Carlton, trzyliterowe trojany irc, i inne cuda

jojojo · 29 Grudzień 2007 21:38

Witam, mam problem. Od wczoraj mam net na tym komputerze i od razu niespodzianki. Mam NODa32, ale zainstalowałem go dopiero dzisiaj. Już wczoraj zaczęły wyskakiwać informacje o konieczności wyłączenia systemu za 1.00min, błędy, które chciał wysyłać do Microsoftu i inne. Dziś NOD znalazł carltona, którego usunął, ale po tym przy starcie systemu wyrzucał info o braku pliku (??shield.exe nie pamiętam dwóch liter) O wszystkim czytałem już tutaj, ale postanowiłem jednak zrobić format i… to samo od nowa. Jeszcze do tego pchają się jakieś trzyliterowe trojany.exe. Pomocy, proszę.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:22:57, on 2007-12-29

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Eset\nod32kui.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Eset\nod32krn.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\WScript.exe

C:\Documents and Settings\jojojo\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla HiJackThis(2).zip\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINDOWS\System32\firewall.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


--

End of file - 2577 bytes

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Smapp" = "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" ["Analog Devices, Inc."]

"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

"Windows Network Firewall" = "C:\WINDOWS\System32\firewall.exe" [file not found]


HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\

{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)

                                       \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]


HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]



Group Policies {policy setting}:

--------------------------------


Note: detected settings may not have any effect.


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 19

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 18

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]

SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]



---------- (launch time: 2007-12-29 22:22:12)

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 54 seconds, including 3 seconds for message boxes)



[color=#00FF00]COMBO FIX[/color]


ComboFix 07-12-21.4 - jojojo 2007-12-29 22:18:58.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.1.1250.1.1045.18.564 [GMT 1:00]

Running from: C:\Documents and Settings\jojojo\Pulpit\ComboFix.exe

.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.


C:\WINDOWS\system32\firewall.exe

.

---- Previous Run -------

.

C:\windows\system32\iexplore.exe


.

((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))

.


No new files created in this timespan


.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-29 20:43	---------	d-----w	C:\Program Files\Gadu-Gadu

2007-12-29 20:24	---------	d-----w	C:\Program Files\ACD

2007-12-29 20:18	---------	d-----w	C:\Documents and Settings\jojojo\Dane aplikacji\Gadu-Gadu

2007-12-29 20:02	512,096	----a-w	C:\WINDOWS\system32\drivers\amon.sys

2007-12-29 20:02	298,104	----a-w	C:\WINDOWS\system32\imon.dll

2007-12-29 20:02	15,424	----a-w	C:\WINDOWS\system32\drivers\nod32drv.sys

2007-12-29 19:53	---------	d--h--w	C:\Program Files\InstallShield Installation Information

2007-12-29 19:53	---------	d-----w	C:\Program Files\ATI Technologies

2007-12-29 19:47	---------	d-----w	C:\Program Files\Common Files\InstallShield

2007-12-29 19:47	---------	d-----w	C:\Program Files\Analog Devices

2007-12-29 19:38	---------	d-----w	C:\Program Files\microsoft frontpage

2007-12-29 19:34	---------	d-----w	C:\Program Files\Usługi online

.


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2003-04-16 13:00]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 21:10]

"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-29 21:02]

"Windows Network Firewall"="C:\WINDOWS\System32\firewall.exe" []


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-04-16 13:00]



.

**************************************************************************


catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-29 22:20:59

Windows 5.1.2600 Dodatek Service Pack. 1 NTFS


scanning hidden processes ... 


scanning hidden autostart entries ...


scanning hidden files ... 


scan completed successfully 

hidden files: 0 


**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes --------------------- 


PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.1106]

-> C:\Program Files\Eset\pr_imon.dll

.

Completion time: 2007-12-29 22:21:33 - machine was rebooted [jojojo]

Pozdrawiam, czekam na pomoc.

Tak ma to wyglądać

Asterisk

jojojo · 29 Grudzień 2007 22:20

Dzięki, wiem. Właśnie to doczytałem i miałem poprawić ,ale znów wysypał mi sie system. Na drugi raz będzie dobrze

Gutek · 30 Grudzień 2007 00:18

O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINDOWS\System32\firewall.exe

mamy wpis i plik do usunięcia

Daj log z ComboFix

jojojo · 30 Grudzień 2007 10:51

Niestety nie miałem już pliku firewall.exe w podanym miejscu. Był już w kwarantannie NODa. Do tego jeszcze coś mi się zrobiło, że nie miałem połączenia z netem.

Ponowny reinstal z formatem, na początku dobrze i nagle komunikat z NODa:

Nie wiem jak te syfy idą, czy to wina zarządcy sieci, czy czegoś innego? Może system? Ja mam xp. U mojej mamy jest neostrada na Windzie 98 i takie rzeczy się nie dzieją! Tam NOD praktycznie nie ma co robić.

Podaję logi:

HIJACK

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:36:42, on 2007-12-30 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Analog Devices\SoundMAX\SMTray.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Eset\nod32krn.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Właściciel\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla HiJackThis(2).zip\HijackThis.exe C:\WINDOWS\System32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.o2.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe – End of file - 2537 bytes

COMBOFIX

ComboFix 07-12-21.4 - Właściciel 2007-12-30 11:31:11.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.1.1250.1.1045.18.515 [GMT 1:00] Running from: C:\Documents and Settings\Właściciel\Pulpit\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 ))))))))))))))))))))))))))))))) . No new files created in this timespan . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-30 10:27 483,328 ----a-w C:\WINDOWS\system32\amq.exe 2007-12-30 10:15 --------- d-----w C:\Documents and Settings\Właściciel\Dane aplikacji\Gadu-Gadu 2007-12-30 10:13 --------- d-----w C:\Program Files\Gadu-Gadu 2007-12-30 10:06 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys 2007-12-30 10:06 298,104 ----a-w C:\WINDOWS\system32\imon.dll 2007-12-30 10:06 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys 2007-12-30 09:50 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-12-30 09:49 --------- d-----w C:\Program Files\ATI Technologies 2007-12-30 09:45 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-12-30 09:45 --------- d-----w C:\Program Files\Analog Devices 2007-12-30 09:33 --------- d-----w C:\Program Files\microsoft frontpage 2007-12-30 09:30 --------- d-----w C:\Program Files\Usługi online . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Smapp”=“C:\Program Files\Analog Devices\SoundMAX\SMTray.exe” [2003-05-05 08:57] “ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2003-09-12 21:10] “nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-12-30 11:06] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2003-04-16 13:00] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{55ec0c03-b6c0-11dc-abde-806d6172696f}] \Shell\AutoRun\command - F:\Autorun.exe *Newly Created Service* - CATCHME *Newly Created Service* - NOD32DRV *Newly Created Service* - PROCEXP90 . ************************************************************************** catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-30 11:31:50 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.1106] -> C:\Program Files\Eset\pr_imon.dll . Completion time: 2007-12-30 11:32:15

