fix01, posted 1 March 2009

Hello everyone. As I'm a newcomer, please go easy on me. I took the liberty of reading through the threads about winfile, but since I'm green (though I learn fast) I don't get some of the phrases (I don't know what they mean or how to do them). Despite my searching and efforts I haven't managed to get rid of winfile so far. I'm attaching the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09, on 2009-03-01
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\WEB\KI.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Nowe Gadu-Gadu\gg.exe
C:\Program Files\Nowe Gadu-Gadu\spellchecker_gg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [spik] C:\Program Files\Spik\Spik.exe -autostart
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RavTimeXP] C:\WINDOWS\WEB\KI.exe
O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKCU\..\Run: [Nowe Gadu-Gadu] "C:\Program Files\Nowe Gadu-Gadu\gg.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\Program Files\Spik\url_wpmsg.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7706 bytes

I'd be grateful for any help.
fix01 (author), comment, 2 March 2009

Here is the log from ComboFix:

ComboFix 09-03-01.01 - user 2009-03-02 9:09:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.511.132 [GMT 1:00]
Uruchomiony z: c:\documents and settings\user\Pulpit\ComboFix.exe
* Utworzono nowy punkt przywracania
.
((((((((((((((((((((((((( Pliki utworzone od 2009-02-02 do 2009-03-02 )))))))))))))))))))))))))))))))
.
2009-02-28 22:40 . 2009-02-28 22:40 <DIR> d-------- c:\program files\Trend Micro
2009-02-28 22:01 . 2009-02-28 22:01 697 ---hs---- C:\comment.htt
2009-02-28 21:01 . 2009-02-28 21:15 <DIR> d-------- c:\program files\SkanerOnline
2009-02-28 10:18 . 2009-02-28 10:18 <DIR> d-------- c:\program files\Common Files\SWF Studio
2009-02-26 17:19 . 2009-02-26 17:19 <DIR> d-------- c:\documents and settings\Gość\Dane aplikacji\GanymedeNet
2009-02-25 18:42 . 2009-02-25 18:46 <DIR> d-------- c:\program files\Unlocker
2009-02-25 18:42 . 2009-02-25 18:42 <DIR> d-------- c:\documents and settings\user\Dane aplikacji\Desktopicon
2009-02-21 10:53 . 2009-02-21 10:53 <DIR> d-------- c:\documents and settings\user\.gstreamer-0.10
2009-02-20 15:38 . 2009-02-20 16:55 <DIR> d-------- c:\documents and settings\Gość\Dane aplikacji\Nowe Gadu-Gadu
2009-02-17 14:30 . 2009-02-18 09:26 <DIR> d-------- c:\documents and settings\user\Dane aplikacji\Nowe Gadu-Gadu
2009-02-17 14:29 . 2009-02-17 14:30 <DIR> d-------- c:\program files\Nowe Gadu-Gadu
2009-02-14 08:45 . 2009-02-14 08:45 72 ---hs---- C:\desktop.ini
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2026-10-18 13:05 65,024 ----a-w C:\WINFILE.EXE
2026-10-18 13:05 65,024 ----a-w c:\windows\Web\KI.exe
2009-03-02 08:11 --------- d-----w c:\documents and settings\user\Dane aplikacji\Skype
2009-03-02 08:01 --------- d-----w c:\documents and settings\user\Dane aplikacji\skypePM
2009-03-02 08:00 --------- d-----w c:\documents and settings\user\Dane aplikacji\OpenOffice.org2
2009-02-28 23:52 --------- d---a-w c:\documents and settings\All Users\Dane aplikacji\TEMP
2009-02-28 19:43 --------- d-----w c:\documents and settings\Gość\Dane aplikacji\OpenOffice.org2
2009-02-27 18:29 --------- d-----w c:\documents and settings\user\Dane aplikacji\GanymedeNet
2009-02-27 09:11 --------- d-----w c:\documents and settings\user\Dane aplikacji\Image Zone Express
2009-02-23 16:53 --------- d-----w c:\program files\FinePixViewer
2009-02-12 15:27 --------- d-----w c:\program files\Ganymede
2009-01-31 15:44 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-31 15:44 --------- d-----w c:\program files\Java
2009-01-31 09:37 --------- d-----w c:\program files\JetAudio
2009-01-21 16:11 473,600 ----a-w c:\windows\system32\SkanerOnline.dll
2008-12-20 23:03 826,368 ----a-w c:\windows\system32\wininet.dll
2007-12-22 20:53 32 ----a-w c:\documents and settings\All Users\Dane aplikacji\ezsid.dat
2008-08-05 06:55 32,768 -csha-w c:\windows\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012008080520080806\index.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-12-12 21686568]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-05 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Nowe Gadu-Gadu"="c:\program files\Nowe Gadu-Gadu\gg.exe" [2009-02-16 9302632]
"EXPLORER.EXE"="EXPLORER.EXE" [2008-04-14 c:\windows\explorer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-31 136600]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"Spik"="c:\program files\Spik\Spik.exe" [2008-02-20 103912]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"nwiz"="nwiz.exe" [2007-09-17 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Go†\Menu Start\Programy\Autostart\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 393216]

c:\documents and settings\user\Menu Start\Programy\Autostart\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 393216]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-11-19 344064]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-11-20 303104]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Spik\\Spik.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\kopia\\Wiolka\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23ca9a51-a40e-11dc-aa55-00161713e7b8}]
\Shell\AutoRun\command - F:\EXPLORER.EXE
\Shell\explore\Command - F:\EXPLORER.EXE
\Shell\open\Command - F:\EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38c127f0-7463-11dd-acba-00161713e7b8}]
\Shell\AutoRun\command - F:\EXPLORER.EXE
\Shell\explore\Command - F:\EXPLORER.EXE
\Shell\open\Command - F:\EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdc55a4e-f50f-11dd-ae96-00161713e7b8}]
\Shell\AutoRun\command - F:\EXPLORER.EXE
\Shell\explore\Command - F:\EXPLORER.EXE
\Shell\open\Command - F:\EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7268e07-677c-11dd-aca1-00161713e7b8}]
\Shell\AutoRun\command - F:\EXPLORER.EXE
\Shell\explore\Command - F:\EXPLORER.EXE
\Shell\open\Command - F:\EXPLORER.EXE
.
- - - - USUNIĘTO PUSTE WPISY - - - -
HKCU-Run-Gadu-Gadu - c:\program files\Gadu-Gadu\gg.exe
HKCU-Run-wsctf.exe - wsctf.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\Winampa.exe
HKLM-Run-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://search.bearshare.com/pl/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Handler: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - c:\program files\Spik\url_wpmsg.dll
DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
FF - ProfilePath - c:\documents and settings\user\Dane aplikacji\Mozilla\Firefox\Profiles\yhns4wi6.default\
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://pl.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:pl:official
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?mkt=pl-pl&FORM=MICPPL&q=
FF - plugin: c:\documents and settings\All Users\Dane aplikacji\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPBOARDS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPDARTS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPDEMON.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMARBLES.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPPOKER.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSLOTS70.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwpk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\Spik\mozilla\npwpk.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-02 09:11:14
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
Czas ukończenia: 2009-03-02 9:14:12
ComboFix-quarantined-files.txt 2009-03-02 08:13:21
Przed: 12,140,322,816 bajtów wolnych
Po: 12,285,640,704 bajtów wolnych
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
164 --- E O F --- 2009-02-25 15:42:44

Many thanks for the help.
Mateusz J., comment, 2 March 2009

Paste this into Notepad:

File::
C:\WINFILE.EXE
c:\windows\Web\KI.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EXPLORER.EXE"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RavTimeXP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

In Notepad, go to the File menu ==> Save As ==> save it under the name CFScript.txt in the same directory where ComboFix was downloaded and saved. Drag the CFScript.txt file you created onto the ComboFix icon, as in the picture: Removal will begin and a log will be produced, which you post on the forum.
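To show how the indicators Mateusz J. picked out of the logs above (a Run entry launched from \WINDOWS\WEB\, path-less Run commands, the Security Center notifications switched off, MountPoints2 autorun handlers pointing at F:\EXPLORER.EXE, and files stamped in 2026) can be spotted mechanically, here is an added triage script; it is an editor's example, not part of the thread nor of HijackThis or ComboFix. The sample lines, the BARE_OK allowlist and SCAN_DATE are assumptions modelled on the logs in this thread.

```python
import re
from datetime import date

# Constructed sample lines, modelled on the HijackThis and ComboFix output
# posted in this thread (a handful of entries, not the full logs).
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [RavTimeXP] C:\WINDOWS\WEB\KI.exe",
    r"O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe",
    r"O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE",
    r'"AntiVirusDisableNotify"=dword:00000001',
    r'"UpdatesDisableNotify"=dword:00000001',
    r"\Shell\AutoRun\command - F:\EXPLORER.EXE",
    r"2026-10-18 13:05 65,024 ----a-w C:\WINFILE.EXE",
    r"2009-01-31 15:44 410,984 ----a-w c:\windows\system32\deploytk.dll",
]

# Date of the ComboFix run in this thread (assumed); a file claiming to be
# modified after the scan ran carries a forged timestamp.
SCAN_DATE = date(2009, 3, 2)

# Path-less Run commands known to be legitimate on this machine (assumed
# allowlist); any other bare command deserves a closer look.
BARE_OK = {"soundman.exe", "nwiz.exe"}

RUN_RE = re.compile(r"^O4 - (HK\S+?)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
# Autostart from a %windir% subfolder other than system32/system (e.g. \WEB\).
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\(?!system32\\|system\\)[^\\]+\\")
SECCENTER_RE = re.compile(
    r'^"(AntiVirusDisableNotify|UpdatesDisableNotify|FirewallDisableNotify)"'
    r"=dword:0*1$"
)
MOUNT_RE = re.compile(
    r"^\\Shell\\(?:AutoRun\\command|open\\Command|explore\\Command) - ([A-Za-z]):\\.+$"
)
FIND3M_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) \d{2}:\d{2} +[\d,]+ +\S+ +(.+)$")


def exe_token(command):
    """Return the executable part of a Run command, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]


def triage_line(line, scan_date=SCAN_DATE):
    """Classify one log line; returns a finding label or None."""
    m = RUN_RE.match(line)
    if m:
        exe = exe_token(m.group(3))
        if "\\" not in exe:
            # Bare name: the loader's search order decides which file runs.
            return None if exe.lower() in BARE_OK else "run-bare-command"
        return "run-odd-windows-subdir" if WINDIR_RE.match(exe.lower()) else None
    if SECCENTER_RE.match(line):
        # Security Center told not to warn about missing AV/updates/firewall.
        return "security-center-notify-off"
    m = MOUNT_RE.match(line)
    if m and m.group(1).upper() != "C":
        # MountPoints2 autorun handler launching a binary from another drive.
        return "autorun-removable-drive"
    m = FIND3M_RE.match(line)
    if m:
        y, mo, d = (int(x) for x in m.group(1, 2, 3))
        if date(y, mo, d) > scan_date:
            return "future-timestamp"
    return None


def triage(lines, scan_date=SCAN_DATE):
    """Return (label, line) pairs for every line that trips a rule."""
    findings = []
    for line in lines:
        label = triage_line(line, scan_date)
        if label:
            findings.append((label, line))
    return findings


if __name__ == "__main__":
    for label, line in triage(SAMPLE_LINES):
        print(f"{label:28} {line}")
```

Run over the sample, it flags exactly the seven lines that the CFScript above removes or that the log shows were tampered with, and leaves the legitimate ctfmon, SoundMan and deploytk entries alone.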
fix01 (author), comment, 2 March 2009

This is the result that came out:

ComboFix 09-03-01.01 - user 2009-03-02 15:50:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.511.173 [GMT 1:00]
Uruchomiony z: c:\documents and settings\user\Pulpit\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\user\Pulpit\CFScript.txt.txt
* Utworzono nowy punkt przywracania

FILE ::
c:\windows\Web\KI.exe
C:\WINFILE.EXE
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Web\KI.exe
C:\WINFILE.EXE
.
((((((((((((((((((((((((( Pliki utworzone od 2009-02-02 do 2009-03-02 )))))))))))))))))))))))))))))))
.
2009-02-28 22:40 . 2009-02-28 22:40 <DIR> d-------- c:\program files\Trend Micro
2009-02-28 22:01 . 2009-02-28 22:01 697 ---hs---- C:\comment.htt
2009-02-28 21:01 . 2009-02-28 21:15 <DIR> d-------- c:\program files\SkanerOnline
2009-02-28 10:18 . 2009-02-28 10:18 <DIR> d-------- c:\program files\Common Files\SWF Studio
2009-02-26 17:19 . 2009-02-26 17:19 <DIR> d-------- c:\documents and settings\Gość\Dane aplikacji\GanymedeNet
2009-02-25 18:42 . 2009-02-25 18:46 <DIR> d-------- c:\program files\Unlocker
2009-02-25 18:42 . 2009-02-25 18:42 <DIR> d-------- c:\documents and settings\user\Dane aplikacji\Desktopicon
2009-02-21 10:53 . 2009-02-21 10:53 <DIR> d-------- c:\documents and settings\user\.gstreamer-0.10
2009-02-20 15:38 . 2009-02-20 16:55 <DIR> d-------- c:\documents and settings\Gość\Dane aplikacji\Nowe Gadu-Gadu
2009-02-17 14:30 . 2009-02-18 09:26 <DIR> d-------- c:\documents and settings\user\Dane aplikacji\Nowe Gadu-Gadu
2009-02-17 14:29 . 2009-02-17 14:30 <DIR> d-------- c:\program files\Nowe Gadu-Gadu
2009-02-14 08:45 . 2009-02-14 08:45 72 ---hs---- C:\desktop.ini
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 14:39 --------- d-----w c:\documents and settings\user\Dane aplikacji\Skype
2009-03-02 12:38 --------- d-----w c:\documents and settings\user\Dane aplikacji\OpenOffice.org2
2009-03-02 11:43 --------- d-----w c:\documents and settings\user\Dane aplikacji\skypePM
2009-02-28 23:52 --------- d---a-w c:\documents and settings\All Users\Dane aplikacji\TEMP
2009-02-28 19:43 --------- d-----w c:\documents and settings\Gość\Dane aplikacji\OpenOffice.org2
2009-02-27 18:29 --------- d-----w c:\documents and settings\user\Dane aplikacji\GanymedeNet
2009-02-27 09:11 --------- d-----w c:\documents and settings\user\Dane aplikacji\Image Zone Express
2009-02-23 16:53 --------- d-----w c:\program files\FinePixViewer
2009-02-12 15:27 --------- d-----w c:\program files\Ganymede
2009-01-31 15:44 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-31 15:44 --------- d-----w c:\program files\Java
2009-01-31 09:37 --------- d-----w c:\program files\JetAudio
2009-01-21 16:11 473,600 ----a-w c:\windows\system32\SkanerOnline.dll
2008-12-20 23:03 826,368 ----a-w c:\windows\system32\wininet.dll
2007-12-22 20:53 32 ----a-w c:\documents and settings\All Users\Dane aplikacji\ezsid.dat
2008-08-05 06:55 32,768 -csha-w c:\windows\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012008080520080806\index.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-03-02_ 9.12.30.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-02 12:37:53 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_344.dat
+ 2009-03-02 12:37:50 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_b8.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-12-12 21686568]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-05 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Nowe Gadu-Gadu"="c:\program files\Nowe Gadu-Gadu\gg.exe" [2009-02-16 9302632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-31 136600]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"Spik"="c:\program files\Spik\Spik.exe" [2008-02-20 103912]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"nwiz"="nwiz.exe" [2007-09-17 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Go†\Menu Start\Programy\Autostart\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 393216]

c:\documents and settings\user\Menu Start\Programy\Autostart\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 393216]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-11-19 344064]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-11-20 303104]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Spik\\Spik.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\kopia\\Wiolka\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://search.bearshare.com/pl/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Handler: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - c:\program files\Spik\url_wpmsg.dll
DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
FF - ProfilePath - c:\documents and settings\user\Dane aplikacji\Mozilla\Firefox\Profiles\yhns4wi6.default\
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://pl.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:pl:official
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?mkt=pl-pl&FORM=MICPPL&q=
FF - plugin: c:\documents and settings\All Users\Dane aplikacji\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPBOARDS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPDARTS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPDEMON.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMARBLES.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPPOKER.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSLOTS70.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwpk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\Spik\mozilla\npwpk.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-02 15:53:27
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
Czas ukończenia: 2009-03-02 15:55:46
ComboFix-quarantined-files.txt 2009-03-02 14:54:35
ComboFix2.txt 2009-03-02 08:14:13
Przed: 12 163 751 936 bajtów wolnych
Po: 12,152,369,152 bajtów wolnych
148 --- E O F --- 2009-02-25 15:42:44
Mateusz J., comment, 2 March 2009

Delete the folder c:\QooBox. Check whether there are any WINFILE.EXE files on drives other than C. The log is clean.
fix01 (author), comment, 2 March 2009

"Delete the folder c:\QooBox. Check whether there are any WINFILE.EXE files on drives other than C. The log is clean."

Very, very big thanks! There was one more on D. Since deleting it, it hasn't reappeared so far. Thanks again.