Local disk - search results


(system) #1

Hi, when I try to open the drive, the search results (i.e. Search) open instead.

log:

ComboFix 08-12-29.02 - xxx 2008-12-30 13:04:06.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.256.35 [GMT 1:00]

Uruchomiony z: c:\documents and settings\xxx\Pulpit\ComboFix.exe

* Utworzono nowy punkt przywracania

* Resident AV is active

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA!!

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\08dgu.com

C:\0w.com

C:\2u.com

C:\68.exe

C:\autorun.inf

C:\b.exe

C:\ev60a2.cmd

C:\itsduel.exe

C:\nq0cq.cmd

C:\ov.cmd

C:\rs.cmd

C:\u9dyi.exe

c:\windows\system32\Bitkv0.dll

c:\windows\system32\gasretyw1.dll

C:\wjlfhtfm.cmd

C:\xih9.cmd

D:\0.com

D:\08dgu.com

D:\0w.com

D:\1rfw8hjr.com

D:\2u.com

D:\6.bat

D:\68.exe

D:\Autorun.inf

D:\b.exe

D:\b3b9u.com

D:\bpu.exe

D:\ev60a2.cmd

D:\itsduel.exe

D:\lky.exe

D:\n.com

D:\nfdmg.com

D:\nq0cq.cmd

D:\ov.cmd

D:\rs.cmd

D:\t1ypkh.exe

D:\tyktjfww.exe

D:\u9dyi.exe

D:\vxl.exe

D:\wjlfhtfm.cmd

D:\xih9.cmd

E:\0.com

E:\08dgu.com

E:\0w.com

E:\1rfw8hjr.com

E:\2u.com

E:\6.bat

E:\68.exe

E:\Autorun.inf

E:\b.exe

E:\b3b9u.com

E:\bpu.exe

E:\ev60a2.cmd

E:\itsduel.exe

E:\lky.exe

E:\n.com

E:\nfdmg.com

E:\nq0cq.cmd

E:\ov.cmd

E:\rs.cmd

E:\t1ypkh.exe

E:\tyktjfww.exe

E:\u9dyi.exe

E:\vxl.exe

E:\wjlfhtfm.cmd

E:\xih9.cmd

.

((((((((((((((((((((((((( Pliki utworzone od 2008-11-28 do 2008-12-30 )))))))))))))))))))))))))))))))

.

2008-12-30 12:23 . 2008-12-30 12:23

2008-12-30 11:34 . 2008-12-30 13:05

2008-12-30 11:34 . 2008-07-09 17:27

2008-12-30 11:34 . 2008-07-09 15:33

2008-12-30 11:34 . 2008-07-09 17:27

2008-12-30 11:34 . 2008-07-09 17:27

2008-12-30 11:34 . 2008-07-09 17:27

2008-12-30 11:34 . 2008-07-09 17:27

2008-12-30 11:34 . 2008-12-30 11:35

2008-12-30 10:54 . 2008-12-30 11:08

2008-12-30 10:53 . 2008-12-30 11:09

2008-12-30 10:53 . 2008-12-30 10:52 512,096 --a------ c:\windows\system32\drivers\amon.sys

2008-12-30 10:53 . 2008-12-30 10:52 298,104 --a------ c:\windows\system32\imon.dll

2008-12-30 10:53 . 2008-12-30 10:52 15,424 --a------ c:\windows\system32\drivers\nod32drv.sys

2008-12-30 10:38 . 2008-12-30 10:38

2008-12-30 10:02 . 2008-12-30 11:20

2008-12-30 09:48 . 2008-12-30 10:16

2008-12-30 09:36 . 2008-12-30 09:36

2008-12-20 16:39 . 2008-12-08 21:16 107,045 -r-hs---- C:\1gk8ha.bat

2008-12-16 12:18 . 2008-12-08 21:16 107,045 -r-hs---- C:\p1y2.cmd

2008-12-14 20:37 . 2008-12-08 21:16 107,045 -r-hs---- C:\h3.bat

2008-12-10 16:40 . 2008-12-08 21:16 107,045 -r-hs---- C:\6fnlpetp.exe

2008-12-10 16:40 . 2008-12-26 14:45 85,504 -r-hs---- c:\windows\system32\vbsdfe1.dll

2008-12-09 15:31 . 2008-12-08 21:16 107,045 -r-hs---- C:\3rl3lqbq.bat

2008-12-09 15:30 . 2008-12-26 14:45 115,869 -r-hs---- c:\windows\system32\vamsoft.exe

2008-12-09 15:30 . 2008-12-30 11:51 85,504 -r-hs---- c:\windows\system32\vbsdfe0.dll

2008-12-03 17:46 . 2008-12-03 17:46 108,963 -r-hs---- C:\rcukd.cmd

2008-12-02 14:18 . 2008-12-02 14:18

2008-12-02 14:16 . 2008-12-02 14:16 43,520 --a------ c:\windows\system32\CmdLineExt03.dll

2008-12-02 14:15 . 2008-12-02 14:15

2008-12-02 14:14 . 2008-12-02 14:14

2008-12-02 14:14 . 2002-02-27 18:50 197,120 --a------ c:\windows\patchw32.dll

2008-11-30 21:38 . 2008-11-30 21:38

2008-11-30 18:00 . 2008-12-02 14:48 108,698 -r-hs---- C:\e.cmd

2008-11-28 00:58 . 2008-11-28 00:58 108,477 -r-hs---- C:\m2nl.bat

2008-11-26 23:22 . 2008-11-26 23:21 109,489 -r-hs---- C:\ij.bat

2008-11-18 19:23 . 2008-11-24 21:19 108,888 -r-hs---- C:\abk.bat

2008-11-17 13:23 . 2008-11-17 13:22 106,174 -r-hs---- C:\yannh.cmd

2008-11-12 12:52 . 2008-10-24 12:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2008-11-10 20:01 . 2008-11-11 09:47 108,271 -r-hs---- C:\whi.com

2008-11-10 20:00 . 2008-11-08 15:07 108,973 -r-hs---- C:\sq.com

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-30 11:53 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Microsoft Help

2008-12-30 11:04 --------- d-----w c:\program files\Neostrada TP

2008-12-30 11:03 --------- d-----w c:\program files\Google

2008-12-30 10:36 --------- d-----w c:\program files\Alwil Software

2008-12-30 10:03 --------- d-----w c:\documents and settings\xxx\Dane aplikacji\Autodesk

2008-12-30 10:03 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Autodesk

2008-12-30 10:01 --------- d-----w c:\program files\Common Files\InstallShield

2008-12-30 08:59 --------- d-----w c:\program files\BearShare

2008-12-30 08:36 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-30 08:22 --------- d-----w c:\program files\AutoCAD 2005

2008-12-05 19:58 --------- d-----w c:\documents and settings\xxx\Dane aplikacji\Skype

2008-11-11 08:48 --------- d-----w c:\documents and settings\xxx\Dane aplikacji\BearShare

2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll

2008-10-22 19:29 104,123 --sh--r C:\xlk9.com

2008-10-21 20:56 103,973 --sh--r C:\2fiji.com

2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 10:39 662,016 ----a-w c:\windows\system32\wininet.dll

2008-10-12 09:08 103,109 --sh--r C:\bo1dhu.bat

2008-10-08 17:58 101,132 --sh--r C:\n6t1h.cmd

2008-10-08 16:00 90,834 --sh--r C:\r1y1.bat

2008-10-07 06:55 92,932 --sh--r C:\ktnquo.exe

2008-10-03 17:56 90,911 --sh--r C:\kk3.bat

2008-10-03 10:17 247,326 ----a-w c:\windows\system32\strmdll.dll

2008-10-01 17:54 101,735 --sh--r C:\otyh.cmd

2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2008-09-15 15:40 1,846,272 ----a-w c:\windows\system32\win32k.sys

2008-09-04 16:46 1,106,944 ----a-w c:\windows\system32\msxml3.dll

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects{6D023EBF-70B8-45A6-9ED5-556515FA0FE4}]

2008-07-07 10:27 398776 --a------ c:\program files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-12-30 949376]

"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2006-10-22 11:22 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2008-11-04 17:15 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vamsoft]

-r-hs---- 2008-12-26 14:45 115869 c:\windows\system32\vamsoft.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Pml Driver HPZ12"=2 (0x2)

"ose"=3 (0x3)

"odserv"=3 (0x3)

"Microsoft Office Groove Audit Service"=3 (0x3)

"gusvc"=3 (0x3)

"Autodesk Licensing Service"=3 (0x3)

"NVSvc"=2 (0x2)

"avast! Web Scanner"=3 (0x3)

"avast! Mail Scanner"=3 (0x3)

"avast! Antivirus"=2 (0x2)

"aswUpdSv"=2 (0x2)

"Schedule"=2 (0x2)

"wscsvc"=2 (0x2)

"wuauserv"=2 (0x2)

"aspnet_state"=3 (0x3)

"clr_optimization_v2.0.50727_32"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"c:\Program Files\BearShare\BearShare.exe"=

"c:\Program Files\Microsoft Office\Office12\GROOVE.EXE"=

"c:\Documents and Settings\xxx\Dane aplikacji\PowerChallenge\PowerSoccer\PowerSoccer.exe"=

"d:\sterowniki\Digital Imaging\bin\hpqtra08.exe"=

"d:\sterowniki\Digital Imaging\bin\hpqste08.exe"=

"d:\sterowniki\Digital Imaging\bin\hpofxm08.exe"=

"d:\sterowniki\Digital Imaging\bin\hposfx08.exe"=

"d:\sterowniki\Digital Imaging\bin\hposid01.exe"=

"d:\sterowniki\Digital Imaging\bin\hpqscnvw.exe"=

"d:\sterowniki\Digital Imaging\bin\hpqkygrp.exe"=

"d:\sterowniki\Digital Imaging\bin\hpqCopy.exe"=

"d:\sterowniki\Digital Imaging\bin\hpfccopy.exe"=

"d:\sterowniki\Digital Imaging\bin\hpzwiz01.exe"=

"d:\sterowniki\Digital Imaging\Unload\HpqPhUnl.exe"=

"d:\sterowniki\Digital Imaging\Unload\HpqDIA.exe"=

"d:\sterowniki\Digital Imaging\bin\hpoews01.exe"=

"d:\sterowniki\Digital Imaging\bin\hpqnrs08.exe"=

"e:\Skype\Phone\Skype.exe"=

"e:\Gadu-Gadu\gg.exe"=

"d:\Skype\Phone\Skype.exe"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-12-30 15424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{0a02d7a0-8180-11dd-ae84-4d6564696130}]

\Shell\AutoRun\command - H:\2fiji.com

\Shell\explore\Command - H:\2fiji.com

\Shell\open\Command - H:\2fiji.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{1338e720-832a-11dd-af4c-806d6172696f}]

\Shell\AutoRun\command - F:\31n3b2h.exe

\Shell\explore\Command - F:\31n3b2h.exe

\Shell\open\Command - F:\31n3b2h.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{1338e721-832a-11dd-af4c-806d6172696f}]

\Shell\AutoRun\command - G:\31n3b2h.exe

\Shell\explore\Command - G:\31n3b2h.exe

\Shell\open\Command - G:\31n3b2h.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{18bfc5a0-88c5-11dd-af6f-000c6e9675d5}]

\Shell\AutoRun\command - H:\fooool.exe

\Shell\explore\Command - H:\fooool.exe

\Shell\open\Command - H:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{31679910-620c-11dd-ad9e-4d6564696130}]

\Shell\AutoRun\command - H:\6fnlpetp.exe

\Shell\explore\Command - H:\6fnlpetp.exe

\Shell\open\Command - H:\6fnlpetp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{3cf99310-c879-11dd-b13c-4d6564696130}]

\Shell\AutoRun\command - H:\m9ma.exe

\Shell\explore\Command - H:\m9ma.exe

\Shell\open\Command - H:\m9ma.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{53285880-95d2-11dd-afd0-4d6564696130}]

\Shell\AutoRun\command - I:\08dgu.com

\Shell\explore\Command - I:\08dgu.com

\Shell\open\Command - I:\08dgu.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{55e65120-6241-11dd-ada2-000c6e9675d5}]

\Shell\AutoRun\command - xqf.com

\Shell\explore\Command - xqf.com

\Shell\open\Command - xqf.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{6cb82d63-d64d-11dd-b16f-4d6564696130}]

\Shell\AutoRun\command - H:\iqe68o.bat

\Shell\explore\Command - H:\iqe68o.bat

\Shell\open\Command - H:\iqe68o.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{83d54a80-8bea-11dd-af8a-4d6564696130}]

\Shell\AutoRun\command - I:\b0j6j16.bat

\Shell\explore\Command - I:\b0j6j16.bat

\Shell\open\Command - I:\b0j6j16.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{b6a915f0-9084-11dd-afb1-000c6e9675d5}]

\Shell\AutoRun\command - H:\abk.bat

\Shell\explore\Command - H:\abk.bat

\Shell\open\Command - H:\abk.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{d44330b6-7f19-11dd-ae71-4d6564696130}]

\Shell\AutoRun\command - I:\fooool.exe

\Shell\explore\Command - I:\fooool.exe

\Shell\open\Command - I:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{d76b32e0-8a33-11dd-adf5-4d6564696130}]

\Shell\AutoRun\command - fooool.exe

\Shell\explore\Command - fooool.exe

\Shell\open\Command - fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{f3103a10-c070-11dd-b107-4d6564696130}]

\Shell\AutoRun\command - H:\e.cmd

\Shell\explore\Command - H:\e.cmd

\Shell\open\Command - H:\e.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{f5a25510-91ee-11dd-afbe-4d6564696130}]

\Shell\AutoRun\command - H:\08dgu.com

\Shell\explore\Command - H:\08dgu.com

\Shell\open\Command - H:\08dgu.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{ff7fac21-92c6-11dd-ae48-4d6564696130}]

\Shell\AutoRun\command - H:\2fiji.com

\Shell\explore\Command - H:\2fiji.com

\Shell\open\Command - H:\2fiji.com

*Newly Created Service* - PROCEXP90

.

  • USUNIĘTO PUSTE WPISY - - - -

MSConfigStartUp-kamsoft - c:\windows\system32\kamsoft.exe

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://www.onet.pl/

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Eksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: { - c:\program files\Messenger\msmsgs.exe

LSP: c:\windows\system32\imon.dll

TCP: {04910802-3691-443D-9103-F0DFA89B732F} = 194.204.152.34 217.98.63.164

c:\windows\system32\SkanerOnlineUninstall.exe - c:\windows\system32\SkanerOnline.dll

O16 -: {68282C51-9459-467B-95BF-3C0E89627E55}

hxxp://www.mks.com.pl/skaner/SkanerOnline.cab

c:\windows\Downloaded Program Files\SkanerOnline.inf

FF - ProfilePath - c:\documents and settings\xxx\Dane aplikacji\Mozilla\Firefox\Profiles\wv3eo0jj.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl/

FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava11.dll

FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava12.dll

FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava13.dll

FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJava32.dll

FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPJPI140_03.dll

FF - plugin: c:\program files\Java\j2re1.4.0_03\bin\NPOJI610.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-30 13:06:14

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

  • 'lsass.exe'(600)

c:\windows\system32\imon.dll

c:\program files\Eset\pr_imon.dll

.

Czas ukończenia: 2008-12-30 13:07:33

ComboFix-quarantined-files.txt 2008-12-30 12:07:16

Przed: 1 379 950 592 bajtów wolnych

Po: 1,394,614,272 bajtów wolnych

332 --- E O F --- 2008-12-20 08:07:56


(huber2t) #2

To clean the pendrive of viruses, use these programs

Download ComboFix, but do not run it

Paste into Notepad:

File::

C:\1gk8ha.bat

C:\p1y2.cmd

C:\h3.bat

C:\6fnlpetp.exe

c:\windows\system32\vbsdfe1.dll

C:\3rl3lqbq.bat

c:\windows\system32\vamsoft.exe

c:\windows\system32\vbsdfe0.dll

C:\rcukd.cmd

C:\e.cmd

C:\m2nl.bat

C:\ij.bat

C:\abk.bat

C:\yannh.cmd

C:\whi.com

C:\sq.com

C:\xlk9.com

C:\2fiji.com

C:\bo1dhu.bat

C:\n6t1h.cmd

C:\r1y1.bat

C:\ktnquo.exe

C:\kk3.bat

C:\otyh.cmd


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

File -> Save as -> CFScript.txt.

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, as shown here ->

[image: cfscript10uc2.gif]

Removal will start and a log will be produced, which you then post on the forum.

Post the logs on http://wklej.eu or http://wklej.org and put only the link in your post
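An added example (not from the thread or from the ComboFix project) showing how the two things huber2t picked out by hand can be extracted from a ComboFix log automatically: the dropped files that carry the read-only+hidden+system attribute combination (the ones listed under File::) and the removable-drive AutoRun hijacks under MountPoints2. The sample lines are constructed in the log's own format; the helper names are assumptions.

```python
import re

# Constructed sample lines in ComboFix's log format (a few lines, not the full log).
SAMPLE_LOG = r"""
2008-12-20 16:39 . 2008-12-08 21:16 107,045 -r-hs---- C:\1gk8ha.bat
2008-12-10 16:40 . 2008-12-26 14:45 85,504 -r-hs---- c:\windows\system32\vbsdfe1.dll
2008-12-02 14:16 . 2008-12-02 14:16 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2008-10-22 19:29 104,123 --sh--r C:\xlk9.com
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{0a02d7a0-8180-11dd-ae84-4d6564696130}]
\Shell\AutoRun\command - H:\2fiji.com
\Shell\open\Command - H:\2fiji.com
""".strip()

# Two line shapes carry file entries: the "created files" section (two timestamps
# separated by " . ") and the Find3M section (one timestamp). Both end with
# size, an attribute string and the path.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})? "
    r"[\d,]+ (?P<attrs>[-a-z]{7,9}) (?P<path>[a-zA-Z]:\\.*)$"
)
MOUNTPOINT_CMD = re.compile(r"^\\Shell\\(?:AutoRun|open|explore)\\command - (?P<target>.+)$", re.I)

def is_hidden_system_readonly(attrs):
    # ComboFix prints attribute flags as letters; the droppers in this log carry r, h and s together.
    return all(flag in attrs for flag in "rhs")

def suspicious_files(log_text):
    """Return paths of files flagged read-only + hidden + system, in log order."""
    return [
        m.group("path")
        for m in (FILE_LINE.match(line) for line in log_text.splitlines())
        if m and is_hidden_system_readonly(m.group("attrs"))
    ]

def autorun_hijacks(log_text):
    """Map each MountPoints2 {GUID} key to the targets its Shell\\*\\command entries launch."""
    hijacks, current = {}, None
    for line in log_text.splitlines():
        low = line.lower()
        if "mountpoints2{" in low:
            # Key lines in the log read ...\mountpoints2{GUID}]; keep just the {GUID}.
            current = line[low.index("mountpoints2{") + len("mountpoints2"):-1]
            continue
        m = MOUNTPOINT_CMD.match(line)
        if m and current:
            hijacks.setdefault(current, set()).add(m.group("target"))
    return {guid: sorted(targets) for guid, targets in hijacks.items()}
```

A command target that no longer exists on the drive is exactly why double-clicking the drive falls through to Search, so both lists are worth checking before writing the CFScript.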