Install TrustedAntyvirus


(Malsz25) #1

To jest log z Silent Runners. Czy ktoś mógłby to sprawdzić?

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

"AVPDWIN" = ""C:\Program Files\Panda Software\pandasft.exe"" [file not found]

"mkstray" = "C:\Program Files\mks_vir_2007\bin\mkstray.exe" ["MKS Sp z o.o."]

"mks_mail" = "C:\Program Files\mks_vir_2007\bin\mks_mail.exe" ["MkS Sp. z o.o."]

"MKSRegmon" = "C:\Program Files\mks_vir_2007\bin\mksregmon.exe" [null data]

"zzz_ImInstaller_IncrediMail" = "C:\Documents and Settings\miecio i gosia\Ustawienia lokalne\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = "Skype add-on (mastermind)"

-> {HKLM...CLSID} = "Skype add-on (mastermind)"

\InProcServer32(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.3.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.3.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.3.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.3.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = "OpenOffice.org Column Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.3.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

MkS_Vir(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"

-> {HKLM...CLSID} = "MkS_Vir Shell Extension"

\InProcServer32(Default) = "C:\Program Files\mks_vir_2007\bin\mksshell.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

MkS_Vir(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"

-> {HKLM...CLSID} = "MkS_Vir Shell Extension"

\InProcServer32(Default) = "C:\Program Files\mks_vir_2007\bin\mksshell.dll" [null data]

Group Policies {policy setting}:


Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Startup items in "miecio i gosia" & "All Users" startup folders:


C:\Documents and Settings\miecio i gosia\Menu Start\Programy\Autostart

"OpenOffice.ux.pl 2.3.0" -> shortcut to: "C:\Program Files\OpenOffice.ux.pl 2.3.0\program\quickstart.exe" [null data]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Adobe Reader Synchronizer" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe" [null data]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\Program Files\mks_vir_2007\bin\mkslsp.dll [null data], 01 - 03, 15

%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 14

%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08

Toolbars, Explorer Bars, Extensions:


Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):


Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]

mks_vir file monitor, MksVirMonSvc, "C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe" [null data]

MksFwall, MksFwall, ""C:\Program Files\mks_vir_2007\bin\MksFwall.exe"" ["MKS Sp z o.o."]

MksPC, MksPC, ""C:\Program Files\mks_vir_2007\bin\MksPC.exe"" [null data]

MksUpdate, MksUpdate, ""C:\Program Files\mks_vir_2007\bin\mksupdate.exe"" ["MKS Sp. z o. o."]

---------- (launch time: 2007-11-29 19:18:47)

<>: Suspicious data at a malware launch point.

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • The search for DESKTOP.INI DLL launch points on all local fixed drives

took 18 seconds.

---------- (total run time: 70 seconds)


(Leon$) #2

Po pierwsze napisz, co się dzieje i co jest nie tak.

Po drugie sam log Silent Runners nic nie mówi – są tam zarówno prawidłowe wpisy, jak i błędne.

Pobierz Combofix, przeskanuj system, daj log na forum,

następnie HijackThis: przeskanuj system, daj log na forum

w tej kolejności, którą podałem.

:slight_smile:


(Malsz25) #3

Program antywirusowy wykrywał trojana, po czym kasował plik. Ostatnio zainstalował się program Install TrustedAntivirus, który zrobił z siebie administratora komputera. Zniknął panel sterowania i nie można było nic zrobić. Pojawił się też program z ikonką koperty IncrediMail, którego również nie dało się usunąć. Pomógł Combofix. Te dwa programy zniknęły, a komputer zaczął działać poprawnie. Jednak nadal program antywirusowy wykrywa trojana.

Przesyłam logi:

ComboFix 07-11-19.4 - miecio i gosia 2007-11-29 21:42:55.2 - NTFSx86

Running from: C:\Documents and Settings\miecio i gosia\Pulpit\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))

.

2007-11-27 20:32 7,712 --a------ C:\WINDOWS\system32\ismfaaaf.exe

2007-11-27 19:27

2007-11-27 17:37 20,480 --a------ C:\WINDOWS\davrrx.exe

2007-11-27 09:22 20,992 --a------ C:\WINDOWS\daverx.exe

2007-11-27 08:45 16,384 --a------ C:\WINDOWS\windisk.dll

2007-11-27 08:27 28,929 --a------ C:\WINDOWS\trayicons.exe

2007-11-27 08:27 28,929 --a------ C:\sysqdwz.exe

2007-11-20 17:03 7,932 --a------ C:\WINDOWS\system32\mistdrws.exe

2007-11-19 15:22 53,248 --a------ C:\WINDOWS\system32\oleauth32.dll

2007-11-13 08:54 7,863 --a------ C:\WINDOWS\system32\udiydtth.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-29 19:53 --------- d-----w C:\Documents and Settings\miecio i gosia\Dane aplikacji\Skype

2007-11-29 17:52 --------- d-----w C:\Documents and Settings\miecio i gosia\Dane aplikacji\OpenOffice.ux.pl2

2007-10-22 10:17 61,440 ----a-w C:\lhvy.exe

2007-10-16 16:38 --------- d-----w C:\Program Files\Korea Zapomniany Konflikt

2007-10-15 20:33 --------- d-----w C:\Program Files\OpenOffice.ux.pl 2.3.0

2007-10-15 16:58 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help

2007-09-30 20:58 --------- d-----w C:\Program Files\MSECache

2007-09-30 20:56 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Office Genuine Advantage

2007-08-29 20:18 315,392 ----a-w C:\WINDOWS\HideWin.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 08:39]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-07-13 17:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 20:10]

"AVPDWIN"="C:\Program Files\Panda Software\pandasft.exe" []

"mkstray"="C:\Program Files\mks_vir_2007\bin\mkstray.exe" [2007-08-06 21:36]

"mks_mail"="C:\Program Files\mks_vir_2007\bin\mks_mail.exe" [2007-05-24 04:06]

"MKSRegmon"="C:\Program Files\mks_vir_2007\bin\mksregmon.exe" [2007-05-24 04:06]

"zzz_ImInstaller_IncrediMail"="C:\Documents and Settings\miecio i gosia\Ustawienia lokalne\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe" []

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00]

C:\Documents and Settings\miecio i gosia\Menu Start\Programy\Autostart\

OpenOffice.ux.pl 2.3.0.lnk - C:\Program Files\OpenOffice.ux.pl 2.3.0\program\quickstart.exe [2007-09-26 14:24:26]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MkS_Scan]

@="service"

R0 mksidsa;mksidsa;C:\WINDOWS\system32\mksidsa.sys

R1 mksfwallt;mksfwallt;\??\C:\WINDOWS\system32\mksfwallt.sys

R2 MksFwall;MksFwall;"C:\Program Files\mks_vir_2007\bin\MksFwall.exe"

R2 MksPC;MksPC;"C:\Program Files\mks_vir_2007\bin\MksPC.exe"

R2 MksUpdate;MksUpdate;"C:\Program Files\mks_vir_2007\bin\mksupdate.exe"

R2 VIHULNFQ;VIHULNFQ;\??\C:\WINDOWS\system32\vihulnfq.vcc

R3 mksfwallf;mksfwallf;\??\C:\WINDOWS\system32\mksfwallf.sys

R3 mksidsf;mksidsf;\??\C:\WINDOWS\system32\mksidsf.sys

R3 MksMonEn;MksMonEn;\??\C:\Program Files\mks_vir_2007\bin\MksMonEn.sys

R3 MksMonEv;MksMonEv;\??\C:\Program Files\mks_vir_2007\bin\MksMonEv.sys

R3 MksMonFd;MksMonFd;\??\C:\Program Files\mks_vir_2007\bin\MksMonFd.sys

S1 kcp;kcp;\??\C:\WINDOWS\system32\drivers\kcp.sys

S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys

.

**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-29 21:45:37

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-11-29 21:46:51

C:\ComboFix2.txt ... 2007-11-27 22:18

.

--- E O F ---

Logfile of HijackThis v1.99.1 Scan saved at 21:57:06, on 2007-11-29

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\mks_vir_2007\bin\mkstray.exe

C:\Program Files\mks_vir_2007\bin\mks_mail.exe

C:\Program Files\mks_vir_2007\bin\mksregmon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\OpenOffice.ux.pl 2.3.0\program\soffice.exe

C:\Program Files\OpenOffice.ux.pl 2.3.0\program\soffice.BIN

C:\Program Files\mks_vir_2007\bin\MksFwall.exe

C:\Program Files\mks_vir_2007\bin\MksPC.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\mks_vir_2007\bin\mksupdate.exe

C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\mks_vir_2007\bin\mks_scan.exe

C:\WINDOWS\explorer.exe

C:\DOCUME~1\MIECIO~1\USTAWI~1\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM..\Run: [AVPDWIN] "C:\Program Files\Panda Software\pandasft.exe"

O4 - HKLM..\Run: [mkstray] C:\Program Files\mks_vir_2007\bin\mkstray.exe

O4 - HKLM..\Run: [mks_mail] C:\Program Files\mks_vir_2007\bin\mks_mail.exe

O4 - HKLM..\Run: [MKSRegmon] C:\Program Files\mks_vir_2007\bin\mksregmon.exe

O4 - HKLM..\Run: [zzz_ImInstaller_IncrediMail] C:\Documents and Settings\miecio i gosia\Ustawienia lokalne\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Startup: OpenOffice.ux.pl 2.3.0.lnk = C:\Program Files\OpenOffice.ux.pl 2.3.0\program\quickstart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\mkslsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\mkslsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\mkslsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\mkslsp.dll

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: MksFwall - MKS Sp z o.o. - C:\Program Files\mks_vir_2007\bin\MksFwall.exe

O23 - Service: MksPC - Unknown owner - C:\Program Files\mks_vir_2007\bin\MksPC.exe

O23 - Service: MksUpdate - MKS Sp. z o. o. - C:\Program Files\mks_vir_2007\bin\mksupdate.exe

O23 - Service: mks_vir file monitor (MksVirMonSvc) - Unknown owner - C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe

O23 - Service: MkS_Scan - Unknown owner - C:\Program Files\mks_vir_2007\bin\mks_scan.exe

:?


(Gutek) #4

Zastosuj się do tego Tematu i zmień tytuł tematu na konkretny, inaczej KOSZ.

Pozdrawiam Gutek2222

Wklej do Notatnika:

>>Plik>>Zapisz jako... >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe)

– podobnie jak na tym obrazku -->88953CFScript-createdbyMiekiemoes.gif

(jeśli pojawi się pytanie „1 or 2”, wpisz 1 i naciśnij ENTER). Ma się rozpocząć usuwanie (i powstanie log).

Po restarcie usuń ręcznie folder C:\Qoobox.

Po tym nowy log z Combo.


(Malsz25) #5

Witam! Usunęłam wskazane pliki.

Oto nowy log z Combofix:

ComboFix 07-11-19.4 - miecio i gosia 2007-11-30 18:50:15.4 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.36 [GMT 1:00]

Running from: C:\Documents and Settings\miecio i gosia\Pulpit\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))

.

2007-11-27 19:27

2007-10-15 21:36

2007-10-15 21:33

2007-10-15 19:26 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls

2007-10-15 19:25 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex

2007-10-15 19:25 98,304 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.dll

2007-10-15 19:25 57,856 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_scripto.dll

2007-10-15 19:25 38,912 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_ntfsdrv.dll

2007-10-15 19:25 26,112 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_seos.dll

2007-10-15 19:25 23,040 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_regtrace.exe

2007-10-15 19:25 12,800 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpctrs.dll

2007-10-15 19:25 7,168 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_snprfdll.dll

2007-10-15 19:24 92,416 --a--c--- C:\WINDOWS\system32\dllcache\mga.sys

2007-10-15 19:24 92,032 --a--c--- C:\WINDOWS\system32\dllcache\mga.dll

2007-10-15 19:24 66,594 --a--c--- C:\WINDOWS\system32\dllcache\c_864.nls

2007-10-15 19:24 65,536 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_mailmsg.dll

2007-10-15 19:24 54,528 --a--c--- C:\WINDOWS\system32\dllcache\cap7146.sys

2007-10-15 19:24 43,520 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_fcachdll.dll

2007-10-15 19:24 24,632 --a--c--- C:\WINDOWS\system32\dllcache\fpadmcgi.exe

2007-10-15 19:24 14,848 --a--c--- C:\WINDOWS\system32\dllcache\flattemp.exe

2007-10-15 19:24 7,680 --a--c--- C:\WINDOWS\system32\dllcache\migregdb.exe

2007-10-15 19:24 7,168 --a--c--- C:\WINDOWS\system32\dllcache\f3ahvoas.dll

2007-10-15 19:23 188,480 --a--c--- C:\WINDOWS\system32\dllcache\cfgwiz.exe

2007-10-15 19:23 162,850 --a--c--- C:\WINDOWS\system32\dllcache\c_10001.nls

2007-10-15 19:23 45,056 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_aqadmin.dll

2007-10-15 19:23 20,540 --a--c--- C:\WINDOWS\system32\dllcache\admin.dll

2007-10-15 19:23 20,536 --a--c--- C:\WINDOWS\system32\dllcache\shtml.dll

2007-10-15 19:23 16,437 --a--c--- C:\WINDOWS\system32\dllcache\shtml.exe

2007-10-15 19:23 5,632 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_adsiisex.dll

