mishi93, posted 14 September 2009 (edited)

Thanks in advance. HijackThis log for checking:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:59:51, on 2009-09-14
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\Tibia.exe
C:\WINDOWS\system32\temp1.exe
C:\Program Files\iPlus\iPlusChecker.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\1\Dane aplikacji\Save\Save.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: UrlHelper Class - {6D023EBF-70B8-45A6-9ED5-556515FA0FE4} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll
O2 - BHO: Mario Forever Toolbar Helper - {A20854FD-DDB5-4931-8F76-D11EA2364D94} - C:\Program Files\Mario Forever Toolbar\v3.2.0.0\MarioForever_Toolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: IEPluginBHO - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\Documents and Settings\1\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll
O3 - Toolbar: Mario Forever Toolbar - {71B6ACF7-4F0F-4FD8-BB69-6D1A4D271CB7} - C:\Program Files\Mario Forever Toolbar\v3.2.0.0\MarioForever_Toolbar.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare Applications\BearShare MediaBar\BSMediaBar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [services] C:\windows\services.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ALLUpdate] "C:\Program Files\ALLPlayer\ALLUpdate.exe" "sleep"
O4 - HKCU\..\Run: [save] C:\Documents and Settings\1\Dane aplikacji\Save\Save.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Wyślij do interfejsu &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\Bioscrypt\VeriSoft\Bin\ASWLNPkg.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7916 bytes

ComboFix log for checking:

ComboFix 08-11-26.03 - 1 2009-09-14 18:02:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.623 [GMT 2:00]
Uruchomiony z: c:\documents and settings\1\Moje dokumenty\Pobieranie\ComboFix.exe
 * Utworzono nowy punkt przywracania
.
 - TRYB ZREDUKOWANEJ FUNKCJONALNOŚCI -
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
c:\windows\autorun.inf
c:\windows\services.exe
c:\windows\svchost.exe
c:\windows\system32\firefox.exe
c:\windows\system32\temp1.exe
c:\windows\system32\temp2.exe
c:\windows\xcopy.exe
C:\x.exe
D:\Autorun.inf
.
((((((((((((((((((((((((( Pliki utworzone od 2009-08-14 do 2009-09-14 )))))))))))))))))))))))))))))))
.
2009-09-14 17:59 . 2009-09-14 17:59 <DIR> d-------- c:\program files\Trend Micro
2009-09-12 12:49 . 2009-09-12 13:17 <DIR> d-------- c:\program files\Burn4Free
2009-08-21 21:15 . 2009-08-21 21:15 557,568 --a------ c:\windows\system32\B4FM.dll
2009-08-20 20:43 . 2009-08-20 20:43 <DIR> dr------- c:\program files\Skype
2009-08-20 20:43 . 2009-08-20 20:43 <DIR> d-------- c:\program files\Common Files\Skype
2009-08-20 19:09 . 2004-08-03 23:44 221,184 --a------ c:\windows\system32\wmpns.dll
2009-08-20 19:07 . 2009-08-20 19:07 <DIR> d-------- c:\windows\ServicePackFiles
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 08:15 --------- d-----w c:\documents and settings\1\Dane aplikacji\Save
2009-09-13 19:42 --------- d-----w c:\program files\ALLPlayer
2009-08-25 20:03 --------- d-----w c:\documents and settings\1\Dane aplikacji\Skype
2009-08-25 16:17 --------- d-----w c:\documents and settings\1\Dane aplikacji\skypePM
2009-08-20 18:43 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Skype
2009-08-20 17:11 --------- d-----w c:\program files\Nowe Gadu-Gadu
2009-08-05 09:08 205,312 ----a-w c:\windows\system32\mswebdvd.dll
2009-07-24 13:45 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\OpenFM
2009-07-24 13:42 --------- d-----w c:\documents and settings\1\Dane aplikacji\OpenFM
2009-07-17 18:57 58,880 ----a-w c:\windows\system32\atl.dll
2009-07-15 18:52 --------- d-----w c:\documents and settings\1\Dane aplikacji\Nowe Gadu-Gadu
2009-07-13 21:43 286,208 ----a-w c:\windows\system32\wmpdxm.dll
2009-06-26 16:19 81,920 ----a-w c:\windows\system32\ieencode.dll
2009-06-26 16:19 662,016 ----a-w c:\windows\system32\wininet.dll
2009-06-25 18:37 95,744 ----a-w c:\windows\system32\mqsec.dll
2009-06-25 18:37 661,504 ----a-w c:\windows\system32\mqqm.dll
2009-06-25 18:37 517,120 ----a-w c:\windows\system32\mqsnap.dll
2009-06-25 18:37 512,000 ----a-w c:\windows\system32\mqutil.dll
2009-06-25 18:37 48,640 ----a-w c:\windows\system32\mqupgrd.dll
2009-06-25 18:37 47,104 ----a-w c:\windows\system32\mqdscli.dll
2009-06-25 18:37 225,280 ----a-w c:\windows\system32\mqoa.dll
2009-06-25 18:37 186,880 ----a-w c:\windows\system32\mqtrig.dll
2009-06-25 18:37 177,152 ----a-w c:\windows\system32\mqrt.dll
2009-06-25 18:37 16,896 ----a-w c:\windows\system32\mqise.dll
2009-06-25 18:37 138,240 ----a-w c:\windows\system32\mqad.dll
2009-06-25 18:37 123,392 ----a-w c:\windows\system32\mqrtdep.dll
2009-06-25 08:48 726,528 ----a-w c:\windows\system32\lsasrv.dll
2009-06-25 08:48 59,392 ----a-w c:\windows\system32\wdigest.dll
2009-06-25 08:48 56,320 ----a-w c:\windows\system32\secur32.dll
2009-06-25 08:48 298,496 ----a-w c:\windows\system32\kerberos.dll
2009-06-25 08:48 168,448 ----a-w c:\windows\system32\schannel.dll
2009-06-25 08:48 133,632 ----a-w c:\windows\system32\msv1_0.dll
2009-06-22 11:49 4,608 ----a-w c:\windows\system32\mqsvc.exe
2009-06-22 11:49 19,968 ----a-w c:\windows\system32\mqbkup.exe
2009-06-22 11:49 117,248 ----a-w c:\windows\system32\mqtgsvc.exe
2009-06-16 14:55 82,432 ----a-w c:\windows\system32\fontsub.dll
2009-06-16 14:55 119,808 ----a-w c:\windows\system32\t2embed.dll
2009-06-15 11:33 82,944 ----a-w c:\windows\system32\tlntsess.exe
2009-06-15 11:33 78,336 ----a-w c:\windows\system32\telnet.exe
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D023EBF-70B8-45A6-9ED5-556515FA0FE4}]
2008-07-07 11:27 398776 --a------ c:\program files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D}]
2009-05-28 11:23 42088 --a------ c:\documents and settings\1\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"ALLUpdate"="c:\program files\ALLPlayer\ALLUpdate.exe" [2008-11-24 869888]
"Save"="c:\documents and settings\1\Dane aplikacji\Save\Save.exe" [2009-03-23 198576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-17 8437760]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-17 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"CognizanceTS"="c:\progra~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-16 148888]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 159744]
"nwiz"="nwiz.exe" [2007-04-17 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-05-09 113664]
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 581693]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2006-10-09 21:38 69120 c:\program files\Bioscrypt\VeriSoft\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPlusManager]
--a------ 2007-01-04 16:07 339968 c:\program files\iPlus\iPlusChecker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Save]
--a------ 2009-03-23 15:01 198576 c:\documents and settings\1\Dane aplikacji\Save\Save.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tibia]
--a------ 2008-04-30 15:48 561693 c:\windows\Tibia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2004-08-03 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2004-08-03 14336]
S3 gsplittm;gsplittm;\??\c:\docume~1\1\USTAWI~1\Temp\gsplittm.sys []
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b3d90c6-dca8-11dc-9bd9-001cbf5832de}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{360e0f6b-15e5-11dd-9c16-001e3769eaa7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e5e6fa6-3f02-11dd-9c6f-001e3769eaa7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ecf9a6a-3fb5-11dd-9c71-001e3769eaa7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51350a38-832f-11dd-9cd3-001e3769eaa7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a2fe466-722e-11de-9e18-001cbf5832de}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81f6413e-3cc8-11de-9df6-001e3769eaa7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a50ea879-9dbe-11dd-9cfe-001e3769eaa7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bde35f96-c9bc-11dd-9d1e-001e3769eaa7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce9a7133-af58-11dd-9d12-001e3769eaa7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

