592 ----a-w c:\documents and settings\Tomek\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-03-15 13:55 . 2009-03-15 13:55 -------- d-----w c:\program files\Microsoft.NET
2009-03-15 13:54 . 2009-03-15 13:54 -------- d-----w c:\program files\Microsoft Works
2009-03-15 11:19 . 2009-03-15 11:19 -------- d-----w c:\program files\Alwil Software
2009-03-14 12:21 . 2009-03-14 12:21 -------- d-----w c:\program files\AskSearch
2009-03-14 12:18 . 2009-03-14 12:18 -------- d-----w c:\program files\DAEMON Tools Toolbar
2009-03-14 12:16 . 2009-03-14 12:16 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-03-13 22:11 . 2009-03-13 22:11 98304 ----a-w c:\windows\system32\qttask.exe
2009-03-13 21:33 . 2009-03-13 21:33 0 ----a-w c:\windows\nsreg.dat
2009-03-13 21:25 . 2009-03-13 21:09 -------- d-----w c:\program files\ASUS
2009-03-13 21:25 . 2009-03-13 21:24 -------- d-----w c:\program files\ATKOSD2
2009-03-13 21:24 . 2009-03-13 20:52 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-13 21:08 . 2009-03-13 21:08 -------- d-----w c:\program files\ASUS Security Center
2009-03-13 21:08 . 2009-03-13 21:08 -------- d-----w c:\program files\Fingerprint Sensor
2009-03-13 20:53 . 2009-03-13 20:53 -------- d-----w c:\program files\Realtek
2009-03-13 20:53 . 2009-03-13 20:53 315392 ----a-w c:\windows\HideWin.exe
2009-03-13 20:52 . 2009-03-13 20:52 0 ----a-w c:\windows\ativpsrm.bin
2009-03-13 20:39 . 2009-03-13 20:39 -------- d-----w c:\program files\Intel
2009-03-13 20:24 . 2009-03-13 20:24 -------- d-----w c:\program files\microsoft frontpage
2009-03-13 20:23 . 2006-03-02 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-03-13 20:22 . 2009-03-13 20:22 -------- d-----w c:\program files\Usługi online
2009-03-13 20:21 . 2009-03-13 20:21 21856 ----a-w c:\windows\system32\emptyregdb.dat

.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2006-03-02 15360]
"DAEMON Tools Lite"="d:\programy\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"Gadu-Gadu"="d:\programy\Gadu-Gadu\gg.exe" [2008-03-20 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-07-28 110592]
"CognizanceTS"="c:\progra~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll" [2008-06-16 17920]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2007-06-26 851968]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2007-07-03 7708672]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2008-06-16 36864]
"QuickTime Task"="c:\windows\system32\qttask.exe" [2009-03-13 98304]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"EPSON Stylus DX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE" [2005-02-08 98304]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-19 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-28 16862720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2008-06-16 16:16 74240 ----a-r c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ASWLNPkg

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\PROGRAMY\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\EPLAN\\Education\\1.9.6\\BIN\\W3u.exe"=

R0 lullaby;lullaby;c:\windows\system32\drivers\lullaby.sys [2009-03-13 15416]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-15 114768]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2006-03-02 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2006-03-02 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-15 20560]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-03-13 36864]
S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\ImHidUsb.sys [2009-04-09 30772]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - USUNIĘTO PUSTE WPISY - - - -

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)

.
------- Skan uzupełniający -------
.
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=%s
IE: E&ksport do programu Microsoft Excel - d:\programy\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tomek\Dane aplikacji\Mozilla\Firefox\Profiles\wlqlgpc2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.onet.pl
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll
FF - plugin: d:\programy\ACE Mega CoDecS Pack\SystemS\RealMedia\Browser\plugins\nppl3260.dll
FF - plugin: d:\programy\ACE Mega CoDecS Pack\SystemS\RealMedia\Browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-08 19:36
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-1343024091-412668190-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:38,5e,29,2f,d7,8d,1f,3c,69,94,8a,ac,32,2b,28,22,c3,b3,9d,18,51,1b,56,
6e,9f,27,97,39,91,24,0f,ae,bf,03,f8,fe,a7,9b,2f,db,1d,76,3a,e0,3e,1a,7b,d3,\
"??"=hex:d5,e0,b9,b1,ef,b6,08,91,2d,a4,8d,56,1f,44,89,10
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(1496)
c:\windows\system32\APSHook.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll
c:\program files\asus security center\asus security protect manager\bin\ItMsg.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\TrayIcon.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\bin\brand.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsChnl.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItDAC.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItReports.DLL
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\BioAuth.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASBioAT.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItVCClient.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\AuthWiz.dll

- - - - - - - > 'lsass.exe'(1552)
c:\windows\system32\APSHook.dll
c:\program files\asus security center\asus security protect manager\bin\ASWLNPkg.dll
c:\program files\asus security center\asus security protect manager\bin\ItMsg.dll
.
Czas ukończenia: 2009-05-08 19:37
ComboFix-quarantined-files.txt 2009-05-08 17:36

Przed: 37 497 802 752 bajtów wolnych
Po: 37 486 047 232 bajtów wolnych

208

// I'm reminding you once again: logs go inside code/code tags. // Fixing it. // djdresik
Guest, comment, 9 May 2009

Clean.

1. Clean up after ComboFix and the other tools >>> OTCleanIt.
2. You remove it from the "System Volume Information" folder by temporarily turning off "System Restore": >Control Panel>System>System Restore>>tick the box next to "Turn off System Restore on all drives">Apply>OK. Afterwards you can return to the previous setting (i.e. untick the box).
3. Perform a system optimization.
4. Scan the My Computer area with http://www.kaspersky.pl/virusscanner.html (run it through IE). Post its report on the forum.
ciacho191, comment, 9 May 2009 (Author)

Report from Kaspersky:

--------------------------------------------------------------------------------
RAPORT KASPERSKY ONLINE SCANNER 7.0
sobota, 9 maj 2009
System operacyjny: Microsoft Windows XP Professional Dodatek Service Pack 2 (build 2600)
Wersja Kaspersky Online Scanner: 7.0.26.12
Data ostatniej aktualizacji bazy danych: Saturday, May 09, 2009 17:03:25
Liczba wpisów: 2151382
--------------------------------------------------------------------------------
Ustawienia skanowania:
Typ bazy danych użytej do skanowania: rozszerzona
Skanuj archiwa: tak
Skanuj pocztowe bazy danych: tak
Obszar skanowania - Mój komputer:
C:\
D:\
E:\
F:\
G:\
H:\
Statystyki skanowania:
Przeskanowanych plików: 161886
Nazwa zagrożenia: 1
Zainfekowanych obiektów: 3
Podejrzanych obiektów: 0
Czas skanowania: 02:18:05
Nazwa pliku / Nazwa zagrożenia / Liczba zagrożeń
D:\boyedt.com Zainfekowany: Trojan-GameThief.Win32.OnLineGames.blzx 1
E:\boyedt.com Zainfekowany: Trojan-GameThief.Win32.OnLineGames.blzx 1
F:\boyedt.com Zainfekowany: Trojan-GameThief.Win32.OnLineGames.blzx 1
Wybrany obszar został przeskanowany.
Guest, comment, 9 May 2009

Download ---> The Avenger

Paste this text into it:

Files to delete:
D:\boyedt.com
E:\boyedt.com
F:\boyedt.com

Copy it - click Paste Script from Clipboard - Execute - confirm and agree to the restart by clicking OK. When it has finished, delete the file C:\Avenger\backup.zip from the disk and paste the report C:\avenger.txt on the forum.
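The Avenger script above was written by hand from the three result lines in the Kaspersky report. As an added example (not from this thread, Kaspersky or Avenger; the function names are my own), this Python snippet derives it from the report text: it picks out the infected paths from lines of the form `<path> Zainfekowany: <threat> <count>`, deduplicates them, refuses anything that is not an absolute drive path, and renders the `Files to delete:` block in the layout the post uses. The sample report lines are re-typed from the post above so the snippet runs offline.

```python
import re
from typing import Dict, List

# Sample input: the result section of the Kaspersky Online Scanner report
# posted in this thread, re-typed here as constructed test data.
SAMPLE_REPORT = """Nazwa pliku / Nazwa zagrożenia / Liczba zagrożeń
D:\\boyedt.com Zainfekowany: Trojan-GameThief.Win32.OnLineGames.blzx 1
E:\\boyedt.com Zainfekowany: Trojan-GameThief.Win32.OnLineGames.blzx 1
F:\\boyedt.com Zainfekowany: Trojan-GameThief.Win32.OnLineGames.blzx 1
Wybrany obszar został przeskanowany."""

# One result line: "<absolute path> Zainfekowany: <threat name> <count>".
# Paths may contain spaces, so the path group is matched lazily up to the
# "Zainfekowany:" (infected) marker that the Polish report prints.
RESULT_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+Zainfekowany:\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)


def infected_files(report: str) -> Dict[str, str]:
    """Map each infected path to its threat name, keeping report order."""
    found: Dict[str, str] = {}
    for raw in report.splitlines():
        match = RESULT_LINE.match(raw.strip())
        if match:
            found.setdefault(match.group("path"), match.group("threat"))
    return found


def avenger_script(paths: List[str]) -> str:
    """Render an Avenger 'Files to delete:' block, one path per line.

    Avenger takes the list literally, so every entry must be an absolute
    drive path; anything else is rejected instead of being emitted.
    """
    if not paths:
        raise ValueError("no files to delete")
    for p in paths:
        if not re.match(r"^[A-Za-z]:\\", p):
            raise ValueError(f"not an absolute drive path: {p!r}")
    return "Files to delete:\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = infected_files(SAMPLE_REPORT)
    for path, threat in hits.items():
        print(f"{path}  ->  {threat}")
    print(avenger_script(list(hits)))
```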
ciacho191, comment, 9 May 2009 (Author) (edited)

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "D:\boyedt.com" deleted successfully.
File "E:\boyedt.com" deleted successfully.
File "F:\boyedt.com" deleted successfully.

Completed script processing.

Sorry for my lack of reading comprehension.
Guest, comment, 9 May 2009

Clean up after Avenger and the other tools >>> OTCleanIt. That is all from my side.