SILENT RUNNERS

“Silent Runners.vbs”, revision 55, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “Smapp” = “C:\Program Files\Analog Devices\SoundMAX\SMTray.exe” [“Analog Devices, Inc.”] “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [“ATI Technologies, Inc.”] “nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "] HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ {306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided) \StubPath = ““C:\WINDOWS\System32\rundll32.exe” “C:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\SOFTWARE\Classes*\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) dword:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) dword:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 19 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 18 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\System32\Ati2evxx.exe” [“ATI Technologies Inc.”] NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "] SoundMAX Agent Service, SoundMAX Agent Service (default), “C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe” [“Analog Devices, Inc.”] ---------- (launch time: 2007-12-30 11:39:11) <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 52 seconds, including 3 seconds for message boxes)

Gutek · 30 Grudzień 2007 13:37

Otwórz Notatnik i wklej w nim to:

Windows Registry Editor Version 5.00 


[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.

C:\WINDOWS\system32\amq.exe - przeskanuj plik na http://virusscan.jotti.org/

jojojo · 30 Grudzień 2007 13:57

nie mam takiego pliku C:\WINDOWS\system32\amq.exe

Żeby było śmieszniej nie mam go nigdzie, nawet w kwarantannie NODa

Gutek · 30 Grudzień 2007 14:00

2007-12-30 10:27 483,328 ----a-w C:\WINDOWS\system32\amq.exe musi być

jojojo · 30 Grudzień 2007 14:33

a ja nie mam. szukałem w różny sposób i nic. jako wyszukaj i nic, wyświetliłem wszystkie pliki w folderze system32 i pomiędzy plikiem amcompat.tlb a amstream.dll nie mam nic

jojojo · 30 Grudzień 2007 14:41

skopiowałem nawet adres w “uruchom” i nie znalazło

Gutek · 30 Grudzień 2007 14:52

Mój komputer >>> Narzędzia >>> Opcje folderów >>> Widok

Zaznaczone Pokaż ukryte pliki i foldery + odznaczone Ukryj chronione pliki systemu operacyjnego…

I jak będzie przeskanuj

jojojo · 30 Grudzień 2007 15:29

Od tego zacząłem i nie ma. Włączyłem ponownie ukrywanie i wyłączyłem jeszcze raz dla pewności i nie ma. Na prawdę nie ma!

Może zrobię format WSZYSTKICH partycji i zacznę od nowa, tylko jak i czym mam zabezpieczyć się, żeby znowu nie zawracać Wam głowy…?

Ciągle NOD coś znajduje, a ja wymiękam.

Gutek · 30 Grudzień 2007 15:35

W takim układzie Daj log z ComboFix

jojojo · 30 Grudzień 2007 16:09

zrobiłem raz:

i nie mogłem odpalić netu, zrobiłem drugi raz:

