krig
(Krig22)
27 October 2007 21:05
#1
As the title says, the target locations of shortcuts were thrown out in a strange way, and this happened to programs like Spybot - Search & Destroy and avast. It happened at a time when the computer was on the network for a while without any antivirus protection, so it seems to me that some little virus got installed on the machine. In addition, the computer starts up terribly slowly and throws some error. Hence my request to check the logs. Thanks in advance for the help.
HijackThis:
Logfile of HijackThis v1.99.1 Scan saved at 23:00:53, on 2007-10-27 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Digitop\LightMail\LightMail.exe C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe D:\Nowy folder\CH128\ch.exe C:\windows\system32\umonit.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft ActiveSync\wcescomm.exe C:\Program Files\Gadu-Gadu\gg.exe C:\PROGRA~1\MI3AA1~1\rapimgr.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\Documents and Settings\krig\Pulpit\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Yahoo! 
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch_1.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: (no name) - {E09962E7-A39E-4F60-8003-66D57BED27B7} - (no file) O2 - BHO: Kwyshell MidpX BHO - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll O3 - Toolbar: Kwyshell MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll O4 - HKLM…\Run: [LightMail] C:\Program Files\Digitop\LightMail\LightMail.exe O4 - HKLM…\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe O4 - HKLM…\Run: [Copy Handler] D:\Nowy folder\CH128\ch.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [uMonit] C:\windows\system32\umonit.exe O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe” O4 - HKLM…\Run: [AtiPTA] atiptaxx.exe O4 - HKLM…\Run: [kpx] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\fastRX.dll DllInitApp O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: 
[bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” O4 - HKCU…\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe O4 - HKCU…\Run: [H/PC Connection Agent] “C:\Program Files\Microsoft ActiveSync\wcescomm.exe” O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O8 - Extra context menu item: Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O8 - Extra context menu item: Ściągnij przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Link to MidpX - C:\Program Files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra ‘Tools’ menuitem: Utwórz Ulubione dla urządzenia przenośnego… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra ‘Tools’ menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - 
{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O11 - Options group: [iNTERNATIONAL] International* O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resourc … oscan8.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l … cfscan.cab O17 - HKLM\System\CCS\Services\Tcpip…{107503B8-57E9-45C6-AB66-90EC77502E0B}: NameServer = 194.204.159.1,194.204.152.34 O17 - HKLM\System\CCS\Services\Tcpip…{ED354F1A-89B5-43B4-A71E-1147C65C23CB}: NameServer = 194.204.159.1,194.204.152.34 O17 - HKLM\System\CCS\Services\Tcpip…{EE94F6B3-FD30-4F10-99A8-C894942FFB19}: NameServer = 194.204.159.1,194.204.152.34 O17 - HKLM\System\CS1\Services\Tcpip…{107503B8-57E9-45C6-AB66-90EC77502E0B}: NameServer = 194.204.159.1,194.204.152.34 O17 - HKLM\System\CS2\Services\Tcpip…{107503B8-57E9-45C6-AB66-90EC77502E0B}: NameServer = 194.204.159.1,194.204.152.34 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. 
- C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
silent:
“Silent Runners.vbs”, revision 52, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}” = ““C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”” [“Nero AG”] “Odkurzacz-MCD” = “C:\Program Files\Odkurzacz\odk_mcd.exe” [null data] “Twoje TVN24” = “(empty string)” [file not found] “H/PC Connection Agent” = ““C:\Program Files\Microsoft ActiveSync\wcescomm.exe”” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “LightMail” = “C:\Program Files\Digitop\LightMail\LightMail.exe” [“Digitop”] “WheelMouse” = “C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe” [“A4Tech Co., Ltd.”] “Copy Handler” = “D:\Nowy folder\CH128\ch.exe” [" "] “NeroFilterCheck” = “C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [“Nero AG”] “UMonit” = “C:\windows\system32\umonit.exe” [“General”] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “AtiPTA” = “atiptaxx.exe” [“ATI Technologies, Inc.”] “kpx” = “C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\fastRX.dll DllInitApp” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) - {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}(Default) = “Winamp Toolbar BHO” - {HKLM…CLSID} = “Winamp Toolbar BHO” \InProcServer32(Default) = “C:\Program Files\Winamp Toolbar\winamptb.dll” [“AOL LLC”] {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}(Default) = “flashget urlcatch” - {HKLM…CLSID} 
= “FGCatchUrl” \InProcServer32(Default) = “C:\Program Files\FlashGet\jccatch_1.dll” [“www.flashget.com ”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Spybot - Search Destroy\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) - {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”] {EBE9E2B5-B526-48BC-AD46-687263EDCB0E}(Default) = “Kwyshell MidpX BHO” - {HKLM…CLSID} = “Kwyshell MidpX” \InProcServer32(Default) = “C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll” [“Kwyshell G.Corp”] {F156768E-81EF-470C-9057-481BA8380DBA}(Default) = (no title provided) - {HKLM…CLSID} = “FlashGet GetFlash Class” \InProcServer32(Default) = “C:\Program Files\FlashGet\getflash.dll” [“www.flashget.com ”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” - {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{EFA24E62-B078-11d0-89E4-00C04FC9E26E}” = “History Band” - {HKLM…CLSID} = “History Band” \InProcServer32(Default) = “C:\WINDOWS\system32\shdocvw.dll” [MS] “{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}” = “Microsoft Office Metadata Handler” - {HKLM…CLSID} = “Microsoft Office Metadata Handler” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS] “{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}” = “Microsoft Office Thumbnail Handler” - {HKLM…CLSID} = “Microsoft Office Thumbnail Handler” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] 
“{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}” = “NeroCoverEd Live Icons” - {HKLM…CLSID} = “NeroCoverEdLiveIcons Class” \InProcServer32(Default) = “C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll” [“Nero AG”] “{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}” = “OpenOffice.org Column Handler” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{087B3AE3-E237-4467-B8DB-5A38AB959AC9}” = “OpenOffice.org Infotip Handler” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice.org Property Sheet Handler” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{3B092F0C-7696-40E3-A80F-68D74DA84210}” = “OpenOffice.org Thumbnail Viewer” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{A5110426-177D-4e08-AB3F-785F10B4439C}” = “Sony Ericsson File Manager” - {HKLM…CLSID} = “Sony Ericsson File Manager” \InProcServer32(Default) = “C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll” [“Sony Ericsson Mobile Communications AB”] “{49BF5420-FA7F-11cf-8011-00A0C90A8F78}” = “Mobile Device” - {HKLM…CLSID} = “Urządzenie przenośne” \InProcServer32(Default) = “C:\PROGRA~1\MI3AA1~1\Wcesview.dll” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ “{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}” = “Microsoft AntiMalware ShellExecuteHook” - {HKLM…CLSID} = “Microsoft AntiMalware ShellExecuteHook” \InProcServer32(Default) = 
“C:\PROGRA~1\WIFD1F~1\MpShHook.dll” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}” - {HKLM…CLSID} = “WPDShServiceObj Class” \InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS] HKLM\System\CurrentControlSet\Control\Session Manager\ “BootExecute” = “autocheck autochk *”|“OODBS” [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” - {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] CopyHandlerShellExt(Default) = “{E7A4C2DA-F3AF-4145-AC19-E3B215306A54}” - {HKLM…CLSID} = “MenuExt Class” \InProcServer32(Default) = “D:\Nowy folder\CH128\chext.dll” [empty string] Cover Designer(Default) = “{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}” - {HKLM…CLSID} = “NeroCoverEdContextMenu Class” \InProcServer32(Default) = “C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll” [“Nero AG”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ CopyHandlerShellExt(Default) = “{E7A4C2DA-F3AF-4145-AC19-E3B215306A54}” - {HKLM…CLSID} = 
“MenuExt Class” \InProcServer32(Default) = “D:\Nowy folder\CH128\chext.dll” [empty string] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] CopyHandlerShellExt(Default) = “{E7A4C2DA-F3AF-4145-AC19-E3B215306A54}” - {HKLM…CLSID} = “MenuExt Class” \InProcServer32(Default) = “D:\Nowy folder\CH128\chext.dll” [empty string] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoSharedDocuments” = (REG_DWORD) hex:0x00000001 {Remove Shared Documents from My Computer} “NoSaveSettings” = (REG_DWORD) hex:0x00000000 {Don’t save settings at exit} “ClearRecentDocsOnExit” = (REG_DWORD) hex:0x00000001 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoRemoteRecursiveEvents” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “ClearRecentDocsOnExit” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoCDBurning” = (REG_DWORD) hex:0x00000000 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState 
Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Moje dokumenty\Moje obrazy\Prace z programu Picasa\picasabackground.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\krig\Moje dokumenty\Moje obrazy\Prace z programu Picasa\picasabackground.bmp” Enabled Scheduled Tasks: ------------------------ “MP Scheduled Scan” - launches: “C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{EBE9E2B5-B526-48BC-AD46-687263EDCB0E}” - {HKLM…CLSID} = “Kwyshell MidpX” \InProcServer32(Default) = “C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll” [“Kwyshell G.Corp”] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{EBE9E2B5-B526-48BC-AD46-687263EDCB0E}” - {HKLM…CLSID} = “Kwyshell MidpX” \InProcServer32(Default) = “C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll” [“Kwyshell G.Corp”] “{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}” - {HKLM…CLSID} = “Winamp Toolbar” 
\InProcServer32(Default) = “C:\Program Files\Winamp Toolbar\winamptb.dll” [“AOL LLC”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{E0E899AB-F487-11D5-8D29-0050BA6940E3}” = “FlashGet” - {HKLM…CLSID} = “FlashGet” \InProcServer32(Default) = “C:\Program Files\FlashGet\fgiebar.dll” [“Amaze Soft”] “{EBE9E2B5-B526-48BC-AD46-687263EDCB0E}” = “Kwyshell MidpX” - {HKLM…CLSID} = “Kwyshell MidpX” \InProcServer32(Default) = “C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll” [“Kwyshell G.Corp”] “{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}” = “Winamp Toolbar” - {HKLM…CLSID} = “Winamp Toolbar” \InProcServer32(Default) = “C:\Program Files\Winamp Toolbar\winamptb.dll” [“AOL LLC”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}” - {HKCU…CLSID} = “Java Plug-in 1.5.0_11” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”] - {HKLM…CLSID} = “Java Plug-in 1.5.0_11” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll” [“Sun Microsystems, Inc.”] {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\ “ButtonText” = “Create Mobile Favorite” “CLSIDExtension” = “{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}” - {HKLM…CLSID} = “Create Mobile Favorite” \InProcServer32(Default) = “C:\PROGRA~1\MI3AA1~1\INetRepl.dll” [MS] {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\ “MenuText” = “Utwórz Ulubione dla urządzenia przenośnego…” “CLSIDExtension” = “{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}” - {HKLM…CLSID} = “Create Mobile Favorite” \InProcServer32(Default) = “C:\PROGRA~1\MI3AA1~1\INetRepl.dll” [MS] {85D1F590-48F4-11D9-9669-0800200C9A66}\ “MenuText” = “Uninstall BitDefender Online Scanner v8” {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ “ButtonText” = “FlashGet” “MenuText” = “FlashGet” “Exec” = “C:\Program Files\FlashGet\FlashGet.exe” [“FlashGet.com ”] 
{E2E2DD38-D088-4134-82B7-F2BA38496583}\ “MenuText” = “@xpsp3res.dll ,-20001” “Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ BlueSoleil Hid Service, BlueSoleil Hid Service, “C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe” [null data] Canon Camera Access Library 8, CCALib8, “C:\Program Files\Canon\CAL\CALMAIN.exe” [“Canon Inc.”] NMIndexingService, NMIndexingService, ““C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe”” [“Nero AG”] StarWind iSCSI Service, StarWindService, “C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe” [“Rocket Division Software”] ---------- (launch time: 2007-10-27 22:58:53) : Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 78 seconds. ---------- (total run time: 110 seconds)
Gutek
(Gutek)
27 October 2007 22:38
#2
Remove the entries in HJT, and the file manually.
Post a log from ComboFix.
krig
(Krig22)
28 October 2007 06:52
#3
For whatever reason Combo did not work, so I am posting logs from Deckard's System Scanner:
Deckard’s System Scanner v20071014.68 Run by krig on 2007-10-28 07:47:02 Computer is in Normal Mode. -------------------------------------------------------------------------------- – System Restore -------------------------------------------------------------- Successfully created a Deckard’s System Scanner Restore Point. – Last 5 Restore Point(s) – 89: 2007-10-28 06:47:05 UTC - RP163 - Deckard’s System Scanner Restore Point 88: 2007-10-27 13:20:58 UTC - RP162 - Installed ESET NOD32 Antivirus 87: 2007-10-27 13:19:32 UTC - RP161 - Zainstalowany Kaspersky Internet Security 7.0. 86: 2007-10-27 13:13:45 UTC - RP160 - Zainstalowany Kaspersky Internet Security 7.0. 85: 2007-10-27 12:42:41 UTC - RP159 - is 7.01 build 128 Installation – First Restore Point – 1: 2007-07-04 08:14:13 UTC - RP75 - Software Distribution Service 3.0 Backed up registry hives. Performed disk cleanup. – HijackThis (run as krig.exe) ------------------------------------------------ Logfile of HijackThis v1.99.1 Scan saved at 07:48:28, on 2007-10-28 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Digitop\LightMail\LightMail.exe C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe D:\Nowy folder\CH128\ch.exe C:\windows\system32\umonit.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft ActiveSync\wcescomm.exe C:\Program Files\Gadu-Gadu\gg.exe C:\PROGRA~1\MI3AA1~1\rapimgr.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\ComboFix\nircmd.cfexe 
C:\ComboFix\nircmd.cfexe C:\ComboFix\nircmd.cfexe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\krig\Pulpit\dss.exe C:\DOCUME~1\krig\Pulpit\HIJACK~1\krig.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch_1.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: Kwyshell MidpX BHO - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll O3 - Toolbar: Kwyshell 
MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll O4 - HKLM…\Run: [LightMail] C:\Program Files\Digitop\LightMail\LightMail.exe O4 - HKLM…\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe O4 - HKLM…\Run: [Copy Handler] D:\Nowy folder\CH128\ch.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [uMonit] C:\windows\system32\umonit.exe O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe” O4 - HKLM…\Run: [AtiPTA] atiptaxx.exe O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” O4 - HKCU…\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe O4 - HKCU…\Run: [H/PC Connection Agent] “C:\Program Files\Microsoft ActiveSync\wcescomm.exe” O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Link to &MidpX - C:\Program Files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: 
(no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra ‘Tools’ menuitem: Utwórz Ulubione dla urządzenia przenośnego… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra ‘Tools’ menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O11 - Options group: [iNTERNATIONAL] International* O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resourc … oscan8.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l … cfscan.cab O17 - HKLM\System\CCS\Services\Tcpip…{107503B8-57E9-45C6-AB66-90EC77502E0B}: NameServer = 194.204.159.1,194.204.152.34 O17 - HKLM\System\CCS\Services\Tcpip…{ED354F1A-89B5-43B4-A71E-1147C65C23CB}: NameServer = 194.204.159.1,194.204.152.34 O17 - HKLM\System\CCS\Services\Tcpip…{EE94F6B3-FD30-4F10-99A8-C894942FFB19}: NameServer = 194.204.159.1,194.204.152.34 O17 - HKLM\System\CS1\Services\Tcpip…{107503B8-57E9-45C6-AB66-90EC77502E0B}: NameServer = 194.204.159.1,194.204.152.34 
O17 - HKLM\System\CS2\Services\Tcpip…{107503B8-57E9-45C6-AB66-90EC77502E0B}: NameServer = 194.204.159.1,194.204.152.34 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe – HijackThis Fixed Entries (C:\DOCUME~1\krig\Pulpit\HIJACK~1\backups) -------- backup-20071028-073233-320 O4 - HKLM…\Run: [kpx] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\fastRX.dll DllInitApp backup-20071028-073233-402 O2 - BHO: (no name) - {E09962E7-A39E-4F60-8003-66D57BED27B7} - (no file) – File Associations ----------------------------------------------------------- .cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL “%1”,%* .cpl - cplfile - shell\runas\command - 
rundll32.exe shell32.dll,Control_RunDLLAsUser “%1”,%* – Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys R1 Amfilter (A4Tech Mouse Filter Driver) - c:\windows\system32\drivers\amfilter.sys R1 atitray - c:\program files\radeon omega drivers\v3.8.330\ati tray tools\atitray.sys R1 srosa (Megadrv3) - c:\windows\system32\drivers\srosa.sys R2 U3SHLPDR - c:\windows\system32\drivers\u3shlpdr.sys R3 Amusbprt (A4Tech HID-compliant Mouse Driver) - c:\windows\system32\drivers\amusbprt.sys R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys R3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys S3 BTNetFilter (Bluetooth Network Filter) - c:\windows\system32\drivers\btnetfilter.sys S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys S3 ENTECH - c:\windows\system32\drivers\entech.sys S3 fixustor - c:\windows\system32\drivers\fixustor.sys S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing) – Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- R2 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe – Device Manager: Disabled ---------------------------------------------------- Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: 
NVIDIA nForce Networking Controller Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV00DF\4&1A87BEAE&0&01 Manufacturer: Nvidia Name: NVIDIA nForce Networking Controller PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV00DF\4&1A87BEAE&0&01 Service: NVENETFD Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: Karta sieciowa 1394 Device ID: V1394\NIC1394\45556AA8110666 Manufacturer: Microsoft Name: Karta sieciowa 1394 PNP Device ID: V1394\NIC1394\45556AA8110666 Service: NIC1394 – Scheduled Tasks ------------------------------------------------------------- 2007-10-27 14:05:21 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job – Files created between 2007-09-28 and 2007-10-28 ----------------------------- 2007-10-27 15:12:11 0 d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-10-27 14:21:53 0 d-------- C:\Program Files\Alwil Software 2007-10-27 14:13:26 1824 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2007-10-27 14:13:26 49184 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-10-27 13:26:17 0 d-------- C:\WINDOWS\exefld 2007-10-27 13:15:54 0 d-------- C:\Program Files\F-Secure 2007-10-27 09:23:11 0 d-------- C:\Program Files\Desktop Tray Clock 2007-10-13 09:36:17 0 d-------- C:\WINDOWS\system32\Futuremark 2007-10-13 09:36:17 3972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys 2007-10-13 09:36:17 5632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys 2007-10-13 09:36:17 21664 --a------ C:\WINDOWS\system32\drivers\Entech.sys 2007-10-13 09:34:22 0 d-------- C:\Program Files\Futuremark 2007-10-12 08:36:04 0 d-------- C:\Program Files\Winamp Toolbar 2007-10-04 20:32:48 0 d—s---- C:\WINDOWS\Downloaded Program Files 2007-10-04 20:19:59 516096 -----n— C:\WINDOWS\system32\ati2sgag.exe 2007-10-04 20:16:38 0 d-------- C:\Program Files\Radeon Omega Drivers 2007-10-04 19:47:14 305447 --a------ C:\WINDOWS\system32\viwc.exe 2007-10-04 19:47:14 498176 --a------ C:\WINDOWS\system32\logon.scr 2007-10-04 19:07:11 0 d-------- 
C:\WINDOWS\setup.pss 2007-10-04 19:06:18 0 d-------- C:\WINDOWS\setupupd 2007-09-28 16:30:26 0 d-------- C:\WINDOWS\ASTULogTemp – Find3M Report --------------------------------------------------------------- 2007-10-28 07:30:20 501436 --a------ C:\WINDOWS\system32\perfh015.dat 2007-10-28 07:30:20 90000 --a------ C:\WINDOWS\system32\perfc015.dat 2007-10-27 14:03:04 0 d-------- C:\Program Files\FlashGet 2007-10-27 13:47:49 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\F-Secure 2007-10-27 13:36:53 723 --a------ C:\Documents and Settings\krig\Dane aplikacji\DesktopTrayClock.ini 2007-10-27 13:00:00 495 --a------ C:\Documents and Settings\krig\Dane aplikacji\alarms.ini 2007-10-27 07:17:00 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\The Bat! 2007-10-24 08:26:17 0 d-------- C:\Program Files\Microsoft ActiveSync 2007-10-15 12:13:28 0 d-------- C:\Program Files\Common Files 2007-10-15 12:04:02 0 d–h----- C:\Program Files\InstallShield Installation Information 2007-10-13 11:31:41 0 d-------- C:\Program Files\Gadu-Gadu 2007-10-13 09:36:52 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll 2007-10-12 11:29:35 0 d-------- C:\Program Files\NAPI-PROJEKT 2007-10-12 08:36:28 0 d-------- C:\Program Files\Winamp 2007-10-09 09:49:52 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\OpenOffice.ux.pl2 2007-10-08 09:54:51 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\Help 2007-10-04 20:17:27 0 d-------- C:\Program Files\MultiRes 2007-10-04 20:10:58 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\Earthsim 2007-10-04 20:01:22 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\ATI 2007-09-28 16:10:09 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\Adobe 2007-09-23 09:07:36 0 d-------- C:\Program Files\Spb Software House 2007-09-19 14:24:43 0 d-------- C:\Program Files\Java 2007-09-19 14:22:29 0 d-------- C:\Program Files\Common Files\Java 2007-09-15 21:36:18 0 d-------- C:\Program Files\Codemasters 2007-09-15 20:46:56 0 
d-------- C:\Program Files\AGEIA Technologies 2007-09-15 20:04:58 0 d-------- C:\Program Files\Odkurzacz 2007-09-15 13:27:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-09-11 10:25:44 4 --a------ C:\WINDOWS\system32\proc20744962.bin 2007-09-11 10:25:44 3780 --a------ C:\WINDOWS\mozver.dat 2007-09-11 10:25:44 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\GanymedeNet 2007-09-11 08:04:16 0 d-------- C:\Program Files\Pool Rebel 2007-09-10 07:43:47 0 d-------- C:\Program Files\INTERIAPL 2007-09-02 21:21:33 0 d-------- C:\Program Files\jv16 PowerTools 2007-08-31 10:16:27 0 d-------- C:\Program Files\Multi_Media 2007-08-31 10:13:58 0 d-------- C:\Program Files\MultiMedia Toolbar 2007-08-31 10:13:57 0 d-------- C:\Program Files\ShoppingReport 2007-08-31 10:13:57 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\ShoppingReport 2007-08-31 09:44:16 0 d-------- C:\Program Files\SBSH – Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}] 2007-10-04 21:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] “{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}”= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 21:06 1135968] [-HKEY_CLASSES_ROOT\CLSID{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}] [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1] [HKEY_CLASSES_ROOT\TypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}] [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “LightMail”=“C:\Program Files\Digitop\LightMail\LightMail.exe” [2007-03-05 12:39] “WheelMouse”=“C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe” [2004-08-25 18:39] “Copy Handler”=“D:\Nowy folder\CH128\ch.exe” [2005-01-31 10:18] “NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” 
[2007-03-09 17:53] “UMonit”=“C:\windows\system32\umonit.exe” [2004-05-11 06:34] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe” [2006-12-15 02:23] “AtiPTA”=“atiptaxx.exe” [2006-02-22 01:05 C:\WINDOWS\system32\atiptaxx.exe] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2006-03-02 13:00] “BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2007-03-12 12:49] “Odkurzacz-MCD”=“C:\Program Files\Odkurzacz\odk_mcd.exe” [2005-04-08 05:06] “Twoje TVN24”="" [] “H/PC Connection Agent”=“C:\Program Files\Microsoft ActiveSync\wcescomm.exe” [2006-11-13 14:57] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 08:39] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “NoRemoteRecursiveEvents”=1 (0x1) “ClearRecentDocsOnExit”=1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoSharedDocuments”=1 (0x1) “NoSaveSettings”=0 (0x0) “ClearRecentDocsOnExit”=1 (0x1) SafeBoot registry key needs repairs. This machine cannot enter Safe Mode. 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system] @=“Driver Group” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs] @=“Service” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys] @=“Driver” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E967-E325-11CE-BFC1-08002BE10318}] @=“DiskDrive” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96A-E325-11CE-BFC1-08002BE10318}] @=“Hdc” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96B-E325-11CE-BFC1-08002BE10318}] @=“Keyboard” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96F-E325-11CE-BFC1-08002BE10318}] @=“Mouse” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E97D-E325-11CE-BFC1-08002BE10318}] @=“System” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{71A27CDD-812A-11D0-BEC7-08002BE2092F}] @=“Volume” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIDEBAR] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant] – End of Deckard’s System Scanner: finished at 2007-10-28 07:49:12 ------------
jessica
(jessica)
28 October 2007 07:26
#4
The log shows part of a rootkit infection: "Bagle-hidires with the srosa service".
Too bad ComboFix doesn't work on your machine.
Let's try another way:
Download --> Avenger.
Tick "Input Script Manually". Click the "magnifying glass". Paste:
Click "Done". Click the "green light". Click "YES".
Restart the computer. The Avenger log is in C:\avenger.txt. Post it here.
The rootkit has damaged your Safe Mode.
This rootkit also damages antiviruses, so I recommend reinstalling your antivirus.
Then post a DSS log.
jessi
krig
(Krig22)
28 October 2007 08:04
#5
Thanks for the help, here are the logs.
First, from Avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mijempfm

*******************

Fatal error: integrity of Services key failed verification check!
Security may be fatally compromised.
Exiting immediately.

Could not open script file!
Status: 0xc0000034

Abort!
Second, from DSS:
Deckard’s System Scanner v20071014.68 Run by krig on 2007-10-28 08:59:04 Computer is in Normal Mode. -------------------------------------------------------------------------------- – HijackThis (run as krig.exe) ------------------------------------------------ Logfile of HijackThis v1.99.1 Scan saved at 08:59:09, on 2007-10-28 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Digitop\LightMail\LightMail.exe C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe D:\Nowy folder\CH128\ch.exe C:\windows\system32\umonit.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft ActiveSync\wcescomm.exe C:\Program Files\Gadu-Gadu\gg.exe C:\PROGRA~1\MI3AA1~1\rapimgr.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE c:\program files\winamp toolbar\WinampTbServer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\krig\Pulpit\dss.exe C:\DOCUME~1\krig\Pulpit\HIJACK~1\krig.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - 
HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch_1.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: Kwyshell MidpX BHO - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll O3 - Toolbar: Kwyshell MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll O4 - HKLM…\Run: [LightMail] C:\Program Files\Digitop\LightMail\LightMail.exe O4 - HKLM…\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe O4 - HKLM…\Run: [Copy Handler] D:\Nowy folder\CH128\ch.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [uMonit] C:\windows\system32\umonit.exe O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe” O4 - HKLM…\Run: [AtiPTA] atiptaxx.exe O4 - HKLM…\Run: [avast!] 
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” O4 - HKCU…\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe O4 - HKCU…\Run: [H/PC Connection Agent] “C:\Program Files\Microsoft ActiveSync\wcescomm.exe” O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Link to &MidpX - C:\Program Files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra ‘Tools’ menuitem: Utwórz Ulubione dla urządzenia przenośnego… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra ‘Tools’ menuitem: FlashGet - 
{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O11 - Options group: [iNTERNATIONAL] International* O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resourc … oscan8.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l … cfscan.cab O17 - HKLM\System\CCS\Services\Tcpip…{107503B8-57E9-45C6-AB66-90EC77502E0B}: NameServer = 194.204.159.1,194.204.152.34 O17 - HKLM\System\CCS\Services\Tcpip…{ED354F1A-89B5-43B4-A71E-1147C65C23CB}: NameServer = 194.204.159.1,194.204.152.34 O17 - HKLM\System\CCS\Services\Tcpip…{EE94F6B3-FD30-4F10-99A8-C894942FFB19}: NameServer = 194.204.159.1,194.204.152.34 O17 - HKLM\System\CS1\Services\Tcpip…{107503B8-57E9-45C6-AB66-90EC77502E0B}: NameServer = 194.204.159.1,194.204.152.34 O17 - HKLM\System\CS2\Services\Tcpip…{107503B8-57E9-45C6-AB66-90EC77502E0B}: NameServer = 194.204.159.1,194.204.152.34 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: Canon 
Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe – Files created between 2007-09-28 and 2007-10-28 ----------------------------- 2007-10-27 15:12:11 0 d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-10-27 14:21:53 0 d-------- C:\Program Files\Alwil Software 2007-10-27 14:13:26 2848 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2007-10-27 14:13:26 75808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-10-27 13:26:17 0 d-------- C:\WINDOWS\exefld 2007-10-27 13:15:54 0 d-------- C:\Program Files\F-Secure 2007-10-27 09:23:11 0 d-------- C:\Program Files\Desktop Tray Clock 2007-10-13 09:36:17 0 d-------- C:\WINDOWS\system32\Futuremark 2007-10-13 09:36:17 3972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys 2007-10-13 09:36:17 5632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys 2007-10-13 09:36:17 21664 --a------ C:\WINDOWS\system32\drivers\Entech.sys 2007-10-13 09:34:22 0 d-------- C:\Program Files\Futuremark 2007-10-12 08:36:04 0 d-------- C:\Program Files\Winamp Toolbar 2007-10-04 20:32:48 0 d—s---- C:\WINDOWS\Downloaded Program Files 2007-10-04 20:19:59 516096 -----n— C:\WINDOWS\system32\ati2sgag.exe 2007-10-04 20:16:38 0 d-------- C:\Program Files\Radeon Omega Drivers 
2007-10-04 19:47:14 305447 --a------ C:\WINDOWS\system32\viwc.exe 2007-10-04 19:47:14 498176 --a------ C:\WINDOWS\system32\logon.scr 2007-10-04 19:07:11 0 d-------- C:\WINDOWS\setup.pss 2007-10-04 19:06:18 0 d-------- C:\WINDOWS\setupupd 2007-09-28 16:30:26 0 d-------- C:\WINDOWS\ASTULogTemp – Find3M Report --------------------------------------------------------------- 2007-10-28 07:30:20 501436 --a------ C:\WINDOWS\system32\perfh015.dat 2007-10-28 07:30:20 90000 --a------ C:\WINDOWS\system32\perfc015.dat 2007-10-27 14:03:04 0 d-------- C:\Program Files\FlashGet 2007-10-27 13:47:49 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\F-Secure 2007-10-27 13:36:53 723 --a------ C:\Documents and Settings\krig\Dane aplikacji\DesktopTrayClock.ini 2007-10-27 13:00:00 495 --a------ C:\Documents and Settings\krig\Dane aplikacji\alarms.ini 2007-10-27 07:17:00 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\The Bat! 2007-10-24 08:26:17 0 d-------- C:\Program Files\Microsoft ActiveSync 2007-10-15 12:13:28 0 d-------- C:\Program Files\Common Files 2007-10-15 12:04:02 0 d–h----- C:\Program Files\InstallShield Installation Information 2007-10-13 11:31:41 0 d-------- C:\Program Files\Gadu-Gadu 2007-10-13 09:36:52 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll 2007-10-12 11:29:35 0 d-------- C:\Program Files\NAPI-PROJEKT 2007-10-12 08:36:28 0 d-------- C:\Program Files\Winamp 2007-10-09 09:49:52 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\OpenOffice.ux.pl2 2007-10-08 09:54:51 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\Help 2007-10-04 20:17:27 0 d-------- C:\Program Files\MultiRes 2007-10-04 20:10:58 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\Earthsim 2007-10-04 20:01:22 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\ATI 2007-09-28 16:10:09 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\Adobe 2007-09-23 09:07:36 0 d-------- C:\Program Files\Spb Software House 2007-09-19 14:24:43 0 d-------- 
C:\Program Files\Java 2007-09-19 14:22:29 0 d-------- C:\Program Files\Common Files\Java 2007-09-15 21:36:18 0 d-------- C:\Program Files\Codemasters 2007-09-15 20:46:56 0 d-------- C:\Program Files\AGEIA Technologies 2007-09-15 20:04:58 0 d-------- C:\Program Files\Odkurzacz 2007-09-15 13:27:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-09-11 10:25:44 4 --a------ C:\WINDOWS\system32\proc20744962.bin 2007-09-11 10:25:44 3780 --a------ C:\WINDOWS\mozver.dat 2007-09-11 10:25:44 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\GanymedeNet 2007-09-11 08:04:16 0 d-------- C:\Program Files\Pool Rebel 2007-09-10 07:43:47 0 d-------- C:\Program Files\INTERIAPL 2007-09-02 21:21:33 0 d-------- C:\Program Files\jv16 PowerTools 2007-08-31 10:16:27 0 d-------- C:\Program Files\Multi_Media 2007-08-31 10:13:58 0 d-------- C:\Program Files\MultiMedia Toolbar 2007-08-31 10:13:57 0 d-------- C:\Program Files\ShoppingReport 2007-08-31 10:13:57 0 d-------- C:\Documents and Settings\krig\Dane aplikacji\ShoppingReport 2007-08-31 09:44:16 0 d-------- C:\Program Files\SBSH – Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}] 2007-10-04 21:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] “{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}”= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 21:06 1135968] [-HKEY_CLASSES_ROOT\CLSID{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}] [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1] [HKEY_CLASSES_ROOT\TypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}] [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “LightMail”=“C:\Program Files\Digitop\LightMail\LightMail.exe” [2007-03-05 12:39] 
“WheelMouse”=“C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe” [2004-08-25 18:39] “Copy Handler”=“D:\Nowy folder\CH128\ch.exe” [2005-01-31 10:18] “NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2007-03-09 17:53] “UMonit”=“C:\windows\system32\umonit.exe” [2004-05-11 06:34] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe” [2006-12-15 02:23] “AtiPTA”=“atiptaxx.exe” [2006-02-22 01:05 C:\WINDOWS\system32\atiptaxx.exe] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2006-03-02 13:00] “BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2007-03-12 12:49] “Odkurzacz-MCD”=“C:\Program Files\Odkurzacz\odk_mcd.exe” [2005-04-08 05:06] “Twoje TVN24”="" [] “H/PC Connection Agent”=“C:\Program Files\Microsoft ActiveSync\wcescomm.exe” [2006-11-13 14:57] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 08:39] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “NoRemoteRecursiveEvents”=1 (0x1) “ClearRecentDocsOnExit”=1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoSharedDocuments”=1 (0x1) “NoSaveSettings”=0 (0x0) “ClearRecentDocsOnExit”=1 (0x1) SafeBoot registry key needs repairs. This machine cannot enter Safe Mode. 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system] @=“Driver Group” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs] @=“Service” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys] @=“Driver” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E967-E325-11CE-BFC1-08002BE10318}] @=“DiskDrive” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96A-E325-11CE-BFC1-08002BE10318}] @=“Hdc” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96B-E325-11CE-BFC1-08002BE10318}] @=“Keyboard” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96F-E325-11CE-BFC1-08002BE10318}] @=“Mouse” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E97D-E325-11CE-BFC1-08002BE10318}] @=“System” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{71A27CDD-812A-11D0-BEC7-08002BE2092F}] @=“Volume” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIDEBAR] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant] *Newly Created Service* - ASWUPDSV *Newly Created Service* - AVAST!_ANTIVIRUS – End of Deckard’s System Scanner: finished at 2007-10-28 08:59:34 ------------
The antivirus problem is still there: I install it, the system resets, and the shortcut still can't find the target file. When I check the antivirus folder there are various files in it, but the .exe files are missing.
jessica
(jessica)
28 October 2007 08:23
#6
The problem is there and will be for a long time, because it turns out Avenger isn't able to remove what it was supposed to remove. ComboFix would handle this best.
But since ComboFix doesn't work on your machine, we'll have to try other tools one after another; maybe in the end one will turn up that can remove it.
In that case, download GMER.
Run it >> gmer.zip >> gmer.exe
Expand >>> the CMD tab >> tick CMD; in the upper black field paste this:
Click "Run" on the right-hand side. The computer should shut down and restart by itself.
Then try to repair Safe Mode.
Then post here:
a DSS log
a GMER log with this setting: >> gmer >> Rootkit >> Search >> Copy >> CTRL+V into Notepad (save it somewhere)
a GMER log with this setting: >> gmer >> Rootkit >> tick only "Services" and "Show all" >> Search >> Copy >> CTRL+V into Notepad (save it somewhere)
Paste longer logs at http://wklej.org/ and put only the link in the post (i.e. copy the address from the address bar).
jessi
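The two posts above (the Avenger attempt in #4 and the GMER attempt in #6) are both fighting the same thing: a kernel-mode rootkit that hides its `srosa` service from anything running on the live system (which is why Avenger refused to trust the Services key) and that has gutted `SafeBoot\Minimal` (which is why DSS reports the machine cannot enter Safe Mode). The script below is an added example, not code from the thread and not part of Avenger, GMER or DSS. It does the same two checks offline, from WinPE or a clean second install with the infected volume mounted, so the hooked kernel is not the one answering. The mount path, the key the hive is loaded under, and the SafeBoot baseline list are assumptions for illustration.

```powershell
# Added example (not from the thread, not Avenger/GMER/DSS code). Offline triage
# for what the posted logs show: a gutted SafeBoot\Minimal key and a boot/system-
# start driver service that the live, hooked kernel hides (srosa). Run elevated
# from WinPE or a clean second install with the infected volume mounted.
param(
    [string]$MountRoot = 'E:\',          # infected volume, mounted offline (assumed)
    [string]$OffKey    = 'HKLM\Offline'  # where the infected SYSTEM hive gets loaded (assumed)
)
$SystemRoot = Join-Path $MountRoot 'Windows'
$Hive       = Join-Path $SystemRoot 'System32\config\SYSTEM'

& reg.exe load $OffKey $Hive | Out-Null
try {
    $root    = 'HKLM:\' + ($OffKey -replace '^HKLM\\', '')
    $current = (Get-ItemProperty "$root\Select").Current           # active control set number
    $ccs     = '{0}\ControlSet{1:D3}' -f $root, $current

    # 1. SafeBoot\Minimal. Entries a stock Windows XP SP2 install carries, listed
    #    from memory; regenerate this baseline from a known-clean machine of the
    #    same OS build before trusting it. The dump posted above has only 10.
    $expected = @('AppMgmt','Base','Boot Bus Extender','Boot file system','CryptSvc',
        'DcomLaunch','EventLog','File system','Filter','HelpSvc','PCI Configuration',
        'PlugPlay','PNP Filter','Primary disk','RpcSs','SCSI Class','sermouse.sys',
        'sr.sys','SRService','System Bus Extender','vga.sys','vgasave.sys','WinMgmt')
    $present = @(Get-ChildItem "$ccs\Control\SafeBoot\Minimal" -ErrorAction SilentlyContinue |
                 ForEach-Object PSChildName)
    $missing = @($expected | Where-Object { $present -notcontains $_ })
    Write-Output ('SafeBoot\Minimal: {0} subkeys present, {1} expected entries missing' -f
                  $present.Count, $missing.Count)
    $missing | ForEach-Object { Write-Output "  missing: $_" }

    # 2. Kernel (Type 1) and file-system (Type 2) drivers with Start 0 or 1
    #    (boot/system start), resolved against the offline volume and checked for
    #    an Authenticode signature. Reading the hive offline sidesteps the
    #    registry-hiding hook that made Avenger abort on the live system.
    Get-ChildItem "$ccs\Services" | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        if (($p.Type -ne 1 -and $p.Type -ne 2) -or $null -eq $p.Start -or $p.Start -gt 1) { return }
        # ImagePath may be relative to %SystemRoot%, \SystemRoot\-prefixed,
        # \??\-prefixed, absolute, or absent (defaults to system32\drivers\<name>.sys)
        $img = if ($p.ImagePath) { $p.ImagePath } else { "system32\drivers\$($_.PSChildName).sys" }
        $img = $img -replace '^\\SystemRoot\\', '' -replace '^\\\?\?\\', ''
        $full = if ($img -match '^[A-Za-z]:\\') { Join-Path $MountRoot ($img.Substring(3)) }
                else { Join-Path $SystemRoot $img }
        $sig = if (Test-Path -LiteralPath $full) {
                   (Get-AuthenticodeSignature -FilePath $full).Status
               } else { 'FileMissing' }
        [PSCustomObject]@{
            Service   = $_.PSChildName
            Display   = $p.DisplayName
            Start     = $p.Start
            Image     = $full
            Signature = $sig
        }
    } | Where-Object { $_.Signature -ne 'Valid' } | Sort-Object Start, Service | Format-Table -AutoSize
}
finally {
    [GC]::Collect()                      # drop provider handles so the hive can unload
    & reg.exe unload $OffKey | Out-Null
}
```

On an XP-era image most third-party drivers are unsigned, so the second table is a triage list rather than a verdict: look for entries like the `R1 srosa (Megadrv3)` line in the posted DSS log, i.e. a system-start driver with a generic display name, an image in `system32\drivers` and no vendor signature, and compare the offline service list against what GMER's "Services / Show all" view reports on the live system; a service present offline but absent live is the hidden one.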
krig
(Krig22)
28 October 2007 09:35
#7
OK, I did as you wrote. Here is the first log, from DSS:
Here is the link to the GMER log from the first version: http://wklej.org/id/e1d1302e9c
and the logs from the second version of GMER
jessica
(jessica)
28 October 2007 10:13
#8
Well, unfortunately, the rootkit is still there.
Open Notepad and paste into it:
File >>> Save as >>> change the extension from TXT to all file types >>> save under the name FIX.BAT
(e.g. on C:\)
Run GMER; in the >>>Processes tab select Gmer Awaryjny (GMER safe mode). The computer will restart and GMER will start.
Select the >>>Processes tab again and at the bottom, in "Command", use the three dots to point to the FIX.BAT file, then run it (double-click).
Then make a GMER log with this setting:
>>Rootkit>>tick only "Services" and "Show all">>Scan>>
and see whether the entry below has disappeared:
If it is still there, then:
>>Start >>> Run >>> select (or type) cmd >> apply these commands (press "ENTER" after each):
Then post a log from DSS and GMER.
If it is still there after that, then I give up:
Avenger doesn't remove it,
GMER doesn't remove it,
Gmer Awaryjny doesn't remove it,
MS-DOS commands don't remove it…
But let's hope it works this time.
If it works, don't forget to repair Safe Mode.
jessi
krig
(Krig22)
28 October 2007 11:13
#9
Thank you in advance for your help. Here are the logs:
DSS
and here are the links to Gmer:
http://wklej.org/id/e3319ab757
http://www.wklej.org/id/78f22e2574
jessica
(jessica)
28 October 2007 11:48
#10
As you can see, nothing is changing; in fact it is even getting worse, because yet another rootkit has appeared.
ComboFix would have dealt with it, but since it does not work on your machine, I cannot think of anything else.
You will have to wait; maybe someone else here will come up with something...
Avenger did not remove it on your machine.
While waiting for possible help from someone else, you can try this:
>>Gmer >>> CMD tab: tick the REGEDIT option there and paste into the window:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"german.exe"=-
Click "Uruchom" (Run).
Then:
Open Notepad and paste into it:
File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.BAT
(e.g. on C:\)
Run Gmer; on the >>>Processes tab choose "Gmer Awaryjny" (Gmer emergency mode). The computer will reboot and Gmer will start.
Choose the >>>Processes tab again and at the bottom, in "Polecenie" (Command), use the three dots to point to the FIX.BAT file, then run it (double-click).
EDIT:
Try reinstalling and running ComboFix once more, but this time disable the antivirus beforehand.
jessi
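Added example, not part of the thread or of any tool it mentions: a small Python triage helper that parses Run-key value lines in the form DSS and ComboFix print them and flags the two entries jessica's .reg file removes. The five sample lines are copied from the HKCU Run section of the dump above; the two heuristics (a user-mode .exe launched from system32\drivers, and a value name ending in .exe that does not match the target's file name) are my own, not anything the tools report.

```python
import re

# One value line under a Run key, as DSS / ComboFix print it:
#   "Name"="C:\path\prog.exe" [YYYY-MM-DD HH:MM]     or     "Name"="" []
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$')

# Constructed sample: five lines copied from the HKCU\...\Run section of the DSS dump
# in this thread (two harmless entries, the two jessica removes, one stale entry).
SAMPLE = r'''
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 08:39]
"drvsyskit"="C:\WINDOWS\system32\drivers\hidr.exe" [2005-04-08 05:06]
"german.exe"="C:\WINDOWS\system32\wintems.exe" [2007-10-28 10:55]
"Twoje TVN24"="" []
'''

def parse_run_entries(text):
    """Return (name, target, info) for every line that looks like a Run value."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group('name'), m.group('target'), m.group('info')))
    return entries

def suspicious_reasons(name, target):
    """Heuristics (my own, not the tools') applied to one autostart entry."""
    reasons = []
    base = target.lower().rsplit('\\', 1)[-1]   # file-name part of the target path
    # Kernel drivers live in system32\drivers; a user-mode .exe started from
    # there by a Run key is how hidr.exe sat in this log.
    if '\\drivers\\' in target.lower() and base.endswith('.exe'):
        reasons.append('exe launched from system32\\drivers')
    # A value name that looks like a program name but points at a different
    # file (german.exe -> wintems.exe) is a mismatch worth a second look.
    if name.lower().endswith('.exe') and name.lower() != base:
        reasons.append('name/target mismatch: %s -> %s' % (name, base))
    return reasons

def triage(text):
    """Map value name -> list of reasons for every entry that trips a heuristic."""
    flagged = {}
    for name, target, _info in parse_run_entries(text):
        reasons = suspicious_reasons(name, target)
        if reasons:
            flagged[name] = reasons
    return flagged
```

Running `triage(SAMPLE)` flags only drvsyskit and german.exe; the ctfmon.exe, Gadu-Gadu and empty "Twoje TVN24" entries pass.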
krig
(Krig22)
28 October 2007 12:10
#11
It's me again. After a long struggle I managed to run ComboFix; it took over an hour to produce the log. Pasting it here:
ComboFix 07-10-23.2 - krig 2007-10-28 19:23:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.617 [GMT 1:00]
Running from: C:\Documents and Settings\krig\Pulpit\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\krig\Dane aplikacji\ShoppingReport
C:\Documents and Settings\krig\Dane aplikacji\ShoppingReport\cs\Config.xml
C:\Documents and Settings\krig\Dane aplikacji\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\krig\Dane aplikacji\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\krig\Dane aplikacji\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\krig\Dane aplikacji\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\krig\Dane aplikacji\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\krig\Dane aplikacji\ShoppingReport\cs\res1\WhiteList.dbs
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Uninst.exe
C:\WINDOWS\exefld
C:\WINDOWS\exefld\100078.exe
C:\WINDOWS\exefld\102125.exe
C:\WINDOWS\exefld\102796.exe
C:\WINDOWS\exefld\102828.exe
C:\WINDOWS\exefld\104062.exe
C:\WINDOWS\exefld\107406.exe
C:\WINDOWS\exefld\107609.exe
C:\WINDOWS\exefld\114453.exe
C:\WINDOWS\exefld\2243593.exe
C:\WINDOWS\exefld\463250.exe
C:\WINDOWS\exefld\95203.exe
C:\WINDOWS\exefld\96203.exe
C:\WINDOWS\exefld\97531.exe
C:\WINDOWS\exefld\97906.exe
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\wintems.exe
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_SROSA
-------\srosa

((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-28 )))))))))))))))))))))))))))))))
.

2007-10-28 14:28
2007-10-28 14:08 2,149,888 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2007-10-28 14:08 2,149,888 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-10-28 13:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-28 09:25
2007-10-27 15:12
2007-10-27 14:21
2007-10-27 14:21 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-27 14:21 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-10-27 14:21 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-27 14:21 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-27 14:21 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-27 14:21 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-27 14:21 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-27 14:13 75,808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-27 14:13 2,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-10-27 13:47
2007-10-27 13:15
2007-10-27 09:23
2007-10-15 12:07 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-10-15 12:07 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-10-15 12:07 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-10-15 12:07 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-10-15 12:07 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-10-15 12:07 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-10-15 12:07 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2007-10-15 12:07 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-10-15 12:07 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-10-13 09:36
2007-10-13 09:36 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys
2007-10-13 09:36 5,632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys
2007-10-13 09:36 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2007-10-13 09:34
2007-10-12 08:36
2007-10-10 09:59 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-04 20:32
2007-10-04 20:19 516,096 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-10-04 20:16
2007-10-04 20:10
2007-10-04 20:01
2007-10-04 19:47 498,176 --a------ C:\WINDOWS\system32\logon.scr
2007-10-04 19:47 305,447 --a------ C:\WINDOWS\system32\viwc.exe
2007-10-04 19:45
2007-10-04 19:45
2007-09-28 16:30
2007-09-28 15:23 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2007-10-28 07:42 4,052 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-28 07:42 1,340 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-10-27 13:03 --------- d-----w C:\Program Files\FlashGet
2007-10-27 06:17 --------- d-----w C:\Documents and Settings\krig\Dane aplikacji\The Bat!
2007-10-24 07:26 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-15 11:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-13 10:31 --------- d-----w C:\Program Files\Gadu-Gadu
2007-10-12 10:29 --------- d-----w C:\Program Files\NAPI-PROJEKT
2007-10-12 07:36 --------- d-----w C:\Program Files\Winamp
2007-10-09 08:49 --------- d-----w C:\Documents and Settings\krig\Dane aplikacji\OpenOffice.ux.pl2
2007-10-04 19:17 --------- d-----w C:\Program Files\MultiRes
2007-10-04 19:16 451,072 ----a-w C:\WINDOWS\Radeon Omega Drivers v3.8.330 Uninstall.exe
2007-09-23 08:07 --------- d-----w C:\Program Files\Spb Software House
2007-09-19 13:24 --------- d-----w C:\Program Files\Java
2007-09-19 13:22 --------- d-----w C:\Program Files\Common Files\Java
2007-09-15 20:36 --------- d-----w C:\Program Files\Codemasters
2007-09-15 19:46 --------- d-----w C:\Program Files\AGEIA Technologies
2007-09-15 19:04 --------- d-----w C:\Program Files\Odkurzacz
2007-09-15 12:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-11 09:25 --------- d-----w C:\Documents and Settings\krig\Dane aplikacji\GanymedeNet
2007-09-11 07:04 --------- d-----w C:\Program Files\Pool Rebel
2007-09-10 06:43 --------- d-----w C:\Program Files\INTERIAPL
2007-09-02 20:21 --------- d-----w C:\Program Files\jv16 PowerTools
2007-08-31 09:16 --------- d-----w C:\Program Files\Multi_Media
2007-08-31 09:13 --------- d-----w C:\Program Files\MultiMedia Toolbar
2007-08-31 08:44 --------- d-----w C:\Program Files\SBSH
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 21:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4c5a-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 21:06 1135968]
[HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4c5a-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 21:06 1135968]
[HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightMail"="C:\Program Files\Digitop\LightMail\LightMail.exe" [2007-03-05 12:39]
"WheelMouse"="C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" [2004-08-25 18:39]
"Copy Handler"="D:\Nowy folder\CH128\ch.exe" [2005-01-31 10:18]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 17:53]
"UMonit"="C:\windows\system32\umonit.exe" [2004-05-11 06:34]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 02:23]
"AtiPTA"="atiptaxx.exe" [2006-02-22 01:05 C:\WINDOWS\system32\atiptaxx.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 12:49]
"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2005-04-08 05:06]
"Twoje TVN24"="" []
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:57]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 08:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIDEBAR]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]

R0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);C:\WINDOWS\system32\drivers\pe3ah4nc.sys
R0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);C:\WINDOWS\system32\drivers\ps6ah4nc.sys
R1 atitray;atitray;\??\C:\Program Files\Radeon Omega Drivers\v3.8.330\ATI Tray Tools\atitray.sys
R2 U3SHLPDR;U3SHLPDR;\??\C:\WINDOWS\System32\Drivers\U3SHLPDR.SYS
R3 Cap7134;TVFM 503 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys
S2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);C:\WINDOWS\system32\pr2ah4nc.exe svc
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 fixustor;fixustor;C:\WINDOWS\system32\drivers\fixustor.sys
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys
S3 scsiscan;Sterownik skanera SCSI;C:\WINDOWS\system32\DRIVERS\scsiscan.sys
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
.

Contents of the 'Scheduled Tasks' folder
"2007-10-27 13:05:21 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
.

**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-28 20:42:44
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-28 20:44:25 - machine was rebooted
.
--- E O F ---