Creative rdr

Dla specjalistów Bezpieczeństwo
#1

Czolem ferajna! Potrzebuje pilnej pomocy. Wkurzaja mnie wyskakujace okna z reklamami CID. Moj Hijack log to:

Logfile of HijackThis v1.99.1

Scan saved at 9:39:26 AM, on 10/13/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Programy\Torrent\utorrent.exe

C:\toshiba\ivp\ism\ivpsvmgr.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Gry\Diablo II\Game.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

C:\Programy\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Marcin\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - URLSearchHook: (no name) - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)

F2 - REG:system.ini: Shell=explorer.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programy\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM…\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM…\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM…\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM…\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM…\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM…\Run: [intelZeroConfig] “C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe”

O4 - HKLM…\Run: [intelWireless] “C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” /tf Intel PROSet/Wireless

O4 - HKLM…\Run: [avgnt] “C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min

O4 - HKLM…\Run: [CFSServ.exe] CFSServ.exe -NoClient

O4 - HKLM…\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU…\Run: [Komunikator] C:\Programy\Tlen.pl\tlen.exe

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [uTorrent] “C:\Programy\Torrent\utorrent.exe”

O4 - HKCU…\Run: [Team Draw] C:\DOCUME~1\Marcin\APPLIC~1\AXISBU~1\Save Phone Bend.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O15 - Trusted Zone: http://www.mks.com.pl

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar … vSniff.cab

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

co mam usunac?

Z gory dzieki

#2

Te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

Masz infekcję “LOP” (to zaznaczone na czerwono).

Żeby zobaczyć i potem usunąć pozostałe dwa elementy tej infekcji, potrzebny jest jeszcze log z ComboFix (na dole tej strony z linku) -

Log wklej na http://wklej.org/, a w poście daj tylko link.(czyli skopiuj adres z paska adresów).

jessi

#3

MarcinMAL

Przeczytaj tematy przyklejone w tym dziale i popraw posta.JNJN

#4

Usunąłem R3 i 04 to trzecie zniknelo, stworzylem log combo oto on:

ComboFix 07-10-12.4 - Marcin 2007-10-13 13:11:47.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1009 [GMT 1:00]

Running from: C:\Documents and Settings\Marcin\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2007-09-13 to 2007-10-13 )))))))))))))))))))))))))))))))

.

2007-10-13 13:11 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-10-10 21:20

2007-10-10 19:44

2007-10-10 01:04 582,656 -----c— C:\WINDOWS\system32\dllcache\rpcrt4.dll

2007-10-09 10:37

2007-10-05 18:54

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-13 12:12 --------- d-----w C:\Documents and Settings\Marcin\Application Data\uTorrent

2007-10-13 10:18 --------- d-----w C:\Documents and Settings\Marcin\Application Data\Tlen.pl

2007-10-12 16:57 --------- d-----w C:\Program Files\Zuma Deluxe

2007-10-12 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-10-12 14:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-10-12 07:43 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll

2007-10-12 07:43 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll

2007-10-12 07:43 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll

2007-10-10 20:56 --------- d-----w C:\Program Files\Protector Suite QL

2007-10-10 20:55 --------- d-----w C:\Program Files\Google

2007-10-10 18:39 --------- d-----w C:\Documents and Settings\Marcin\Application Data\Uniblue

2007-09-23 18:46 --------- d-----w C:\Documents and Settings\Marcin\Application Data\Skype

2007-09-22 14:27 --------- d–h--w C:\Program Files\InstallShield Installation Information

2007-09-22 14:24 --------- d-----w C:\Program Files\Zylom Games

2007-09-15 19:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic

2007-09-04 15:22 --------- d-----w C:\Program Files\PopCap Games

2007-09-04 14:46 --------- d-----w C:\Documents and Settings\Marcin\Application Data\Zylom

2007-09-04 13:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom

2007-08-29 16:43 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-08-20 14:20 --------- d-----w C:\Documents and Settings\Marcin\Application Data\gtk-2.0