ComboFix 07-12-21.4 - Właściciel 2007-12-30 16:53:27.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.1.1250.1.1045.18.468 [GMT 1:00] Running from: C:\Documents and Settings\Właściciel\Pulpit\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 ))))))))))))))))))))))))))))))) . 2007-12-30 15:24 . 2007-12-30 15:24 20,724 --a------ C:\WINDOWS\system32\wrqv.exe 2007-12-30 15:24 . 2007-12-30 15:24 20,724 --a------ C:\WINDOWS\system32\lkhz.exe 2007-12-30 15:24 . 2007-12-30 15:24 6,358 --a------ C:\WINDOWS\system32\rggd.exe 2007-12-30 15:24 . 2007-12-30 15:24 6,358 --a------ C:\WINDOWS\system32\ojvps.exe 2007-12-30 14:50 . 2007-12-30 14:50 20,724 --a------ C:\WINDOWS\system32\htzosh.exe 2007-12-30 14:50 . 2007-12-30 14:50 20,724 --a------ C:\WINDOWS\system32\benmawmb.exe 2007-12-30 14:50 . 2007-12-30 14:50 6,358 --a------ C:\WINDOWS\system32\vdxdpk.exe 2007-12-30 14:50 . 2007-12-30 14:50 6,358 --a------ C:\WINDOWS\system32\rotq.exe 2007-12-30 14:38 . 2007-12-30 14:38 20,724 --a------ C:\WINDOWS\system32\xjutsm.exe 2007-12-30 14:38 . 2007-12-30 14:38 20,724 --a------ C:\WINDOWS\system32\uwnp.exe 2007-12-30 14:38 . 2007-12-30 14:38 6,358 --a------ C:\WINDOWS\system32\yojxka.exe 2007-12-30 14:38 . 2007-12-30 14:38 6,358 --a------ C:\WINDOWS\system32\gobfiza.exe 2007-12-30 14:37 . 2007-12-30 14:37 20,724 --a------ C:\WINDOWS\system32\kazdbut.exe 2007-12-30 14:37 . 2007-12-30 14:37 20,724 --a------ C:\WINDOWS\system32\cyevf.exe 2007-12-30 14:37 . 2007-12-30 14:37 6,358 --a------ C:\WINDOWS\system32\ljye.exe 2007-12-30 14:37 . 2007-12-30 14:37 6,358 --a------ C:\WINDOWS\system32\irnbki.exe 2007-12-30 14:35 . 2007-12-30 14:35 20,724 --a------ C:\WINDOWS\system32\uypwzo.exe 2007-12-30 14:35 . 2007-12-30 14:35 20,724 --a------ C:\WINDOWS\system32\olum.exe 2007-12-30 14:35 . 2007-12-30 14:35 6,358 --a------ C:\WINDOWS\system32\kqlix.exe 2007-12-30 14:35 . 2007-12-30 14:35 6,358 --a------ C:\WINDOWS\system32\ilhq.exe 2007-12-30 14:30 . 2007-12-30 14:30 69 --a------ C:\WINDOWS\NeroDigital.ini 2007-12-30 14:28 . 2007-12-30 14:28 20,724 --a------ C:\WINDOWS\system32\fbxuxvix.exe 2007-12-30 14:28 . 2007-12-30 14:28 20,724 --a------ C:\WINDOWS\system32\aehqwpu.exe 2007-12-30 14:28 . 2007-12-30 14:28 6,358 --a------ C:\WINDOWS\system32\jtsw.exe 2007-12-30 14:28 . 2007-12-30 14:28 6,358 --a------ C:\WINDOWS\system32\dkbmpssv.exe 2007-12-30 14:27 . 2007-12-30 14:27 20,724 --a------ C:\WINDOWS\system32\xhfaetik.exe 2007-12-30 14:27 . 2007-12-30 14:27 20,724 --a------ C:\WINDOWS\system32\vhdpmt.exe 2007-12-30 14:27 . 2007-12-30 14:27 6,358 --a------ C:\WINDOWS\system32\vcycpg.exe 2007-12-30 14:27 . 2007-12-30 14:27 6,358 --a------ C:\WINDOWS\system32\onzgl.exe 2007-12-30 14:07 . 2004-07-26 17:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll 2007-12-30 14:07 . 2004-07-26 17:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll 2007-12-30 14:07 . 2004-07-26 17:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll 2007-12-30 14:07 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll 2007-12-30 14:07 . 2004-07-26 17:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll 2007-12-30 14:07 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll 2007-12-30 14:06 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe 2007-12-30 14:05 . 2007-12-30 14:05 2007-12-30 14:05 . 2007-12-30 14:07 2007-12-30 13:59 . 2007-12-30 13:59 2007-12-30 13:56 . 2007-12-30 13:56 20,724 --a------ C:\WINDOWS\system32\qltpgece.exe 2007-12-30 13:56 . 2007-12-30 13:56 20,724 --a------ C:\WINDOWS\system32\omiprsaq.exe 2007-12-30 13:56 . 2007-12-30 13:56 6,358 --a------ C:\WINDOWS\system32\veatkop.exe 2007-12-30 13:56 . 2007-12-30 13:56 6,358 --a------ C:\WINDOWS\system32\cuep.exe 2007-12-30 13:55 . 2007-12-30 13:55 2007-12-30 13:51 . 2007-12-30 14:04 2007-12-30 13:51 . 2007-12-30 13:51 2007-12-30 13:51 . 2004-10-01 15:00 40,960 --a------ C:\Program Files\Uninstall_CDS.exe 2007-12-30 13:49 . 2007-12-30 13:49 2007-12-30 13:48 . 2007-12-30 15:24 2007-12-30 13:48 . 1998-06-24 00:00 115,016 --a------ C:\WINDOWS\system32\MSINET.OCX 2007-12-30 13:48 . 1998-07-22 00:00 102,912 --a------ C:\WINDOWS\system32\Vb6stkit.dll 2007-12-30 13:48 . 1998-07-22 00:00 102,160 --a------ C:\WINDOWS\system32\VB6KO.DLL 2007-12-30 13:48 . 2006-02-17 14:19 16,384 --a------ C:\WINDOWS\system32\lgfwunis.exe 2007-12-30 13:48 . 2007-12-30 15:24 289 --a------ C:\WINDOWS\lgfwup.ini 2007-12-30 12:45 . 2007-12-30 12:45 20,724 --a------ C:\WINDOWS\system32\zghnjs.exe 2007-12-30 12:45 . 2007-12-30 12:45 20,724 --a------ C:\WINDOWS\system32\rtxlgm.exe 2007-12-30 12:45 . 2007-12-30 12:45 6,358 --a------ C:\WINDOWS\system32\bywkk.exe 2007-12-30 12:45 . 2007-12-30 12:45 6,358 --a------ C:\WINDOWS\system32\aintzotp.exe 2007-12-30 12:44 . 2007-12-30 12:47 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-30 13:04 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-12-30 10:15 --------- d-----w C:\Documents and Settings\Właściciel\Dane aplikacji\Gadu-Gadu 2007-12-30 10:13 --------- d-----w C:\Program Files\Gadu-Gadu 2007-12-30 10:06 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys 2007-12-30 10:06 298,104 ----a-w C:\WINDOWS\system32\imon.dll 2007-12-30 10:06 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys 2007-12-30 09:49 --------- d-----w C:\Program Files\ATI Technologies 2007-12-30 09:45 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-12-30 09:45 --------- d-----w C:\Program Files\Analog Devices 2007-12-30 09:33 --------- d-----w C:\Program Files\microsoft frontpage 2007-12-30 09:30 --------- d-----w C:\Program Files\Usługi online . ((((((((((((((((((((((((((((( snapshot@2007-12-30_11.31.49.71 ))))))))))))))))))))))))))))))))))))))))) . - 2002-12-04 01:03:54 11,392 ----a-w C:\WINDOWS\Driver Cache\i386\bdasup.sys + 2003-02-17 09:16:26 11,392 ----a-w C:\WINDOWS\Driver Cache\i386\bdasup.sys - 2002-12-04 01:04:12 16,384 ----a-w C:\WINDOWS\Driver Cache\i386\ccdecode.sys + 2003-02-17 09:16:26 16,384 ----a-w C:\WINDOWS\Driver Cache\i386\ccdecode.sys - 2002-12-06 22:55:36 15,104 ----a-w C:\WINDOWS\Driver Cache\i386\mpe.sys + 2003-02-17 09:16:26 15,104 ----a-w C:\WINDOWS\Driver Cache\i386\mpe.sys - 2002-11-12 18:15:30 52,096 ----a-w C:\WINDOWS\Driver Cache\i386\msdv.sys + 2003-02-17 09:21:50 52,096 ----a-w C:\WINDOWS\Driver Cache\i386\msdv.sys - 2002-12-04 01:04:20 16,896 ----a-w C:\WINDOWS\Driver Cache\i386\msyuv.dll + 2003-02-17 09:16:28 16,896 ----a-w C:\WINDOWS\Driver Cache\i386\msyuv.dll - 2002-12-04 01:04:14 83,968 ----a-w C:\WINDOWS\Driver Cache\i386\nabtsfec.sys + 2003-02-17 09:16:28 83,968 ----a-w C:\WINDOWS\Driver Cache\i386\nabtsfec.sys - 2002-12-06 22:56:36 10,112 ----a-w C:\WINDOWS\Driver Cache\i386\ndisip.sys + 2003-02-17 09:16:28 10,112 ----a-w C:\WINDOWS\Driver Cache\i386\ndisip.sys - 2002-12-04 00:33:32 354,816 ----a-w C:\WINDOWS\Driver Cache\i386\psisdecd.dll + 2003-02-17 09:16:28 354,816 ----a-w C:\WINDOWS\Driver Cache\i386\psisdecd.dll - 2002-12-04 01:03:56 10,880 ----a-w C:\WINDOWS\Driver Cache\i386\slip.sys + 2003-02-17 09:16:28 10,880 ----a-w C:\WINDOWS\Driver Cache\i386\slip.sys - 2002-12-04 01:03:54 14,976 ----a-w C:\WINDOWS\Driver Cache\i386\streamip.sys + 2003-02-17 09:16:28 14,976 ----a-w C:\WINDOWS\Driver Cache\i386\streamip.sys - 2002-12-04 01:04:12 18,688 ----a-w C:\WINDOWS\Driver Cache\i386\wstcodec.sys + 2003-02-17 09:16:32 18,688 ----a-w C:\WINDOWS\Driver Cache\i386\wstcodec.sys - 2002-12-11 23:14:32 797,184 ----a-w C:\WINDOWS\RegisteredPackages{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\d3dim700.dll + 2003-05-30 08:00:02 797,184 ----a-w C:\WINDOWS\RegisteredPackages{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\d3dim700.dll - 2002-12-11 23:14:32 132,096 ----a-w C:\WINDOWS\RegisteredPackages{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\devenum.dll + 2003-05-30 08:00:02 132,608 ----a-w C:\WINDOWS\RegisteredPackages{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\devenum.dll - 2002-12-11 23:14:32 32,768 ----a-w C:\WINDOWS\RegisteredPackages{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpnhpast.dll + 2003-03-24 08:00:02 32,768 ----a-w C:\WINDOWS\RegisteredPackages{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpnhpast.dll - 2002-12-11 23:14:32 68,096 ----a-w C:\WINDOWS\RegisteredPackages{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpnhupnp.dll + 2003-03-24 08:00:02 68,096 ----a-w C:\WINDOWS\RegisteredPackages{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dpnhupnp.dll - 2002-12-11 23:14:32 1,189,888 ----a-w C:\WINDOWS\RegisteredPackages{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dx8vb.dll + 2003-05-30 08:00:02 1,189,888 ----a-w C:\WINDOWS\RegisteredPackages{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dx8vb.dll - 2002-12-11 23:14:32 937,984 ----a-w C:\WINDOWS\RegisteredPackages{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdiag.exe + 2003-05-30 08:00:02 937,984 ----a-w C:\WINDOWS\RegisteredPackages{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdiag.exe - 2002-12-11 23:14:32 449,024 ----a-w C:\WINDOWS\RegisteredPackages{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\qdvd.dll + 2003-05-30 08:00:02 449,024 ----a-w C:\WINDOWS\RegisteredPackages{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\qdvd.dll - 2002-12-11 23:14:32 1,962,496 ----a-w C:\WINDOWS\RegisteredPackages{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\quartz.dll + 2003-05-30 08:00:02 1,962,496 ----a-w C:\WINDOWS\RegisteredPackages{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\quartz.dll - 2002-12-04 01:03:54 11,392 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\bdasup.sys + 2003-02-17 09:16:26 11,392 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\bdasup.sys - 2002-12-04 01:04:12 16,384 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\ccdecode.sys + 2003-02-17 09:16:26 16,384 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\ccdecode.sys - 2002-12-06 22:55:36 15,104 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\mpe.sys + 2003-02-17 09:16:26 15,104 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\mpe.sys - 2002-12-04 00:34:46 1,230,336 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\msvidctl.dll + 2003-02-17 09:16:28 1,230,336 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\msvidctl.dll - 2002-12-04 01:04:20 16,896 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\msyuv.dll + 2003-02-17 09:16:28 16,896 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\msyuv.dll - 2002-12-04 01:04:14 83,968 