*Newly Created Service* - CATCHME
.
Zawartość folderu 'Zaplanowane zadania'
2009-08-26 c:\windows\Tasks\Norton Security Scan for 1.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-11 21:20]
.
- - - - USUNIĘTO PUSTE WPISY - - - -

WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
MSConfigStartUp-Load - c:\windows\svchost.exe
MSConfigStartUp-SpeedTouch USB Diagnostics - c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
MSConfigStartUp-WhenUSave - c:\program files\Save\Save.exe
.
------- Skan uzupełniający -------
.
FireFox -: Profile - c:\documents and settings\1\Dane aplikacji\Mozilla\Firefox\Profiles\ggnqnobg.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.pl
FF -: plugin - c:\documents and settings\1\Dane aplikacji\Nowe Gadu-Gadu\_userdata\npgg.1.dll
FF -: plugin - c:\program files\Java\j2re1.4.0_03\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\j2re1.4.0_03\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\j2re1.4.0_03\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\j2re1.4.0_03\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\j2re1.4.0_03\bin\NPJPI140_03.dll
FF -: plugin - c:\program files\Java\j2re1.4.0_03\bin\NPOJI610.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 18:02:45
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\APSHook.dll
c:\program files\Bioscrypt\VeriSoft\Bin\ASWLNPkg.dll
c:\program files\Bioscrypt\VeriSoft\bin\ItMsg.dll
- - - - - - - > 'lsass.exe'(904)
c:\windows\system32\APSHook.dll
c:\program files\Bioscrypt\VeriSoft\bin\ASWLNPkg.dll
c:\program files\Bioscrypt\VeriSoft\bin\ItMsg.dll
.
Czas ukończenia: 2009-09-14 18:03:36
ComboFix-quarantined-files.txt 2009-09-14 16:03:14
Przed: 108 669 026 304 bajtów wolnych
Po: 112,562,601,984 bajtów wolnych
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
208 --- E O F --- 2009-09-12 10:40:15
Gość (Guest), comment 14 September 2009

Paste into Notepad:

Folder::
c:\documents and settings\1\Dane aplikacji\Save
c:\program files\Burn4Free

File::
c:\windows\Tibia.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Save"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Save]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tibia]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

Driver::
gsplittm

NetSvc::
ASBroker
ASChannel

>> File >> Save as... >>> CFScript

Drag and drop the CFScript.txt file onto ComboFix.exe --> the removal should start (and a log will be created). Post the log that is created during the removal.
mishi93 (Author), comment 14 September 2009

Log for checking:

ComboFix 09-09-13.06 - 1 2009-09-14 18:37.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.1022.563 [GMT 2:00]
Uruchomiony z: c:\documents and settings\1\Pulpit\aaaaaaaaaaaa\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\1\Pulpit\aaaaaaaaaaaa\CFScript.exe
FILE ::
"c:\windows\Tibia.exe"
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\copy.exe
c:\documents and settings\1\Dane aplikacji\Save
c:\documents and settings\1\Dane aplikacji\Save\about_Save.mht
c:\documents and settings\1\Dane aplikacji\Save\save.cfg
c:\documents and settings\1\Dane aplikacji\Save\Save.exe
c:\documents and settings\1\Dane aplikacji\Save\save.mht
c:\documents and settings\1\Dane aplikacji\Save\SaveUninst.exe
C:\host.exe
c:\program files\Burn4Free
c:\program files\Burn4Free\bass.dll
c:\program files\Burn4Free\bass_ape.dll
c:\program files\Burn4Free\bass_mpc.dll
c:\program files\Burn4Free\basscd.dll
c:\program files\Burn4Free\bassflac.dll
c:\program files\Burn4Free\basswma.dll
c:\program files\Burn4Free\basswv.dll
c:\program files\Burn4Free\BURN4FREE.CFG
c:\program files\Burn4Free\Burn4Free.exe
c:\program files\Burn4Free\languages\ARABIC.INI
c:\program files\Burn4Free\languages\BELARUSSIAN.INI
c:\program files\Burn4Free\languages\CATALAN.INI
c:\program files\Burn4Free\languages\CHINESEBIG5.INI
c:\program files\Burn4Free\languages\CHINESEGB.INI
c:\program files\Burn4Free\languages\CROATIAN_FUN.INI
c:\program files\Burn4Free\languages\CZECH.INI
c:\program files\Burn4Free\languages\DUTCH.INI
c:\program files\Burn4Free\languages\ENGLISH.INI
c:\program files\Burn4Free\languages\FRENCH.INI
c:\program files\Burn4Free\languages\GALEGO.INI
c:\program files\Burn4Free\languages\GERMAN.INI
c:\program files\Burn4Free\languages\GERMAN_2.INI
c:\program files\Burn4Free\languages\HEBREW.INI
c:\program files\Burn4Free\languages\HELLENIC.INI
c:\program files\Burn4Free\languages\ITALIANO.INI
c:\program files\Burn4Free\languages\JAPANESE.INI
c:\program files\Burn4Free\languages\KOREAN.INI
c:\program files\Burn4Free\languages\LITHUANIAN.INI
c:\program files\Burn4Free\languages\MACEDONIAN.INI
c:\program files\Burn4Free\languages\MAGYAR.INI
c:\program files\Burn4Free\languages\NORSK.INI
c:\program files\Burn4Free\languages\POLISH.INI
c:\program files\Burn4Free\languages\PORTUGUESE.INI
c:\program files\Burn4Free\languages\ROMANA.INI
c:\program files\Burn4Free\languages\RUSSIAN.INI
c:\program files\Burn4Free\languages\RUSSIAN_2.INI
c:\program files\Burn4Free\languages\SERBIAN.INI
c:\program files\Burn4Free\languages\SLOVAK.INI
c:\program files\Burn4Free\languages\SLOVENIAN.INI
c:\program files\Burn4Free\languages\SPANISH.INI
c:\program files\Burn4Free\languages\SUOMI.INI
c:\program files\Burn4Free\languages\SVENSKA.INI
c:\program files\Burn4Free\languages\TURKISH.INI
c:\program files\Burn4Free\languages\UKRAINIAN.INI
c:\program files\Burn4Free\languages\VALENCIAN.INI
c:\program files\Burn4Free\license.txt
c:\program files\Burn4Free\uninstall.exe
c:\windows\clofghls.dll
c:\windows\system32\B4FM.dll
c:\windows\system32\ieuinit.inf
c:\windows\Tibia.exe
D:\copy.exe
D:\host.exe
D:\Uninstall.exe
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_GSPLITTM
-------\Service_gsplittm

((((((((((((((((((((((((( Pliki utworzone od 2009-08-14 do 2009-09-14 )))))))))))))))))))))))))))))))
.
2009-09-14 15:59 . 2009-09-14 15:59 -------- d-----w- c:\program files\Trend Micro
2009-08-20 18:43 . 2009-08-20 18:43 -------- d-----w- c:\program files\Common Files\Skype
2009-08-20 18:43 . 2009-08-20 18:43 -------- d-----r- c:\program files\Skype
2009-08-20 17:09 . 2004-08-03 21:44 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-08-20 17:07 . 2009-08-20 17:07 -------- d-----w- c:\windows\ServicePackFiles
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 16:36 . 2001-10-26 16:15 566748 ----a-w- c:\windows\system32\perfh015.dat
2009-09-14 16:36 . 2001-10-26 16:15 172730 ----a-w- c:\windows\system32\perfc015.dat
2009-09-13 19:42 . 2009-02-04 14:05 -------- d-----w- c:\program files\ALLPlayer
2009-08-25 20:03 . 2008-09-22 14:33 -------- d-----w- c:\documents and settings\1\Dane aplikacji\Skype
2009-08-25 16:17 . 2008-09-22 14:34 -------- d-----w- c:\documents and settings\1\Dane aplikacji\skypePM
2009-08-20 18:43 . 2008-09-22 14:32 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Skype
2009-08-20 17:11 . 2009-03-08 12:09 -------- d-----w- c:\program files\Nowe Gadu-Gadu
2009-08-05 09:08 . 2004-08-03 21:44 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-24 13:45 . 2009-07-24 13:42 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\OpenFM
2009-07-24 13:42 . 2009-07-24 13:42 -------- d-----w- c:\documents and settings\1\Dane aplikacji\OpenFM
2009-07-17 18:57 . 2004-08-03 21:43 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 21:43 . 2004-08-03 21:44 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:19 . 2004-08-03 21:44 662016 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:19 . 2004-08-03 21:44 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:37 . 2004-08-03 21:44 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:37 . 2004-08-03 21:44 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:37 . 2004-08-03 21:44 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:37 . 2004-08-03 21:44 512000 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:37 . 2004-08-03 21:44 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:37 . 2004-08-03 21:44 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:37 . 2004-08-03 21:44 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:37 . 2004-08-03 21:44 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:37 . 2004-08-03 21:44 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:37 . 2004-08-03 21:44 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:37 . 2004-08-03 21:44 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:37 . 2004-08-03 21:44 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:48 . 2004-08-03 21:44 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:48 . 2004-08-03 21:44 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:48 . 2004-08-03 21:44 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:48 . 2004-08-03 21:44 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:48 . 2004-08-03 21:44 726528 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:48 . 2004-08-03 21:44 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:49 . 2004-08-03 21:44 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-03 21:44 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2004-08-03 21:44 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2004-08-03 19:58 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:34 . 2004-08-03 19:59 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-03-23 13:02 . 2009-03-23 13:02 222720 ----a-w- c:\program files\mozilla firefox\components\SaveComponent.dll
.
------- Sigcheck -------
[-] 2008-04-14 . A9ED600F08A92143253C10EDB5651ECF . 1571840 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\85612d9569f9a4d033130e1ccf6503f1\sfcfiles.dll
[-] 2008-01-10 . 1A3B01CFF31B660EB43F228F4C468273 . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D023EBF-70B8-45A6-9ED5-556515FA0FE4}]
2008-07-07 09:27 398776 ----a-w- c:\program files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALLUpdate"="c:\program files\ALLPlayer\ALLUpdate.exe" [2008-11-24 869888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-17 8437760]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-17 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"CognizanceTS"="c:\progra~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-16 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-17 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-05-10 16342528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-9 113664]
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-12 581693]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2006-10-09 19:38 69120 ----a-r- c:\program files\Bioscrypt\VeriSoft\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2004-08-03 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2004-08-03 14336]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
Zawartość folderu 'Zaplanowane zadania'
2009-08-26 c:\windows\Tasks\Norton Security Scan for 1.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 19:20]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Wyślij do interfejsu &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\1\Dane aplikacji\Mozilla\Firefox\Profiles\ggnqnobg.default\
FF - prefs.js: browser.startup.homepage - www.google.pl
FF - component: c:\program files\Mozilla Firefox\components\SaveComponent.dll
FF - plugin: c:\documents and settings\1\Dane aplikacji\Nowe Gadu-Gadu\_userdata\npgg.1.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJPI140_03.dll
FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPOJI610.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 18:43
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'winlogon.exe'(852)
c:\program files\Bioscrypt\VeriSoft\Bin\ASWLNPkg.dll
c:\program files\Bioscrypt\VeriSoft\bin\ItMsg.dll
- - - - - - - > 'lsass.exe'(908)
c:\program files\Bioscrypt\VeriSoft\bin\ASWLNPkg.dll
c:\program files\Bioscrypt\VeriSoft\bin\ItMsg.dll
- - - - - - - > 'explorer.exe'(1688)
c:\windows\system32\APSHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\dllhost.exe
c:\program files\Bioscrypt\VeriSoft\Bin\asghost.exe
c:\windows\system32\rundll32.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\windows\system32\scardsvr.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Czas ukończenia: 2009-09-14 18:46 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-09-14 16:46
ComboFix2.txt 2009-09-14 16:03
Przed: 112 573 370 368 bajtów wolnych
Po: 112 485 433 344 bajtów wolnych
240 --- E O F --- 2009-09-12 10:40

And should I do anything about HijackThis?
Gość (Guest), comment 14 September 2009

Remove the ComboFix remnants with the OTC tool. To read and carry out: Removing infections from removable drives.