Gawcio, created 3 August 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:44, on 2008-08-03
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\mssmpp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Freedom\Freedom.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {76C475F2-E325-4334-8B19-94D983D807C5} - C:\WINDOWS\System32\csrsr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] ReKey.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\iexplore.exe
O4 - HKLM\..\Run: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKLM\..\Run: [Windows Update] host.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\System32\explorer.exe
O4 - HKLM\..\RunServices: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] ReKey.exe
O4 - HKLM\..\RunServices: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKLM\..\RunServices: [Windows Update] host.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Microsoft Windows Update] ReKey.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Microsoft Windows Update] ReKey.exe (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{3ED59967-D132-4A50-909A-45E466B2451F}: NameServer = 217.116.100.65 217.116.100.66

--
End of file - 3042 bytes

//we put logs in code tags //vocativus
Mateusz J., comment 3 August 2008

O2 - BHO: (no name) - {76C475F2-E325-4334-8B19-94D983D807C5} - C:\WINDOWS\System32\csrsr.dll
O4 - HKLM\..\Run: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] ReKey.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\iexplore.exe
O4 - HKLM\..\Run: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKLM\..\Run: [Windows Update] host.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\System32\explorer.exe
O4 - HKLM\..\RunServices: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] ReKey.exe
O4 - HKLM\..\RunServices: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKLM\..\RunServices: [Windows Update] host.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [Microsoft Windows Update] ReKey.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Microsoft Windows Update] ReKey.exe (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Fix in HijackThis. Download ComboFix.

Paste into Notepad:

File::
C:\WINDOWS\System32\csrsr.dll
C:\WINDOWS\System32\mssmpp.exe
C:\WINDOWS\System32\ReKey.exe
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\System32\iexplore.exe
C:\WINDOWS\System32\antiv.exe
C:\WINDOWS\System32\host.exe
C:\WINDOWS\web\related.htm

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsft Security Monitor Process"=-
"Microsoft Windows Update"=-
"runner1"=-
"Microsoft Anivirus Monitor Process"=-
"Windows Update"=-
"Windows Explorer"=-

In Notepad, go to the File tab ==> Save as ==> save it under the name CFScript.txt, in the same folder where ComboFix was downloaded and saved, then boot into Safe Mode. Drag the CFScript.txt file you created onto the ComboFix icon, as in the picture: Removal will begin and a log will be created, which you post on the forum. Install SP2 and an antivirus.
Gawcio (Author), comment 3 August 2008

Did that log get saved anywhere? Because after carrying out this task as instructed, I had no way to copy it.

EDIT: Found it:

ComboFix 08-08-02.01 - Administrator 2008-08-03 13:29:13.1 - [b]FAT32[/b]x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.664 [GMT 2:00]
Running from: C:\Documents and Settings\pehg\Pulpit\ComboFix.exe

[b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\system32\setup.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
.

2008-08-03 13:27 . 2008-08-02 16:13 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-08-03 13:27 . 2008-08-02 16:13 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-08-03 13:27 . 2008-08-02 16:13 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-08-03 13:27 . 2008-08-02 16:13 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-08-03 13:27 . 2008-08-02 16:13 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-08-03 13:27 . 2008-08-02 16:13 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-08-03 13:27 . 2008-08-02 16:13 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-08-03 13:27 . 2008-08-03 13:27 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-03 12:51 . 2008-08-03 12:51 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-08-03 12:50 . 2008-08-03 12:50 <DIR> d-------- C:\Program Files\uTorrent
2008-08-03 12:50 . 2008-08-03 12:50 <DIR> d-------- C:\Documents and Settings\pehg\Dane aplikacji\uTorrent
2008-08-03 12:43 . 2008-08-03 12:43 <DIR> d--hs---- C:\FOUND.002
2008-08-03 12:18 . 2008-08-03 12:18 1,160 --a------ C:\WINDOWS\mozver.dat
2008-08-03 12:06 . 2008-08-03 12:06 <DIR> d-------- C:\Program Files\OpenOffice.ux.pl 2.2.1
2008-08-03 10:59 . 2003-08-25 18:06 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2008-08-03 10:52 . 2008-08-03 10:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 10:41 . 2008-08-03 10:41 <DIR> d-------- C:\WINDOWS\LogFiles
2008-08-03 10:41 . 2008-08-03 10:41 <DIR> d--hs---- C:\FOUND.001
2008-08-03 10:20 . 2008-08-03 10:20 <DIR> d--hs---- C:\Recycled
2008-08-03 10:16 . 2008-08-03 10:16 <DIR> d-------- C:\Documents and Settings\pehg\Dane aplikacji\Talkback
2008-08-03 10:16 . 2008-08-03 10:16 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-02 18:55 . 2008-08-02 18:55 <DIR> d--hs---- C:\FOUND.000
2008-08-02 17:14 . 2001-10-26 19:27 22,016 --a------ C:\WINDOWS\system32\dllcache\agt0408.dll
2008-08-02 17:14 . 2001-10-26 19:27 19,968 --a------ C:\WINDOWS\system32\dllcache\agt040e.dll
2008-08-02 17:14 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt041f.dll
2008-08-02 17:14 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0419.dll
2008-08-02 17:14 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0415.dll
2008-08-02 17:14 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0405.dll
2008-08-02 17:14 . 2001-10-26 19:29 6,656 --a------ C:\WINDOWS\system32\dllcache\batt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 08:15 65,536 ----a-w C:\WINDOWS\DUMP3f41.tmp
2008-08-02 14:44 --------- d-----w C:\Program Files\Gadu-Gadu
2008-08-02 14:44 --------- d-----w C:\Documents and Settings\pehg\Dane aplikacji\Gadu-Gadu
2008-08-02 14:43 143,872 ----a-r C:\WINDOWS\system32\mssmpp.exe
2008-08-02 14:42 18,944 ----a-w C:\WINDOWS\system32\eftltwdh.exe
2008-08-02 14:35 --------- d-----w C:\Program Files\ESET
2008-08-02 14:33 18,944 ----a-w C:\WINDOWS\system32\ljxhxbpw.exe
2008-08-02 14:29 --------- d-----w C:\Program Files\ZTE ZXDSL 852
2008-08-02 14:29 --------- d-----w C:\Program Files\Freedom
2008-08-02 14:23 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-02 14:19 --------- d-----w C:\Program Files\Usługi online
.

------- Sigcheck -------

2001-10-26 17:29 1012224 22c7a909498375e8ea8bc0c5b005a01a C:\WINDOWS\explorer.exe
2001-10-26 17:29 1012224 0d2b1ff59df5ee0d06482d340144e6e6 C:\WINDOWS\system32\dllcache\explorer.exe
2001-10-26 17:29 23040 623772d22206a7982043fcda01b82db3 C:\WINDOWS\system32\ctfmon.exe
2001-10-26 17:29 23040 a6061ccd6dac984d9afed1c9f58fa677 C:\WINDOWS\system32\dllcache\ctfmon.exe
2001-10-26 17:30 60928 02c7b0858340cb7663fc82b55cf0f84a C:\WINDOWS\system32\spoolsv.exe
2001-10-26 17:30 60928 89daefba339a29d0b0d64c271a5f7a8e C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-10-26 17:29 23040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

S3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\System32\DRIVERS\stmatm.sys [2007-01-22 11:52]
S3 TaurusUsb;ADSL Modem USB Service;C:\WINDOWS\System32\DRIVERS\torususb.sys [2007-02-06 16:08]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 13:30:14
Windows 5.1.2600 FAT NTAPI

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-03 13:30:49
ComboFix-quarantined-files.txt 2008-08-03 11:30:48

Pre-Run: 6,632,382,464 bajtów wolnych
Post-Run: 6,748,422,144 bajtów wolnych

95

//for the last time I'm telling you, we put logs in code tags! //vocativus
Mateusz J., comment 3 August 2008

Paste into Notepad:

File::
C:\WINDOWS\DUMP3f41.tmp
C:\WINDOWS\system32\mssmpp.exe
C:\WINDOWS\system32\eftltwdh.exe
C:\WINDOWS\system32\ljxhxbpw.exe

Folder::
C:\FOUND.002
C:\FOUND.001
C:\FOUND.000

In Notepad, go to the File tab ==> Save as ==> save it under the name CFScript.txt, in the same folder where ComboFix was downloaded and saved, then boot into Safe Mode. Drag the CFScript.txt file you created onto the ComboFix icon, as in the picture: Removal will begin and a log will be created, which you post on the forum. In addition, please post a new HijackThis log.
Gawcio (Author), comment 4 August 2008

I did a format, but it is still the same, so here are new logs from HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:46:20, on 2008-08-04
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\fixweb.exe
C:\WINDOWS\mrofinu1001186.exe
C:\Program Files\Freedom\Freedom.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\17PHolmes1001186.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKCU\..\Run: [Windows has Layer] fixweb.exe
O4 - HKCU\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKUS\S-1-5-21-329068152-1708537768-839522115-1003\..\Run: [Windows has Layer] fixweb.exe (User '?')
O4 - HKUS\S-1-5-21-329068152-1708537768-839522115-1003\..\RunOnce: [Windows has Layer] fixweb.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Winedows Updateing] NinKey.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [Microsoft Winedows Updateing] NinKey.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Winedows Updateing] NinKey.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Microsoft Winedows Updateing] NinKey.exe (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBDD029A-42C5-4DCC-94AC-5CFF849E4CA9}: NameServer = 217.116.100.65 217.116.100.66

--
End of file - 2082 bytes
Mateusz J., comment 4 August 2008

Please post a ComboFix log right away. HijackThis alone is not enough.
Gawcio (Author), comment 4 August 2008

ComboFix 08-08-03.03 - a 2008-08-04 10:46:13.1 - [b]FAT32[/b]x86
Running from: C:\Documents and Settings\a\Pulpit\ComboFix.exe

[b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\delextra.exe
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\mrofinu1001186.exe.tmp
C:\WINDOWS\system\delnew.exe
C:\WINDOWS\system\run.exe
C:\WINDOWS\system\temp2.exe
C:\WINDOWS\system32\csrcs.exe
C:\WINDOWS\system32\fixweb.exe
C:\WINDOWS\system32\NinKey.exe
C:\WINDOWS\system32\setup.ini
C:\WINDOWS\system32\windowsupdate.exe
C:\WINDOWS\system32\WinTrack.exe
C:\WINDOWS\WPlayer.exe
C:\winlogon.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FLYS.Q8PILOTS.NET
-------\Service_flys.q8pilots.net

((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-08-04 10:22 . 2008-08-04 10:23 511,358 --a------ C:\WINDOWS\system32\ReKey.exe
2008-08-04 10:21 . 2008-08-04 10:21 <DIR> d--hs---- C:\FOUND.001
2008-08-03 19:30 . 2008-08-03 19:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 19:28 . 2008-08-03 19:28 78,336 --a------ C:\WINDOWS\system32\wzgtuf.exe
2008-08-03 19:28 . 2008-08-03 19:28 43,008 --a------ C:\WINDOWS\system32\etvhcso.exe
2008-08-03 19:28 . 2008-08-03 19:28 18,944 --a------ C:\WINDOWS\system32\fbcuplv.exe
2008-08-03 19:24 . 2001-10-26 19:27 22,016 --a------ C:\WINDOWS\system32\dllcache\agt0408.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,968 --a------ C:\WINDOWS\system32\dllcache\agt040e.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt041f.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0419.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0415.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0405.dll
2008-08-03 19:24 . 2001-10-26 19:29 6,656 --a------ C:\WINDOWS\system32\dllcache\batt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 17:28 15,360 ----a-w C:\mstsc.exe
2008-08-03 16:59 41,984 ----a-w C:\WINDOWS\system32\setup_03307.exe
2008-08-03 16:58 73,216 ----a-r C:\WINDOWS\system32\antiv.exe
2008-08-03 16:58 147,907 ----a-w C:\spool32.exe
2008-08-03 16:57 209 ----a-w C:\Documents and Settings\a\runmgr.bat
2008-08-03 16:57 20,480 ----a-w C:\Documents and Settings\a\symant.exe
2008-08-03 16:57 131,072 ----a-w C:\WINDOWS\system32\runmgr.exe
2008-08-03 16:57 131,072 ----a-w C:\Documents and Settings\a\runmgr.exe
2008-08-03 16:56 41,984 ----a-w C:\WINDOWS\system32\setup_32071.exe
2008-08-03 16:47 78,336 ----a-w C:\WINDOWS\system32\luyxcd.exe
2008-08-03 16:47 43,008 ----a-w C:\WINDOWS\system32\rvgoi.exe
2008-08-03 16:47 18,944 ----a-w C:\WINDOWS\system32\ozwd.exe
2008-08-03 16:47 116,736 ---ha-w C:\WINDOWS\system32\bbiag.exe
2008-08-03 16:47 --------- d-----w C:\Documents and Settings\a\Dane aplikacji\Gadu-Gadu
2008-08-03 16:46 --------- d-----w C:\Program Files\Gadu-Gadu
2008-08-03 16:40 --------- d-----w C:\Program Files\ZTE ZXDSL 852
2008-08-03 16:40 --------- d-----w C:\Program Files\Freedom
2008-08-03 16:33 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-03 16:29 --------- d-----w C:\Program Files\Usługi online
.

------- Sigcheck -------

2001-10-26 17:29 1012224 5e7d1d898c5bdd5436d0ac9c2fe83f4d C:\WINDOWS\explorer.exe
2001-10-26 17:29 1012224 1bf80bca22c3e13d7fe201700d092241 C:\WINDOWS\system32\dllcache\explorer.exe
2001-10-26 17:29 23040 8e1455014ec1efa01355eb557eb7d35c C:\WINDOWS\system32\ctfmon.exe
2001-10-26 17:29 23040 214b202b48a542c0b1d738f18141df16 C:\WINDOWS\system32\dllcache\ctfmon.exe
2001-10-26 17:30 60928 3929898c832e5fcdbc8edd20cfa724f9 C:\WINDOWS\system32\spoolsv.exe
2001-10-26 17:30 60928 d87214cd180e33a6a2224d53acc61ac0 C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]
"Microsoft Windows Update"="ReKey.exe" [2008-08-04 10:23 511358 C:\WINDOWS\system32\ReKey.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Windows Update"="ReKey.exe" [2008-08-04 10:23 511358 C:\WINDOWS\system32\ReKey.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Update"="ReKey.exe" [2008-08-04 10:23 511358 C:\WINDOWS\system32\ReKey.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Windows Update"="ReKey.exe" [2008-08-04 10:23 511358 C:\WINDOWS\system32\ReKey.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Windows Update"="ReKey.exe" [2008-08-04 10:23 511358 C:\WINDOWS\system32\ReKey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Update"="ReKey.exe" [2008-08-04 10:23 511358 C:\WINDOWS\system32\ReKey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Windows Update"="ReKey.exe" [2008-08-04 10:23 511358 C:\WINDOWS\system32\ReKey.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\System32\DRIVERS\stmatm.sys [2003-08-12 12:51]
R3 TaurusUsb;ADSL Modem USB Service;C:\WINDOWS\System32\DRIVERS\torususb.sys [2006-07-05 13:50]
R4 flys.q8pilots.net;Microsoft Windows Update;C:\WINDOWS\System32\ReKey.exe [2008-08-04 10:23]
S4 b438958747a7r91053;b438958747a7r91053;C:\WINDOWS\system32\csrcs.exe []
S4 Windows Applications Manager;Windows Applications Manager;C:\WINDOWS\system32\csrcs.exe []

*Newly Created Service* - ALG
*Newly Created Service* - FLYS.Q8PILOTS.NET
*Newly Created Service* - IPNAT
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Microsoft Winedows Updateing - NinKey.exe
HKU-Default-Run-Windows has Layer - fixweb.exe
HKU-Default-RunOnce-Microsoft Winedows Updateing - NinKey.exe
HKU-Default-RunOnce-Windows has Layer - fixweb.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\a\Dane aplikacji\Mozilla\Firefox\Profiles\fpcso0s9.default\

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 10:50:03
Windows 5.1.2600 FAT NTAPI

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-04 10:50:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-04 08:50:46

Pre-Run: 7,003,774,976 bajtów wolnych
Post-Run: 6,962,601,984 bajt˘w wolnych

131
Mateusz J., comment 4 August 2008

Paste into Notepad:

File::
C:\WINDOWS\system32\ReKey.exe
C:\WINDOWS\system32\wzgtuf.exe
C:\WINDOWS\system32\etvhcso.exe
C:\WINDOWS\system32\fbcuplv.exe
C:\mstsc.exe
C:\WINDOWS\system32\setup_03307.exe
C:\WINDOWS\system32\antiv.exe
C:\spool32.exe
C:\WINDOWS\system32\csrcs.exe
C:\Documents and Settings\a\runmgr.bat
C:\Documents and Settings\a\symant.exe
C:\WINDOWS\system32\runmgr.exe
C:\Documents and Settings\a\runmgr.exe
C:\WINDOWS\system32\setup_32071.exe
C:\WINDOWS\system32\luyxcd.exe
C:\WINDOWS\system32\rvgoi.exe
C:\WINDOWS\system32\ozwd.exe
C:\WINDOWS\system32\bbiag.exe
C:\WINDOWS\web\related.htm

Folder::
C:\FOUND.001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Update"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Windows Update"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Update"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Windows Update"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Windows Update"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Update"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Windows Update"=-

Driver::
Windows Applications Manager
b438958747a7r91053
flys

In Notepad, go to the File tab ==> Save as ==> save it under the name CFScript.txt, in the same folder where ComboFix was downloaded and saved, then boot into Safe Mode. Drag the CFScript.txt file you created onto the ComboFix icon, as in the picture: Removal will begin and a log will be created, which you post on the forum.

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKCU\..\Run: [Windows has Layer] fixweb.exe
O4 - HKCU\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKUS\S-1-5-21-329068152-1708537768-839522115-1003\..\Run: [Windows has Layer] fixweb.exe (User '?')
O4 - HKUS\S-1-5-21-329068152-1708537768-839522115-1003\..\RunOnce: [Windows has Layer] fixweb.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Winedows Updateing] NinKey.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [Microsoft Winedows Updateing] NinKey.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Winedows Updateing] NinKey.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Microsoft Winedows Updateing] NinKey.exe (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Fix in HijackThis; most of the entries will already be gone. Besides the ComboFix log that gets created, post a new one from HijackThis.
Gawcio (Author), comment 4 August 2008

Combo log:

ComboFix 08-08-03.03 - Administrator 2008-08-04 11:11:21.2 - [b]FAT32[/b]x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.665 [GMT 2:00]
Running from: C:\Documents and Settings\a\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\a\Pulpit\CFScript.txt

[b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\system32\csrcs.exe
C:\WINDOWS\system32\fixweb.exe
C:\WINDOWS\system32\msgsv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_B438958747A7R91053
-------\Legacy_WINDOWS_APPLICATIONS_MANAGER
-------\Service_b438958747a7r91053
-------\Service_Windows Applications Manager

((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-08-04 11:09 . 2008-08-04 11:09 <DIR> d--hs---- C:\FOUND.002
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-08-04 11:09 . 2008-08-04 11:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-04 11:02 . 2008-08-04 11:03 258,048 -ra------ C:\WINDOWS\system32\mssmpp.exe
2008-08-04 10:59 . 2008-08-04 10:59 41,984 --a------ C:\WINDOWS\system32\setup_13738.exe
2008-08-04 10:59 . 2008-08-04 10:59 0 -ra------ C:\WINDOWS\system32\TFTP3940
2008-08-04 10:51 . 2008-08-04 10:52 165,376 -ra------ C:\WINDOWS\system32\TFTP3140
2008-08-04 10:50 . 2008-08-04 10:50 <DIR> d--hs---- C:\Recycled
2008-08-04 10:21 . 2008-08-04 10:21 <DIR> d--hs---- C:\FOUND.001
2008-08-03 19:30 . 2008-08-03 19:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 19:28 . 2008-08-03 19:28 78,336 --a------ C:\WINDOWS\system32\wzgtuf.exe
2008-08-03 19:28 . 2008-08-03 19:28 43,008 --a------ C:\WINDOWS\system32\etvhcso.exe
2008-08-03 19:28 . 2008-08-03 19:28 18,944 --a------ C:\WINDOWS\system32\fbcuplv.exe
2008-08-03 19:24 . 2001-10-26 19:27 22,016 --a------ C:\WINDOWS\system32\dllcache\agt0408.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,968 --a------ C:\WINDOWS\system32\dllcache\agt040e.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt041f.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0419.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0415.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0405.dll
2008-08-03 19:24 . 2001-10-26 19:29 6,656 --a------ C:\WINDOWS\system32\dllcache\batt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 17:28 15,360 ----a-w C:\mstsc.exe
2008-08-03 16:59 41,984 ----a-w C:\WINDOWS\system32\setup_03307.exe
2008-08-03 16:58 147,907 ----a-w C:\spool32.exe
2008-08-03 16:57 32,768 ----a-w C:\Documents and Settings\a\symant.exe
2008-08-03 16:57 209 ----a-w C:\Documents and Settings\a\runmgr.bat
2008-08-03 16:57 131,072 ----a-w C:\WINDOWS\system32\runmgr.exe
2008-08-03 16:57 131,072 ----a-w C:\Documents and Settings\a\runmgr.exe
2008-08-03 16:56 41,984 ----a-w C:\WINDOWS\system32\setup_32071.exe
2008-08-03 16:47 78,336 ----a-w C:\WINDOWS\system32\luyxcd.exe
2008-08-03 16:47 43,008 ----a-w C:\WINDOWS\system32\rvgoi.exe
2008-08-03 16:47 18,944 ----a-w C:\WINDOWS\system32\ozwd.exe
2008-08-03 16:47 116,736 ---ha-w C:\WINDOWS\system32\bbiag.exe
2008-08-03 16:47 --------- d-----w C:\Documents and Settings\a\Dane aplikacji\Gadu-Gadu
2008-08-03 16:46 --------- d-----w C:\Program Files\Gadu-Gadu
2008-08-03 16:40 --------- d-----w C:\Program Files\ZTE ZXDSL 852
2008-08-03 16:40 --------- d-----w C:\Program Files\Freedom
2008-08-03 16:33 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-03 16:29 --------- d-----w C:\Program Files\Usługi online
.

------- Sigcheck -------

2001-10-26 17:29 1012224 5e7d1d898c5bdd5436d0ac9c2fe83f4d C:\WINDOWS\explorer.exe
2001-10-26 17:29 1012224 1bf80bca22c3e13d7fe201700d092241 C:\WINDOWS\system32\dllcache\explorer.exe
2001-10-26 17:29 23040 8e1455014ec1efa01355eb557eb7d35c C:\WINDOWS\system32\ctfmon.exe
2001-10-26 17:29 23040 214b202b48a542c0b1d738f18141df16 C:\WINDOWS\system32\dllcache\ctfmon.exe
2001-10-26 17:30 60928 3929898c832e5fcdbc8edd20cfa724f9 C:\WINDOWS\system32\spoolsv.exe
2001-10-26 17:30 60928 d87214cd180e33a6a2224d53acc61ac0 C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot@2008-08-04_10.50.23.61 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-07-07 13:02:26 65,536 ----a-w C:\WINDOWS\DSLTest.exe
+ 2005-07-07 13:02:26 255,452 ----a-w C:\WINDOWS\DSLTest.exe
- 2000-08-31 06:00:00 101,792 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 06:00:00 280,030 ----a-w C:\WINDOWS\fdsv.exe
- 2000-08-31 06:00:00 90,140 ----a-w C:\WINDOWS\grep.exe
+ 2000-08-31 06:00:00 268,256 ----a-w C:\WINDOWS\grep.exe
- 2001-10-26 15:29:54 26,647 ----a-w C:\WINDOWS\hh.exe
+ 2001-10-26 15:29:54 36,375 ----a-w C:\WINDOWS\hh.exe
- 2001-10-26 17:29:54 692,224 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
+ 2001-10-26 17:29:54 701,952 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
- 2000-08-31 06:00:00 108,544 ----a-w C:\WINDOWS\sed.exe
+ 2000-08-31 06:00:00 286,174 ----a-w C:\WINDOWS\sed.exe
- 2006-06-27 08:53:58 102,400 ----a-w C:\WINDOWS\stmtrace.exe
+ 2006-06-27 08:53:58 292,312 ----a-w C:\WINDOWS\stmtrace.exe
- 2000-08-31 06:00:00 146,432 ----a-w C:\WINDOWS\swsc.exe
+ 2000-08-31 06:00:00 324,064 ----a-w C:\WINDOWS\swsc.exe
- 2000-08-31 06:00:00 222,208 ----a-w C:\WINDOWS\swxcacls.exe
+ 2000-08-31 06:00:00 399,836 ----a-w C:\WINDOWS\swxcacls.exe
- 2001-10-26 17:29:48 99,328 ----a-w C:\WINDOWS\system32\clipbrd.exe
+ 2001-10-26 17:29:48 109,056 ----a-w C:\WINDOWS\system32\clipbrd.exe
- 2008-08-04 08:49:52 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-04 09:13:30 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-04 08:49:52 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
+ 2008-08-04 09:13:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
- 2008-08-04 08:49:52 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-04 09:13:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
- 2001-10-26 17:29:56 118,272 ----a-w C:\WINDOWS\system32\mplay32.exe
+ 2001-10-26 17:29:56 128,000 ----a-w C:\WINDOWS\system32\mplay32.exe
- 2001-10-26 15:29:58 24,064 ----a-w C:\WINDOWS\system32\mshta.exe
+ 2001-10-26 15:29:58 33,792 ----a-w C:\WINDOWS\system32\mshta.exe
- 2008-08-04 08:26:00 40,128 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-04 08:54:38 40,128 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-04 08:26:00 49,712 ----a-w C:\WINDOWS\system32\perfc015.dat
+ 2008-08-04 08:54:38 49,712 ----a-w C:\WINDOWS\system32\perfc015.dat
- 2008-08-04 08:26:00 311,740 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-04 08:54:38 311,740 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-08-04 08:26:00 355,830 ----a-w C:\WINDOWS\system32\perfh015.dat
+ 2008-08-04 08:54:38 355,830 ----a-w C:\WINDOWS\system32\perfh015.dat
- 2001-10-26 17:30:04 16,384 ----a-w C:\WINDOWS\system32\tskill.exe
+ 2001-10-26 17:30:04 26,112 ----a-w C:\WINDOWS\system32\tskill.exe
- 2001-10-26 15:30:06 118,834 ----a-w C:\WINDOWS\system32\wscript.exe
+ 2001-10-26 15:30:06 131,122 ----a-w C:\WINDOWS\system32\wscript.exe
- 2000-08-31 06:00:00 61,440 ----a-w C:\WINDOWS\VFind.exe
+ 2000-08-31 06:00:00 239,062 ----a-w C:\WINDOWS\VFind.exe
- 2000-08-31 06:00:00 77,824 ----a-w C:\WINDOWS\zip.exe
+ 2000-08-31 06:00:00 255,454 ----a-w C:\WINDOWS\zip.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsft Security Monitor Process"="mssmpp.exe" [2008-08-04 11:03 258048 C:\WINDOWS\system32\mssmpp.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsft Security Monitor Process"="mssmpp.exe" [2008-08-04 11:03 258048 C:\WINDOWS\system32\mssmpp.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Winedows Updateing"="NinKey.exe" [bU]
"Windows has Layer"="fixweb.exe" [bU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Winedows Updateing"="NinKey.exe" [bU]
"Windows has Layer"="fixweb.exe" [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\System32\DRIVERS\stmatm.sys [2003-08-12 12:51]
R3 TaurusUsb;ADSL Modem USB Service;C:\WINDOWS\System32\DRIVERS\torususb.sys [2006-07-05 13:50]
S2 ffor.mylifez.net;Windows has Layer;C:\WINDOWS\System32\fixweb.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft Winedows Updateing - NinKey.exe
HKLM-Run-Microsoft Anivirus Monitor Process - antiv.exe
HKLM-RunServices-Microsoft Anivirus Monitor Process - antiv.exe
HKU-Default-Run-Microsoft Windows Update - ReKey.exe
HKU-Default-RunOnce-Microsoft Windows Update - ReKey.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 11:13:43
Windows 5.1.2600 FAT NTAPI

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-04 11:14:24 - machine was rebooted [a]
ComboFix-quarantined-files.txt 2008-08-04 09:14:20
ComboFix2.txt 2008-08-04 08:50:52

Pre-Run: 7,736,827,904 bajtów wolnych
Post-Run: 6,908,174,336 bajt˘w wolnych

178

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18, on 2008-08-04
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Freedom\Freedom.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\antiv.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\System32\mssmpp.exe
C:\WINDOWS\mrofinu.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {296B7018-4782-4E4A-AD15-05157A8A8B6E} - C:\WINDOWS\System32\olesvr3.dll
O4 - HKLM\..\Run: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\Run: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKLM\..\RunServices: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\RunServices: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-18\..\RunOnce: [Windows has Layer] fixweb.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Windows has Layer] fixweb.exe (User 'Default user')
O17 - 
HKLM\System\CCS\Services\Tcpip\..\{FBDD029A-42C5-4DCC-94AC-5CFF849E4CA9}: NameServer = 217.116.100.65 217.116.100.66O23 - Service: Windows has Layer (ffor.mylifez.net) - Unknown owner - C:\WINDOWS\System32\fixweb.exe (file missing)--End of file - 1981 bytes
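The helper in this thread reads HijackThis O2/O4/O17/O23 lines by eye and picks out the entries that do not belong. The script below is an added example, not part of the original posts and not HijackThis code; it encodes the same triage rules (unqualified start-up binaries, vendor-lookalike display names, RunServices persistence on an NT system, unnamed BHOs, unexpected DNS servers, orphaned services) so they can be run over a whole log. SAMPLE_LOG is a constructed subset of the log posted above; EXPECTED_DNS is a hypothetical value chosen for the example, not something taken from the thread.

```python
"""Triage heuristics for HijackThis O2/O4/O17/O23 lines (added example)."""
import difflib
import re

# Words that malware commonly imitates in autostart display names.
BRAND_WORDS = ("microsoft", "windows", "update", "security", "antivirus", "monitor")
# Hypothetical: the resolver this network is expected to use (not from the thread).
EXPECTED_DNS = {"192.168.1.1"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
O23_RE = re.compile(r"^O23 - Service: .*? \(.*?\) - (?P<owner>.*?) - (?P<path>.*)$")

# Constructed subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {296B7018-4782-4E4A-AD15-05157A8A8B6E} - C:\WINDOWS\System32\olesvr3.dll
O4 - HKLM\..\Run: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\Run: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKLM\..\RunServices: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-18\..\RunOnce: [Windows has Layer] fixweb.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBDD029A-42C5-4DCC-94AC-5CFF849E4CA9}: NameServer = 217.116.100.65 217.116.100.66
O23 - Service: Windows has Layer (ffor.mylifez.net) - Unknown owner - C:\WINDOWS\System32\fixweb.exe (file missing)
"""


def looks_like_brand(name: str) -> bool:
    """True when a word of the display name is, or nearly is, a brand word
    ("Microsft", "Anivirus", "Winedows" all pass the near-miss test)."""
    for word in re.findall(r"[a-z]+", name.lower()):
        if any(b in word for b in BRAND_WORDS):
            return True
        if difflib.get_close_matches(word, BRAND_WORDS, n=1, cutoff=0.8):
            return True
    return False


def parse_exe(cmd: str) -> str:
    """Extract the program from an O4 command line: the quoted path, or the
    first token; the trailing (User '...') annotation is dropped first."""
    cmd = re.sub(r"\s*\(User '[^']*'\)$", "", cmd).strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> list:
    """Return [{'line': ..., 'reasons': [...]}] for each line worth a look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        if m := O4_RE.match(line):
            exe = parse_exe(m["cmd"])
            if "\\" not in exe:
                reasons.append("unqualified path: binary is resolved via the search path at logon")
            if m["key"] == "RunServices":
                reasons.append("RunServices is a Win9x-era autostart key, rarely legitimate on NT")
            if looks_like_brand(m["name"]) and not exe.lower().startswith("c:\\program files"):
                reasons.append("vendor-lookalike display name for a binary outside Program Files")
        elif m := O2_RE.match(line):
            if m["name"] == "(no name)":
                reasons.append("BHO with no name; verify the DLL's publisher")
        elif m := O17_RE.match(line):
            rogue = [s for s in m["servers"].split() if s not in EXPECTED_DNS]
            if rogue:
                reasons.append("NameServer not in the expected set: " + ", ".join(rogue))
        elif m := O23_RE.match(line):
            if m["owner"] == "Unknown owner":
                reasons.append("service with unknown owner")
            if "(file missing)" in m["path"]:
                reasons.append("service binary missing: stale registration from malware or a partial cleanup")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

Only the Gadu-Gadu entry survives the triage unflagged: it has a fully qualified path under Program Files and a display name that imitates no vendor. Everything the script flags is something the helper later asks the user to remove.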
Mateusz J., comment 4 August 2008

Use The Avenger; script to paste:

Files to delete:
C:\WINDOWS\system32\ReKey.exe
C:\WINDOWS\system32\wzgtuf.exe
C:\WINDOWS\System32\olesvr3.dll
C:\WINDOWS\system32\etvhcso.exe
C:\WINDOWS\system32\fbcuplv.exe
C:\mstsc.exe
C:\WINDOWS\system32\setup_03307.exe
C:\WINDOWS\system32\antiv.exe
C:\spool32.exe
C:\WINDOWS\system32\csrcs.exe
C:\Documents and Settings\a\runmgr.bat
C:\Documents and Settings\a\symant.exe
C:\WINDOWS\system32\runmgr.exe
C:\Documents and Settings\a\runmgr.exe
C:\WINDOWS\system32\setup_32071.exe
C:\WINDOWS\system32\luyxcd.exe
C:\WINDOWS\system32\rvgoi.exe
C:\WINDOWS\system32\ozwd.exe
C:\WINDOWS\system32\bbiag.exe
C:\WINDOWS\web\related.htm

Folders to delete:
C:\FOUND.001
C:\FOUND.002

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices | Microsft Security Monitor Process
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Microsft Security Monitor Process

Drivers to delete:
Windows Applications Manager
b438958747a7r91053
flys
ffor.mylifez.net

Post the report on the forum. Create new logs with ComboFix, HijackThis and Silent Runners. The files keep coming back :/ Where did you get Gadu-Gadu from? Did you download it from the official site?
Gawcio (Author), comment 4 August 2008

Yes, from the official one. Besides that, in Task Manager there are two antiv.exe processes, which I read on Google are trojans. Yesterday, after Avast removed all 20038 viruses from the Windows system directory, the system wouldn't start: it showed "logging on", the desktop never appeared, and it logged off right away. Also, a message often appears saying the computer must be restarted and that I have 1 minute to close all applications. I'm downloading that Avenger. EDIT: After clicking the executable an error appears: Error: Invalid registry syntax in command...
Mateusz J., comment 4 August 2008

Try now, just copy the script again.
Gawcio (Author), comment 4 August 2008

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600)
Mon Aug 04 11:38:27 2008

11:38:22: Error: Invalid registry syntax in command:
"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run|Microsoft Winedows Updateing"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)

11:38:25: Error: Invalid registry syntax in command:
"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run|Windows has Layer"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)

11:38:27: Error: Execution aborted by user!

//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600)
Mon Aug 04 11:38:47 2008

11:38:45: Error: Invalid registry syntax in command:
"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run|Microsoft Winedows Updateing"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)

11:38:47: Error: Execution aborted by user!

//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600)
Mon Aug 04 11:41:56 2008

11:41:54: Error: Invalid registry syntax in command:
"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run|Microsoft Winedows Updateing"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)

11:41:55: Error: Execution aborted by user!

//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600)
Mon Aug 04 11:42:17 2008

11:42:15: Error: Invalid registry syntax in command:
"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run|Microsoft Winedows Updateing"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)

11:42:17: Error: Execution aborted by user!

//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600)
Mon Aug 04 11:42:31 2008

11:42:29: Error: Invalid registry syntax in command:
"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run|Microsoft Winedows Updateing"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)

11:42:30: Error: Invalid registry syntax in command:
"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run|Windows has Layer"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)

11:42:31: Error: Execution aborted by user!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "C:\WINDOWS\system32\ReKey.exe" not found!
Deletion of file "C:\WINDOWS\system32\ReKey.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\wzgtuf.exe" deleted successfully.
File "C:\WINDOWS\System32\olesvr3.dll" deleted successfully.
File "C:\WINDOWS\system32\etvhcso.exe" deleted successfully.
File "C:\WINDOWS\system32\fbcuplv.exe" deleted successfully.
File "C:\mstsc.exe" deleted successfully.
File "C:\WINDOWS\system32\setup_03307.exe" deleted successfully.
File "C:\WINDOWS\system32\antiv.exe" deleted successfully.
File "C:\spool32.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\csrcs.exe" not found!
Deletion of file "C:\WINDOWS\system32\csrcs.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Documents and Settings\a\runmgr.bat" deleted successfully.
File "C:\Documents and Settings\a\symant.exe" deleted successfully.
File "C:\WINDOWS\system32\runmgr.exe" deleted successfully.
File "C:\Documents and Settings\a\runmgr.exe" deleted successfully.
File "C:\WINDOWS\system32\setup_32071.exe" deleted successfully.
File "C:\WINDOWS\system32\luyxcd.exe" deleted successfully.
File "C:\WINDOWS\system32\rvgoi.exe" deleted successfully.
File "C:\WINDOWS\system32\ozwd.exe" deleted successfully.
File "C:\WINDOWS\system32\bbiag.exe" deleted successfully.
File "C:\WINDOWS\web\related.htm" deleted successfully.
Folder "C:\FOUND.001" deleted successfully.
Folder "C:\FOUND.002" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Windows Applications Manager" not found!
Deletion of driver "Windows Applications Manager" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "b438958747a7r91053" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\flys" not found!
Deletion of driver "flys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "ffor.mylifez.net" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|Microsft Security Monitor Process" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Microsft Security Monitor Process" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Should I also post the HJT one?
Mateusz J., comment 4 August 2008

You need to post HJT and ComboFix. I hope everything hasn't come back again.
Gawcio (Author), comment 4 August 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02, on 2008-08-04
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\temp2.exe
C:\Program Files\Freedom\Freedom.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\17PHolmes1001186.exe
C:\WINDOWS\System32\windowsupdate.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {296B7018-4782-4E4A-AD15-05157A8A8B6E} - C:\WINDOWS\System32\olesvr3.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [temp2] C:\windows\system\temp2.exe
O4 - HKLM\..\Run: [windowsupdate] C:\WINDOWS\System32\windowsupdate.exe
O4 - HKLM\..\RunServices: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKLM\..\RunServices: [windowsupdate] C:\WINDOWS\System32\windowsupdate.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-21-329068152-1708537768-839522115-1003\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [Windows has Layer] fixweb.exe (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [Windows has Layer] fixweb.exe (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBDD029A-42C5-4DCC-94AC-5CFF849E4CA9}: NameServer = 217.116.100.65 217.116.100.66

--
End of file - 2228 bytes

CF

ComboFix 08-08-03.03 - a 2008-08-04 12:03:48.3 - [b]FAT32[/b]x86
Running from: C:\Documents and Settings\a\Pulpit\ComboFix.exe
[b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\delextra.exe
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\system\delnew.exe
C:\WINDOWS\system\run.exe
C:\WINDOWS\system\temp2.exe
C:\WINDOWS\system32\windowsupdate.exe
C:\winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.
2008-08-04 11:34 . 2008-08-04 11:34 <DIR> d--hs---- C:\FOUND.003
2008-08-04 11:22 . 2008-08-04 11:22 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-08-04 11:20 . 2008-08-04 11:20 112,128 -ra------ C:\WINDOWS\system32\TFTP2764
2008-08-04 11:20 . 2008-08-04 11:20 73,216 -ra------ C:\WINDOWS\system32\TFTP2420
2008-08-04 11:15 . 2008-08-04 11:15 0 -ra------ C:\WINDOWS\system32\TFTP916
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-08-04 11:09 . 2008-08-04 11:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-04 10:59 . 2008-08-04 10:59 41,984 --a------ C:\WINDOWS\system32\setup_13738.exe
2008-08-04 10:59 . 2008-08-04 10:59 0 -ra------ C:\WINDOWS\system32\TFTP3940
2008-08-04 10:51 . 2008-08-04 10:52 165,376 -ra------ C:\WINDOWS\system32\TFTP3140
2008-08-04 10:50 . 2008-08-04 10:50 <DIR> d--hs---- C:\Recycled
2008-08-03 19:30 . 2008-08-03 19:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 19:24 . 2001-10-26 19:27 22,016 --a------ C:\WINDOWS\system32\dllcache\agt0408.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,968 --a------ C:\WINDOWS\system32\dllcache\agt040e.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt041f.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0419.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0415.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0405.dll
2008-08-03 19:24 . 2001-10-26 19:29 6,656 --a------ C:\WINDOWS\system32\dllcache\batt.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 16:47 --------- d-----w C:\Documents and Settings\a\Dane aplikacji\Gadu-Gadu
2008-08-03 16:46 --------- d-----w C:\Program Files\Gadu-Gadu
2008-08-03 16:40 --------- d-----w C:\Program Files\ZTE ZXDSL 852
2008-08-03 16:40 --------- d-----w C:\Program Files\Freedom
2008-08-03 16:33 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-03 16:29 --------- d-----w C:\Program Files\Usługi online
.
------- Sigcheck -------
2001-10-26 17:29 1012224 5e7d1d898c5bdd5436d0ac9c2fe83f4d C:\WINDOWS\explorer.exe
2001-10-26 17:29 1012224 1bf80bca22c3e13d7fe201700d092241 C:\WINDOWS\system32\dllcache\explorer.exe
2001-10-26 17:29 23040 8e1455014ec1efa01355eb557eb7d35c C:\WINDOWS\system32\ctfmon.exe
2001-10-26 17:29 23040 214b202b48a542c0b1d738f18141df16 C:\WINDOWS\system32\dllcache\ctfmon.exe
2001-10-26 17:30 60928 3929898c832e5fcdbc8edd20cfa724f9 C:\WINDOWS\system32\spoolsv.exe
2001-10-26 17:30 60928 d87214cd180e33a6a2224d53acc61ac0 C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot_2008-08-04_11.14.00,95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-03 17:28:16 21,504 ----a-w C:\WINDOWS\system\del.exe
+ 2008-08-04 09:22:18 21,504 ----a-w C:\WINDOWS\system\del.exe
- 2008-08-03 16:58:48 17,055 ----a-w C:\WINDOWS\system\helper.exe
+ 2008-08-04 09:22:26 17,055 ----a-w C:\WINDOWS\system\helper.exe
- 2008-08-04 09:13:30 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-04 09:59:46 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-04 09:13:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
+ 2008-08-04 09:59:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
- 2008-08-04 09:13:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-04 09:59:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
- 2001-10-26 17:30:04 15,360 ----a-w C:\WINDOWS\system32\tsdiscon.exe
+ 2001-10-26 17:30:04 25,088 ----a-w C:\WINDOWS\system32\tsdiscon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Anivirus Monitor Process"="antiv.exe" [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Anivirus Monitor Process"="antiv.exe" [bU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows has Layer"="fixweb.exe" [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

BHO-{296B7018-4782-4E4A-AD15-05157A8A8B6E} - C:\WINDOWS\System32\olesvr3.dll
HKLM-Run-temp2 - C:\windows\system\temp2.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\a\Dane aplikacji\Mozilla\Firefox\Profiles\fpcso0s9.default\

**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 12:04:52
Windows 5.1.2600 FAT NTAPI

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-04 12:05:22
ComboFix-quarantined-files.txt 2008-08-04 10:05:22
ComboFix3.txt 2008-08-04 08:50:52
ComboFix2.txt 2008-08-04 09:14:26

Pre-Run: 6,835,068,928 bajtów wolnych
Post-Run: 6,821,748,736 bajtów wolnych

120
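Two sections of the ComboFix logs in this thread carry more information than the removal scripts use. The "snapshot" section lists each changed file twice ('-' old state, '+' new state), and grouping the size deltas shows that many system executables grew by the same number of bytes while keeping their original modification time, the footprint of a file infector that appends its body and restores the timestamp. The "Sigcheck" section lists each live system file beside its dllcache copy; equal size with a different MD5 means one of the two copies was altered in place and neither should be trusted until compared against a known-good catalogue. The script below is an added example, not ComboFix code and not part of the original posts; SNAPSHOT and SIGCHECK are constructed subsets of the log lines posted in this thread.

```python
"""Size-delta and Sigcheck analysis of ComboFix log sections (added example)."""
import ntpath
import re
from collections import Counter, defaultdict

SNAP_RE = re.compile(r"^([-+]) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([\d,]+) (\S+) (.+)$")
SIG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9a-f]{32}) (.+)$")

# Constructed subset of the snapshot sections posted above.
SNAPSHOT = r"""
- 2001-10-26 15:29:54 26,647 ----a-w C:\WINDOWS\hh.exe
+ 2001-10-26 15:29:54 36,375 ----a-w C:\WINDOWS\hh.exe
- 2001-10-26 17:29:48 99,328 ----a-w C:\WINDOWS\system32\clipbrd.exe
+ 2001-10-26 17:29:48 109,056 ----a-w C:\WINDOWS\system32\clipbrd.exe
- 2001-10-26 15:29:58 24,064 ----a-w C:\WINDOWS\system32\mshta.exe
+ 2001-10-26 15:29:58 33,792 ----a-w C:\WINDOWS\system32\mshta.exe
- 2001-10-26 17:30:04 15,360 ----a-w C:\WINDOWS\system32\tsdiscon.exe
+ 2001-10-26 17:30:04 25,088 ----a-w C:\WINDOWS\system32\tsdiscon.exe
- 2005-07-07 13:02:26 65,536 ----a-w C:\WINDOWS\DSLTest.exe
+ 2005-07-07 13:02:26 255,452 ----a-w C:\WINDOWS\DSLTest.exe
- 2008-08-04 08:26:00 40,128 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-04 08:54:38 40,128 ----a-w C:\WINDOWS\system32\perfc009.dat
"""

# Constructed subset of the Sigcheck section posted above.
SIGCHECK = r"""
2001-10-26 17:29 1012224 5e7d1d898c5bdd5436d0ac9c2fe83f4d C:\WINDOWS\explorer.exe
2001-10-26 17:29 1012224 1bf80bca22c3e13d7fe201700d092241 C:\WINDOWS\system32\dllcache\explorer.exe
2001-10-26 17:29 23040 8e1455014ec1efa01355eb557eb7d35c C:\WINDOWS\system32\ctfmon.exe
2001-10-26 17:29 23040 214b202b48a542c0b1d738f18141df16 C:\WINDOWS\system32\dllcache\ctfmon.exe
"""


def parse_snapshot(text):
    """Map path -> {'-': (mtime, size), '+': (mtime, size)}."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = SNAP_RE.match(line.strip())
        if m:
            sign, mtime, size, _attrs, path = m.groups()
            entries[path][sign] = (mtime, int(size.replace(",", "")))
    return entries


def size_deltas(entries):
    """path -> (delta_bytes, mtime_unchanged) for files present in both states."""
    out = {}
    for path, versions in entries.items():
        if "-" in versions and "+" in versions:
            (old_t, old_s), (new_t, new_s) = versions["-"], versions["+"]
            out[path] = (new_s - old_s, old_t == new_t)
    return out


def suspected_infector_delta(deltas, min_files=3):
    """(delta, [paths]) for the most common positive growth that preserved the
    modification time, or None when fewer than min_files share one delta."""
    counts = Counter(d for d, same in deltas.values() if d > 0 and same)
    if not counts:
        return None
    delta, n = counts.most_common(1)[0]
    if n < min_files:
        return None
    paths = sorted(p for p, (d, same) in deltas.items() if d == delta and same)
    return delta, paths


def sigcheck_mismatches(text):
    """Basenames whose live copy and dllcache copy have equal size but differ in MD5."""
    by_name = defaultdict(list)
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if m:
            _date, size, md5, path = m.groups()
            by_name[ntpath.basename(path).lower()].append((int(size), md5))
    bad = []
    for name, copies in by_name.items():
        sizes = {s for s, _ in copies}
        hashes = {h for _, h in copies}
        if len(copies) > 1 and len(sizes) == 1 and len(hashes) > 1:
            bad.append(name)
    return sorted(bad)


if __name__ == "__main__":
    deltas = size_deltas(parse_snapshot(SNAPSHOT))
    print("suspected infector delta:", suspected_infector_delta(deltas))
    print("sigcheck mismatches:", sigcheck_mismatches(SIGCHECK))
```

On the sample, four executables grew by exactly 9,728 bytes with their timestamps untouched, while perfc009.dat (rewritten by the system, new timestamp, same size) and DSLTest.exe (a different, one-off delta) are not grouped with them. A result like this argues for restoring the affected binaries from trusted media rather than deleting the few files named in a removal script.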
Mateusz J., comment 4 August 2008

Use FixWareOut and post the report on the forum. New script to paste into The Avenger:

Files to delete:
C:\WINDOWS\system\del.exe
C:\WINDOWS\system\helper.exe
C:\WINDOWS\system32\tsdiscon.exe
C:\windows\system\temp2.exe
C:\WINDOWS\system32\setup_13738.exe

Folders to delete:
C:\WINDOWS\system32\TFTP3940
C:\WINDOWS\system32\TFTP3140

Paste into Notepad:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Anivirus Monitor Process"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows has Layer"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Anivirus Monitor Process"=-

File ==> Save As ==> change the file type to All Files ==> save under the name FIX.REG. Run the created FIX.REG file, confirm adding it to the Registry, and restart the computer.

Entries to fix in HijackThis:

O2 - BHO: (no name) - {296B7018-4782-4E4A-AD15-05157A8A8B6E} - C:\WINDOWS\System32\olesvr3.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [temp2] C:\windows\system\temp2.exe
O4 - HKLM\..\Run: [windowsupdate] C:\WINDOWS\System32\windowsupdate.exe
O4 - HKLM\..\RunServices: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKLM\..\RunServices: [windowsupdate] C:\WINDOWS\System32\windowsupdate.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-21-329068152-1708537768-839522115-1003\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [Windows has Layer] fixweb.exe (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [Windows has Layer] fixweb.exe (User 'Default user')
Gawcio (Author), comment 4 August 2008

Username "a" - 2008-08-04 12:25:58 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
Pomyślnie opróżniono pamięć podręczną programu rozpoznawania nazw DNS.

System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.....
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Microsoft Anivirus Monitor Process"="antiv.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Gadu-Gadu"="\"C:\\Program Files\\Gadu-Gadu\\gg.exe\" /tray"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

EDIT: New log from Avenger

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system\del.exe" deleted successfully.
File "C:\WINDOWS\system\helper.exe" deleted successfully.
File "C:\WINDOWS\system32\tsdiscon.exe" deleted successfully.

Error: file "C:\windows\system\temp2.exe" not found!
Deletion of file "C:\windows\system\temp2.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\setup_13738.exe" deleted successfully.

Error: "C:\WINDOWS\system32\TFTP3940" is not a folder! It may instead be a file.
Deletion of folder "C:\WINDOWS\system32\TFTP3940" failed!
Status: 0xc0000103 (STATUS_NOT_A_DIRECTORY)
--> use "Files to delete:" instead of "Folders to delete:" to delete an ordinary file

Error: "C:\WINDOWS\system32\TFTP3140" is not a folder! It may instead be a file.
Deletion of folder "C:\WINDOWS\system32\TFTP3140" failed!
Status: 0xc0000103 (STATUS_NOT_A_DIRECTORY)
--> use "Files to delete:" instead of "Folders to delete:" to delete an ordinary file

Completed script processing.

*******************

Finished! Terminate.

EDIT2: New HJT log after fixing the entries you mentioned (not all of them were there, but I removed the ones you wrote)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38, on 2008-08-04
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Freedom\Freedom.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\17PHolmes1001186.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\fixweb.exe
C:\WINDOWS\system32\mssmpp.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunServices: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows has Layer] fixweb.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [Windows has Layer] fixweb.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Windows has Layer] fixweb.exe (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBDD029A-42C5-4DCC-94AC-5CFF849E4CA9}: NameServer = 217.116.100.65 217.116.100.66

--
End of file - 1815 bytes

What are the next steps?

ComboFix

ComboFix 08-08-03.03 - a 2008-08-04 12:49:14.4 - [b]FAT32[/b]x86
Running from: C:\Documents and Settings\a\Pulpit\ComboFix.exe
[b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\system32\NinKey.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.
2008-08-04 12:47 . 2008-08-04 12:47 112,128 -ra------ C:\WINDOWS\system32\antiv.exe
2008-08-04 12:39 . 2008-08-04 12:39 0 -ra------ C:\WINDOWS\system32\TFTP2696
2008-08-04 12:25 . 2008-08-04 12:25 <DIR> d-------- C:\fixwareout
2008-08-04 11:34 . 2008-08-04 11:34 <DIR> d--hs---- C:\FOUND.003
2008-08-04 11:22 . 2008-08-04 11:22 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
2008-08-04 11:20 . 2008-08-04 11:20 112,128 -ra------ C:\WINDOWS\system32\TFTP2764
2008-08-04 11:20 . 2008-08-04 11:20 73,216 -ra------ C:\WINDOWS\system32\TFTP2420
2008-08-04 11:15 . 2008-08-04 11:15 0 -ra------ C:\WINDOWS\system32\TFTP916
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-08-04 11:09 . 2008-08-03 18:24 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2008-08-04 11:09 . 2008-08-04 11:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-04 10:59 . 2008-08-04 10:59 0 -ra------ C:\WINDOWS\system32\TFTP3940
2008-08-04 10:51 . 2008-08-04 10:52 165,376 -ra------ C:\WINDOWS\system32\TFTP3140
2008-08-04 10:50 . 2008-08-04 10:50 <DIR> d--hs---- C:\Recycled
2008-08-03 19:30 . 2008-08-03 19:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 19:24 . 2001-10-26 19:27 22,016 --a------ C:\WINDOWS\system32\dllcache\agt0408.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,968 --a------ C:\WINDOWS\system32\dllcache\agt040e.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt041f.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0419.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0415.dll
2008-08-03 19:24 . 2001-10-26 19:27 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0405.dll
2008-08-03 19:24 . 2001-10-26 19:29 6,656 --a------ C:\WINDOWS\system32\dllcache\batt.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 16:47 --------- d-----w C:\Documents and Settings\a\Dane aplikacji\Gadu-Gadu
2008-08-03 16:46 --------- d-----w C:\Program Files\Gadu-Gadu
2008-08-03 16:40 --------- d-----w C:\Program Files\ZTE ZXDSL 852
2008-08-03 16:40 --------- d-----w C:\Program Files\Freedom
2008-08-03 16:33 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-03 16:29 --------- d-----w C:\Program Files\Usługi online
.
------- Sigcheck -------
2001-10-26 17:29 1012224 5e7d1d898c5bdd5436d0ac9c2fe83f4d C:\WINDOWS\explorer.exe
2001-10-26 17:29 1012224 1bf80bca22c3e13d7fe201700d092241 C:\WINDOWS\system32\dllcache\explorer.exe
2001-10-26 17:29 23040 8e1455014ec1efa01355eb557eb7d35c C:\WINDOWS\system32\ctfmon.exe
2001-10-26 17:29 23040 214b202b48a542c0b1d738f18141df16 C:\WINDOWS\system32\dllcache\ctfmon.exe
2001-10-26 17:30 60928 3929898c832e5fcdbc8edd20cfa724f9 C:\WINDOWS\system32\spoolsv.exe
2001-10-26 17:30 60928 d87214cd180e33a6a2224d53acc61ac0 C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot_2008-08-04_11.14.00,95 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-10-26 15:29:46 4,096 ----a-w C:\WINDOWS\system32\actmovie.exe
+ 2001-10-26 15:29:46 13,824 ----a-w C:\WINDOWS\system32\actmovie.exe
- 2001-10-26 15:29:46 84,992 ----a-w C:\WINDOWS\system32\ahui.exe
+ 2001-10-26 15:29:46 94,720 ----a-w C:\WINDOWS\system32\ahui.exe
- 2001-10-26 15:29:46 19,968 ----a-w C:\WINDOWS\system32\arp.exe
+ 2001-10-26 15:29:46 29,696 ----a-w C:\WINDOWS\system32\arp.exe
- 2001-10-26 15:29:46 27,136 ----a-w C:\WINDOWS\system32\asr_fmt.exe
+ 2001-10-26 15:29:46 36,864 ----a-w C:\WINDOWS\system32\asr_fmt.exe
- 2001-10-26 15:29:46 33,792 ----a-w C:\WINDOWS\system32\asr_ldm.exe
+ 2001-10-26 15:29:46 43,520 ----a-w C:\WINDOWS\system32\asr_ldm.exe
- 2001-10-26 15:29:46 23,040 ----a-w C:\WINDOWS\system32\at.exe
+ 2001-10-26 15:29:46 32,768 ----a-w C:\WINDOWS\system32\at.exe
- 2001-10-26 15:29:46 10,240 ----a-w C:\WINDOWS\system32\atmadm.exe
+ 2001-10-26 15:29:46 19,968 ----a-w C:\WINDOWS\system32\atmadm.exe
- 2001-10-26 15:29:48 148,480 ----a-w C:\WINDOWS\system32\bootcfg.exe
+ 2001-10-26 15:29:48 158,208 ----a-w C:\WINDOWS\system32\bootcfg.exe
- 2001-10-26 15:29:48 5,120 ----a-w C:\WINDOWS\system32\bootvrfy.exe
+ 2001-10-26 15:29:48 14,848 ----a-w C:\WINDOWS\system32\bootvrfy.exe
- 2001-10-26 15:29:48 19,456 ----a-w C:\WINDOWS\system32\cacls.exe
+ 2001-10-26 15:29:48 29,184 ----a-w C:\WINDOWS\system32\cacls.exe
- 2001-10-26 15:29:48 11,776 ----a-w C:\WINDOWS\system32\chkdsk.exe
+ 2001-10-26 15:29:48 21,504 ----a-w C:\WINDOWS\system32\chkdsk.exe
- 2001-10-26 15:29:48 11,264 ----a-w C:\WINDOWS\system32\chkntfs.exe
+ 2001-10-26 15:29:48 20,992 ----a-w C:\WINDOWS\system32\chkntfs.exe
- 2001-10-26 15:29:48 8,192 ----a-w C:\WINDOWS\system32\cidaemon.exe
+ 2001-10-26 15:29:48 17,920 ----a-w C:\WINDOWS\system32\cidaemon.exe
- 2001-10-26 15:29:48 45,056 ----a-w C:\WINDOWS\system32\cipher.exe
+ 2001-10-26 15:29:48 54,784 ----a-w C:\WINDOWS\system32\cipher.exe
- 2001-10-26 15:29:48 7,680 ----a-w C:\WINDOWS\system32\ckcnv.exe
+ 2001-10-26 15:29:48 17,408 ----a-w C:\WINDOWS\system32\ckcnv.exe
- 2001-08-17 18:16:10 45,632 ----a-w C:\WINDOWS\system32\cliconfg.exe
+ 2001-08-17 18:16:10 57,920 ----a-w C:\WINDOWS\system32\cliconfg.exe
- 2001-10-26 15:29:50 41,472 ----a-w C:\WINDOWS\system32\cmdl32.exe
+ 2001-10-26 15:29:50 51,200 ----a-w C:\WINDOWS\system32\cmdl32.exe
- 2001-10-26 15:29:50 35,840 ----a-w C:\WINDOWS\system32\cmmon32.exe
+ 2001-10-26 15:29:50 45,568 ----a-w C:\WINDOWS\system32\cmmon32.exe
- 2001-10-26 15:29:50 55,808 ----a-w C:\WINDOWS\system32\cmstp.exe
+ 2001-10-26 15:29:50 65,536 ----a-w C:\WINDOWS\system32\cmstp.exe
- 2001-10-26 15:29:50 15,872 ----a-w C:\WINDOWS\system32\comp.exe
+ 2001-10-26 15:29:50 25,600 ----a-w C:\WINDOWS\system32\comp.exe
- 2001-10-26 15:29:50 17,920 ----a-w C:\WINDOWS\system32\compact.exe
+ 2001-10-26 15:29:50 27,648 ----a-w C:\WINDOWS\system32\compact.exe
- 2008-08-04 09:13:30 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-04 10:47:58 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-04 09:13:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
+ 2008-08-04 10:47:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat
- 2008-08-04 09:13:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-04 10:47:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat
- 2001-10-26 15:29:50 24,576 ----a-w C:\WINDOWS\system32\conime.exe
+ 2001-10-26 15:29:50 34,304 ----a-w C:\WINDOWS\system32\conime.exe
- 2001-10-26 15:29:50 8,192 ----a-w C:\WINDOWS\system32\control.exe
+ 2001-10-26 15:29:50 17,920 ----a-w C:\WINDOWS\system32\control.exe
- 2001-10-26 15:29:50 13,824 ----a-w C:\WINDOWS\system32\convert.exe
+ 2001-10-26 15:29:50 23,552 ----a-w C:\WINDOWS\system32\convert.exe
- 2001-10-26 17:29:50 5,120 ----a-w C:\WINDOWS\system32\dcomcnfg.exe
+ 2001-10-26 17:29:50 14,848 ----a-w C:\WINDOWS\system32\dcomcnfg.exe
- 2001-10-26 15:29:50 27,648 ----a-w C:\WINDOWS\system32\ddeshare.exe
+ 2001-10-26 15:29:50 37,376 ----a-w C:\WINDOWS\system32\ddeshare.exe
- 2001-10-26 15:29:50 85,504 ----a-w C:\WINDOWS\system32\dfrgntfs.exe
+ 2001-10-26 15:29:50 95,232 ----a-w C:\WINDOWS\system32\dfrgntfs.exe
- 2001-10-26 15:29:50 79,360 ----a-w C:\WINDOWS\system32\diantz.exe
+ 2001-10-26 15:29:50 89,088 ----a-w C:\WINDOWS\system32\diantz.exe
- 2001-10-26 15:29:50 146,944 ----a-w C:\WINDOWS\system32\diskpart.exe
+ 2001-10-26 15:29:50 156,672 ----a-w C:\WINDOWS\system32\diskpart.exe
- 2001-10-26 15:29:50 4,608 ----a-w C:\WINDOWS\system32\dllhst3g.exe
+ 2001-10-26 15:29:50 14,336 ----a-w C:\WINDOWS\system32\dllhst3g.exe
- 2001-10-26 15:29:52 14,336 ----a-w C:\WINDOWS\system32\dmremote.exe
+ 2001-10-26 15:29:52 24,064 ----a-w C:\WINDOWS\system32\dmremote.exe
- 2001-10-26 15:29:52 10,752 ----a-w C:\WINDOWS\system32\doskey.exe
+ 2001-10-26 15:29:52 20,480 ----a-w C:\WINDOWS\system32\doskey.exe
- 2001-10-26 15:29:52 26,112 ----a-w C:\WINDOWS\system32\dplaysvr.exe
+ 2001-10-26 15:29:52 35,840 ----a-w C:\WINDOWS\system32\dplaysvr.exe
- 2001-10-26 15:29:52 18,944 ----a-w C:\WINDOWS\system32\dpnsvr.exe
+ 2001-10-26 15:29:52 28,672 ----a-w C:\WINDOWS\system32\dpnsvr.exe
- 2001-10-26 15:29:52 59,392 ----a-w C:\WINDOWS\system32\dpvsetup.exe
+ 2001-10-26 15:29:52 69,120 ----a-w C:\WINDOWS\system32\dpvsetup.exe
- 2001-10-26 15:29:52 60,416 ----a-w C:\WINDOWS\system32\driverquery.exe
+ 2001-10-26 15:29:52 70,144 ----a-w C:\WINDOWS\system32\driverquery.exe
- 2001-10-26 15:29:52 30,208 ----a-w C:\WINDOWS\system32\dumprep.exe
+ 2001-10-26 15:29:52 39,936 ----a-w C:\WINDOWS\system32\dumprep.exe
- 2001-10-26 16:03:24 57,856 ----a-w C:\WINDOWS\system32\dvdplay.exe
+ 2001-10-26 16:03:24 67,584 ----a-w C:\WINDOWS\system32\dvdplay.exe
- 2001-10-26 15:29:52 15,872 ----a-w C:\WINDOWS\system32\dvdupgrd.exe
+ 2001-10-26 15:29:52 25,600 ----a-w C:\WINDOWS\system32\dvdupgrd.exe
- 2001-10-26 15:29:52 786,432 ----a-w C:\WINDOWS\system32\dxdiag.exe
+ 2001-10-26 15:29:52 798,720 ----a-w C:\WINDOWS\system32\dxdiag.exe
- 2001-10-26 15:29:52 39,424 ----a-w C:\WINDOWS\system32\esentutl.exe
+ 2001-10-26 15:29:52 49,152 ----a-w C:\WINDOWS\system32\esentutl.exe
- 2001-10-26 15:29:52 179,712 ----a-w C:\WINDOWS\system32\eudcedit.exe
+ 2001-10-26 15:29:52 189,440 ----a-w C:\WINDOWS\system32\eudcedit.exe
- 2001-10-26 15:29:52 49,664 ----a-w C:\WINDOWS\system32\eventcreate.exe
+ 2001-10-26 15:29:52 59,392 ----a-w C:\WINDOWS\system32\eventcreate.exe
- 2001-10-26 15:29:52 80,896 ----a-w C:\WINDOWS\system32\eventtriggers.exe
+ 2001-10-26 15:29:52 90,624 ----a-w 
C:\WINDOWS\system32\eventtriggers.exe- 2001-10-26 15:29:52 9,216 ----a-w C:\WINDOWS\system32\eventvwr.exe+ 2001-10-26 15:29:52 18,944 ----a-w C:\WINDOWS\system32\eventvwr.exe- 2001-10-26 15:29:52 16,384 ----a-w C:\WINDOWS\system32\expand.exe+ 2001-10-26 15:29:52 26,112 ----a-w C:\WINDOWS\system32\expand.exe- 2001-10-26 15:29:54 40,960 ----a-w C:\WINDOWS\system32\extrac32.exe+ 2001-10-26 15:29:54 50,688 ----a-w C:\WINDOWS\system32\extrac32.exe- 2001-10-26 15:29:54 14,848 ----a-w C:\WINDOWS\system32\fc.exe+ 2001-10-26 15:29:54 24,576 ----a-w C:\WINDOWS\system32\fc.exe- 2001-10-26 15:29:54 9,728 ----a-w C:\WINDOWS\system32\finger.exe+ 2001-10-26 15:29:54 19,456 ----a-w C:\WINDOWS\system32\finger.exe- 2001-10-26 15:29:54 3,072 ----a-w C:\WINDOWS\system32\fixmapi.exe+ 2001-10-26 15:29:54 12,800 ----a-w C:\WINDOWS\system32\fixmapi.exe- 2001-10-26 15:29:54 7,168 ----a-w C:\WINDOWS\system32\forcedos.exe+ 2001-10-26 15:29:54 16,896 ----a-w C:\WINDOWS\system32\forcedos.exe- 2001-10-26 15:29:54 62,976 ----a-w C:\WINDOWS\system32\fsutil.exe+ 2001-10-26 15:29:54 72,704 ----a-w C:\WINDOWS\system32\fsutil.exe- 2001-10-26 15:29:54 56,832 ----a-w C:\WINDOWS\system32\getmac.exe+ 2001-10-26 15:29:54 66,560 ----a-w C:\WINDOWS\system32\getmac.exe- 2001-10-26 15:29:54 114,688 ----a-w C:\WINDOWS\system32\gpresult.exe+ 2001-10-26 15:29:54 124,416 ----a-w C:\WINDOWS\system32\gpresult.exe- 2001-10-26 15:29:54 58,368 ----a-w C:\WINDOWS\system32\gpupdate.exe+ 2001-10-26 15:29:54 68,096 ----a-w C:\WINDOWS\system32\gpupdate.exe- 2001-10-26 15:29:54 14,848 ----a-w C:\WINDOWS\system32\help.exe+ 2001-10-26 15:29:54 24,576 ----a-w C:\WINDOWS\system32\help.exe- 2001-10-26 15:29:54 8,192 ----a-w C:\WINDOWS\system32\hostname.exe+ 2001-10-26 15:29:54 17,920 ----a-w C:\WINDOWS\system32\hostname.exe- 2001-10-26 15:29:54 99,840 ----a-w C:\WINDOWS\system32\iexpress.exe+ 2001-10-26 15:29:54 109,568 ----a-w C:\WINDOWS\system32\iexpress.exe- 2001-10-26 15:29:54 50,688 ----a-w C:\WINDOWS\system32\ipconfig.exe+ 
2001-10-26 15:29:54 60,416 ----a-w C:\WINDOWS\system32\ipconfig.exe- 2001-10-26 15:29:54 45,056 ----a-w C:\WINDOWS\system32\ipsec6.exe+ 2001-10-26 15:29:54 54,784 ----a-w C:\WINDOWS\system32\ipsec6.exe- 2001-10-26 15:29:54 59,904 ----a-w C:\WINDOWS\system32\ipv6.exe+ 2001-10-26 15:29:54 69,632 ----a-w C:\WINDOWS\system32\ipv6.exe- 2001-10-26 15:29:54 22,528 ----a-w C:\WINDOWS\system32\ipxroute.exe+ 2001-10-26 15:29:54 32,256 ----a-w C:\WINDOWS\system32\ipxroute.exe- 2001-10-26 15:29:54 9,728 ----a-w C:\WINDOWS\system32\label.exe+ 2001-10-26 15:29:54 19,456 ----a-w C:\WINDOWS\system32\label.exe- 2001-10-26 15:29:54 29,696 ----a-w C:\WINDOWS\system32\lights.exe+ 2001-10-26 15:29:54 39,424 ----a-w C:\WINDOWS\system32\lights.exe- 2001-10-26 15:29:54 26,624 ----a-w C:\WINDOWS\system32\lnkstub.exe+ 2001-10-26 15:29:54 36,352 ----a-w C:\WINDOWS\system32\lnkstub.exe- 2001-10-26 15:29:56 5,120 ----a-w C:\WINDOWS\system32\lodctr.exe+ 2001-10-26 15:29:56 14,848 ----a-w C:\WINDOWS\system32\lodctr.exe- 2001-10-26 15:29:56 24,576 ----a-w C:\WINDOWS\system32\logagent.exe+ 2001-10-26 15:29:56 34,304 ----a-w C:\WINDOWS\system32\logagent.exe- 2001-10-26 15:29:56 56,832 ----a-w C:\WINDOWS\system32\logman.exe+ 2001-10-26 15:29:56 66,560 ----a-w C:\WINDOWS\system32\logman.exe- 2001-10-26 17:29:56 15,872 ----a-w C:\WINDOWS\system32\logoff.exe+ 2001-10-26 17:29:56 25,600 ----a-w C:\WINDOWS\system32\logoff.exe- 2001-10-26 15:29:56 6,144 ----a-w C:\WINDOWS\system32\lpq.exe+ 2001-10-26 15:29:56 15,872 ----a-w C:\WINDOWS\system32\lpq.exe- 2001-10-26 15:29:56 8,192 ----a-w C:\WINDOWS\system32\lpr.exe+ 2001-10-26 15:29:56 17,920 ----a-w C:\WINDOWS\system32\lpr.exe- 2001-10-26 15:29:56 79,360 ----a-w C:\WINDOWS\system32\makecab.exe+ 2001-10-26 15:29:56 89,088 ----a-w C:\WINDOWS\system32\makecab.exe- 2001-10-26 15:29:56 52,224 ----a-w C:\WINDOWS\system32\migpwd.exe+ 2001-10-26 15:29:56 61,952 ----a-w C:\WINDOWS\system32\migpwd.exe- 2001-10-26 15:29:56 8,192 ----a-w 
C:\WINDOWS\system32\mountvol.exe+ 2001-10-26 15:29:56 17,920 ----a-w C:\WINDOWS\system32\mountvol.exe- 2001-10-26 15:29:58 22,016 ----a-w C:\WINDOWS\system32\mpnotify.exe+ 2001-10-26 15:29:58 31,744 ----a-w C:\WINDOWS\system32\mpnotify.exe- 2001-10-26 15:29:58 17,408 ----a-w C:\WINDOWS\system32\mqbkup.exe+ 2001-10-26 15:29:58 27,136 ----a-w C:\WINDOWS\system32\mqbkup.exe- 2001-10-26 15:29:58 4,608 ----a-w C:\WINDOWS\system32\mqsvc.exe+ 2001-10-26 15:29:58 14,336 ----a-w C:\WINDOWS\system32\mqsvc.exe- 2001-10-26 15:29:58 97,792 ----a-w C:\WINDOWS\system32\mqtgsvc.exe+ 2001-10-26 15:29:58 107,520 ----a-w C:\WINDOWS\system32\mqtgsvc.exe- 2001-10-26 15:29:58 13,824 ----a-w C:\WINDOWS\system32\mrinfo.exe+ 2001-10-26 15:29:58 23,552 ----a-w C:\WINDOWS\system32\mrinfo.exe- 2001-10-26 17:29:58 22,528 ----a-w C:\WINDOWS\system32\msg.exe+ 2001-10-26 17:29:58 32,256 ----a-w C:\WINDOWS\system32\msg.exe- 2001-10-26 15:29:58 6,656 ----a-w C:\WINDOWS\system32\msswchx.exe+ 2001-10-26 15:29:58 16,384 ----a-w C:\WINDOWS\system32\msswchx.exe- 2001-10-26 15:29:58 52,736 ----a-w C:\WINDOWS\system32\narrator.exe+ 2001-10-26 15:29:58 62,464 ----a-w C:\WINDOWS\system32\narrator.exe- 2001-10-26 15:29:58 21,504 ----a-w C:\WINDOWS\system32\nbtstat.exe+ 2001-10-26 15:29:58 31,232 ----a-w C:\WINDOWS\system32\nbtstat.exe- 2001-10-26 15:29:58 4,096 ----a-w C:\WINDOWS\system32\nddeapir.exe+ 2001-10-26 15:29:58 13,824 ----a-w C:\WINDOWS\system32\nddeapir.exe- 2001-10-26 15:30:34 325,632 ----a-w C:\WINDOWS\system32\netsetup.exe+ 2001-10-26 15:30:34 335,360 ----a-w C:\WINDOWS\system32\netsetup.exe- 2001-10-26 15:29:58 83,968 ----a-w C:\WINDOWS\system32\netsh.exe+ 2001-10-26 15:29:58 93,696 ----a-w C:\WINDOWS\system32\netsh.exe- 2001-10-26 15:29:58 32,256 ----a-w C:\WINDOWS\system32\netstat.exe+ 2001-10-26 15:29:58 41,984 ----a-w C:\WINDOWS\system32\netstat.exe- 2001-10-26 15:29:58 74,752 ----a-w C:\WINDOWS\system32\nslookup.exe+ 2001-10-26 15:29:58 84,480 ----a-w C:\WINDOWS\system32\nslookup.exe- 
2001-10-26 15:30:00 31,744 ----a-w C:\WINDOWS\system32\ntsd.exe+ 2001-10-26 15:30:00 41,472 ----a-w C:\WINDOWS\system32\ntsd.exe- 2001-10-26 15:30:00 128,512 ----a-w C:\WINDOWS\system32\nwscript.exe+ 2001-10-26 15:30:00 138,240 ----a-w C:\WINDOWS\system32\nwscript.exe- 2001-10-26 15:30:00 53,248 ----a-w C:\WINDOWS\system32\odbcconf.exe+ 2001-10-26 15:30:00 65,536 ----a-w C:\WINDOWS\system32\odbcconf.exe- 2001-10-26 15:30:00 64,000 ----a-w C:\WINDOWS\system32\openfiles.exe+ 2001-10-26 15:30:00 73,728 ----a-w C:\WINDOWS\system32\openfiles.exe- 2001-10-26 15:30:00 41,472 ----a-w C:\WINDOWS\system32\osuninst.exe+ 2001-10-26 15:30:00 51,200 ----a-w C:\WINDOWS\system32\osuninst.exe- 2001-10-26 15:30:00 53,248 ----a-w C:\WINDOWS\system32\packager.exe+ 2001-10-26 15:30:00 62,976 ----a-w C:\WINDOWS\system32\packager.exe- 2001-10-26 15:30:00 22,528 ----a-w C:\WINDOWS\system32\pathping.exe+ 2001-10-26 15:30:00 32,256 ----a-w C:\WINDOWS\system32\pathping.exe- 2001-10-26 15:30:00 15,360 ----a-w C:\WINDOWS\system32\pentnt.exe+ 2001-10-26 15:30:00 25,088 ----a-w C:\WINDOWS\system32\pentnt.exe- 2001-10-26 15:30:00 14,336 ----a-w C:\WINDOWS\system32\perfmon.exe+ 2001-10-26 15:30:00 24,064 ----a-w C:\WINDOWS\system32\perfmon.exe- 2001-10-26 15:30:00 15,872 ----a-w C:\WINDOWS\system32\ping.exe+ 2001-10-26 15:30:00 25,600 ----a-w C:\WINDOWS\system32\ping.exe- 2001-10-26 15:30:00 33,792 ----a-w C:\WINDOWS\system32\ping6.exe+ 2001-10-26 15:30:00 43,520 ----a-w C:\WINDOWS\system32\ping6.exe- 2001-10-26 15:30:00 9,216 ----a-w C:\WINDOWS\system32\print.exe+ 2001-10-26 15:30:00 18,944 ----a-w C:\WINDOWS\system32\print.exe- 2001-10-26 15:30:00 207,360 ----a-w C:\WINDOWS\system32\progman.exe+ 2001-10-26 15:30:00 217,088 ----a-w C:\WINDOWS\system32\progman.exe- 2001-10-26 15:30:00 45,568 ----a-w C:\WINDOWS\system32\proquota.exe+ 2001-10-26 15:30:00 55,296 ----a-w C:\WINDOWS\system32\proquota.exe- 2001-10-26 17:30:00 17,408 ----a-w C:\WINDOWS\system32\qappsrv.exe+ 2001-10-26 17:30:00 27,136 
----a-w C:\WINDOWS\system32\qappsrv.exe- 2001-10-26 17:30:00 22,528 ----a-w C:\WINDOWS\system32\qwinsta.exe+ 2001-10-26 17:30:00 32,256 ----a-w C:\WINDOWS\system32\qwinsta.exe- 2001-10-26 15:30:00 11,776 ----a-w C:\WINDOWS\system32\rasautou.exe+ 2001-10-26 15:30:00 21,504 ----a-w C:\WINDOWS\system32\rasautou.exe- 2001-10-26 15:30:00 11,776 ----a-w C:\WINDOWS\system32\rasdial.exe+ 2001-10-26 15:30:00 21,504 ----a-w C:\WINDOWS\system32\rasdial.exe- 2001-10-26 15:30:00 54,272 ----a-w C:\WINDOWS\system32\rasphone.exe+ 2001-10-26 15:30:00 64,000 ----a-w C:\WINDOWS\system32\rasphone.exe- 2001-10-26 15:30:00 20,480 ----a-w C:\WINDOWS\system32\rcp.exe+ 2001-10-26 15:30:00 30,208 ----a-w C:\WINDOWS\system32\rcp.exe- 2001-10-26 17:30:00 41,984 ----a-w C:\WINDOWS\system32\rdpclip.exe+ 2001-10-26 17:30:00 51,712 ----a-w C:\WINDOWS\system32\rdpclip.exe- 2001-10-26 17:30:00 12,288 ----a-w C:\WINDOWS\system32\rdsaddin.exe+ 2001-10-26 17:30:00 22,016 ----a-w C:\WINDOWS\system32\rdsaddin.exe- 2001-10-26 17:30:00 61,952 ----a-w C:\WINDOWS\system32\rdshost.exe+ 2001-10-26 17:30:00 71,680 ----a-w C:\WINDOWS\system32\rdshost.exe- 2001-10-26 15:30:00 7,168 ----a-w C:\WINDOWS\system32\recover.exe+ 2001-10-26 15:30:00 16,896 ----a-w C:\WINDOWS\system32\recover.exe- 2001-10-26 15:30:00 51,200 ----a-w C:\WINDOWS\system32\reg.exe+ 2001-10-26 15:30:00 60,928 ----a-w C:\WINDOWS\system32\reg.exe- 2001-10-26 15:30:00 3,584 ----a-w C:\WINDOWS\system32\regedt32.exe+ 2001-10-26 15:30:00 13,312 ----a-w C:\WINDOWS\system32\regedt32.exe- 2001-10-26 17:30:00 33,792 ----a-w C:\WINDOWS\system32\regini.exe+ 2001-10-26 17:30:00 43,520 ----a-w C:\WINDOWS\system32\regini.exe- 2001-10-26 15:30:00 4,608 ----a-w C:\WINDOWS\system32\regwiz.exe+ 2001-10-26 15:30:00 14,336 ----a-w C:\WINDOWS\system32\regwiz.exe- 2001-10-26 15:30:00 33,792 ----a-w C:\WINDOWS\system32\relog.exe+ 2001-10-26 15:30:00 43,520 ----a-w C:\WINDOWS\system32\relog.exe- 2001-10-26 15:30:00 12,800 ----a-w C:\WINDOWS\system32\replace.exe+ 
2001-10-26 15:30:00 22,528 ----a-w C:\WINDOWS\system32\replace.exe- 2001-10-26 17:30:00 9,728 ----a-w C:\WINDOWS\system32\reset.exe+ 2001-10-26 17:30:00 19,456 ----a-w C:\WINDOWS\system32\reset.exe- 2001-10-26 15:30:00 12,288 ----a-w C:\WINDOWS\system32\rexec.exe+ 2001-10-26 15:30:00 22,016 ----a-w C:\WINDOWS\system32\rexec.exe- 2001-10-26 15:03:18 25,600 ----a-w C:\WINDOWS\system32\routemon.exe+ 2001-10-26 15:03:18 35,328 ----a-w C:\WINDOWS\system32\routemon.exe- 2001-10-26 15:30:00 13,824 ----a-w C:\WINDOWS\system32\rsh.exe+ 2001-10-26 15:30:00 23,552 ----a-w C:\WINDOWS\system32\rsh.exe- 2001-10-26 15:30:02 54,272 ----a-w C:\WINDOWS\system32\rsm.exe+ 2001-10-26 15:30:02 64,000 ----a-w C:\WINDOWS\system32\rsm.exe- 2001-10-26 15:30:02 24,576 ----a-w C:\WINDOWS\system32\rsmsink.exe+ 2001-10-26 15:30:02 34,304 ----a-w C:\WINDOWS\system32\rsmsink.exe- 2001-10-26 15:30:02 49,152 ----a-w C:\WINDOWS\system32\rsmui.exe+ 2001-10-26 15:30:02 58,880 ----a-w C:\WINDOWS\system32\rsmui.exe- 2001-10-26 15:30:02 103,424 ----a-w C:\WINDOWS\system32\rsnotify.exe+ 2001-10-26 15:30:02 113,152 ----a-w C:\WINDOWS\system32\rsnotify.exe- 2001-10-26 15:30:02 62,976 ----a-w C:\WINDOWS\system32\rsopprov.exe+ 2001-10-26 15:30:02 72,704 ----a-w C:\WINDOWS\system32\rsopprov.exe- 2001-10-26 15:30:02 74,752 ----a-w C:\WINDOWS\system32\rtcshare.exe+ 2001-10-26 15:30:02 84,480 ----a-w C:\WINDOWS\system32\rtcshare.exe- 2001-10-26 15:30:02 16,896 ----a-w C:\WINDOWS\system32\runas.exe+ 2001-10-26 15:30:02 26,624 ----a-w C:\WINDOWS\system32\runas.exe- 2001-10-26 17:30:02 16,384 ----a-w C:\WINDOWS\system32\rwinsta.exe+ 2001-10-26 17:30:02 26,112 ----a-w C:\WINDOWS\system32\rwinsta.exe- 2001-10-26 15:30:02 31,232 ----a-w C:\WINDOWS\system32\sc.exe+ 2001-10-26 15:30:02 40,960 ----a-w C:\WINDOWS\system32\sc.exe- 2001-10-26 15:30:02 119,808 ----a-w C:\WINDOWS\system32\schtasks.exe+ 2001-10-26 15:30:02 129,536 ----a-w C:\WINDOWS\system32\schtasks.exe- 2001-10-26 15:30:02 38,400 ----a-w 
C:\WINDOWS\system32\sdbinst.exe+ 2001-10-26 15:30:02 48,128 ----a-w C:\WINDOWS\system32\sdbinst.exe- 2001-10-26 15:30:02 17,408 ----a-w C:\WINDOWS\system32\secedit.exe+ 2001-10-26 15:30:02 27,136 ----a-w C:\WINDOWS\system32\secedit.exe- 2001-10-26 15:30:02 30,208 ----a-w C:\WINDOWS\system32\sethc.exe+ 2001-10-26 15:30:02 39,936 ----a-w C:\WINDOWS\system32\sethc.exe- 2001-08-18 04:36:54 20,992 ----a-w C:\WINDOWS\system32\setup.exe+ 2001-08-18 04:36:54 30,720 ----a-w C:\WINDOWS\system32\setup.exe- 2001-10-26 15:30:02 9,728 ----a-w C:\WINDOWS\system32\sfc.exe+ 2001-10-26 15:30:02 19,456 ----a-w C:\WINDOWS\system32\sfc.exe- 2001-10-26 17:30:02 15,360 ----a-w C:\WINDOWS\system32\shadow.exe+ 2001-10-26 17:30:02 25,088 ----a-w C:\WINDOWS\system32\shadow.exe- 2001-10-26 15:30:02 21,504 ----a-w C:\WINDOWS\system32\shmgrate.exe+ 2001-10-26 15:30:02 31,232 ----a-w C:\WINDOWS\system32\shmgrate.exe- 2001-10-26 15:30:02 70,144 ----a-w C:\WINDOWS\system32\shrpubw.exe+ 2001-10-26 15:30:02 79,872 ----a-w C:\WINDOWS\system32\shrpubw.exe- 2001-10-26 15:30:02 66,560 ----a-w C:\WINDOWS\system32\sigverif.exe+ 2001-10-26 15:30:02 76,288 ----a-w C:\WINDOWS\system32\sigverif.exe- 2001-10-26 15:30:02 24,064 ----a-w C:\WINDOWS\system32\skeys.exe+ 2001-10-26 15:30:02 33,792 ----a-w C:\WINDOWS\system32\skeys.exe- 2001-10-26 15:30:02 20,992 ----a-w C:\WINDOWS\system32\stimon.exe+ 2001-10-26 15:30:02 30,720 ----a-w C:\WINDOWS\system32\stimon.exe- 2004-07-27 14:18:00 36,864 ----a-w C:\WINDOWS\system32\stmclean.exe+ 2004-07-27 14:18:00 49,152 ----a-w C:\WINDOWS\system32\stmclean.exe- 2001-10-26 15:30:02 9,216 ----a-w C:\WINDOWS\system32\subst.exe+ 2001-10-26 15:30:02 18,944 ----a-w C:\WINDOWS\system32\subst.exe- 2001-10-26 15:30:02 51,200 ----a-w C:\WINDOWS\system32\syncapp.exe+ 2001-10-26 15:30:02 60,928 ----a-w C:\WINDOWS\system32\syncapp.exe- 2001-10-26 15:30:02 37,376 ----a-w C:\WINDOWS\system32\syskey.exe+ 2001-10-26 15:30:02 47,104 ----a-w C:\WINDOWS\system32\syskey.exe- 2001-10-26 15:30:02 
104,448 ----a-w C:\WINDOWS\system32\sysocmgr.exe+ 2001-10-26 15:30:02 114,176 ----a-w C:\WINDOWS\system32\sysocmgr.exe- 2001-10-26 15:30:02 70,144 ----a-w C:\WINDOWS\system32\systeminfo.exe+ 2001-10-26 15:30:02 79,872 ----a-w C:\WINDOWS\system32\systeminfo.exe- 2001-10-26 15:30:02 3,072 ----a-w C:\WINDOWS\system32\systray.exe+ 2001-10-26 15:30:02 12,800 ----a-w C:\WINDOWS\system32\systray.exe- 2001-10-26 15:30:02 74,752 ----a-w C:\WINDOWS\system32\taskkill.exe+ 2001-10-26 15:30:02 84,480 ----a-w C:\WINDOWS\system32\taskkill.exe- 2001-10-26 15:30:02 73,728 ----a-w C:\WINDOWS\system32\tasklist.exe+ 2001-10-26 15:30:02 83,456 ----a-w C:\WINDOWS\system32\tasklist.exe- 2001-10-26 15:30:02 15,360 ----a-w C:\WINDOWS\system32\taskman.exe+ 2001-10-26 15:30:02 25,088 ----a-w C:\WINDOWS\system32\taskman.exe- 2001-10-26 15:30:02 19,456 ----a-w C:\WINDOWS\system32\tcpsvcs.exe+ 2001-10-26 15:30:02 29,184 ----a-w C:\WINDOWS\system32\tcpsvcs.exe- 2001-10-26 15:30:02 72,192 ----a-w C:\WINDOWS\system32\telnet.exe+ 2001-10-26 15:30:02 81,920 ----a-w C:\WINDOWS\system32\telnet.exe- 2001-10-26 15:30:02 54,272 ----a-w C:\WINDOWS\system32\tlntadmn.exe+ 2001-10-26 15:30:02 64,000 ----a-w C:\WINDOWS\system32\tlntadmn.exe- 2001-10-26 15:30:02 72,192 ----a-w C:\WINDOWS\system32\tlntsess.exe+ 2001-10-26 15:30:02 81,920 ----a-w C:\WINDOWS\system32\tlntsess.exe- 2001-10-26 15:30:04 232,448 ----a-w C:\WINDOWS\system32\tracerpt.exe+ 2001-10-26 15:30:04 242,176 ----a-w C:\WINDOWS\system32\tracerpt.exe- 2001-10-26 15:30:04 10,240 ----a-w C:\WINDOWS\system32\tracert.exe+ 2001-10-26 15:30:04 19,968 ----a-w C:\WINDOWS\system32\tracert.exe- 2001-10-26 15:30:04 32,256 ----a-w C:\WINDOWS\system32\tracert6.exe+ 2001-10-26 15:30:04 41,984 ----a-w C:\WINDOWS\system32\tracert6.exe- 2001-10-26 17:30:04 15,360 ----a-w C:\WINDOWS\system32\tscon.exe+ 2001-10-26 17:30:04 25,088 ----a-w C:\WINDOWS\system32\tscon.exe- 2001-10-26 15:30:04 36,864 ----a-w C:\WINDOWS\system32\typeperf.exe+ 2001-10-26 15:30:04 46,592 
----a-w C:\WINDOWS\system32\typeperf.exe- 2001-10-26 15:30:04 4,096 ----a-w C:\WINDOWS\system32\unlodctr.exe+ 2001-10-26 15:30:04 13,824 ----a-w C:\WINDOWS\system32\unlodctr.exe- 2001-10-26 15:30:04 14,848 ----a-w C:\WINDOWS\system32\upnpcont.exe+ 2001-10-26 15:30:04 24,576 ----a-w C:\WINDOWS\system32\upnpcont.exe- 2001-10-26 16:03:24 77,891 ----a-w C:\WINDOWS\system32\usrmlnka.exe+ 2001-10-26 16:03:24 90,179 ----a-w C:\WINDOWS\system32\usrmlnka.exe- 2001-10-26 16:03:24 61,508 ----a-w C:\WINDOWS\system32\usrprbda.exe+ 2001-10-26 16:03:24 73,796 ----a-w C:\WINDOWS\system32\usrprbda.exe- 2001-10-26 16:03:24 69,700 ----a-w C:\WINDOWS\system32\usrshuta.exe+ 2001-10-26 16:03:24 81,988 ----a-w C:\WINDOWS\system32\usrshuta.exe- 2001-10-26 15:30:04 102,400 ----a-w C:\WINDOWS\system32\verifier.exe+ 2001-10-26 15:30:04 112,128 ----a-w C:\WINDOWS\system32\verifier.exe- 2001-10-26 15:30:04 33,792 ----a-w C:\WINDOWS\system32\vssadmin.exe+ 2001-10-26 15:30:04 43,520 ----a-w C:\WINDOWS\system32\vssadmin.exe- 2001-10-26 15:30:06 51,200 ----a-w C:\WINDOWS\system32\w32tm.exe+ 2001-10-26 15:30:06 60,928 ----a-w C:\WINDOWS\system32\w32tm.exe- 2001-10-26 15:30:06 61,440 ----a-w C:\WINDOWS\system32\wextract.exe+ 2001-10-26 15:30:06 71,168 ----a-w C:\WINDOWS\system32\wextract.exe- 2001-10-26 15:30:06 11,776 ----a-w C:\WINDOWS\system32\winmsd.exe+ 2001-10-26 15:30:06 21,504 ----a-w C:\WINDOWS\system32\winmsd.exe- 2001-10-26 15:30:06 4,096 ----a-w C:\WINDOWS\system32\winver.exe+ 2001-10-26 15:30:06 13,824 ----a-w C:\WINDOWS\system32\winver.exe- 2001-10-26 15:30:06 77,824 ----a-w C:\WINDOWS\system32\wmpstub.exe+ 2001-10-26 15:30:06 90,112 ----a-w C:\WINDOWS\system32\wmpstub.exe- 2001-10-26 15:30:06 31,232 ----a-w C:\WINDOWS\system32\wpabaln.exe+ 2001-10-26 15:30:06 40,960 ----a-w C:\WINDOWS\system32\wpabaln.exe- 2001-10-26 17:30:06 5,632 ----a-w C:\WINDOWS\system32\write.exe+ 2001-10-26 17:30:06 15,360 ----a-w C:\WINDOWS\system32\write.exe- 2001-10-26 15:30:06 28,160 ----a-w 
C:\WINDOWS\system32\xcopy.exe+ 2001-10-26 15:30:06 37,888 ----a-w C:\WINDOWS\system32\xcopy.exe.-- Snapshot reset to current date --.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Microsoft Anivirus Monitor Process"="antiv.exe" [2008-08-04 12:47 112128 C:\WINDOWS\system32\antiv.exe][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]"Microsoft Anivirus Monitor Process"="antiv.exe" [2008-08-04 12:47 112128 C:\WINDOWS\system32\antiv.exe][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"Windows has Layer"="fixweb.exe" [bU][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]"Windows has Layer"="fixweb.exe" [bU][HKEY_LOCAL_MACHINE\software\microsoft\security center]"UpdatesDisableNotify"=dword:00000001"AntiVirusDisableNotify"=dword:00000001"AntiVirusOverride"=dword:00000001"FirewallOverride"=dword:00000001.- - - - ORPHANS REMOVED - - - -HKLM-Run-Microsft Security Monitor Process - mssmpp.exeHKLM-RunServices-Microsft Security Monitor Process - mssmpp.exe.------- Supplementary Scan -------.FireFox -: Profile - C:\Documents and Settings\a\Dane aplikacji\Mozilla\Firefox\Profiles\fpcso0s9.default\**************************************************************************catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-08-04 12:50:15Windows 5.1.2600 FAT NTAPIdetected NTDLL code modification:ZwOpenFilescanning hidden processes ... scanning hidden autostart entries ...scanning hidden files ... 
scan completed successfullyhidden files: 0**************************************************************************.Completion time: 2008-08-04 12:50:46ComboFix-quarantined-files.txt 2008-08-04 10:50:44ComboFix4.txt 2008-08-04 08:50:52ComboFix3.txt 2008-08-04 09:14:26ComboFix2.txt 2008-08-04 10:05:24Pre-Run: 6,773,325,824 bajtów wolnychPost-Run: 6,757,752,832 bajtów wolnych467
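An added example, not part of the thread: a Python parser for the ComboFix snapshot section above that pairs each "-" (before) entry with its "+" (after) entry and groups the grown files by the exact number of bytes added. The ten sample lines are copied from the log above; in the full snapshot nearly every system32 executable grows by the same few byte counts (9,728 or 12,288) while its timestamp is preserved, a pattern consistent with a file infector rather than a single dropped file, and one that the Run-key cleanup in the thread would not address.

```python
import re
from collections import defaultdict

# One "- old" / "+ new" line of a ComboFix snapshot section, e.g.
#   + 2001-10-26 15:29:46 13,824 ----a-w C:\WINDOWS\system32\actmovie.exe
ENTRY_RE = re.compile(
    r"^([+-]) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([\d,]+) (\S+) (.+?)\s*$"
)

# Constructed sample: ten lines copied from the snapshot section above
# (four executables plus one index.dat whose timestamp moved but whose size did not).
SNAPSHOT = r"""
- 2001-10-26 15:29:46 4,096 ----a-w C:\WINDOWS\system32\actmovie.exe
+ 2001-10-26 15:29:46 13,824 ----a-w C:\WINDOWS\system32\actmovie.exe
- 2001-10-26 15:29:46 84,992 ----a-w C:\WINDOWS\system32\ahui.exe
+ 2001-10-26 15:29:46 94,720 ----a-w C:\WINDOWS\system32\ahui.exe
- 2001-10-26 15:29:46 19,968 ----a-w C:\WINDOWS\system32\arp.exe
+ 2001-10-26 15:29:46 29,696 ----a-w C:\WINDOWS\system32\arp.exe
- 2001-10-26 15:29:52 786,432 ----a-w C:\WINDOWS\system32\dxdiag.exe
+ 2001-10-26 15:29:52 798,720 ----a-w C:\WINDOWS\system32\dxdiag.exe
- 2008-08-04 09:13:30 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-04 10:47:58 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
"""


def parse_snapshot(text):
    """Parse the snapshot lines into (sign, mtime, size_bytes, attrs, path) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sign, mtime, size, attrs, path = m.groups()
            entries.append((sign, mtime, int(size.replace(",", "")), attrs, path))
    return entries


def pair_changes(entries):
    """Match each '-' (before) entry with its '+' (after) entry by path."""
    before, after = {}, {}
    for sign, mtime, size, _attrs, path in entries:
        (before if sign == "-" else after)[path.lower()] = (mtime, size, path)
    changes = {}
    for key, (old_mtime, old_size, path) in before.items():
        if key in after:
            new_mtime, new_size, _ = after[key]
            changes[path] = {
                "old_size": old_size,
                "new_size": new_size,
                "delta": new_size - old_size,
                "mtime_changed": old_mtime != new_mtime,
            }
    return changes


def shared_deltas(changes, min_files=3):
    """Group grown files by the exact number of bytes added. The same delta on many
    unrelated binaries is what a file infector leaves behind; a single dropped file
    or a normal update does not produce it."""
    groups = defaultdict(list)
    for path, change in changes.items():
        if change["delta"] > 0:
            groups[change["delta"]].append(path)
    hits = [(delta, sorted(paths)) for delta, paths in groups.items() if len(paths) >= min_files]
    return sorted(hits, key=lambda hit: -len(hit[1]))


def report(text, min_files=3):
    """Human-readable lines for every shared delta found in a snapshot section."""
    changes = pair_changes(parse_snapshot(text))
    lines = []
    for delta, paths in shared_deltas(changes, min_files):
        lines.append(f"{len(paths)} files grew by exactly {delta:,} bytes:")
        for path in paths:
            c = changes[path]
            note = "" if c["mtime_changed"] else "  (mtime unchanged: timestamp preserved)"
            lines.append(f"  {path}  {c['old_size']:,} -> {c['new_size']:,}{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SNAPSHOT)))
```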
Mateusz J., comment, 4 August 2008:

Why did you open yet another topic: http://www.forumpc.pl/index.php?showtopic=59503 It is not needed. antiv.exe is a virus; I keep trying to get rid of it, but all the viruses come back. I don't know what the "source" of these viruses is. When you did the format, was there a problem with viruses right away, or only after installing some software, e.g. FreeDom?

Paste into Notepad:

File::
C:\WINDOWS\17PHolmes1001186.exe
C:\WINDOWS\system32\antiv.exe
C:\WINDOWS\system32\TFTP2696
C:\WINDOWS\system32\TFTP2764
C:\WINDOWS\system32\TFTP2420
C:\WINDOWS\system32\TFTP916
C:\WINDOWS\system32\TFTP3940
C:\WINDOWS\system32\TFTP3140
C:\WINDOWS\system32\fixweb.exe

Folder::
C:\FOUND.003

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Anivirus Monitor Process"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Anivirus Monitor Process"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows has Layer"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows has Layer"=-

In Notepad, File tab ==> Save As ==> save it under the name CFScript.txt, in the same directory where ComboFix was downloaded and saved. Boot into Safe Mode. Drag the CFScript.txt file you made onto the ComboFix icon, as in the picture: The removal will start and a log will be produced, which you post on the forum. After the restart, manually delete the folder C:\Qoobox.

O4 - HKLM\..\Run: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunServices: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows has Layer] fixweb.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [Windows has Layer] fixweb.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Windows has Layer] fixweb.exe (User 'Default user')

Fix in HijackThis. Scan the computer with SpyBot. What exact error appears? I mean the ftp.exe one.
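An added example that is not part of the thread: a small HijackThis O4 triage in Python that expands the abbreviated HKLM/HKCU/HKUS prefixes to the real registry keys, applies the kind of heuristics the fix list above relies on (a RunServices key on XP, a misspelled vendor label, a vendor-style label that points at a bare filename), and emits the Registry:: section of a CFScript in the "=-" delete form used in the post above. The sample lines are copied from the two HijackThis logs in this thread; the heuristics and severity labels are my own.

```python
import re
from collections import defaultdict

# HijackThis O4 line, e.g.  O4 - HKLM\..\RunServices: [Label] target.exe (User 'SYSTEM')
O4_RE = re.compile(
    r"^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(Run\w*): \[(.*?)\] (.*?)(?: \(User '.*?'\))?$"
)

# Constructed sample: O4 lines copied from the two HijackThis logs in this thread
# (four from the infected log, three from the clean post-reinstall log).
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunServices: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [Windows has Layer] fixweb.exe (User 'Default user')
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
""".strip().splitlines()


def parse_o4(line):
    """Split one O4 line into hive, key, label and command; None if not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, label, command = m.groups()
    return {"hive": hive, "key": key, "label": label, "command": command}


def full_key(entry):
    """Expand the abbreviated HKLM/HKCU/HKUS prefix to the real registry key path."""
    hive = entry["hive"]
    if hive == "HKLM":
        base = r"HKEY_LOCAL_MACHINE\SOFTWARE"
    elif hive == "HKCU":
        base = r"HKEY_CURRENT_USER\Software"
    else:  # HKUS\<SID> or HKUS\.DEFAULT
        base = r"HKEY_USERS" + "\\" + hive.split("\\", 1)[1] + r"\Software"
    return base + r"\Microsoft\Windows\CurrentVersion" + "\\" + entry["key"]


def target_path(command):
    """First token of the command line: a quoted path or a bare program name."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]


def _one_deletion_from(word, vendor):
    """True if `word` is `vendor` with exactly one letter dropped (e.g. Microsft)."""
    return len(word) == len(vendor) - 1 and any(
        vendor[:i] + vendor[i + 1:] == word for i in range(len(vendor)))


def triage(entry):
    """Heuristic flags for one O4 entry, as (severity, reason) pairs."""
    flags = []
    target = target_path(entry["command"])
    bare = "\\" not in target  # no directory: resolved through the search path
    words = re.findall(r"[a-z]+", entry["label"].lower())
    if entry["key"].startswith("RunServices"):
        flags.append(("high", "RunServices is a Windows 9x key; XP software does not use it"))
    if any(_one_deletion_from(w, v) for w in words for v in ("microsoft", "antivirus")):
        flags.append(("high", "label misspells a vendor or product name"))
    if bare and any(v in words for v in ("microsoft", "windows")):
        flags.append(("high", "vendor-style label but the target is a bare filename"))
    if bare:
        flags.append(("low", "bare filename, resolved through the search path"))
    return flags


def cfscript_registry(lines):
    """Registry:: section of a ComboFix CFScript that deletes every value carrying
    a high-severity flag; the "=-" form, as in the post above, removes the value."""
    by_key = defaultdict(list)
    for line in lines:
        entry = parse_o4(line)
        if entry and any(sev == "high" for sev, _ in triage(entry)):
            key = full_key(entry)
            if entry["label"] not in by_key[key]:
                by_key[key].append(entry["label"])
    out = ["Registry::"]
    for key in sorted(by_key):
        out.append("[" + key + "]")
        out.extend('"' + label + '"=-' for label in by_key[key])
    return out


if __name__ == "__main__":
    for line in SAMPLE_O4:
        entry = parse_o4(line)
        print(entry["label"], "->", triage(entry) or "no flags")
    print("\n".join(cfscript_registry(SAMPLE_O4)))
```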
Gawcio (Author), comment, 4 August 2008:

After the Avast scan and removing the viruses I can't launch Notepad, and Paint is gone too. I'm afraid to restart the computer because I think it might not come back up. I'm now almost absolutely certain it comes from Orange: before installing Orange the computer runs normally without any errors, and after installing it the ftp.exe errors etc. start to appear.
Mateusz J., comment, 4 August 2008:

I dealt with this once, but I didn't struggle with it this much, phew... Work only in Safe Mode. Close the ports with the WWDC program. Run a SpyBot scan. Try to install a firewall and an antivirus. Then paste new logs from HJT and CS. If a format turns out to be necessary: disconnect the internet, do the format, after installing the system install an antivirus + firewall, connect the internet and install the drivers, programs etc. that you need. Don't install Avast, it's a sieve.
Gawcio (Author), comment, 4 August 2008:

Did a format. Installed before Orange: Avira AntiVir Premium, I have an original with a license. Kerio Firewall 4.40 for 30 days. Could Kerio be disconnecting Orange on me?

EDIT: New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:58:54, on 2008-08-04
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\AntiVir PersonalEdition Premium\avgnt.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Freedom\Freedom.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\AntiVir PersonalEdition Premium\avscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF22AC5B-E6FD-4B4B-8233-ECF2A600DF02}: NameServer = 217.116.100.65 217.116.100.66
O23 - Service: AntiVir PersonalEdition Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: AntiVir PersonalEdition Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: AntiVir PersonalEdition Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

--
End of file - 3252 bytes
Mateusz J., comment, 4 August 2008:

Log is clean. Also install SP2 or SP3.
nidhogg, comment, 4 August 2008:

Is that for Gawcio or for me? :unsure: