Arcy, posted 17 February 2009:
I have 2 computers and on both I have the same problem, and I can see I'm not the first; please help. I'm posting ComboFix and HijackThis logs from the 2 computers.

== COMPUTER 1 ==

ComboFix log:
ComboFix 09-02-15.01 - ARCY 2009-02-17 18:39:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.767.415 [GMT 1:00]
Uruchomiony z: D:\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:37, on 2009-02-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

== COMPUTER 2 ==

ComboFix log:
ComboFix 09-02-15.01 - Karolina 2009-02-17 19:03:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.3063.2565 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Karolina\Pulpit\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *enabled*

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:00:02, on 2009-02-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Mateusz J., comment 19 February 2009:

Computer 1
Delete the folder c:\Qoobox. Paste the following into Notepad:

Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

File ==> Save as ==> change the file type to All files ==> save it under the name FIX.REG. Run the created FIX.REG file, confirm adding it to the Registry, and restart the computer.

Computer 2
The log looks clean; ComboFix removed the infection itself. Delete the folder c:\QooBox.