2007-10-15 19:18 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys

2007-10-15 19:15 1,014,483 --a--c--- C:\WINDOWS\system32\dllcache\SP2.CAT

2007-10-15 19:15 399,670 --a--c--- C:\WINDOWS\system32\dllcache\MAPIMIG.CAT

2007-10-15 19:15 30,983 --a--c--- C:\WINDOWS\system32\dllcache\FP4.CAT

2007-10-15 19:15 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll

2007-10-15 19:15 14,043 --a--c--- C:\WINDOWS\system32\dllcache\IMS.CAT

2007-10-15 19:15 13,497 --a--c--- C:\WINDOWS\system32\dllcache\HPCRDP.CAT

2007-10-15 19:15 13,312 --a------ C:\WINDOWS\system32\irclass.dll

2007-10-15 19:15 9,581 --a--c--- C:\WINDOWS\system32\dllcache\MSMSGS.CAT

2007-10-15 19:15 7,245 --a--c--- C:\WINDOWS\system32\dllcache\MSTSWEB.CAT

2007-10-13 19:37

2007-10-13 19:36

2007-10-13 19:33

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-30 17:50 --------- d-----w C:\Documents and Settings\miecio i gosia\Dane aplikacji\Skype

2007-10-25 20:40 11,563 ----a-w C:\WINDOWS\system32\ofzatkxn.exe

2007-10-18 11:28 10,518 ----a-w C:\WINDOWS\system32\oilzybkw.exe

2007-10-15 16:58 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help

2007-09-30 20:58 --------- d-----w C:\Program Files\MSECache

2007-09-30 20:56 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Office Genuine Advantage

2007-08-29 20:18 315,392 ----a-w C:\WINDOWS\HideWin.exe

2007-08-20 13:38 16,384,512 ----a-w C:\WINDOWS\RTHDCPL.exe

2007-08-03 11:22 1,826,816 ----a-w C:\WINDOWS\SkyTel.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 08:39]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-07-13 17:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 20:10]

"AVPDWIN"="C:\Program Files\Panda Software\pandasft.exe" []

"mkstray"="C:\Program Files\mks_vir_2007\bin\mkstray.exe" [2007-08-06 21:36]

"mks_mail"="C:\Program Files\mks_vir_2007\bin\mks_mail.exe" [2007-05-24 04:06]

"MKSRegmon"="C:\Program Files\mks_vir_2007\bin\mksregmon.exe" [2007-05-24 04:06]

"zzz_ImInstaller_IncrediMail"="C:\Documents and Settings\miecio i gosia\Ustawienia lokalne\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe" []

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00]

C:\Documents and Settings\miecio i gosia\Menu Start\Programy\Autostart\

OpenOffice.ux.pl 2.3.0.lnk - C:\Program Files\OpenOffice.ux.pl 2.3.0\program\quickstart.exe [2007-09-26 14:24:26]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MkS_Scan]

@="service"

R0 mksidsa;mksidsa;C:\WINDOWS\system32\mksidsa.sys

R1 mksfwallt;mksfwallt;\??\C:\WINDOWS\system32\mksfwallt.sys

R3 mksfwallf;mksfwallf;\??\C:\WINDOWS\system32\mksfwallf.sys

R3 mksidsf;mksidsf;\??\C:\WINDOWS\system32\mksidsf.sys

R3 MksMonEn;MksMonEn;\??\C:\Program Files\mks_vir_2007\bin\MksMonEn.sys

R3 MksMonEv;MksMonEv;\??\C:\Program Files\mks_vir_2007\bin\MksMonEv.sys

R3 MksMonFd;MksMonFd;\??\C:\Program Files\mks_vir_2007\bin\MksMonFd.sys

S1 kcp;kcp;\??\C:\WINDOWS\system32\drivers\kcp.sys

S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys

.

**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-30 18:52:41

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-11-30 18:53:46

.

--- E O F ---


(Gutek) #6

przeskanuj pliki na http://virusscan.jotti.org/


(Malsz25) #7

Witam! Przeskanowałam pliki i wykryto trojana proxy. Usunęłam te pliki. To jest nowy log z ComboFix:


(Gutek) #8

Wklej do Notatnika:

>>Plik>>Zapisz jako... >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe)

– podobnie jak na tym obrazku -->88953CFScript-createdbyMiekiemoes.gif

(jeśli pojawi się pytanie „1 or 2”, wpisz 1 i naciśnij ENTER). Ma się rozpocząć usuwanie (i powstanie log).

Po restarcie usuń ręcznie folder C:\Qoobox.

Po tym nowy log z Combo.


(Malsz25) #9

Witam!

Oto nowy log z ComboFix:


(Gutek) #10

Powinno być już OK.


(Malsz25) #11

Bardzo dziękuję za pomoc. Mam nadzieję, że dysk będzie już czysty. Pozdrawiam! :slight_smile: