Pejak, created 10 May 2009 (edited)

Hi, lately something bad has started happening to my computer: files like service.exe, shjmpmkk, reader_s and other shit keep appearing, so I decided to post the logs. Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:12:37, on 2009-05-10
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ja\Dane aplikacji\Microsoft\Windows\lsass.exe
C:\WINDOWS\system32\RunDll32.exe
D:\Theodora\GammaAdjuster.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [GammaAdjuster] D:\Theodora\GammaAdjuster.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [steam] "d:\gry\steam\steam.exe" -silent
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-1869437130-8582227053-531412807-1740\service.exe
O4 - HKLM\..\Policies\Explorer\Run: [Lsass Service] C:\Documents and Settings\Ja\Dane aplikacji\Microsoft\Windows\lsass.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} (PPLive Lite Class) - http://dl.pplive.com/PluginSetup.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\PROGRA~1\EasyPHP 2.0b1\Apache\bin\apache.exe (file missing)
O23 - Service: Usługa inteligentnego transferu w tle (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MySQL - Unknown owner - C:\PROGRA~1\EasyPHP 2.0b1\MySql\bin\mysqld.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeIRC Server (OfficeIRC) - Unknown owner - D:\Theodora\IRC\Server\OfficeIRC.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Aktualizacje automatyczne (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 4989 bytes
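An added example, not part of the post and not a HijackThis feature: a small Python triage pass over O4 autostart lines, flagging the traits that make the two malicious entries in the log above stand out (execution from RECYCLER, a core system-binary name outside system32, a user-profile path, a GUID-like value name, use of the Policies\Explorer\Run key). The sample lines are copied from the log; the heuristics and function names are my own.

```python
# Triage of HijackThis "O4" autostart lines (added example, not HijackThis code).
# Sample lines below are copied from the log in the post; the heuristic rules
# and the function names are assumptions of this example, not tool output.
import re
from typing import Dict, List, Tuple

# Copied from the HijackThis log above: three benign entries and the two that
# the thread ends up removing.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [GammaAdjuster] D:\Theodora\GammaAdjuster.exe",
    r'O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray',
    r"O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-1869437130-8582227053-531412807-1740\service.exe",
    r"O4 - HKLM\..\Policies\Explorer\Run: [Lsass Service] C:\Documents and Settings\Ja\Dane aplikacji\Microsoft\Windows\lsass.exe",
    r"O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')",
]

# "O4 - <registry location>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Core Windows binaries that are legitimate only inside the system directory;
# a copy of one of these elsewhere is a classic impersonation trick.
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                   "services.exe", "svchost.exe"}
# Value names made of dash-separated random blocks (4+ blocks), like the
# RECYCLER entry above; legitimate software rarely names its Run value this way.
GUID_LIKE = re.compile(r"^[0-9A-Z]+(-[0-9A-Z]+){3,}$", re.I)
EXT = r"\.(?:exe|com|bat|cmd|dll|scr|pif)"


def image_path(cmd: str) -> str:
    """Return the executable path from a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the path ends at the first executable extension that is
    # followed by whitespace (a switch or HijackThis' "(User ...)" suffix) or EOL.
    m = re.match(r"(.+?" + EXT + r")(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def triage_o4(line: str) -> Tuple[str, List[str]]:
    """Return (value name, reasons) for one O4 line; an empty list means nothing odd."""
    m = O4_RE.match(line)
    if not m:
        raise ValueError("not an O4 line: " + line)
    hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
    low = image_path(cmd).lower()
    base = low.rsplit("\\", 1)[-1]
    reasons: List[str] = []
    if "\\recycler\\" in low or "\\$recycle.bin\\" in low:
        reasons.append("runs from the Recycle Bin directory")
    if base in SYSTEM_BINARIES and "\\windows\\system32\\" not in low:
        reasons.append("system binary name outside system32: " + base)
    if "\\documents and settings\\" in low or "\\users\\" in low:
        reasons.append("autostart from a user profile directory")
    if GUID_LIKE.match(name):
        reasons.append("random/GUID-like value name")
    if "policies\\explorer\\run" in hive.lower():
        reasons.append("uses the Policies\\Explorer\\Run key (rare for legitimate software)")
    return name, reasons


def suspicious_entries(lines: List[str]) -> Dict[str, List[str]]:
    """Map value name -> reasons for every O4 line that trips at least one rule."""
    found: Dict[str, List[str]] = {}
    for line in lines:
        if line.startswith("O4 - "):
            name, reasons = triage_o4(line)
            if reasons:
                found[name] = reasons
    return found


if __name__ == "__main__":
    for name, reasons in suspicious_entries(SAMPLE_O4_LINES).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Running the block against the sample lines reports only the RECYCLER service.exe entry and the "Lsass Service" entry, matching what ComboFix later removed.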
Pejak (Author), comment 10 May 2009

ComboFix hits some weird hang and I probably won't manage to do anything about it, so here's a log from Silent Runners:

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"Steam" = ""d:\gry\steam\steam.exe" -silent" ["Valve Corporation"]
"12ZFG94-F641-2SF-K31P-5N1ER6H6L2" = "C:\RECYCLER\S-1-5-21-1869437130-8582227053-531412807-1740\service.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"Lsass Service" = "C:\Documents and Settings\Ja\Dane aplikacji\Microsoft\Windows\lsass.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"GammaAdjuster" = "D:\Theodora\GammaAdjuster.exe" [empty string]
"MSConfig" = "C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{03c80ce8-c88d-4722-8e17-d363697f6590}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\bvxxskwf.dll" [null data]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{09c0dfb2-2564-4ea3-b360-73bf3d4b33fb}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\pmnkHBsR.dll" [null data]
{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\byXRiFww.dll" [null data]
{7498CDF8-A95C-4F43-B554-BE3B4EBEFE0D}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "c:\windows\system32\sacqnwh.dll" [MS]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "Eset Smart Security - Context Menu Shell Extension"
  -> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"
  -> {HKLM...CLSID} = "Eksplorator pulpitów"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser"
  -> {HKLM...CLSID} = "Nokia Phone Browser"
                   \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 7\phonebrowser.dll" ["Nokia"]
"{455fc877-79ed-4440-9ec6-3b89568a5f94}" = "MS Flash Adapter"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\lqikfh.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{455fc877-79ed-4440-9ec6-3b89568a5f94}" = "{49f5a865-98b3-6ce9-0444-de97778cf554}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\lqikfh.dll" [null data]
<<!>> "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}" = "*g" (unwritable string)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\byXRiFww.dll" [null data]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\pmnkHBsR"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> byXRiFww\DLLName = "byXRiFww.dll" [null data]
<<!>> crypt\DLLName = "crypts.dll" [null data]
<<!>> mqlzozdr\DLLName = "sacqnwh.dll" [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Eset Smart Security - Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"]
Notepad++\(Default) = "{120B94B5-2E6A-4F13-94D0-414BCB64FA0F}"
  -> {HKLM...CLSID} = "Notepad++"
                   \InProcServer32\(Default) = "C:\Program Files\Notepad++\nppcm.dll" ["Burgaud.com"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Eset Smart Security - Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Devices: Allow undock without having to log on}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

BridgeCS3ImportMediaOnArrival\
"Provider" = "Adobe Bridge CS3"
"InvokeProgID" = "Adobe.adobebridge"
"InvokeVerb" = "launch"
HKLM\SOFTWARE\Classes\Adobe.adobebridge\shell\launch\command\(Default) = "D:\Progsy\Adobe\Adobe Bridge CS3\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."]

BSplayerCDDA\
"Provider" = "BSplayer multimedia player"
"InvokeProgID" = "BSP.plist"
"InvokeVerb" = "play"
HKCU\Software\Classes\BSP.plist\shell\play\command\(Default) = "D:\Progsy\Webteh\BSplayer\bsplayer.exe "%L"" ["Webteh"]

MPCPlayCDAudioOnArrival\
"Provider" = "Media Player Classi"
"InvokeProgID" = "MPC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\MPC.CDAudio\shell\play\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %L /cd" ["Gabest"]

MPCPlayDVDMovieOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MPC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\MPC.DVDMovie\shell\play\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %L /dvd" ["Gabest"]

NeroAutoPlayEmptyCD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "EmptyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\EmptyCD\command\(Default) = ""C:\Program Files\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]

NMMPlayCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMPlayCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMPlayCD\command\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 7\MusicManager.exe /playCD "%L"" ["Nokia"]

NMMRipCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMRipCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMRipCD\command\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 7\MusicManager.exe /ripCD "%L"" ["Nokia"]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "D:\Progsy\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""D:\Progsy\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
  -> {HKLM...CLSID} = (no title provided)
                   \LocalServer32\(Default) = ""D:\Progsy\Winamp\winamp.exe"" ["Nullsoft"]


Enabled Scheduled Tasks:
------------------------

"GoogleUpdateTaskUserS-1-5-21-1454471165-1770027372-839522115-1003" -> launches: "C:\Documents and Settings\Ja\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe /c" ["Google Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{D2F8F919-690B-4EA2-9FA7-A203D1E04F75}" = (no title provided)
  -> {HKLM...CLSID} = "StylerToolBar"
                   \InProcServer32\(Default) = "C:\Program Files\Styler\TB\StylerTB.dll" ["StyleFantasist"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Eset Service, ekrn, ""C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"" ["ESET"]
PCANDIS5 NDIS Protocol Controller, zzcsvtlb, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\sacqnwh.dll" [MS]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


---------- (launch time: 2009-05-10 13:16:34)

<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 295 seconds.

---------- (total run time: 357 seconds)
Pejak (Author), comment 10 May 2009

ComboFix 09-05-08.03 - Ja 2009-05-10 13:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.511.237 [GMT 2:00]
Uruchomiony z: d:\instalki\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Outdated)
 * Resident AV is active.

((((((((((((((((((((((((((((((((((((((( Usunięto ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Ja\Dane aplikacji\Microsoft\Windows\lsass.exe
C:\e2.cmd
C:\ej10fkdo.bat
C:\em8tqm.cmd
C:\hkn6k.bat
C:\i.cmd
C:\minm.cmd
C:\mt.bat
C:\nu.cmd
C:\rbj9jn1n.bat
C:\rwj0.cmd
c:\windows\system32\bvxxskwf.dll
c:\windows\system32\byXRiFww.dll
c:\windows\system32\crypts.dll
c:\windows\system32\drivers\52300a51.sys
c:\windows\system32\efcCrRHx.dll
c:\windows\system32\iwfxgaif.dll
c:\windows\system32\kkmpmjhs.ini
c:\windows\system32\lqikfh.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\pmnkHBsR.dll
c:\windows\system32\reader_s.exe
c:\windows\system32\RsBHknmp.ini
c:\windows\system32\RsBHknmp.ini2
c:\windows\system32\sacqnwh.dll
c:\windows\system32\shjmpmkk.dll
C:\xsia.bat
D:\e2.cmd
D:\ej10fkdo.bat
D:\em8tqm.cmd
D:\hkn6k.bat
D:\i.cmd
D:\minm.cmd
D:\mt.bat
D:\nu.cmd
D:\rbj9jn1n.bat
D:\rwj0.cmd
D:\xsia.bat

Zainfekowana kopia została znaleziona. Problem naprawiono
Plik odzyskano z - 
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_zzcsvtlb
-------\Service_52300a51
-------\Service_zzcsvtlb


((((((((((((((((((((((((( Pliki utworzone od 2009-04-10 do 2009-05-10 )))))))))))))))))))))))))))))))
.

2009-05-10 11:34 . 2009-05-10 11:39 94588 ----a-w c:\windows\system32\drivers\296a9116.sys
2009-05-10 11:34 . 2009-05-10 11:34 39425 ----a-w c:\documents and settings\Ja\reader_s.exe
2009-05-10 11:34 . 2009-05-10 11:34 0 ----a-w C:\wjcl.exe
2009-05-10 11:34 . 2009-05-10 11:34 81920 ----a-w C:\vfmf.exe
2009-05-10 11:34 . 2009-05-10 11:34 7680 ----a-w C:\ueksxwdu.exe
2009-05-10 11:12 . 2009-05-10 11:12 -------- d-----w c:\program files\Trend Micro
2009-05-10 10:56 . 2009-05-10 10:56 20480 ---h--r c:\windows\system32\svcht.exe
2009-05-10 10:40 . 2009-05-10 10:40 -------- d-----w c:\documents and settings\NetworkService\Dane aplikacji\wurjtydv
2009-05-10 10:40 . 2009-05-10 10:40 -------- d-----w c:\documents and settings\NetworkService\Ustawienia lokalne\Dane aplikacji\wurjtydv
2009-05-10 09:31 . 2009-05-10 09:31 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\wurjtydv
2009-05-10 09:31 . 2009-05-10 09:31 -------- d-----w c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\wurjtydv
2009-05-10 07:22 . 2009-05-10 07:22 -------- d-----w c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\Opera
2009-05-10 07:22 . 2009-05-10 07:22 -------- d-----w c:\program files\Opera
2009-05-10 05:36 . 2009-05-10 08:10 -------- d-----w c:\program files\Total Video Converter
2009-05-09 20:38 . 2009-05-09 20:37 108772 --sh--r C:\ysep1.exe
2009-05-06 19:42 . 2009-05-06 19:41 107719 --sh--r C:\boyedt.com
2009-05-05 19:27 . 2009-05-05 19:27 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\AccurateRip
2009-05-05 19:27 . 2009-05-05 19:26 5433520 ----a-w c:\windows\system32\SpoonUninstall.exe
2009-05-05 19:27 . 2009-05-05 19:27 -------- d-----w c:\program files\Illustrate
2009-05-03 10:38 . 2009-05-10 04:37 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\Moyea
2009-05-03 10:38 . 2009-05-10 04:43 -------- d-----w c:\program files\Moyea
2009-05-03 10:35 . 2009-05-03 10:35 -------- d-----w C:\output
2009-05-01 17:57 . 2009-05-02 15:02 108001 --sh--r C:\fbak.exe
2009-05-01 17:14 . 2009-05-01 17:14 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\ViStart
2009-05-01 16:01 . 2009-05-01 16:01 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\Styler
2009-05-01 15:48 . 2009-05-01 16:01 -------- d-----w c:\program files\Styler
2009-05-01 15:40 . 2004-11-28 19:25 219136 ----a-w c:\windows\system\uxtheme.dll
2009-04-28 18:48 . 2009-04-28 18:47 105774 --sh--r C:\ymxf2.exe
2009-04-28 15:23 . 2009-04-28 15:24 -------- d-----w c:\program files\NAPI-PROJEKT
2009-04-28 15:12 . 2009-04-28 15:13 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\BESTplayer
2009-04-25 19:15 . 2009-04-27 05:33 106709 --sh--r C:\eyt.exe
2009-04-25 08:26 . 2009-04-25 08:25 106749 --sh--r C:\npee.com
2009-04-21 18:22 . 2009-04-22 18:51 109601 --sh--r C:\g1ljsm.com
2009-04-14 21:02 . 2009-04-14 21:02 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\PC Suite
2009-04-14 21:02 . 2009-04-14 21:02 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\PC Suite
2009-04-14 21:01 . 2009-04-14 21:01 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\Nokia
2009-04-14 20:59 . 2009-04-14 20:59 -------- d-----w c:\program files\Common Files\PCSuite
2009-04-14 20:59 . 2009-04-14 20:59 -------- d-----w c:\program files\Common Files\Nokia
2009-04-14 20:58 . 2007-09-17 13:53 21632 ----a-w c:\windows\system32\drivers\pccsmcfd.sys
2009-04-14 20:58 . 2009-04-14 20:58 -------- d-----w c:\program files\PC Connectivity Solution
2009-04-14 20:58 . 2009-04-14 20:59 -------- d-----w c:\program files\Nokia
2009-04-14 20:57 . 2009-04-14 20:57 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Installations
2009-04-14 20:28 . 2009-04-15 19:02 109249 --sh--r C:\[u]0[/u]xuc.com
2009-04-13 17:25 . 2009-04-13 17:25 109163 --sh--r C:\qwtb.com
2009-04-11 11:34 . 2009-04-11 11:34 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\Octoshape
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 08:02 . 2008-12-01 13:40 -------- d-----w c:\program files\sXe Injected
2009-05-10 08:00 . 2008-11-02 14:52 -------- d-----w c:\program files\ATI Technologies
2009-05-10 08:00 . 2008-05-23 07:59 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-10 07:51 . 2008-09-17 13:45 -------- d-----w c:\program files\Gamers.IRC
2009-05-10 05:48 . 2008-05-23 09:40 16384 ----a-w c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-04-10 07:35 . 2009-04-09 06:54 110321 --sh--r C:\1ogf.exe
2009-04-04 08:01 . 2009-04-03 05:28 110157 --sh--r C:\cqxj.exe
2009-04-01 16:51 . 2009-04-01 16:51 108083 --sh--r C:\o3n9k.com
2009-03-31 20:41 . 2009-03-29 08:11 108693 --sh--r C:\[u]0[/u]bcobed.exe
2009-03-29 08:14 . 2001-10-26 16:15 76208 ----a-w c:\windows\system32\perfc015.dat
2009-03-29 08:14 . 2001-10-26 16:15 454178 ----a-w c:\windows\system32\perfh015.dat
2009-03-26 11:55 . 2009-03-26 11:55 13824 ----a-w c:\windows\system32\drivers\splitcam.sys
2009-03-26 11:54 . 2009-03-26 11:54 -------- d-----w c:\program files\SplitCam
2009-03-23 20:45 . 2008-05-23 08:01 -------- d-----w c:\program files\C-Media 3D Audio
2009-03-18 15:14 . 2009-03-18 15:15 110053 --sh--r C:\q0dhfjf.exe
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]
"Steam"="d:\gry\steam\steam.exe" [2009-03-24 1410296]
"12ZFG94-F641-2SF-K31P-5N1ER6H6L2"="c:\recycler\S-1-5-21-1869437130-8582227053-531412807-1740\service.exe" [2009-05-10 39936]
"reader_s"="c:\documents and settings\Ja\reader_s.exe" [2009-05-10 39425]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GammaAdjuster"="d:\theodora\GammaAdjuster.exe" [2007-09-08 191488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\pmnkHBsR

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Kalendarz XP.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Kalendarz XP.lnk
backup=c:\windows\pss\Kalendarz XP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ja^Menu Start^Programy^Autostart^lsass.exe]
path=c:\documents and settings\Ja\Menu Start\Programy\Autostart\lsass.exe
backup=c:\windows\pss\lsass.exeStartup

[HKLM\~\startupfolder\c:^documents and settings^ja^menu start^programy^autostart^styler.lnk]
path=c:\documents and settings\Ja\Menu Start\Programy\Autostart\Styler.lnk
backup=c:\windows\pss\Styler.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ja^Menu Start^Programy^Autostart^WampServer.lnk]
path=c:\documents and settings\Ja\Menu Start\Programy\Autostart\WampServer.lnk
backup=c:\windows\pss\WampServer.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"d:\\Programy\\BlueSoleil.exe"=
"d:\\Progsy\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:UDP"= 80:UDP:http
"3724:TCP"= 3724:TCP:wow

R0 Ramdisk;Ramdisk Driver;c:\windows\system32\drivers\RamDsk.sys [2004-09-28 26240]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-11-23 30728]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-11-23 455936]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);c:\windows\system32\Drivers\e4ldr.sys --> c:\windows\system32\Drivers\e4ldr.sys [?]
S2 OfficeIRC;OfficeIRC Server;d:\theodora\IRC\Server\OfficeIRC.exe --> d:\theodora\IRC\Server\OfficeIRC.exe [?]
S3 ddsxeiservice;ddsxeiservice2;c:\program files\sXe Injected\ddsxei.sys [2009-02-22 50560]
S3 e4usbaw;USB ADSL2 WAN Adapter;c:\windows\system32\DRIVERS\e4usbaw.sys --> c:\windows\system32\DRIVERS\e4usbaw.sys [?]
S3 GT680xNT;USB Scanner Driver;c:\windows\system32\drivers\Gt680x.sys [2008-08-21 17932]

--- Inne Usługi/Sterowniki w Pamięci ---

*NewlyCreated* - ZZCSVTLB

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{412ce2e2-1221-11de-8bba-101111111111}]
\Shell\AutoRun\command - H:\xsia.bat
\Shell\open\Command - H:\xsia.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a541edd1-e897-11dd-8af5-101111111111}]
\Shell\AutoRun\command - G:\e2.cmd
\Shell\open\Command - G:\e2.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a541edd2-e897-11dd-8af5-101111111111}]
\Shell\AutoRun\command - G:\ysep1.exe
\Shell\open\Command - G:\ysep1.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af28f926-3688-11de-8c6c-101111111111}]
\Shell\AutoRun\command - G:\fbak.exe
\Shell\open\Command - G:\fbak.exe
.
Zawartość folderu 'Zaplanowane zadania'

2009-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-1770027372-839522115-1003.job
- c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2008-09-09 13:52]
.
- - - - USUNIĘTO PUSTE WPISY - - - -

BHO-{03c80ce8-c88d-4722-8e17-d363697f6590} - c:\windows\system32\bvxxskwf.dll
BHO-{09c0dfb2-2564-4ea3-b360-73bf3d4b33fb} - c:\windows\system32\pmnkHBsR.dll
BHO-{7498CDF8-A95C-4F43-B554-BE3B4EBEFE0D} - c:\windows\system32\sacqnwh.dll
HKLM-Run-reader_s - c:\windows\System32\reader_s.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
HKLM-Explorer_Run-Lsass Service - c:\documents and settings\Ja\Dane aplikacji\Microsoft\Windows\lsass.exe
ShellExecuteHooks-{455fc877-79ed-4440-9ec6-3b89568a5f94} - c:\windows\system32\lqikfh.dll

.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.neostrada.pl/
uInternet Settings,ProxyOverride = *.local
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
FF - ProfilePath - c:\documents and settings\Ja\Dane aplikacji\Mozilla\Firefox\Profiles\v4fph69d.default\
FF - component: c:\documents and settings\Ja\Dane aplikacji\Mozilla\Firefox\Profiles\v4fph69d.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\Ja\Dane aplikacji\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSOCCER.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPWORDSSINGLE.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-10 13:38
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ... 

skanowanie ukrytych wpisów autostartu ... 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
   Lsass Service = c:\documents and settings\Ja\Dane aplikacji\Microsoft\Windows\lsass.exe????????????????????????????????????????????????????????

skanowanie ukrytych plików ... 

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\296a9116]
"ImagePath"="\SystemRoot\System32\drivers\296a9116.sys"
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'explorer.exe'(660)
c:\windows\system32\msi.dll
c:\windows\system32\browselc.dll
c:\program files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
c:\program files\Bonjour\mdnsNSP.dll
c:\program files\ESET\ESET NOD32 Antivirus\shellExt.dll
c:\program files\WinRAR\rarext.dll
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_pol.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\qoobox\Quarantine\C\WINDOWS\system32\reader_s.exe.vir
c:\windows\system32\svchost.exe
c:\docume~1\Ja\USTAWI~1\temp\696.exe
c:\program files\Trend Micro\HijackThis\HijackThis.exe
c:\windows\system32\notepad.exe
.
**************************************************************************
.
Czas ukończenia: 2009-05-10 13:40 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-05-10 11:40

Przed: 2 385 903 616 bajtów wolnych
Po: 2 331 332 608 bajtów wolnych

264
Guest, comment, 10 May 2009

1. Close the wormy ports with --> Windows Worms Doors Cleaner (link further down the page). Set the markers to green; NetBIOS may stay yellow. A restart is required after using the tool.

2. Paste into Notepad:

File::
c:\windows\system32\drivers\296a9116.sys
c:\documents and settings\Ja\reader_s.exe
C:\wjcl.exe
D:\wjcl.exe
C:\vfmf.exe
D:\vfmf.exe
C:\ueksxwdu.exe
D:\ueksxwdu.exe
c:\windows\system32\svcht.exe
C:\ysep1.exe
D:\ysep1.exe
C:\boyedt.com
D:\boyedt.com
c:\windows\system32\SpoonUninstall.exe
C:\fbak.exe
D:\fbak.exe
C:\ymxf2.exe
D:\ymxf2.exe
C:\eyt.exe
D:\eyt.exe
C:\npee.com
D:\npee.com
C:\g1ljsm.com
D:\g1ljsm.com
C:\*0xuc.com
D:\*0xuc.com
C:\qwtb.com
D:\qwtb.com
C:\1ogf.exe
D:\1ogf.exe
C:\cqxj.exe
D:\cqxj.exe
C:\o3n9k.com
D:\o3n9k.com
C:\*0bcobed.exe
D:\*0bcobed.exe
C:\1ogf.exe
D:\1ogf.exe
C:\cqxj.exe
D:\cqxj.exe
C:\o3n9k.com
D:\o3n9k.com
C:\q0dhfjf.exe
D:\q0dhfjf.exe
c:\documents and settings\Ja\Menu Start\Programy\Autostart\lsass.exe

Folder::
c:\documents and settings\NetworkService\Dane aplikacji\wurjtydv
c:\documents and settings\NetworkService\Ustawienia lokalne\Dane aplikacji\wurjtydv
c:\documents and settings\Ja\Dane aplikacji\wurjtydv
c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\wurjtydv
c:\documents and settings\Ja\Dane aplikacji\Moyea
c:\program files\Moyea
c:\recycler

Driver::
296a9116

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"=-
"12ZFG94-F641-2SF-K31P-5N1ER6H6L2"=-
"reader_s"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GammaAdjuster"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKLM\~\startupfolder\C:^Documents and Settings^Ja^Menu Start^Programy^Autostart^lsass.exe]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\296a9116]

Note! After pasting into Notepad, remove the asterisks "*" from the text.

>> File >> Save as... >>> CFScript

Drag and drop the CFScript.txt file onto ComboFix.exe --> removal should start (and a log will be produced). Post the log that is produced during removal. If it goes well, then: after the restart, delete the C:\Qoobox folder manually.

3. Please install and scan with --> MBAM (full scan; once it finds anything, select "Remove Selected").
Pejak (author), comment, 10 May 2009

ComboFix 09-05-08.03 - Ja 2009-05-10 14:05.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.511.205 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Ja\Pulpit\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\Ja\Pulpit\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Outdated) * Resident AV is active

FILE ::
C:\0bcobed.exe
C:\0xuc.com
C:\1ogf.exe
C:\boyedt.com
C:\cqxj.exe
c:\documents and settings\Ja\Menu Start\Programy\Autostart\lsass.exe
c:\documents and settings\Ja\reader_s.exe
C:\eyt.exe
C:\fbak.exe
C:\g1ljsm.com
C:\npee.com
C:\o3n9k.com
C:\q0dhfjf.exe
C:\qwtb.com
C:\ueksxwdu.exe
C:\vfmf.exe
c:\windows\system32\drivers\296a9116.sys
c:\windows\system32\SpoonUninstall.exe
c:\windows\system32\svcht.exe
C:\wjcl.exe
C:\ymxf2.exe
C:\ysep1.exe
D:\0bcobed.exe
D:\0xuc.com
D:\1ogf.exe
D:\boyedt.com
D:\cqxj.exe
D:\eyt.exe
D:\fbak.exe
D:\g1ljsm.com
D:\npee.com
D:\o3n9k.com
D:\q0dhfjf.exe
D:\qwtb.com
D:\ueksxwdu.exe
D:\vfmf.exe
D:\wjcl.exe
D:\ymxf2.exe
D:\ysep1.exe
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\0bcobed.exe
C:\0xuc.com
C:\1ogf.exe
C:\boyedt.com
C:\cqxj.exe
c:\documents and settings\Ja\Dane aplikacji\Moyea
c:\documents and settings\Ja\Dane aplikacji\Moyea\FLV Downloader\AdvanceSet.ini
c:\documents and settings\Ja\Dane aplikacji\Moyea\FLV Downloader\ComContrl.ini
c:\documents and settings\Ja\Dane aplikacji\Moyea\FLV Downloader\DownloadInfo_history.xml
c:\documents and settings\Ja\Dane aplikacji\Moyea\FLV to Video Converter Pro 2\CodecProfile.xml
c:\documents and settings\Ja\Dane aplikacji\Moyea\FLV to Video Converter Pro 2\DefProfile.xml
c:\documents and settings\Ja\Dane aplikacji\Moyea\FLV to Video Converter Pro 2\Flv2VJobs.xml
c:\documents and settings\Ja\Dane aplikacji\Moyea\FLV to Video Converter Pro 2\UserInfo.ini
c:\documents and settings\Ja\Dane aplikacji\wurjtydv
c:\documents and settings\Ja\Dane aplikacji\wurjtydv\profiles.ini
c:\documents and settings\Ja\Dane aplikacji\wurjtydv\Profiles\vifa6xte.default\cert8.db
c:\documents and settings\Ja\Dane aplikacji\wurjtydv\Profiles\vifa6xte.default\compatibility.ini
c:\documents and settings\Ja\Dane aplikacji\wurjtydv\Profiles\vifa6xte.default\compreg.dat
c:\documents and settings\Ja\Dane aplikacji\wurjtydv\Profiles\vifa6xte.default\cookies.sqlite
c:\documents and settings\Ja\Dane aplikacji\wurjtydv\Profiles\vifa6xte.default\formhistory.sqlite
c:\documents and settings\Ja\Dane aplikacji\wurjtydv\Profiles\vifa6xte.default\key3.db
c:\documents and settings\Ja\Dane aplikacji\wurjtydv\Profiles\vifa6xte.default\localstore.rdf
c:\documents and settings\Ja\Dane aplikacji\wurjtydv\Profiles\vifa6xte.default\permissions.sqlite
c:\documents and settings\Ja\Dane aplikacji\wurjtydv\Profiles\vifa6xte.default\places.sqlite
c:\documents and settings\Ja\Dane aplikacji\wurjtydv\Profiles\vifa6xte.default\pluginreg.dat
c:\documents and settings\Ja\Dane aplikacji\wurjtydv\Profiles\vifa6xte.default\prefs.js
c:\documents and settings\Ja\Dane aplikacji\wurjtydv\Profiles\vifa6xte.default\secmod.db
c:\documents and settings\Ja\Dane aplikacji\wurjtydv\Profiles\vifa6xte.default\webappsstore.sqlite
c:\documents and settings\Ja\Dane aplikacji\wurjtydv\Profiles\vifa6xte.default\xpti.dat
c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\wurjtydv
c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\wurjtydv\Profiles\vifa6xte.default\urlclassifier3.sqlite
c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\wurjtydv\Profiles\vifa6xte.default\XPC.mfl
c:\documents and settings\NetworkService\Dane aplikacji\wurjtydv
c:\documents and settings\NetworkService\Dane aplikacji\wurjtydv\profiles.ini
c:\documents and settings\NetworkService\Dane aplikacji\wurjtydv\Profiles\or16e2g7.default\compatibility.ini
c:\documents and settings\NetworkService\Dane aplikacji\wurjtydv\Profiles\or16e2g7.default\compreg.dat
c:\documents and settings\NetworkService\Dane aplikacji\wurjtydv\Profiles\or16e2g7.default\permissions.sqlite
c:\documents and settings\NetworkService\Dane aplikacji\wurjtydv\Profiles\or16e2g7.default\prefs.js
c:\documents and settings\NetworkService\Dane aplikacji\wurjtydv\Profiles\or16e2g7.default\xpti.dat
c:\documents and settings\NetworkService\Ustawienia lokalne\Dane aplikacji\wurjtydv
c:\documents and settings\NetworkService\Ustawienia lokalne\Dane aplikacji\wurjtydv\Profiles\or16e2g7.default\XPC.mfl
C:\eyt.exe
C:\fbak.exe
C:\g1ljsm.com
C:\npee.com
C:\o3n9k.com
c:\program files\Moyea
C:\q0dhfjf.exe
C:\qwtb.com
c:\recycler
c:\recycler\S-1-5-21-1454471165-1770027372-839522115-1003\desktop.ini
c:\recycler\S-1-5-21-1454471165-1770027372-839522115-1003\INFO2
c:\recycler\S-1-5-21-1869437130-8582227053-531412807-1740\Desktop.ini
c:\recycler\S-1-5-21-1869437130-8582227053-531412807-1740\service.exe
c:\windows\system32\crypts.dll
c:\windows\system32\drivers\296a9116.sys
c:\windows\system32\SpoonUninstall.exe
c:\windows\system32\svcht.exe
C:\ymxf2.exe
C:\ysep1.exe
D:\0bcobed.exe
D:\0xuc.com
D:\1ogf.exe
D:\boyedt.com
D:\cqxj.exe
D:\eyt.exe
D:\fbak.exe
D:\g1ljsm.com
D:\npee.com
D:\o3n9k.com
D:\q0dhfjf.exe
D:\qwtb.com
D:\ymxf2.exe
D:\ysep1.exe
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_296a9116


((((((((((((((((((((((((( Pliki utworzone od 2009-04-10 do 2009-05-10 )))))))))))))))))))))))))))))))
.
2009-05-10 11:12 . 2009-05-10 11:12 -------- d-----w c:\program files\Trend Micro
2009-05-10 07:22 . 2009-05-10 07:22 -------- d-----w c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\Opera
2009-05-10 07:22 . 2009-05-10 07:22 -------- d-----w c:\program files\Opera
2009-05-10 05:36 . 2009-05-10 08:10 -------- d-----w c:\program files\Total Video Converter
2009-05-05 19:27 . 2009-05-05 19:27 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\AccurateRip
2009-05-05 19:27 . 2009-05-05 19:27 -------- d-----w c:\program files\Illustrate
2009-05-03 10:35 . 2009-05-03 10:35 -------- d-----w C:\output
2009-05-01 17:14 . 2009-05-01 17:14 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\ViStart
2009-05-01 16:01 . 2009-05-01 16:01 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\Styler
2009-05-01 15:48 . 2009-05-01 16:01 -------- d-----w c:\program files\Styler
2009-05-01 15:40 . 2004-11-28 19:25 219136 ----a-w c:\windows\system\uxtheme.dll
2009-04-28 15:23 . 2009-04-28 15:24 -------- d-----w c:\program files\NAPI-PROJEKT
2009-04-28 15:12 . 2009-04-28 15:13 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\BESTplayer
2009-04-14 21:02 . 2009-04-14 21:02 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\PC Suite
2009-04-14 21:02 . 2009-04-14 21:02 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\PC Suite
2009-04-14 21:01 . 2009-04-14 21:01 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\Nokia
2009-04-14 20:59 . 2009-04-14 20:59 -------- d-----w c:\program files\Common Files\PCSuite
2009-04-14 20:59 . 2009-04-14 20:59 -------- d-----w c:\program files\Common Files\Nokia
2009-04-14 20:58 . 2007-09-17 13:53 21632 ----a-w c:\windows\system32\drivers\pccsmcfd.sys
2009-04-14 20:58 . 2009-04-14 20:58 -------- d-----w c:\program files\PC Connectivity Solution
2009-04-14 20:58 . 2009-04-14 20:59 -------- d-----w c:\program files\Nokia
2009-04-14 20:57 . 2009-04-14 20:57 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Installations
2009-04-11 11:34 . 2009-04-11 11:34 -------- d-----w c:\documents and settings\Ja\Dane aplikacji\Octoshape
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 08:02 . 2008-12-01 13:40 -------- d-----w c:\program files\sXe Injected
2009-05-10 08:00 . 2008-11-02 14:52 -------- d-----w c:\program files\ATI Technologies
2009-05-10 08:00 . 2008-05-23 07:59 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-10 07:51 . 2008-09-17 13:45 -------- d-----w c:\program files\Gamers.IRC
2009-05-10 05:48 . 2008-05-23 09:40 16384 ----a-w c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-03-29 08:14 . 2001-10-26 16:15 76208 ----a-w c:\windows\system32\perfc015.dat
2009-03-29 08:14 . 2001-10-26 16:15 454178 ----a-w c:\windows\system32\perfh015.dat
2009-03-26 11:55 . 2009-03-26 11:55 13824 ----a-w c:\windows\system32\drivers\splitcam.sys
2009-03-26 11:54 . 2009-03-26 11:54 -------- d-----w c:\program files\SplitCam
2009-03-23 20:45 . 2008-05-23 08:01 -------- d-----w c:\program files\C-Media 3D Audio
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Kalendarz XP.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Kalendarz XP.lnk
backup=c:\windows\pss\Kalendarz XP.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^ja^menu start^programy^autostart^styler.lnk]
path=c:\documents and settings\Ja\Menu Start\Programy\Autostart\Styler.lnk
backup=c:\windows\pss\Styler.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ja^Menu Start^Programy^Autostart^WampServer.lnk]
path=c:\documents and settings\Ja\Menu Start\Programy\Autostart\WampServer.lnk
backup=c:\windows\pss\WampServer.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"d:\\Programy\\BlueSoleil.exe"=
"d:\\Progsy\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:UDP"= 80:UDP:http
"3724:TCP"= 3724:TCP:wow

R0 Ramdisk;Ramdisk Driver;c:\windows\system32\drivers\RamDsk.sys [2004-09-28 26240]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-11-23 30728]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-11-23 455936]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);c:\windows\system32\Drivers\e4ldr.sys --> c:\windows\system32\Drivers\e4ldr.sys [?]
S2 OfficeIRC;OfficeIRC Server;d:\theodora\IRC\Server\OfficeIRC.exe --> d:\theodora\IRC\Server\OfficeIRC.exe [?]
S3 ddsxeiservice;ddsxeiservice2;c:\program files\sXe Injected\ddsxei.sys [2009-02-22 50560]
S3 e4usbaw;USB ADSL2 WAN Adapter;c:\windows\system32\DRIVERS\e4usbaw.sys --> c:\windows\system32\DRIVERS\e4usbaw.sys [?]
S3 GT680xNT;USB Scanner Driver;c:\windows\system32\drivers\Gt680x.sys [2008-08-21 17932]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{412ce2e2-1221-11de-8bba-101111111111}]
\Shell\AutoRun\command - H:\xsia.bat
\Shell\open\Command - H:\xsia.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a541edd1-e897-11dd-8af5-101111111111}]
\Shell\AutoRun\command - G:\e2.cmd
\Shell\open\Command - G:\e2.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a541edd2-e897-11dd-8af5-101111111111}]
\Shell\AutoRun\command - G:\ysep1.exe
\Shell\open\Command - G:\ysep1.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af28f926-3688-11de-8c6c-101111111111}]
\Shell\AutoRun\command - G:\fbak.exe
\Shell\open\Command - G:\fbak.exe
.
Zawartość folderu 'Zaplanowane zadania'

2009-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-1770027372-839522115-1003.job
- c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2008-09-09 13:52]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.neostrada.pl/
uInternet Settings,ProxyOverride = *.local
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
FF - ProfilePath - c:\documents and settings\Ja\Dane aplikacji\Mozilla\Firefox\Profiles\v4fph69d.default\
FF - component: c:\documents and settings\Ja\Dane aplikacji\Mozilla\Firefox\Profiles\v4fph69d.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\Ja\Dane aplikacji\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\Ja\Ustawienia lokalne\Dane aplikacji\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSOCCER.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPWORDSSINGLE.dll
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-10 14:09
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'explorer.exe'(2776)
c:\windows\system32\msi.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Czas ukończenia: 2009-05-10 14:11 - komputer został uruchomiony ponownie

Przed: 2 331 844 608 bajtów wolnych
Po: 2 324 733 952 bajtów wolnych

271
Guest, comment, 10 May 2009

I'm waiting for the MBAM report; then I'll tell you what to do next.
Pejak (author), comment, 10 May 2009

Malwarebytes' Anti-Malware 1.36
Wersja bazy definicji: 1945
Windows 5.1.2600 Dodatek Service Pack 2

2009-05-10 14:35:32
mbam-log-2009-05-10 (14-35-32).txt

Typ skanowania: Pełne skanowanie (C:\|)
Przeskanowane obiekty: 116784
Upłynęło: 20 minute(s), 7 second(s)

Zainfekowane procesy w pamięci: 0
Zainfekowane moduły pamięci: 0
Zainfekowane klucze rejestru: 0
Zainfekowane wartości rejestru: 0
Zainfekowane pliki rejestru: 0
Zainfekowane foldery: 0
Zainfekowane pliki: 4

Zainfekowane procesy w pamięci:
(Nie wykryto groźnych plików)

Zainfekowane moduły pamięci:
(Nie wykryto groźnych plików)

Zainfekowane klucze rejestru:
(Nie wykryto groźnych plików)

Zainfekowane wartości rejestru:
(Nie wykryto groźnych plików)

Zainfekowane pliki rejestru:
(Nie wykryto groźnych plików)

Zainfekowane foldery:
(Nie wykryto groźnych plików)

Zainfekowane pliki:
C:\Program Files\Gamers.IRC\bin\dll\dmu.dll (Trojan.Bot) -> Quarantined and deleted successfully.
C:\Program Files\Gamers.IRC\bin\dll\SysTray.dll (Trojan.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B6FB3F5D-F1F2-4644-A2F1-476A8EF8D46D}\RP220\A0164916.cmd (Trojan.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\secpol.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Guest, comment, 10 May 2009

Final steps.

1. Paste into Notepad:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

From the Notepad menu >>> File >>> Save as >>> set the file type to "All files" >>> save as FIX.REG >>> run the file (double-click and OK; agree to adding it to the Registry). Restart the computer.

2. Clean up after ComboFix and the various tools >>> OTCleanIt.

3. Clean the computer with CCleaner + ATF-Cleaner.

4. Scan your computer with http://www.kaspersky.pl/virusscanner.html (run it through IE). Post its report on the forum.
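The MountPoints2 entries in the ComboFix logs above (autorun handlers on the G: and H: volumes) and the FIX.REG that deletes the key are the two places where this infection's USB persistence shows up. As an added example that is not part of this thread, the Python below parses that section of a ComboFix log, flags handlers that launch a program straight off the volume, lists the file names worth checking on every drive root (in this thread the same ysep1.exe and fbak.exe also sat on C:\ and D:\), and produces the same FIX.REG text. The sample log is constructed from the four entries in the thread plus one made-up volume that must not be flagged.

```python
import ntpath
import re

# HKCU key in which Explorer caches per-volume autorun handlers; the FIX.REG in the
# thread deletes this key outright.
MOUNTPOINTS2 = (r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion"
                r"\explorer\mountpoints2")

# File types a volume's autorun handler should never launch directly.
LAUNCHABLE = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

KEY_RE = re.compile(r"^\[" + re.escape(MOUNTPOINTS2) + r"\\(\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)

# Constructed excerpt in ComboFix's MountPoints2 layout. The first four volumes repeat
# the entries posted in this thread; the last one is made up (a handler that opens a
# document, not a program) so the filter has something to leave alone.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{412ce2e2-1221-11de-8bba-101111111111}]
\Shell\AutoRun\command - H:\xsia.bat
\Shell\open\Command - H:\xsia.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a541edd1-e897-11dd-8af5-101111111111}]
\Shell\AutoRun\command - G:\e2.cmd
\Shell\open\Command - G:\e2.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a541edd2-e897-11dd-8af5-101111111111}]
\Shell\AutoRun\command - G:\ysep1.exe
\Shell\open\Command - G:\ysep1.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af28f926-3688-11de-8c6c-101111111111}]
\Shell\AutoRun\command - G:\fbak.exe
\Shell\open\Command - G:\fbak.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-4000-8000-000000000001}]
\Shell\open\Command - E:\manual.pdf
"""


def parse_mountpoints2(text):
    """Return (volume_guid, verb, command) for every Shell command under MountPoints2."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        cmd = CMD_RE.match(line)
        if cmd and current:
            entries.append((current, cmd.group(1).lower(), cmd.group(2).strip()))
    return entries


def launch_target(command):
    """First token of the command that names a directly runnable file, else None."""
    for tok in command.split():
        tok = tok.strip('"')
        if ntpath.splitext(tok)[1].lower() in LAUNCHABLE:
            return tok
    return None


def flag_autorun_handlers(entries):
    """Handlers that run a program straight off the volume: the worm's persistence."""
    found = []
    for guid, verb, command in entries:
        target = launch_target(command)
        if target:
            found.append((guid, verb, target))
    return found


def dropped_file_names(findings):
    """Basenames the flagged handlers point at; worth a search on every drive root."""
    return sorted({ntpath.basename(target) for _, _, target in findings})


def build_fix_reg():
    """Text of the FIX.REG from the thread: the leading '-' makes regedit delete the key."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[-" + MOUNTPOINTS2 + "]\r\n")


if __name__ == "__main__":
    findings = flag_autorun_handlers(parse_mountpoints2(SAMPLE_LOG))
    for guid, verb, target in findings:
        print(f"{guid}  {verb:8}-> {target}")
    print("look for these on every drive root:", ", ".join(dropped_file_names(findings)))
    print(build_fix_reg())
```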