2007-08-19 12:13 --------- d-----w C:\Documents and Settings\Marcin\Application Data\The Learning Company

2007-08-17 09:34 --------- d-----w C:\Program Files\Picasa2

2007-08-14 10:13 --------- d-----w C:\Program Files\GIMP-2.0

2007-08-14 10:08 --------- d-----w C:\Program Files\Common Files\GTK

2007-08-13 18:16 --------- d-----w C:\Program Files\SkanerOnline

2007-08-13 17:48 --------- d-----w C:\Documents and Settings\Marcin\Application Data\Media Player Classic

2007-08-13 17:47 --------- d-----w C:\Program Files\Media Player Classic

2007-07-30 18:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-07-30 18:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-07-30 18:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-07-30 18:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-07-30 18:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-07-30 18:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-07-30 18:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-07-30 18:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-07-14 13:40 53,248 ----a-w C:\WINDOWS\system32\unrar.dll

2007-04-12 11:58 39,600 ----a-w C:\Documents and Settings\Marcin\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“High Definition Audio Property Page Shortcut”=“CHDAudPropShortcut.exe” [2005-12-29 22:21 C:\WINDOWS\system32\CHDAudPropShortcut.exe]

“Pinger”=“c:\toshiba\ivp\ism\pinger.exe” [2005-03-18 02:37]

“igfxtray”=“C:\WINDOWS\system32\igfxtray.exe” [2005-11-03 23:25]

“igfxhkcmd”=“C:\WINDOWS\system32\hkcmd.exe” [2005-11-03 23:22]

“igfxpers”=“C:\WINDOWS\system32\igfxpers.exe” [2005-11-03 23:26]

“IntelZeroConfig”=“C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe” [2005-12-05 21:37]

“IntelWireless”=“C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” [2005-11-28 20:41]

“avgnt”=“C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” [2007-10-10 20:15]

“CFSServ.exe”=“CFSServ.exe” []

“MSConfig”=“C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe” [2004-08-10 13:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Komunikator”=“C:\Programy\Tlen.pl\tlen.exe” [2006-10-11 10:48]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-10 13:00]

“uTorrent”=“C:\Programy\Torrent\utorrent.exe” [2007-10-10 07:01]

“Team Draw”=“C:\DOCUME~1\Marcin\APPLIC~1\AXISBU~1\Save Phone Bend.exe” []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

“InstallVisualStyle”=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

“InstallTheme”=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

psqlpwd.dll 2005-12-22 06:42 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

“appinit_dlls”=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

“Notification Packages”= scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settin

#5

Niestety, log się nie zmieścił do postu - zresztą dlatego zaleciłam wklejenie go na “wklej.org”.

Ponieważ nie widać dolnej części logu, więc nie widać z tego powodu ostatniego elementu tej infekcji.

Zrób tak:

>>START>>Panel Sterowania>>Zaplanowane Zadania>>znajdź zadanie podobne do tego: " AEE1EF7090BE60F4" - (u Ciebie będą inne syferki i literki) >>prawoklik>>usuń

Potem:

Wklej do Notatnika :

Folder::

C:\Documents and Settings\Marcin\Application Data\axisbuild

C:\Program Files\axisbuild 

C:\Documents and Settings\All Users\Application Data\live 64 math does

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>88953CFScript-createdbyMiekiemoes.gif

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Daj ten log z ComboFixa (na wklej.org)

Widzę, że nie umiesz dać logów w tagi:

po prostu zaznacz cały tekst logu i kliknij przycisk “Quote” nad postem.

To naprawdę nic trudnego, a temat uchroni się przed wylądowaniem w “Śmietniku”.

jessi

#6

ComboFix 07-10-12.4 - Marcin 2007-10-13 14:14:50.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1205 [GMT 1:00]

Running from: C:\Documents and Settings\Marcin\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Marcin\Desktop\CFScript.txt

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Marcin\Application Data\axisbuild

C:\Program Files\axisbuild

C:\Documents and Settings\All Users\Application Data\live 64 math does

.

((((((((((((((((((((((((( Files Created from 2007-09-13 to 2007-10-13 )))))))))))))))))))))))))))))))

.

2007-10-13 13:11 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-10-10 01:04 582,656 -----c— C:\WINDOWS\system32\dllcache\rpcrt4.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-13 13:15 --------- d-----w C:\Documents and Settings\Marcin\Application Data\uTorrent

2007-10-13 10:18 --------- d-----w C:\Documents and Settings\Marcin\Application Data\Tlen.pl

2007-10-12 16:57 --------- d-----w C:\Program Files\Zuma Deluxe

2007-10-12 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-10-12 14:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-10-10 20:56 --------- d-----w C:\Program Files\Protector Suite QL

2007-10-10 20:55 --------- d-----w C:\Program Files\Google

2007-10-10 18:39 --------- d-----w C:\Documents and Settings\Marcin\Application Data\Uniblue

2007-09-23 18:46 --------- d-----w C:\Documents and Settings\Marcin\Application Data\Skype

2007-09-22 14:27 --------- d–h--w C:\Program Files\InstallShield Installation Information

2007-09-22 14:24 --------- d-----w C:\Program Files\Zylom Games

2007-09-15 19:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic

2007-09-04 15:22 --------- d-----w C:\Program Files\PopCap Games

2007-09-04 14:46 --------- d-----w C:\Documents and Settings\Marcin\Application Data\Zylom

2007-09-04 13:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom

2007-08-29 16:43 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2007-08-20 14:20 --------- d-----w C:\Documents and Settings\Marcin\Application Data\gtk-2.0

2007-08-19 12:13 --------- d-----w C:\Documents and Settings\Marcin\Application Data\The Learning Company

2007-08-17 09:34 --------- d-----w C:\Program Files\Picasa2

2007-08-14 10:13 --------- d-----w C:\Program Files\GIMP-2.0

2007-08-14 10:08 --------- d-----w C:\Program Files\Common Files\GTK

2007-08-13 18:16 --------- d-----w C:\Program Files\SkanerOnline

2007-08-13 17:48 --------- d-----w C:\Documents and Settings\Marcin\Application Data\Media Player Classic

2007-08-13 17:47 --------- d-----w C:\Program Files\Media Player Classic

2007-04-12 11:58 39,600 ----a-w C:\Documents and Settings\Marcin\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“High Definition Audio Property Page Shortcut”=“CHDAudPropShortcut.exe” [2005-12-29 22:21 C:\WINDOWS\system32\CHDAudPropShortcut.exe]

“Pinger”=“c:\toshiba\ivp\ism\pinger.exe” [2005-03-18 02:37]

“igfxtray”=“C:\WINDOWS\system32\igfxtray.exe” [2005-11-03 23:25]

“igfxhkcmd”=“C:\WINDOWS\system32\hkcmd.exe” [2005-11-03 23:22]

“igfxpers”=“C:\WINDOWS\system32\igfxpers.exe” [2005-11-03 23:26]

“IntelZeroConfig”=“C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe” [2005-12-05 21:37]

“IntelWireless”=“C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” [2005-11-28 20:41]

“avgnt”=“C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” [2007-10-10 20:15]

“CFSServ.exe”=“CFSServ.exe” []

“MSConfig”=“C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe” [2004-08-10 13:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Komunikator”=“C:\Programy\Tlen.pl\tlen.exe” [2006-10-11 10:48]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-10 13:00]

“uTorrent”=“C:\Programy\Torrent\utorrent.exe” [2007-10-10 07:01]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

“InstallVisualStyle”=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

“InstallTheme”=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

psqlpwd.dll 2005-12-22 06:42 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

“appinit_dlls”=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

“Notification Packages”= scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk

backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Marcin^Start Menu^Programs^Startup^Demonstone Registration.lnk]

path=C:\Documents and Settings\Marcin\Start Menu\Programs\Startup\Demonstone Registration.lnk

backup=C:\WINDOWS\pss\Demonstone Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Marcin^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]

path=C:\Documents and Settings\Marcin\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk

backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]

“C:\Programy\Alcohol 120\axcmd.exe” /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]

“C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe” /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

“C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]

KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MATH DOES FIRST MODE]

C:\Documents and Settings\All Users\Application Data\live 64 math does\Poke way.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

“C:\Program Files\Messenger\msmsgs.exe” /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]

NDSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]

C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]

“C:\Program Files\Protector Suite QL\launcher.exe” /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

“C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]

“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Team Draw]

C:\DOCUME~1\Marcin\APPLIC~1\AXISBU~1\Save Phone Bend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Hotkey Utility]

“c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe” /lang en

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

“C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe” AcRdB7_0_8

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WooCnxMon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOTASKBARICON]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOWATCH]

R2 FdRedir;FdRedir;??\C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys

R2 FileDisk2;FileDisk Protector Kernel Driver;??\C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys

R2 SBKUPNT;SBKUPNT;??\C:\WINDOWS\system32\Drivers\SBKUPNT.SYS

R2 smihlp;SMI helper driver;??\C:\Program Files\Protector Suite QL\smihlp.sys

R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys

R3 LUsbFilt;Logitech SetPoint KMDF USB Filter;C:\WINDOWS\system32\Drivers\LUsbFilt.Sys

R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys

R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys

R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys

S3 ddxgb;ddxgb;??\C:\DOCUME~1\Marcin\LOCALS~1\Temp\ddxgb.sys

S3 MOUSEWDFilter;MOUSEWDFilter;??\C:\WINDOWS\System32\Drivers\MOUSEWD.SYS

S3 SMCB000;SMSC CIR HID Miniport Device Driver;C:\WINDOWS\system32\DRIVERS\hidsmsc.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{379beb78-2d5d-11dc-8b76-001302d53275}]

AutoRun\command - F:\LaunchU3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{35F5040A-E2E2-3EAB-0705-080400020700}]

C:\WINDOWS\system32\iexplorer.exe

.

Contents of the ‘Scheduled Tasks’ folder

“2007-10-11 10:13:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job”

  • C:\Programy\SpeedUpMyPC 3\SpeedUpMyPC.exe

“2007-06-03 10:13:46 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job”

  • C:\Programy\SpeedUpMyPC 3\SpeedUpMyPC.exe

.

**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-13 14:18:03

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\WindowsUpdate.log

C:\WINDOWS\winhelp.exe

C:\WINDOWS\winhlp32.exe

C:\WINDOWS\wininit.ini

C:\WINDOWS\winnt.bmp

C:\WINDOWS\winnt256.bmp

C:\WINDOWS\WinSxS

C:\WINDOWS\WMSysPr9.prx

C:\WINDOWS\Zapotec.bmp

C:\WINDOWS_default.pif

scan completed successfully

hidden files: 11

**************************************************************************

.

Completion time: 2007-10-13 14:19:32 - machine was rebooted

.

— E O F —

Złączono Posta : 13.10.2007 (Sob) 15:27

http://wklej.org/id/fe78939eab

#7

Wklej do Notatnika :

File::

C:\WINDOWS\system32\iexplorer.exe

C:\DOCUME~1\Marcin\LOCALS~1\Temp\ddxgb.sys


Driver::

ddxgb


Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{35F5040A-E2E2-3EAB-0705-080400020700}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MATH DOES FIRST MODE]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Team Draw]

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>88953CFScript-createdbyMiekiemoes.gif

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Daj ten log do kontroli.

jessi

#8

http://www.wklej.org/id/317742dca0

#9

Ja nie widzę już nic więcej podejrzanego. :slight_smile:

jessi

#10

W takim razie wielkie dzieki! !!

Prawde mowiac nie wiem jak to zrobilas, ale grunt, ze sie udalo.

Caluje raczki.

Marcin