Avast detected a rootkit

Help!!

When I start the computer, AVAST tells me it has detected ROOTKIT-type software and suggests a restart so it can scan the system at boot… I have done that several times already and after that scan Avast detects nothing. I have also used other antivirus programs and nothing…

How do I get rid of this thing…???

Post a ComboFix log

Kaj, edit your post and fix the spelling in it! We write in Polish here, using e.g. the diacritics ąćęłńóśźż, punctuation marks etc.

Rootkits are programs that install their components deep in the system, where an antivirus program may not detect them… post a HijackThis log

do a scan with this

http://dobreprogramy.pl/index.php?dz=2& … e+1.1.0.42

Logfile of HijackThis v1.99.1

Scan saved at 19:33, on 2008-05-26

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\SOUNDMAN.EXE

D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Skype\Phone\Skype.exe

D:\KAJETAN\Spybot - Search & Destroy\TeaTimer.exe

D:\Program Files\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Tiny Personal Firewall\PERSFW.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\UAService7.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\Temp\Rar$EX00.500\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [spybotSD TeaTimer] "D:\KAJETAN\Spybot - Search & Destroy\TeaTimer.exe"

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v … 5419354078

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Tiny Personal Firewall (PERSFW) - Tiny Software - C:\Program Files\Tiny Personal Firewall\PERSFW.EXE

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

On 26.05.2008 at 19:35 a post was added by Kaj

What do you think?? I remembered that probably the only more serious virus reported during an antivirus scan was the OnLine.games trojan (??)

entry

remove it with HijackThis >> Fix checked

Download ComboFix http://www.searchengines.pl/index.php?s … ntry395642, scan and post the log

:slight_smile:

get rid of it, it steals passwords to gamers' accounts and tries to take them over… :?

ComboFix 08-05-25.5 - xxx 2008-05-26 20:52:31.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.426 [GMT 2:00]

Running from: D:\KAJETAN\odebrane\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\xxx\Ulubione.url

.

---- Previous Run -------

.

C:\WINDOWS\Fonts\acrsecB.fon

C:\WINDOWS\Fonts\acrsecI.fon

C:\WINDOWS\smdat32m.sys

.

((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))

.

2008-05-26 20:55 . 2008-05-26 20:55

2008-05-26 20:55 . 2008-05-26 20:55 53,248 --a------ C:\Temp\catchme.dll

2008-05-26 20:54 . 2008-05-26 20:54

2008-05-26 20:54 . 2008-05-26 20:54 16,384 --a----t- C:\Temp\Perflib_Perfdata_674.dat

2008-05-26 19:07 . 2008-05-26 20:55

2008-05-23 22:32 . 2008-05-23 22:32 12,598 --a------ C:\WINDOWS\system32\wpa.bak

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-26 18:47 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\Skype

2008-05-26 14:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-05-26 14:05 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft

2008-04-20 14:07 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\Lavasoft

2008-04-19 09:16 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\OpenOffice.ux.pl2

2008-04-17 19:25 --------- d-----w C:\Program Files\English Translator 3

2008-04-04 11:04 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy

2008-03-22 10:10 150 ----a-w C:\System Volume Information.zip

2004-09-20 11:07 21,696,576 -c--a-w C:\Program Files\AdobeR…exe

2004-09-12 15:55 3,661,390 -c--a-w C:\Program Files\Gd-wygaszacz.exe

2004-11-01 15:18 56 --sh--r C:\WINDOWS\system32\D2A60B131A.sys

2004-11-01 15:18 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2004-09-16 22:47 0 -csha-w C:\WINDOWS\system32\mfcda.exe

2004-09-16 21:54 0 -csha-w C:\WINDOWS\system32\rkbuc.dll

2008-02-22 12:01 9,338,912 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2008-02-22 12:01 21,536 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-08-21 17:37 20053032]

"SpybotSD TeaTimer"="D:\KAJETAN\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 21:10 335872]

"SoundMan"="SOUNDMAN.EXE" [2003-08-15 16:34 57344 C:\WINDOWS\SOUNDMAN.EXE]

"!AVG Anti-Spyware"="D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:44 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^EPSON Status Monitor 3 Environment Check.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\EPSON Status Monitor 3 Environment Check.lnk

backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]

C:\WINDOWS\system32\amvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

--a------ 2004-04-21 21:10 335872 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-04 09:44 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]

--a------ 2004-01-14 13:10 409600 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ILO_Office_Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

--a------ 2006-08-21 17:37 20053032 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

--a------ 2003-08-15 16:34 57344 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

-rahs---- 2008-01-28 11:43 2097488 D:\KAJETAN\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2004-06-03 22:05 32881 C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\WINDOWS\system32\sessmgr.exe"=

"C:\Program Files\Tiny Personal Firewall\PERSFW.exe"=

"C:\Program Files\Internet Explorer\iexplore.exe"=

"D:\Program Files\Gadu-Gadu\gg.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"1199:UDP"= 1199:UDP:Windows Media Format SDK (firefox.exe)

"1198:UDP"= 1198:UDP:Windows Media Format SDK (firefox.exe)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]

R1 fwdrv;Tiny Personal Firewall Driver;C:\WINDOWS\system32\Drivers\fwdrv.sys [2001-10-22 17:54]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]

S3 {A8303B2A-94C0-4a84-9C1F-BD9CCDD3A689};{A8303B2A-94C0-4a84-9C1F-BD9CCDD3A689};C:\WINDOWS\system32\{A8303B2A-94C0-4a84-9C1F-BD9CCDD3A689} []

S3 ATICDSDr;ATICDSDr;C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\ATICDSDr.sys []

S3 DarkSpy;DarkSpy;C:\WINDOWS\system32\DarkSpyKernel.sys []

S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\4A.tmp []

S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\system32\ZDCndis5.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29d0964c-265b-11dc-b256-00e04cbf69bf}]

\Shell\AutoRun\command - EXPLORER.EXE

\Shell\explore\Command - EXPLORER.EXE

\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bc680b5-e15e-11dc-b665-00e04cbf69bf}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63cad018-b2ee-11dc-b4aa-00e04cbf69bf}]

\Shell\AutoRun\command - F:\fppg1.exe

\Shell\explore\Command - F:\fppg1.exe

\Shell\open\Command - F:\fppg1.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-26 20:55:16

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\C:\WINDOWS\system32\4A.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{A8303B2A-94C0-4a84-9C1F-BD9CCDD3A689}]

"ImagePath"="\??\C:\WINDOWS\system32\{A8303B2A-94C0-4a84-9C1F-BD9CCDD3A689}"

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\ati2evxx.exe

D:\Program Files\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Tiny Personal Firewall\PERSFW.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\cscript.exe

.

**************************************************************************

.

Completion time: 2008-05-26 20:58:02 - machine was rebooted [xxx]

ComboFix-quarantined-files.txt 2008-05-26 18:57:59

Pre-Run: 2,408,091,648 bajtów wolnych

Post-Run: 2,399,068,160 bajtów wolnych

147 --- E O F --- 2008-03-12 17:01:57

On 26.05.2008 at 20:58 a post was added by Kaj

ComboFix log… what next???

On 26.05.2008 at 21:22 a post was added by Kaj

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

"SpybotSD TeaTimer" = ""D:\KAJETAN\Spybot - Search & Destroy\TeaTimer.exe"" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ATIPTA" = ""C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"!AVG Anti-Spyware" = ""D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  • {HKLM...CLSID} = "AcroIEHlprObj Class"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  • {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  • {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{30D02401-6A81-11d0-8274-00C04FD5AE38}" = "IE Search Band"

  • {HKLM...CLSID} = "IE Search Band"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" = "Shell DocObject Viewer"

  • {HKLM...CLSID} = "Shell DocObject Viewer"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = "InternetShortcut"

  • {HKLM...CLSID} = "Internet Shortcut"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" = "Microsoft Url History Service"

  • {HKLM...CLSID} = "Microsoft Url History Service"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{FF393560-C2A7-11CF-BFF4-444553540000}" = "History"

  • {HKLM...CLSID} = "History"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"

  • {HKLM...CLSID} = "Temporary Internet Files"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"

  • {HKLM...CLSID} = "Temporary Internet Files"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = "Microsoft Url Search Hook"

  • {HKLM...CLSID} = "Microsoft Url Search Hook"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

On 26.05.2008 at 21:22 a post was added by Kaj

silent runners log

Disinfect the pendrive or memory card http://www.softpedia.com/get/Security/S … Tool.shtml or format it

Flash Disinfector http://www.searchengines.pl/index.php?s … ntry369724

Open Notepad and paste

save it as CFScript.txt (save it so that the CFScript.txt icon is next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri … iemoes.gif

Removal should begin

Then post the ComboFix removal log

:slight_smile:
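As an added example that is not part of this thread, the following Python script shows how the two things the helper reacted to in the ComboFix log above can be picked out automatically: the mountpoints2 blocks where every shell verb of a volume is redirected to an executable on that volume (F:\fppg1.exe) and the S3 driver entries whose image is a .tmp file, lives under a Temp directory, or has an empty [] where ComboFix would print a file timestamp. The sample text is constructed from the log posted above; treating C: as the system drive and every other letter as removable is an assumption.

```python
"""Triage helper for the 'Reg Loading Points' part of a ComboFix log (added example, not from the thread)."""
import re

# Constructed sample, modelled on the mountpoints2 and driver lines in the log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29d0964c-265b-11dc-b256-00e04cbf69bf}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bc680b5-e15e-11dc-b665-00e04cbf69bf}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63cad018-b2ee-11dc-b4aa-00e04cbf69bf}]
\Shell\AutoRun\command - F:\fppg1.exe
\Shell\explore\Command - F:\fppg1.exe
\Shell\open\Command - F:\fppg1.exe

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
S3 ATICDSDr;ATICDSDr;C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\ATICDSDr.sys []
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\4A.tmp []
"""

SYSTEM_DRIVE = "C"  # assumption: Windows is on C:, every other drive letter is treated as removable

MOUNTPOINT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*mountpoints2\\?(\{[0-9A-Fa-f-]+\})\]$")
SHELL_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.IGNORECASE)
DRIVER_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[(.*)\]$")  # "R1 name;desc;path [stamp]"
DRIVE_PATH_RE = re.compile(r"^([A-Za-z]):\\")

def parse_mountpoints(log):
    """Map each mountpoints2 GUID to its {shell verb: command} entries."""
    hooks, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        m = MOUNTPOINT_RE.match(line)
        if m:
            current = m.group(1).lower()
            hooks.setdefault(current, {})
            continue
        m = SHELL_RE.match(line)
        if m and current is not None:
            hooks[current][m.group(1).lower()] = m.group(2).strip()
    return hooks

def removable_target(command):
    """Return the command if it starts with a drive letter other than the system drive."""
    m = DRIVE_PATH_RE.match(command)
    return command if m and m.group(1).upper() != SYSTEM_DRIVE else None

def suspicious_mountpoints(log):
    """List (guid, command, reason) for volumes whose shell verbs launch a file from that volume.
    EXPLORER.EXE (the default 'open in Explorer') is not flagged; a volume where AutoRun, open
    and explore all point at one executable matches the classic autorun-worm pattern."""
    findings = []
    for guid, verbs in sorted(parse_mountpoints(log).items()):
        targets = sorted({t for t in map(removable_target, verbs.values()) if t})
        if not targets:
            continue
        hijacked = {"autorun", "open", "explore"} <= set(verbs) and len(set(verbs.values())) == 1
        reason = ("all shell verbs redirected to one removable-drive executable" if hijacked
                  else "AutoRun command runs a removable-drive executable")
        findings.append((guid, targets[0], reason))
    return findings

def suspicious_drivers(log):
    """List (name, image path) for driver/service lines worth a second look: the image sits in a
    Temp directory or is a .tmp file, or ComboFix printed an empty [] instead of a file timestamp."""
    findings = []
    for raw in log.splitlines():
        m = DRIVER_RE.match(raw.strip())
        if not m:
            continue
        name, path, stamp = m.groups()
        low = path.lower()
        if "\\temp\\" in low or low.endswith(".tmp") or not stamp.strip():
            findings.append((name, path))
    return findings

if __name__ == "__main__":
    for finding in suspicious_mountpoints(SAMPLE_LOG) + suspicious_drivers(SAMPLE_LOG):
        print(" | ".join(finding))
```

The flags mean "review this", not "this is malware": a U3 launcher or a leftover anti-rootkit driver can trigger them too, which is why the helper asked for the pendrive to be cleaned separately rather than deleting blindly.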

ComboFix 08-05-25.5 - xxx 2008-05-26 21:41:49.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.391 [GMT 2:00]

Running from: D:\KAJETAN\odebrane\ComboFix.exe

Command switches used :: D:\KAJETAN\odebrane\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\WINDOWS\system32\EXPLORER.EXE

C:\WINDOWS\system32\mfcda.exe

C:\WINDOWS\system32\rkbuc.dll

F:\fppg1.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\mfcda.exe

C:\WINDOWS\system32\rkbuc.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ATICDSDR

-------\Legacy_DARKSPY

-------\Legacy_MEMSWEEP2

-------\Legacy_{A8303B2A-94C0-4A84-9C1F-BD9CCDD3A689}

-------\Service_{A8303B2A-94C0-4a84-9C1F-BD9CCDD3A689}

-------\Service_ATICDSDr

-------\Service_DarkSpy

-------\Service_MEMSWEEP2

-------\Service_ZDCndis5

((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))

.

2008-05-26 21:44 . 2008-05-26 21:44 53,248 --a------ C:\Temp\catchme.dll

2008-05-26 21:43 . 2008-05-26 21:43

2008-05-26 21:43 . 2008-05-26 21:43 16,384 --a----t- C:\Temp\Perflib_Perfdata_678.dat

2008-05-26 19:07 . 2008-05-26 21:44

2008-05-23 22:32 . 2008-05-23 22:32 12,598 --a------ C:\WINDOWS\system32\wpa.bak

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-26 18:57 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\Skype

2008-05-26 14:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-05-26 14:05 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft

2008-04-20 14:07 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\Lavasoft

2008-04-19 09:16 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\OpenOffice.ux.pl2

2008-04-17 19:25 --------- d-----w C:\Program Files\English Translator 3

2008-04-04 11:04 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy

2008-03-22 10:10 150 ----a-w C:\System Volume Information.zip

2004-09-20 11:07 21,696,576 -c--a-w C:\Program Files\AdobeR…exe

2004-09-12 15:55 3,661,390 -c--a-w C:\Program Files\Gd-wygaszacz.exe

2004-11-01 15:18 56 --sh--r C:\WINDOWS\system32\D2A60B131A.sys

2004-11-01 15:18 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2008-02-22 12:01 9,338,912 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2008-02-22 12:01 21,536 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat

.

((((((((((((((((((((((((((((( snapshot@2008-05-26_20.57.47.82 )))))))))))))))))))))))))))))))))))))))))

.

  • 2008-05-26 18:54:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
  • 2008-05-26 19:43:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat

  • 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-08-21 17:37 20053032]

"SpybotSD TeaTimer"="D:\KAJETAN\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 21:10 335872]

"SoundMan"="SOUNDMAN.EXE" [2003-08-15 16:34 57344 C:\WINDOWS\SOUNDMAN.EXE]

"!AVG Anti-Spyware"="D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:44 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^EPSON Status Monitor 3 Environment Check.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\EPSON Status Monitor 3 Environment Check.lnk

backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

--a------ 2004-04-21 21:10 335872 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-04 09:44 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]

--a------ 2004-01-14 13:10 409600 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

--a------ 2006-08-21 17:37 20053032 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

--a------ 2003-08-15 16:34 57344 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

-rahs---- 2008-01-28 11:43 2097488 D:\KAJETAN\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2004-06-03 22:05 32881 C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\WINDOWS\system32\sessmgr.exe"=

"C:\Program Files\Tiny Personal Firewall\PERSFW.exe"=

"C:\Program Files\Internet Explorer\iexplore.exe"=

"D:\Program Files\Gadu-Gadu\gg.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"1199:UDP"= 1199:UDP:Windows Media Format SDK (firefox.exe)

"1198:UDP"= 1198:UDP:Windows Media Format SDK (firefox.exe)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]

R1 fwdrv;Tiny Personal Firewall Driver;C:\WINDOWS\system32\Drivers\fwdrv.sys [2001-10-22 17:54]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-26 21:44:04

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\ati2evxx.exe

D:\Program Files\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Tiny Personal Firewall\PERSFW.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\cscript.exe

.

**************************************************************************

.

Completion time: 2008-05-26 21:46:35 - machine was rebooted

ComboFix-quarantined-files.txt 2008-05-26 19:46:31

ComboFix2.txt 2008-05-26 18:58:03

Pre-Run: 2,358,677,504 bajtów wolnych

Post-Run: 2,304,741,376 bajtów wolnych

142 --- E O F --- 2008-03-12 17:01:57

The log looks clean

do a startup optimization http://cybertrash.netarteria.pl/cyber/index.php/topic,378.0.html

manually delete the C:\Qoobox folder and delete the ComboFix installer from the disk.

Turn System Restore off and on again on all drives. http://support.microsoft.com/kb/310405/pl

scan the My Computer area http://www.kaspersky.pl/virusscanner.html and post the report; the page has to be opened in IE

:slight_smile:

Change of the rules for pasting logs on the forum - viewtopic.php?f=16&t=213350

Thanks!!!

There is just one small downside - when I do a system defragmentation with pagedfrg, C:/pagefile.sys has as many as 66 fragments and, as far as I know, there should be 1. The system tells me it cannot be defragmented any further…

Is there any way around this???