Szczepi
(Szczepi0804)
12 November 2007 15:02
#1
Yesterday the well-known RUNDLL error appeared once, but a message with the header GSfx Archive has already appeared maybe a dozen or so times, reading:
Also, yesterday GG hung once together with the taskbar, and once no application or file would open at all.
LOGS:
HJT
Logfile of HijackThis v1.99.1 Scan saved at 15:49:27, on 2007-11-12 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\dllcache\ibmpsa.exe C:\WINDOWS\System32\sys.exe C:\WINDOWS\System32\window.com C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\PnkBstrA.exe C:\Program Files\Messenger\msmsgs.exe C:\Programy\Xfire\Xfire.exe C:\Programy\Gadu-Gadu\gg.exe C:\Programy\Mozilla Firefox\firefox.exe D:\Instalki\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/pl/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.xfire.com/xf/firstupdate.php R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL O4 - HKLM…\Run: [msmsger.exe] C:\WINDOWS\System32\sys.exe O4 - HKLM…\Run: [WinStartUp] C:\WINDOWS\System32\window.com O4 - HKLM…\Run: [b8ad2c7d] rundll32.exe “C:\WINDOWS\System32\dhjcmoit.dll”,b O4 - HKLM…\RunServices: [msmsger.exe] C:\WINDOWS\System32\sys.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [swfStartUp] C:\WINDOWS\System32\window.com O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - 
C:\WINDOWS\web\related.htm O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: IBM PSA Access Driver Control - Unknown owner - C:\WINDOWS\System32\dllcache\ibmpsa.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
Silent:
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “SwfStartUp” = “C:\WINDOWS\System32\window.com ” [“mIRC Co. Ltd.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “msmsger.exe” = “C:\WINDOWS\System32\sys.exe” [null data] “WinStartUp” = “C:\WINDOWS\System32\window.com ” [“mIRC Co. Ltd.”] “b8ad2c7d” = “rundll32.exe “C:\WINDOWS\System32\dhjcmoit.dll”,b” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {37B85A21-692B-4205-9CAD-2626E4993404}(Default) = “My Global Search Bar BHO” -> {HKLM…CLSID} = “My Global Search Bar BHO” \InProcServer32(Default) = “C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL” [“My Global Search”] {47FD1D75-E4C0-4049-A882-60B57314032A}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\efcyyvu.dll” [null data] {813C168A-4163-4547-9562-DB0CEBD0DA9A}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\pmkhi.dll” [null data] {addcfba4-dd9b-4af6-a159-72e2d9598399}(Default) = “{9938959d-2e27-951a-6fa4-b9dd4abfcdda}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\iqerbpuk.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon 
Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{47FD1D75-E4C0-4049-A882-60B57314032A}” = “*” (unwritable string) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\efcyyvu.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] <> efcyyvu\DLLName = “efcyyvu.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = 
“%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{37B85A29-692B-4205-9CAD-2626E4993404}” = (no title provided) -> {HKLM…CLSID} = “My Global Search Bar” \InProcServer32(Default) = “C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL” [“My Global Search”] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\System32\Ati2evxx.exe” [“ATI Technologies Inc.”] IBM PSA Access Driver Control, IBM PSA Access Driver Control, ““C:\WINDOWS\System32\dllcache\ibmpsa.exe”” [null data] PnkBstrA, PnkBstrA, “C:\WINDOWS\System32\PnkBstrA.exe” [null data] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 162 seconds, including 25 seconds for message boxes)
Olcia
(Olixxx94)
12 November 2007 16:38
#2
Get used to the fact that GG hangs often, and the whole computer with it, so…
Szczepi
(Szczepi0804)
12 November 2007 17:48
#3
Is the rest fine? And what about those two errors? :?
PS. Not long ago you used to reply much faster [;
Szczepi
(Szczepi0804)
13 November 2007 17:57
#5
Loads of new alerts and messages saying the computer is infected with spyware, including System Alert: Trojan-Spy.win32@mx, System Alert: NetWorm-i.Virus@fp, but others too. It's slowly starting to annoy me, but I promise myself that once I deal with this junk I'll secure the system and take such care of it that nothing sneaks in again. Best if I post all the current logs once more:
HJT
Logfile of HijackThis v1.99.1 Scan saved at 18:39:57, on 2007-11-13 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\lsas32.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\System32\dllcache\ibmpsa.exe C:\WINDOWS\System32\dllcache\winsop.exe C:\WINDOWS\System32\PnkBstrA.exe C:\PROGRAMY\MOZILL~1\FIREFOX.EXE D:\Instalki\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.xfire.com/xf/firstupdate.php R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\System32\otyozrfy.dll O4 - HKLM…\Run: [Windows Service Agent] agl23.exe O4 - HKLM…\Run: [b8ad2c7d] rundll32.exe “C:\WINDOWS\System32\errmylay.dll”,b O4 - HKLM…\RunServices: [Windows Service Agent] agl23.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Windows Service Agent] agl23.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O23 - Service: Ati HotKey Poller - ATI Technologies Inc. 
- C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: IBM PSA Access Driver Control - Unknown owner - C:\WINDOWS\System32\dllcache\ibmpsa.exe O23 - Service: Microsoft Windows Update Manager - Unknown owner - C:\WINDOWS\System32\dllcache\winsop.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe O23 - Service: system32 master (windowsys) - Unknown owner - C:\WINDOWS\windowsys.com (file missing)
Silent Runners:
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “ZoneAlarm Client” = ““C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”” [“Zone Labs, LLC”] “RivaTunerStartupDaemon” = ““C:\Programy\RivaTuner v2.06\RivaTuner.exe” /S” [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {37B85A21-692B-4205-9CAD-2626E4993404}(Default) = “My Global Search Bar BHO” -> {HKLM…CLSID} = “My Global Search Bar BHO” \InProcServer32(Default) = “C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL” [“My Global Search”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{D9872D13-7651-4471-9EEE-F0A00218BEBB}” = “Multiscan” -> {HKLM…CLSID} = “ZLAVShExt Class” \InProcServer32(Default) = “C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll” [“Zone Labs, LLC”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRAR\rarext.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ WinRAR(Default) 
= “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRAR\rarext.dll” [null data] ZLAVShExt(Default) = “{D9872D13-7651-4471-9EEE-F0A00218BEBB}” -> {HKLM…CLSID} = “ZLAVShExt Class” \InProcServer32(Default) = “C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll” [“Zone Labs, LLC”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRAR\rarext.dll” [null data] ZLAVShExt(Default) = “{D9872D13-7651-4471-9EEE-F0A00218BEBB}” -> {HKLM…CLSID} = “ZLAVShExt Class” \InProcServer32(Default) = “C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll” [“Zone Labs, LLC”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{37B85A29-692B-4205-9CAD-2626E4993404}” -> {HKLM…CLSID} = “My Global Search Bar” \InProcServer32(Default) = “C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL” [“My Global Search”] 
HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{37B85A29-692B-4205-9CAD-2626E4993404}” = (no title provided) -> {HKLM…CLSID} = “My Global Search Bar” \InProcServer32(Default) = “C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL” [“My Global Search”] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\System32\Ati2evxx.exe” [“ATI Technologies Inc.”] TrueVector Internet Monitor, vsmon, “C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service” [“Zone Labs, LLC”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 79 seconds, including 18 seconds for message boxes)
Combofix:
“Administrator” - 2007-11-13 18:49:05 - ComboFix 07-07-07.3 [sAFE MODE] (((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\ihkmp.bak1 C:\WINDOWS\system32\ihkmp.bak2 C:\WINDOWS\system32\ihkmp.ini C:\WINDOWS\system32\pmkhi.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * C:\WINDOWS\system32\pmkhi.dll ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\Program Files\myglobalsearch C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.JAR C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.MANIFEST C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.JAR C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.MANIFEST C:\Program Files\myglobalsearch\bar\1.bin\M9PLUGIN.DLL C:\Program Files\myglobalsearch\bar\1.bin\MGSBAR.DLL C:\Program Files\myglobalsearch\bar\1.bin\NPMYGLSH.DLL C:\Program Files\myglobalsearch\bar\Cache\00098A42 C:\Program Files\myglobalsearch\bar\Cache\00098DAD C:\Program Files\myglobalsearch\bar\Cache\00098F82.bin C:\Program Files\myglobalsearch\bar\Cache\000997FE.bin C:\Program Files\myglobalsearch\bar\Cache\00099A11.bin C:\Program Files\myglobalsearch\bar\Cache\files.ini C:\Program Files\myglobalsearch\bar\History\search C:\Program Files\myglobalsearch\bar\Settings\prevcfg.htm ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_RDRIV -------\rdriv ((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 ))))))))))))))))))))))))))))))) 2007-11-13 18:48 88,128 --a------ C:\WINDOWS\system32\tnpbwksf.dll 2007-11-13 18:48 80,448 --a------ C:\WINDOWS\system32\yidiksqj.dll 2007-11-13 18:48 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-11-13 18:38 80,448 --a------ C:\WINDOWS\system32\upqqpyrc.dll 2007-11-13 18:35 88,128 --a------ C:\WINDOWS\system32\errmylay.dll 2007-11-13 18:02 2007-11-13 18:00 18,432 
--a------ C:\WINDOWS\syss_.exe 2007-11-13 18:00 15,392 --a------ C:\WINDOWS\lsas32.exe 2007-11-13 17:59 5,120 --a------ C:\WINDOWS\svcr32.dll 2007-11-12 23:21 61,440 --a------ C:\WINDOWS\system32\Process.exe 2007-11-12 23:21 57,856 --a------ C:\WINDOWS\system32\dumphive.exe 2007-11-12 23:21 426 --a------ C:\WINDOWS\system32\tmp.reg 2007-11-12 23:21 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-11-12 23:05 81,472 --a------ C:\WINDOWS\system32\ihhmhlwc.dll 2007-11-12 22:59 144,480 --a------ C:\WINDOWS\system32\otyozrfy.dll 2007-11-12 22:59 144,480 --a------ C:\WINDOWS\system32\ogfrldrq.dll 2007-11-12 21:42 33,280 --a------ C:\WINDOWS\system32\rqrpmli.dll 2007-11-12 19:43 2007-11-12 18:03 15 --a------ C:\WINDOWS\system32\sysingB32.dll 2007-11-12 14:25 89,664 --a------ C:\WINDOWS\system32\dhjcmoit.dll 2007-11-12 14:20 81,472 --a------ C:\WINDOWS\system32\iqerbpuk.dll 2007-11-11 22:10 319,072 --------- C:\WINDOWS\system32\pmkhi.dll 2007-11-11 22:04 33,280 --a------ C:\WINDOWS\system32\efcyyvu.dll 2007-11-11 21:52 2007-11-11 10:34 2,432 --a------ C:\WINDOWS\system32\unpr.sys 2007-11-10 22:22 2007-11-10 21:33 2007-11-10 19:09 245 --a------ C:\WINDOWS\system32\857.reg 2007-11-10 19:05 245 --a------ C:\WINDOWS\system32\1831.reg 2007-11-10 19:02 245 --a------ C:\WINDOWS\system32\946.reg 2007-11-10 18:59 245 --a------ C:\WINDOWS\system32\711.reg 2007-11-10 16:17 245 --a------ C:\WINDOWS\system32\1464.reg 2007-11-10 11:35 2007-11-10 09:47 0 --a------ C:\WINDOWS\ativpsrm.bin 2007-11-09 23:17 2007-11-09 21:56 2007-11-09 21:55 22,328 --a------ C:\DOCUME~1\ADMINI~1\DANEAP~1\PnkBstrK.sys 2007-11-09 21:18 2007-11-09 21:09 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 
2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:59 2007-11-09 19:42 0 --a------ C:\WINDOWS\nsreg.dat 2007-11-09 19:39 2007-11-09 19:36 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe 2007-11-09 19:36 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-11-13 17:53:54 127,168 --sh–w C:\WINDOWS\system32\ihkmp.bak2 2007-11-09 18:41:46 49,492 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-11-09 18:41:46 355,486 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-11-09 18:13:31 -------- d-----w C:\Program Files\Usługi online 2007-09-29 03:21:29 9,854,976 ----a-w C:\WINDOWS\system32\atioglx2.dll 2007-09-29 03:07:23 356,352 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll 2007-09-29 03:06:17 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll 2007-09-29 03:05:59 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys 2007-09-29 02:58:34 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll 2007-09-29 02:58:22 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll 2007-09-29 02:58:15 32,768 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe 2007-09-29 02:58:07 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll 2007-09-29 02:57:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll 2007-09-29 02:56:32 491,520 ----a-w C:\WINDOWS\system32\ati2evxx.exe 2007-09-29 02:55:43 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL 2007-09-29 02:49:19 307,200 
----a-w C:\WINDOWS\system32\atiiiexx.dll 2007-09-29 02:47:38 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll 2007-09-29 02:47:26 3,130,720 ----a-w C:\WINDOWS\system32\ati3duag.dll 2007-09-29 02:36:24 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll 2007-09-29 02:36:05 972,072 ----a-w C:\WINDOWS\system32\ativva6x.dat 2007-09-29 02:36:05 3,107,788 ----a-w C:\WINDOWS\system32\ativvaxx.dat 2007-09-29 02:36:05 3,107,788 ----a-w C:\WINDOWS\system32\ativva5x.dat 2007-09-29 02:23:23 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll 2007-09-29 02:22:08 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll 2007-09-29 02:20:14 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll 2007-09-29 02:14:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll 2007-08-14 21:11:53 156,671 ----a-w C:\WINDOWS\system32\atiicdxx.dat ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{47FD1D75-E4C0-4049-A882-60B57314032A}] 2007-11-11 22:04 33280 --a------ C:\WINDOWS\System32\efcyyvu.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{77942063-8568-4347-98DD-2FE26C8B5688}] 2007-11-11 22:10 319072 --------- C:\WINDOWS\System32\pmkhi.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{A95B2816-1D7E-4561-A202-68C0DE02353A}] 2007-11-12 22:59 144480 --a------ C:\WINDOWS\System32\otyozrfy.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{c016c18e-25eb-4e28-823f-4765fa88fd53}] 2007-11-13 18:48 80448 --a------ C:\WINDOWS\System32\yidiksqj.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Windows Service Agent”=“agl23.exe” [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” [2001-10-26 18:29] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2001-08-02 07:14] “Windows Service Agent”=“agl23.exe” [] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce] 
“combofix”=C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices] “Windows Service Agent”=agl23.exe [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “SwfStartUp”=C:\WINDOWS\System32\window.com “Windows Service Agent”=agl23.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run] “7X29C2X78Y”=C:\WINDOWS\syss_.exe “Service”=C:\WINDOWS\lsas32.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{47FD1D75-E4C0-4049-A882-60B57314032A}”=“C:\WINDOWS\System32\efcyyvu.dll” [2007-11-11 22:04] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcyyvu] efcyyvu.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\otyozrfy] otyozrfy.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages msv1_0 C:\WINDOWS\System32\pmkhi.dll *Newly Created Service* - ALG HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{ACC563BC-4266-43f0-B6ED-9D38C4202C7E} rundll32 iesetup.dll,IEAccessUserInst ************************************************************************** catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-13 18:53:31 Windows 5.1.2600 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … C:\WINDOWS\system32\ihkmp.bak2 C:\WINDOWS\system32\ihkmp.ini scan completed successfully hidden files: 2 ************************************************************************** Completion time: 2007-11-13 18:54:49 - machine was rebooted C:\ComboFix-quarantined-files.txt … 2007-11-13 18:54 — E O F —
Gutek
(Gutek)
13 November 2007 19:57
#6
Paste into Notepad:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=-
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
From the Notepad menu >>> File >>> Save As >>> set the file type to “All Files” >>> save as FIX.REG >>> run this file (double-click).
Paste into Notepad:
>>File>>Save As… >>> CFScript (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
– just like in this picture –>
(if the question " 1 or 2 " appears, type 1 and press ENTER). The removal should start (and a log will be produced).
After the restart, manually delete the folder C:\Qoobox.
After that, a new log from Combo
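A check of the LSA value this FIX.REG targets, added here as an example and not part of Gutek's post, of ComboFix or of any other tool in the thread. The ComboFix log above shows "Authentication Packages msv1_0 C:\WINDOWS\System32\pmkhi.dll": every DLL listed in that REG_MULTI_SZ is loaded by lsass.exe at boot, which is why the extra entry is a persistence point and why the fix rewrites the value as hex(7) holding only msv1_0. The code decodes the hex(7) line of the FIX.REG above, rebuilds it from a list of package names, and flags anything other than msv1_0 in the ComboFix line. The two sample inputs are embedded inline; the allowlist containing only msv1_0 and the splitting of ComboFix's space-separated rendering are assumptions.

```python
import re

# Constructed sample: the FIX.REG text from the post above, embedded so this runs offline.
FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=-
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
'''

# Constructed sample: the LSA line as it appears in the ComboFix log above.
COMBOFIX_LSA_LINE = r"Authentication Packages msv1_0 C:\WINDOWS\System32\pmkhi.dll"

# Assumption: on this Windows XP box only msv1_0 (the NTLM package) is expected here.
# Anything else in this value is a DLL that lsass.exe loads at boot.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}


def decode_reg_hex7(reg_text, value_name):
    """Decode a REG_MULTI_SZ written as hex(7):... in .reg syntax into a list of strings."""
    # A trailing backslash continues the hex list on the next (indented) line.
    joined = re.sub(r",\\\s*\r?\n\s*", ",", reg_text)
    pattern = r'"%s"=hex\(7\):([0-9a-fA-F,\s]+)' % re.escape(value_name)
    match = re.search(pattern, joined)
    if match is None:
        raise ValueError("no hex(7) value named %r" % value_name)
    hex_list = re.sub(r"\s", "", match.group(1)).strip(",")
    raw = bytes(int(pair, 16) for pair in hex_list.split(","))
    # REG_MULTI_SZ is UTF-16LE: each string NUL-terminated, plus one extra NUL ending the list.
    return [s for s in raw.decode("utf-16-le").split("\0") if s]


def encode_reg_hex7(entries):
    """Build the hex(7) byte list for a REG_MULTI_SZ holding the given strings."""
    raw = ("\0".join(entries) + "\0\0").encode("utf-16-le")
    return ",".join("%02x" % b for b in raw)


def split_combofix_lsa_line(line):
    """Split ComboFix's flattened 'Authentication Packages ...' line into its entries.

    Assumption: ComboFix separates the entries with spaces; a path that itself
    contains spaces would need the registry value rather than this rendering.
    """
    prefix = "Authentication Packages"
    if not line.startswith(prefix):
        raise ValueError("not an Authentication Packages line")
    return line[len(prefix):].split()


def audit_auth_packages(entries, expected=EXPECTED_AUTH_PACKAGES):
    """Return the entries not on the allowlist: candidate persistence DLLs in lsass.exe."""
    return [e for e in entries if e.lower() not in expected]


if __name__ == "__main__":
    print("FIX.REG sets the value to:", decode_reg_hex7(FIX_REG, "Authentication Packages"))
    print("hex(7) for ['msv1_0']    :", encode_reg_hex7(["msv1_0"]))
    found = split_combofix_lsa_line(COMBOFIX_LSA_LINE)
    print("ComboFix reported        :", found)
    print("suspicious entries       :", audit_auth_packages(found))
```

Running it shows that the FIX.REG hex decodes to exactly ["msv1_0"], that encoding ["msv1_0"] reproduces the byte list in the post, and that the pmkhi.dll path from the log is the only entry the audit flags. Deleting the value first ("=-") and then writing it back, as the FIX.REG does, guarantees the list contains nothing but msv1_0 regardless of what was there before.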
Szczepi
(Szczepi0804)
13 November 2007 20:31
#7
ok, done…
log:
"Administrator" - 2007-11-13 21:21:30 - ComboFix 07-07-07.3 [SAFE MODE]
Command switches used :: D:\Instalki\CFScript.txt

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\pmkhi.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\lsas32.exe
C:\WINDOWS\svcr32.dll
C:\WINDOWS\syss_.exe
C:\WINDOWS\system32\1464.reg
C:\WINDOWS\system32\1831.reg
C:\WINDOWS\system32\711.reg
C:\WINDOWS\system32\857.reg
C:\WINDOWS\system32\946.reg
C:\WINDOWS\system32\dhjcmoit.dll
C:\WINDOWS\system32\efcyyvu.dll
C:\WINDOWS\system32\errmylay.dll
C:\WINDOWS\system32\ihhmhlwc.dll
C:\WINDOWS\system32\iqerbpuk.dll
C:\WINDOWS\system32\ogfrldrq.dll
C:\WINDOWS\system32\otyozrfy.dll
C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\rqrpmli.dll
C:\WINDOWS\system32\sysingB32.dll
C:\WINDOWS\system32\tnpbwksf.dll
C:\WINDOWS\system32\unpr.sys
C:\WINDOWS\system32\upqqpyrc.dll
C:\WINDOWS\system32\yidiksqj.dll

((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
2007-11-13 21:13 18,432 --a------ C:\wingfx.exe
2007-11-13 20:21 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-11-13 20:20 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-11-13 18:59 88,128 --a------ C:\WINDOWS\system32\vuyjsjgi.dll
2007-11-13 18:56 80,448 --a------ C:\WINDOWS\system32\hehnvwri.dll
2007-11-13 18:48 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-11-13 18:02 (entry details lost in the paste)
2007-11-12 23:21 61,440 --a------ C:\WINDOWS\system32\Process.exe
2007-11-12 23:21 57,856 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-12 23:21 426 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-12 23:21 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-12 19:43 (entry details lost in the paste)
2007-11-11 21:52 (entry details lost in the paste)
2007-11-10 22:22 (entry details lost in the paste)
2007-11-10 21:33 (entry details lost in the paste)
2007-11-10 11:35 (entry details lost in the paste)
2007-11-10 09:47 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-11-09 23:17 (entry details lost in the paste)
2007-11-09 21:56 (entry details lost in the paste)
2007-11-09 21:55 22,328 --a------ C:\DOCUME~1\ADMINI~1\DANEAP~1\PnkBstrK.sys
2007-11-09 21:18 (entry details lost in the paste)
2007-11-09 21:09 (entry details lost in the paste)
2007-11-09 19:59 (a long run of entries with this timestamp; their sizes and paths were lost in the paste)
2007-11-09 19:42 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-09 19:39 (entry details lost in the paste)
2007-11-09 19:36 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-11-09 19:36 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-09 19:36 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-11-09 19:36 (entry details lost in the paste)
2007-11-09 19:30 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-11-09 19:30 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-11-09 19:30 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-11-09 19:30 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-11-09 19:30 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-11-09 19:30 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-11-09 19:30 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-11-09 19:30 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-11-09 19:30 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-11-09 19:30 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-11-09 19:30 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-11-09 19:30 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-11-09 19:30 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-11-09 19:30 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-11-09 19:30 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-11-13 20:20:07 49,492 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-11-13 20:20:07 355,486 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-11-09 18:13:31 -------- d-----w C:\Program Files\Usługi online
2007-09-29 03:21:29 9,854,976 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-09-29 03:07:23 356,352 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 03:06:17 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-09-29 03:05:59 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 02:58:34 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-09-29 02:58:22 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-09-29 02:58:15 32,768 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 02:58:07 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-09-29 02:57:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-09-29 02:56:32 491,520 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-09-29 02:55:43 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 02:49:19 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-09-29 02:47:38 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-09-29 02:47:26 3,130,720 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-09-29 02:36:24 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-09-29 02:36:05 972,072 ----a-w C:\WINDOWS\system32\ativva6x.dat
2007-09-29 02:36:05 3,107,788 ----a-w C:\WINDOWS\system32\ativvaxx.dat
2007-09-29 02:36:05 3,107,788 ----a-w C:\WINDOWS\system32\ativva5x.dat
2007-09-29 02:23:23 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-09-29 02:22:08 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-09-29 02:20:14 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-09-29 02:14:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-08-14 21:11:53 156,671 ----a-w C:\WINDOWS\system32\atiicdxx.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{210ba9ac-e7b7-4200-bf72-b4905ee4fedc}]
2007-11-13 18:56 80448 --a------ C:\WINDOWS\System32\hehnvwri.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{A95B2816-1D7E-4561-A202-68C0DE02353A}]
C:\WINDOWS\System32\otyozrfy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-26 18:29]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"combofix"=C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"SwfStartUp"=C:\WINDOWS\System32\window.com

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\WINDOWS\System32\pmkhi.dll

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
rundll32 iesetup.dll,IEAccessUserInst

**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 21:26:27
Windows 5.1.2600 NTFS

scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0

**************************************************************************
Completion time: 2007-11-13 21:27:39 - machine was rebooted
C:\ComboFix-quarantined-files.txt … 2007-11-13 21:27
C:\ComboFix2.txt … 2007-11-13 18:54
— E O F —
PS. I did all of this in Safe Mode with Networking, because in normal mode the system either froze or would not start at all. I hope that does no harm?
Is everything all right, is the system clean?
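Reading a ComboFix log like the one above by eye is error-prone, so here is a small triage script. It is an added example written for this page, not part of the thread, of ComboFix or of HijackThis. It parses the "Files Created" and "Reg Loading Points" sections and cross-references them: a Browser Helper Object whose DLL was created inside the scan window, or whose DLL no longer appears anywhere (already deleted, key left behind), and any LSA authentication package other than the Windows XP default msv1_0. The sample log inside it is constructed from entries visible on this page; the section banners and line layouts are assumed from that paste, not taken from a ComboFix specification.

```python
"""Triage of a ComboFix-style log: cross-reference loading points with
the "Files Created" window.  Added example for this page, not from the
thread or from ComboFix.  SAMPLE_LOG is constructed from entries that
appear in the log above; section names and line formats are assumed
from that paste."""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = r"""
((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))
2007-11-13 18:59 88,128 --a------ C:\WINDOWS\system32\vuyjsjgi.dll
2007-11-13 18:56 80,448 --a------ C:\WINDOWS\system32\hehnvwri.dll
2007-11-09 19:36 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-11-09 19:30 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
((((((((((((((((( Reg Loading Points )))))))))))))))))
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{210ba9ac-e7b7-4200-bf72-b4905ee4fedc}]
2007-11-13 18:56 80448 --a------ C:\WINDOWS\System32\hehnvwri.dll
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{A95B2816-1D7E-4561-A202-68C0DE02353A}]
C:\WINDOWS\System32\otyozrfy.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\WINDOWS\System32\pmkhi.dll
"""

# One "Files Created" entry: date, time, size, attribute string, path.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(\S.*?)\s*$")
BHO_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE~\\Browser Helper Objects\{([0-9A-Fa-f-]+)\}\]")
PATH_RE = re.compile(r"([A-Za-z]:\\\S+)")
# msv1_0 is the only authentication package on a stock Windows XP install.
KNOWN_AUTH_PACKAGES = {"msv1_0"}


def parse_log(log):
    """Return (created, bhos, auth_packages).

    created maps a lower-cased path to its creation time (timestamp-only
    lines that lost their size/path are skipped); bhos is a list of
    (CLSID, dll path); auth_packages is the token list that follows
    'Authentication Packages'."""
    created, bhos, auth = {}, [], []
    section, pending_clsid = None, None
    for line in log.splitlines():
        if "Files Created" in line:
            section = "created"
            continue
        if "Reg Loading Points" in line:
            section = "reg"
            continue
        if line.startswith("((((("):          # any other banner closes the section
            section = None
            continue
        if section == "created":
            m = CREATED_RE.match(line)
            if m:
                created[m.group(4).lower()] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        elif section == "reg":
            m = BHO_RE.match(line)
            if m:
                pending_clsid = m.group(1)    # the DLL is on the following line
                continue
            if pending_clsid is not None:
                p = PATH_RE.search(line)
                if p:
                    bhos.append((pending_clsid, p.group(1)))
                pending_clsid = None
            if line.startswith("Authentication Packages"):
                auth = line.split()[2:]
    return created, bhos, auth


def triage(log, now, recent_days=30):
    """Flag BHOs whose DLL appeared within recent_days, or is missing from
    the created list altogether (e.g. already deleted but still registered),
    plus any LSA authentication package other than the known default.
    `now` may be a datetime or a 'YYYY-MM-DD HH:MM' string."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d %H:%M")
    created, bhos, auth = parse_log(log)
    cutoff = now - timedelta(days=recent_days)
    findings = {"bhos": [], "unexpected_auth_packages": []}
    for clsid, path in bhos:
        when = created.get(path.lower())
        if when is None:
            findings["bhos"].append((clsid, path, "dll not in Files Created; check Other Deletions and disk"))
        elif when >= cutoff:
            findings["bhos"].append((clsid, path, "dll created " + when.strftime("%Y-%m-%d %H:%M")))
    for pkg in auth:
        if pkg.lower() not in KNOWN_AUTH_PACKAGES:
            # Anything listed here is loaded into lsass.exe at boot, before any logon.
            findings["unexpected_auth_packages"].append(pkg)
    return findings


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG, "2007-11-13 21:21").items():
        print(key)
        for item in items:
            print("  ", item)
```

Run against the sample it reports both BHO CLSIDs (hehnvwri.dll created 2007-11-13 18:56, otyozrfy.dll absent because ComboFix already deleted it while the CLSID key remained) and pmkhi.dll in Authentication Packages, which is exactly the value the FIX.REG in the next reply resets.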
Gutek
(Gutek)
13 Listopad 2007 21:54
#8
Paste into Notepad:
>>File>>Save As… >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
– like in this picture –>
(if the question " 1 or 2 " appears, type 1 and press ENTER.) The removal should start (and a log will be produced).
After the reboot, manually delete the folder C:\Qoobox.
Then a new ComboFix log, but before you make it (after carrying out the command above):
Paste into Notepad:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=-
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
From the Notepad menu: File > Save As, set the file type to "All Files", save as FIX.REG and run that file (double-click).
Gutek
(Gutek)
16 Listopad 2007 19:31
#10
Paste into Notepad:
>>File>>Save As… >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
– like in this picture –>
(if the question " 1 or 2 " appears, type 1 and press ENTER.) The removal should start (and a log will be produced).
After the reboot, manually delete the folder C:\Qoobox.
Then a new ComboFix log, but before the new log:
Paste into Notepad:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=-
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
From the Notepad menu: File > Save As, set the file type to "All Files", save as FIX.REG and run that file (double-click).
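The FIX.REG given in posts #8 and #10 first deletes the Authentication Packages value (`=-`) and then recreates it with a hex(7) byte list. What that byte list means is easy to miss: hex(7) is REG_MULTI_SZ, stored as UTF-16LE strings each ending in a NUL, with one extra NUL closing the list, so the 16 bytes in the post are just the single entry "msv1_0". LSA loads every DLL named in that value into lsass.exe at boot, which is why the pmkhi.dll appended to it in the ComboFix log is a persistence mechanism and why the fix rewrites the whole value rather than editing it. The script below is an added example for this page, not code from the thread or from any Microsoft tool: it decodes a hex(7) payload, audits it for anything beyond the default, and regenerates the same two-line .reg value (including regedit's 80-column `\` wrapping) from a list of package names. The infected value it builds is constructed from the path shown in the log, not captured from the machine.

```python
"""REG_MULTI_SZ helpers for the FIX.REG in posts #8 and #10.

Added example for this page, not from the thread or from a Microsoft
tool.  Assumed: .reg hex(7) data is UTF-16LE, each string NUL-terminated,
with a final extra NUL (this matches the 16 bytes in the post)."""
import re

DEFAULT_PACKAGES = ("msv1_0",)   # the only package on a stock Windows XP system
LSA_KEY = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]"
VALUE_NAME = "Authentication Packages"


def decode_hex7(value):
    """'hex(7):6d,00,...' (with or without '\\' line continuations) -> list of strings."""
    payload = value[len("hex(7):"):] if value.lower().startswith("hex(7):") else value
    cleaned = re.sub(r"[\s\\]", "", payload)         # drop newlines, spaces, continuations
    raw = bytes(int(b, 16) for b in cleaned.split(",") if b)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def encode_hex7(entries):
    """list of strings -> 'hex(7):..' exactly as regedit exports it."""
    raw = "".join(e + "\x00" for e in entries).encode("utf-16-le") + b"\x00\x00"
    return "hex(7):" + ",".join("%02x" % b for b in raw)


def audit(value, expected=DEFAULT_PACKAGES):
    """Entries of a hex(7) value that are not in `expected` (case-insensitive).

    Everything listed in Authentication Packages is loaded into lsass.exe at
    boot, so an extra full path like the pmkhi.dll in the ComboFix log is
    a persistence mechanism, not a configuration detail."""
    allowed = {e.lower() for e in expected}
    return [p for p in decode_hex7(value) if p.lower() not in allowed]


def build_fix_reg(entries=DEFAULT_PACKAGES):
    """Regedit 5.00 text that deletes the value and recreates it with only
    `entries`, wrapping the hex list at 80 columns with a trailing '\\' and
    a two-space indent on continuation lines, as regedit exports do."""
    tokens = encode_hex7(entries)[len("hex(7):"):].split(",")
    lines, cur = [], '"%s"=hex(7):' % VALUE_NAME
    for i, tok in enumerate(tokens):
        piece = tok + ("," if i < len(tokens) - 1 else "")
        if len(cur) + len(piece) + 1 > 80:        # +1 for the trailing backslash
            lines.append(cur + "\\")
            cur = "  "
        cur += piece
    lines.append(cur)
    return "\n".join(["Windows Registry Editor Version 5.00", "", LSA_KEY,
                      '"%s"=-' % VALUE_NAME] + lines) + "\n"


if __name__ == "__main__":
    # Constructed: what the value looked like with the rogue DLL appended.
    infected = encode_hex7(["msv1_0", r"C:\WINDOWS\System32\pmkhi.dll"])
    print("rogue packages:", audit(infected))
    print(build_fix_reg())
```

Before applying a fix like this on a real machine, export the current value first (`reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa-before.reg`) so `audit()` can be run on what was actually there and the export kept as evidence; the `=-` line then wipes whatever else was listed, which is the intent.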
Gutek
(Gutek)
17 Listopad 2007 16:45
#12
Paste into Notepad:
>>File>>Save As… >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
– like in this picture –>
(if the question " 1 or 2 " appears, type 1 and press ENTER.) The removal should start (and a log will be produced).
After the reboot, manually delete the folder C:\Qoobox.
After that, a new ComboFix log.