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\nabtsfec.sys + 2003-02-17 09:16:28 83,968 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\nabtsfec.sys - 2002-12-06 22:56:36 10,112 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\ndisip.sys + 2003-02-17 09:16:28 10,112 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\ndisip.sys - 2002-12-04 00:33:32 354,816 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\psisdecd.dll + 2003-02-17 09:16:28 354,816 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\psisdecd.dll - 2002-12-04 01:03:56 10,880 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\slip.sys + 2003-02-17 09:16:28 10,880 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\slip.sys - 2002-12-04 01:03:54 14,976 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\streamip.sys + 2003-02-17 09:16:28 14,976 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\streamip.sys - 2002-12-04 01:04:12 18,688 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\wstcodec.sys + 2003-02-17 09:16:32 18,688 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\wstcodec.sys - 2002-12-04 01:04:14 47,104 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\wstdecod.dll + 2003-02-17 09:16:32 47,104 ----a-w C:\WINDOWS\RegisteredPackages{AA936DF4-2B08-4B1F-B071-72192E287704}\wstdecod.dll - 2003-04-16 12:00:00 204,800 ----a-w C:\WINDOWS\system32\blackbox.dll + 2002-12-11 17:09:20 232,960 ----a-w C:\WINDOWS\system32\blackbox.dll - 2007-12-30 10:07:19 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat + 2007-12-30 13:09:08 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat - 2007-12-30 10:07:19 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat + 2007-12-30 13:09:08 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat - 2007-12-30 10:07:19 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat + 2007-12-30 13:09:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat - 2002-12-11 23:14:32 1,634,304 ----a-w C:\WINDOWS\system32\d3d9.dll + 2003-05-30 08:00:02 1,634,304 ----a-w C:\WINDOWS\system32\d3d9.dll - 2002-12-11 23:14:32 797,184 ----a-w C:\WINDOWS\system32\d3dim700.dll + 2003-05-30 08:00:02 797,184 ----a-w C:\WINDOWS\system32\d3dim700.dll - 2002-12-11 23:14:32 132,096 ----a-w C:\WINDOWS\system32\devenum.dll + 2003-05-30 08:00:02 132,608 ----a-w C:\WINDOWS\system32\devenum.dll - 2002-12-04 01:03:54 11,392 -c–a-w C:\WINDOWS\system32\dllcache\bdasup.sys + 2003-02-17 09:16:26 11,392 -c–a-w C:\WINDOWS\system32\dllcache\bdasup.sys - 2003-04-16 12:00:00 204,800 -c–a-w C:\WINDOWS\system32\dllcache\blackbox.dll + 2002-12-11 17:09:20 232,960 -c–a-w C:\WINDOWS\system32\dllcache\blackbox.dll - 2002-12-04 01:04:12 16,384 -c–a-w C:\WINDOWS\system32\dllcache\ccdecode.sys + 2003-02-17 09:16:26 16,384 -c–a-w C:\WINDOWS\system32\dllcache\ccdecode.sys - 2002-12-11 23:14:32 797,184 -c–a-w C:\WINDOWS\system32\dllcache\d3dim700.dll + 2003-05-30 08:00:02 797,184 -c–a-w C:\WINDOWS\system32\dllcache\d3dim700.dll - 2002-12-11 23:14:32 132,096 -c–a-w C:\WINDOWS\system32\dllcache\devenum.dll + 2003-05-30 08:00:02 132,608 -c–a-w C:\WINDOWS\system32\dllcache\devenum.dll - 2002-12-11 23:14:32 32,768 -c–a-w C:\WINDOWS\system32\dllcache\dpnhpast.dll + 2003-03-24 08:00:02 32,768 -c–a-w C:\WINDOWS\system32\dllcache\dpnhpast.dll - 2002-12-11 23:14:32 68,096 -c–a-w C:\WINDOWS\system32\dllcache\dpnhupnp.dll + 2003-03-24 08:00:02 68,096 -c–a-w C:\WINDOWS\system32\dllcache\dpnhupnp.dll - 2003-04-16 12:00:00 266,240 -c–a-w C:\WINDOWS\system32\dllcache\drmclien.dll + 2002-12-11 17:50:18 301,712 -c–a-w C:\WINDOWS\system32\dllcache\drmclien.dll - 2003-04-16 12:00:00 76,830 -c–a-w C:\WINDOWS\system32\dllcache\drmstor.dll + 2002-12-11 16:34:42 82,432 -c–a-w C:\WINDOWS\system32\dllcache\drmstor.dll - 2003-04-16 12:00:00 602,112 -c–a-w C:\WINDOWS\system32\dllcache\drmv2clt.dll + 2002-12-11 17:09:22 678,912 -c–a-w C:\WINDOWS\system32\dllcache\drmv2clt.dll - 2002-12-11 23:14:32 1,189,888 -c–a-w C:\WINDOWS\system32\dllcache\dx8vb.dll + 2003-05-30 08:00:02 1,189,888 -c–a-w C:\WINDOWS\system32\dllcache\dx8vb.dll - 2002-12-11 23:14:32 937,984 -c–a-w C:\WINDOWS\system32\dllcache\dxdiag.exe + 2003-05-30 08:00:02 937,984 -c–a-w C:\WINDOWS\system32\dllcache\dxdiag.exe - 2003-04-16 12:00:00 6,656 -c–a-w C:\WINDOWS\system32\dllcache\laprxy.dll + 2002-12-11 14:16:58 6,656 -c–a-w C:\WINDOWS\system32\dllcache\laprxy.dll - 2003-04-16 12:00:00 24,576 -c–a-w C:\WINDOWS\system32\dllcache\logagent.exe + 2002-12-11 14:04:20 81,408 -c–a-w C:\WINDOWS\system32\dllcache\logagent.exe - 2002-12-06 22:55:36 15,104 -c–a-w C:\WINDOWS\system32\dllcache\mpe.sys + 2003-02-17 09:16:26 15,104 -c–a-w C:\WINDOWS\system32\dllcache\mpe.sys - 2003-04-16 12:00:00 233,472 -c–a-w C:\WINDOWS\system32\dllcache\mpg4dmod.dll + 2002-12-11 16:34:40 241,664 -c–a-w C:\WINDOWS\system32\dllcache\mpg4dmod.dll - 2002-11-12 18:15:30 52,096 -c–a-w C:\WINDOWS\system32\dllcache\msdv.sys + 2003-02-17 09:21:50 52,096 -c–a-w C:\WINDOWS\system32\dllcache\msdv.sys - 2003-04-16 12:00:00 174,592 -c–a-w C:\WINDOWS\system32\dllcache\msnetobj.dll + 2002-12-11 17:09:22 253,952 -c–a-w C:\WINDOWS\system32\dllcache\msnetobj.dll - 2002-12-04 00:34:46 1,230,336 -c–a-w C:\WINDOWS\system32\dllcache\msvidctl.dll + 2003-02-17 09:16:28 1,230,336 -c–a-w C:\WINDOWS\system32\dllcache\msvidctl.dll - 2002-12-04 01:04:20 16,896 -c–a-w C:\WINDOWS\system32\dllcache\msyuv.dll + 2003-02-17 09:16:28 16,896 -c–a-w C:\WINDOWS\system32\dllcache\msyuv.dll - 2002-12-04 01:04:14 83,968 -c–a-w C:\WINDOWS\system32\dllcache\nabtsfec.sys + 2003-02-17 09:16:28 83,968 -c–a-w C:\WINDOWS\system32\dllcache\nabtsfec.sys - 2002-12-06 22:56:36 10,112 -c–a-w C:\WINDOWS\system32\dllcache\ndisip.sys + 2003-02-17 09:16:28 10,112 -c–a-w C:\WINDOWS\system32\dllcache\ndisip.sys - 2003-04-16 12:00:00 157,696 -c–a-w C:\WINDOWS\system32\dllcache\npdrmv2.dll + 2002-12-11 17:09:24 217,600 -c–a-w C:\WINDOWS\system32\dllcache\npdrmv2.dll - 2003-04-16 12:00:00 8,223 -c–a-w C:\WINDOWS\system32\dllcache\npwmsdrm.dll + 2002-12-11 16:34:42 9,728 -c–a-w C:\WINDOWS\system32\dllcache\npwmsdrm.dll - 2002-12-04 00:33:32 354,816 -c–a-w C:\WINDOWS\system32\dllcache\psisdecd.dll + 2003-02-17 09:16:28 354,816 -c–a-w C:\WINDOWS\system32\dllcache\psisdecd.dll - 2002-12-11 23:14:32 173,056 -c–a-w C:\WINDOWS\system32\dllcache\qasf.dll + 2002-12-11 16:34:40 241,664 -c–a-w C:\WINDOWS\system32\dllcache\qasf.dll - 2002-12-11 23:14:32 449,024 -c–a-w C:\WINDOWS\system32\dllcache\qdvd.dll + 2003-05-30 08:00:02 449,024 -c–a-w C:\WINDOWS\system32\dllcache\qdvd.dll - 2002-12-11 23:14:32 1,962,496 -c–a-w C:\WINDOWS\system32\dllcache\quartz.dll + 2003-05-30 08:00:02 1,962,496 -c–a-w C:\WINDOWS\system32\dllcache\quartz.dll - 2002-12-04 01:03:56 10,880 -c–a-w C:\WINDOWS\system32\dllcache\slip.sys + 2003-02-17 09:16:28 10,880 -c–a-w C:\WINDOWS\system32\dllcache\slip.sys - 2002-12-04 01:03:54 14,976 -c–a-w C:\WINDOWS\system32\dllcache\streamip.sys + 2003-02-17 09:16:28 14,976 -c–a-w C:\WINDOWS\system32\dllcache\streamip.sys - 2003-04-16 12:00:00 184,320 -c–a-w C:\WINDOWS\system32\dllcache\wmadmod.dll + 2002-12-11 18:11:02 410,248 -c–a-w C:\WINDOWS\system32\dllcache\wmadmod.dll - 2003-04-16 12:00:00 442,398 -c–a-w C:\WINDOWS\system32\dllcache\wmadmoe.dll + 2002-12-11 16:34:40 670,208 -c–a-w C:\WINDOWS\system32\dllcache\wmadmoe.dll - 2003-04-16 12:00:00 274,432 -c–a-w C:\WINDOWS\system32\dllcache\wmasf.dll + 2002-12-11 16:23:48 218,112 -c–a-w C:\WINDOWS\system32\dllcache\wmasf.dll - 2003-04-16 12:00:00 253,952 -c–a-w C:\WINDOWS\system32\dllcache\wmnetmgr.dll + 2002-12-11 16:23:58 981,504 -c–a-w C:\WINDOWS\system32\dllcache\wmnetmgr.dll - 2003-04-16 12:00:00 110,592 -c–a-w C:\WINDOWS\system32\dllcache\wmsdmod.dll + 2002-12-11 18:12:50 760,968 -c–a-w C:\WINDOWS\system32\dllcache\wmsdmod.dll - 2003-04-16 12:00:00 1,220,608 -c–a-w C:\WINDOWS\system32\dllcache\wmvcore.dll + 2002-12-11 18:02:38 2,058,888 -c–a-w C:\WINDOWS\system32\dllcache\wmvcore.dll - 2003-04-16 12:00:00 294,912 -c–a-w C:\WINDOWS\system32\dllcache\wmvdmod.dll + 2002-12-11 18:10:00 816,264 -c–a-w C:\WINDOWS\system32\dllcache\wmvdmod.dll - 2002-12-04 01:04:12 18,688 -c–a-w C:\WINDOWS\system32\dllcache\wstcodec.sys + 2003-02-17 09:16:32 18,688 -c–a-w C:\WINDOWS\system32\dllcache\wstcodec.sys - 2002-12-04 01:04:14 47,104 -c–a-w C:\WINDOWS\system32\dllcache\wstdecod.dll + 2003-02-17 09:16:32 47,104 -c–a-w C:\WINDOWS\system32\dllcache\wstdecod.dll - 2002-12-11 23:14:32 32,768 ----a-w C:\WINDOWS\system32\dpnhpast.dll + 2003-03-24 08:00:02 32,768 ----a-w C:\WINDOWS\system32\dpnhpast.dll - 2002-12-11 23:14:32 68,096 ----a-w C:\WINDOWS\system32\dpnhupnp.dll + 2003-03-24 08:00:02 68,096 ----a-w C:\WINDOWS\system32\dpnhupnp.dll - 2002-12-04 01:03:54 11,392 ----a-w C:\WINDOWS\system32\drivers\bdasup.sys + 2003-02-17 09:16:26 11,392 ----a-w C:\WINDOWS\system32\drivers\bdasup.sys - 2002-12-04 01:04:12 16,384 ----a-w C:\WINDOWS\system32\drivers\ccdecode.sys + 2003-02-17 09:16:26 16,384 ----a-w C:\WINDOWS\system32\drivers\ccdecode.sys - 2002-12-06 22:55:36 15,104 ----a-w C:\WINDOWS\system32\drivers\mpe.sys + 2003-02-17 09:16:26 15,104 ----a-w C:\WINDOWS\system32\drivers\mpe.sys - 2002-11-12 18:15:30 52,096 ----a-w C:\WINDOWS\system32\drivers\msdv.sys + 2003-02-17 09:21:50 52,096 ----a-w C:\WINDOWS\system32\drivers\msdv.sys - 2002-12-04 01:04:14 83,968 ----a-w C:\WINDOWS\system32\drivers\nabtsfec.sys + 2003-02-17 09:16:28 83,968 ----a-w C:\WINDOWS\system32\drivers\nabtsfec.sys - 2002-12-06 22:56:36 10,112 ----a-w C:\WINDOWS\system32\drivers\ndisip.sys + 2003-02-17 09:16:28 10,112 ----a-w C:\WINDOWS\system32\drivers\ndisip.sys - 2002-12-04 01:03:56 10,880 ----a-w C:\WINDOWS\system32\drivers\slip.sys + 2003-02-17 09:16:28 10,880 ----a-w C:\WINDOWS\system32\drivers\slip.sys - 2002-12-04 01:03:54 14,976 ----a-w C:\WINDOWS\system32\drivers\streamip.sys + 2003-02-17 09:16:28 14,976 ----a-w C:\WINDOWS\system32\drivers\streamip.sys - 2002-12-04 01:04:12 18,688 ----a-w C:\WINDOWS\system32\drivers\wstcodec.sys + 2003-02-17 09:16:32 18,688 ----a-w C:\WINDOWS\system32\drivers\wstcodec.sys - 2003-04-16 12:00:00 266,240 ----a-w C:\WINDOWS\system32\drmclien.dll + 2002-12-11 17:50:18 301,712 ----a-w C:\WINDOWS\system32\drmclien.dll - 2003-04-16 12:00:00 76,830 ----a-w C:\WINDOWS\system32\drmstor.dll + 2002-12-11 16:34:42 82,432 ----a-w C:\WINDOWS\system32\drmstor.dll - 2003-04-16 12:00:00 602,112 ----a-w C:\WINDOWS\system32\drmv2clt.dll + 2002-12-11 17:09:22 678,912 ----a-w C:\WINDOWS\system32\drmv2clt.dll - 2002-12-11 23:14:32 1,189,888 ----a-w C:\WINDOWS\system32\dx8vb.dll + 2003-05-30 08:00:02 1,189,888 ----a-w C:\WINDOWS\system32\dx8vb.dll - 2002-12-11 23:14:32 937,984 ----a-w C:\WINDOWS\system32\dxdiag.exe + 2003-05-30 08:00:02 937,984 ----a-w C:\WINDOWS\system32\dxdiag.exe - 2002-12-11 23:14:32 1,675,264 ----a-w C:\WINDOWS\system32\dxdiagn.dll + 2003-05-30 08:00:02 1,675,264 ----a-w C:\WINDOWS\system32\dxdiagn.dll - 2003-04-16 12:00:00 6,656 ----a-w C:\WINDOWS\system32\laprxy.dll + 2002-12-11 14:16:58 6,656 ----a-w C:\WINDOWS\system32\laprxy.dll - 2003-04-16 12:00:00 24,576 ----a-w C:\WINDOWS\system32\logagent.exe + 2002-12-11 14:04:20 81,408 ----a-w C:\WINDOWS\system32\logagent.exe + 2003-04-16 12:00:00 80,391 —h–w C:\WINDOWS\system32\lssas.exe + 2002-12-11 18:12:02 316,040 ----a-w C:\WINDOWS\system32\mp43dmod.dll + 2002-12-11 14:16:58 384,512 ----a-w C:\WINDOWS\system32\mp4sdmod.dll - 2003-04-16 12:00:00 233,472 ----a-w C:\WINDOWS\system32\mpg4dmod.dll + 2002-12-11 16:34:40 241,664 ----a-w C:\WINDOWS\system32\mpg4dmod.dll - 2003-04-16 12:00:00 174,592 ----a-w C:\WINDOWS\system32\msnetobj.dll + 2002-12-11 17:09:22 253,952 ----a-w C:\WINDOWS\system32\msnetobj.dll - 2002-12-04 00:34:46 1,230,336 ----a-w C:\WINDOWS\system32\msvidctl.dll + 2003-02-17 09:16:28 1,230,336 ----a-w C:\WINDOWS\system32\msvidctl.dll - 2002-12-04 01:04:20 16,896 ----a-w C:\WINDOWS\system32\msyuv.dll + 2003-02-17 09:16:28 16,896 ----a-w C:\WINDOWS\system32\msyuv.dll - 2007-12-30 10:05:00 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat + 2007-12-30 10:36:24 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat - 2007-12-30 10:05:00 49,492 ----a-w C:\WINDOWS\system32\perfc015.dat + 2007-12-30 10:36:24 49,492 ----a-w C:\WINDOWS\system32\perfc015.dat - 2007-12-30 10:05:00 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat + 2007-12-30 10:36:24 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat - 2007-12-30 10:05:00 355,486 ----a-w C:\WINDOWS\system32\perfh015.dat + 2007-12-30 10:36:24 355,486 ----a-w C:\WINDOWS\system32\perfh015.dat - 2002-12-04 00:33:32 354,816 ----a-w C:\WINDOWS\system32\psisdecd.dll + 2003-02-17 09:16:28 354,816 ----a-w C:\WINDOWS\system32\psisdecd.dll - 2002-12-11 23:14:32 173,056 ----a-w C:\WINDOWS\system32\qasf.dll + 2002-12-11 16:34:40 241,664 ----a-w C:\WINDOWS\system32\qasf.dll - 2002-12-11 23:14:32 449,024 ----a-w C:\WINDOWS\system32\qdvd.dll + 2003-05-30 08:00:02 449,024 ----a-w C:\WINDOWS\system32\qdvd.dll - 2002-12-11 23:14:32 1,962,496 ----a-w C:\WINDOWS\system32\quartz.dll + 2003-05-30 08:00:02 1,962,496 ----a-w C:\WINDOWS\system32\quartz.dll + 2003-04-16 12:00:00 76,540 —h–w C:\WINDOWS\system32\winamp.exe - 2003-04-16 12:00:00 184,320 ----a-w C:\WINDOWS\system32\wmadmod.dll + 2002-12-11 18:11:02 410,248 ----a-w C:\WINDOWS\system32\wmadmod.dll - 2003-04-16 12:00:00 442,398 ----a-w C:\WINDOWS\system32\wmadmoe.dll + 2002-12-11 16:34:40 670,208 ----a-w C:\WINDOWS\system32\wmadmoe.dll - 2003-04-16 12:00:00 274,432 ----a-w C:\WINDOWS\system32\wmasf.dll + 2002-12-11 16:23:48 218,112 ----a-w C:\WINDOWS\system32\wmasf.dll + 2002-12-11 14:16:58 143,360 ----a-w C:\WINDOWS\system32\wmidx.dll - 2003-04-16 12:00:00 253,952 ----a-w C:\WINDOWS\system32\wmnetmgr.dll + 2002-12-11 16:23:58 981,504 ----a-w C:\WINDOWS\system32\wmnetmgr.dll - 2003-04-16 12:00:00 110,592 ----a-w C:\WINDOWS\system32\wmsdmod.dll + 2002-12-11 18:12:50 760,968 ----a-w C:\WINDOWS\system32\wmsdmod.dll + 2002-12-11 16:34:40 1,111,040 ----a-w C:\WINDOWS\system32\wmsdmoe2.dll + 2002-12-11 18:07:54 486,536 ----a-w C:\WINDOWS\system32\wmspdmod.dll + 2002-12-11 16:34:40 892,416 ----a-w C:\WINDOWS\system32\wmspdmoe.dll - 2003-04-16 12:00:00 1,220,608 ----a-w C:\WINDOWS\system32\wmvcore.dll + 2002-12-11 18:02:38 2,058,888 ----a-w C:\WINDOWS\system32\wmvcore.dll - 2003-04-16 12:00:00 294,912 ----a-w C:\WINDOWS\system32\wmvdmod.dll + 2002-12-11 18:10:00 816,264 ----a-w C:\WINDOWS\system32\wmvdmod.dll + 2002-12-11 16:34:40 997,888 ----a-w C:\WINDOWS\system32\wmvdmoe2.dll - 2002-12-04 01:04:14 47,104 ----a-w C:\WINDOWS\system32\wstdecod.dll + 2003-02-17 09:16:32 47,104 ----a-w C:\WINDOWS\system32\wstdecod.dll . – Snapshot reset to current date – . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Smapp”=“C:\Program Files\Analog Devices\SoundMAX\SMTray.exe” [2003-05-05 08:57] “ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2003-09-12 21:10] “nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-12-30 11:06] “Local Security Authority Service”=“C:\WINDOWS\System32\lssas.exe” [2003-04-16 13:00] “Advanced DHTML Enable”=“C:\WINDOWS\system32\benmawmb.exe” [2007-12-30 14:50] “LGODDFU”=“C:\Program Files\lg_fwupdate\fwupdate.exe” [2007-12-30 13:49] “RemoteControl”=“C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” [2004-11-02 20:24] “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 11:50] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2003-04-16 13:00] . ************************************************************************** catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-30 16:54:12 Windows 5.1.2600 Dodatek Service Pack. 1 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.1106] -> C:\Program Files\Eset\pr_imon.dll . Completion time: 2007-12-30 16:54:39 C:\ComboFix2.txt … 2007-12-30 11:32

i znowu nie mogłem odpalić netu. Teraz nic nie robiłem i jakoś to wysyłam.

Gutek · 30 Grudzień 2007 16:24

No i jesteś drugim na forum userem ktory ma najnowsza odmianę VUNDO. NA forum SE

Na forum były trzy przypadki tej infekcji (dwóch gości już sformatowało system, a trzeci = zaginął).

Metoda na razie jedna - format, albo reinstalacja + przeinstalowanie wszystkich programów

jojojo · 30 Grudzień 2007 16:30

Czuję sie mwyróżniony. Dziękuję! biorę się do pracy. Pozdrawiam, mam nadzieję, że nie będę Wam często zawracał głowy, ale w razie czego nie omieszkam!

Gutek · 30 Grudzień 2007 17:53

No niestety wszystko zarażone na kompie. Pamiętaj, aby od razu zainstalować XP z SP2

jojojo · 30 Grudzień 2007 22:00

Jestem znowu. Zrobiłem format wszystkiego.

Mam nadzieję, że już nic nie mam. Przynajmniej na razie spokój.

Może jednak ktoś rzuci na to okiem?

ComboFix 07-12-21.4 - Paweł Fabiszewski 2007-12-30 22:50:32.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.1.1250.1.1045.18.537 [GMT 1:00]

Running from: C:\Documents and Settings\Paweł Fabiszewski\Pulpit\ComboFix.exe

.


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))

.


No new files created in this timespan


.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-30 21:17	---------	d-----w	C:\Documents and Settings\Paweł Fabiszewski\Dane aplikacji\Gadu-Gadu

2007-12-30 21:16	---------	d-----w	C:\Program Files\Gadu-Gadu

2007-12-30 21:00	512,096	----a-w	C:\WINDOWS\system32\drivers\amon.sys

2007-12-30 21:00	298,104	----a-w	C:\WINDOWS\system32\imon.dll

2007-12-30 21:00	15,424	----a-w	C:\WINDOWS\system32\drivers\nod32drv.sys

2007-12-30 20:47	---------	d--h--w	C:\Program Files\InstallShield Installation Information

2007-12-30 20:47	---------	d-----w	C:\Program Files\ATI Technologies

2007-12-30 20:42	---------	d-----w	C:\Program Files\Common Files\InstallShield

2007-12-30 20:42	---------	d-----w	C:\Program Files\Analog Devices

2007-12-30 20:31	---------	d-----w	C:\Program Files\microsoft frontpage

2007-12-30 20:27	---------	d-----w	C:\Program Files\Usługi online

.


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2003-04-16 13:00]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 21:10]

"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-30 22:00]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-04-16 13:00]



*Newly Created Service* - CATCHME 

*Newly Created Service* - NOD32DRV 

*Newly Created Service* - PROCEXP90 

.

**************************************************************************


catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-30 22:51:02

Windows 5.1.2600 Dodatek Service Pack. 1 NTFS


scanning hidden processes ... 


scanning hidden autostart entries ...


scanning hidden files ... 


scan completed successfully 

hidden files: 0 


**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes --------------------- 


PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.1106]

-> C:\Program Files\Eset\pr_imon.dll

.

Completion time: 2007-12-30 22:51:27

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:52:44, on 2007-12-30

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Eset\nod32kui.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Eset\nod32krn.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Paweł Fabiszewski\Ustawienia lokalne\Temp\Katalog tymczasowy 2 dla HiJackThis.zip\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


--

End of file - 2576 bytes

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Smapp" = "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" ["Analog Devices, Inc."]

"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]


HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\

{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)

                                       \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]


HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

Będę wdzięczny za info

Gutek · 30 Grudzień 2007 22:12

Teraz jest Ok

jojojo · 30 Grudzień 2007 22:23

taki mam wpis w NODzie

2007-12-30 23:09:49 AMON plik C:\WINDOWS\system32\aav.exe IRC/SdBot trojan Kwarantanna - usunięty ZARZĄDZANIE NT\SYSTEM Zdarzenie miało miejsce podczas próby tworzenia nowego pliku przez program: C:\WINDOWS\system32\svchost.exe. Plik został przeniesiony do kwarantanny.

Gutek · 30 Grudzień 2007 22:29

To daj teraz log z Combo, co ty zgrywasz na kompa?