I have a strange problem: out of nowhere, new users have appeared in my system labelled "internet access account". The strangest thing is that there are several of these accounts, and attempts to delete them along with all their files do nothing, because they come back after every system restart. I have an up-to-date antivirus, Dr.Web, and it doesn't find any viruses. Maybe someone has run into a similar problem; I searched on Google but didn't find an answer to it. Thanks in advance for the help
hmmm... yesterday, before writing the previous post, I deleted these accounts once again, and to my surprise, today when I started the system (Vista 32-bit SP1) they were gone :). A nice surprise, but I'll post this log anyway, because maybe there is something in it after all that shouldn't be there
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:47:15, on 2008-05-17
Platform: Windows Vista SP1, v.658 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.17042)
Boot mode: Normal
Running processes:
G:\Windows\system32\taskeng.exe
G:\Windows\system32\Dwm.exe
G:\Windows\Explorer.EXE
G:\Program Files\Windows Defender\MSASCui.exe
G:\Windows\System32\rundll32.exe
G:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
G:\Program Files\CyberLink\Shared files\brs.exe
G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
G:\Windows\System32\rundll32.exe
G:\Program Files\DrWeb\spiderml.exe
G:\Windows\SYSTEM32\CTXFISPI.EXE
G:\Program Files\DrWeb\spiderui.exe
G:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
G:\Windows\System32\CTHELPER.EXE
G:\Windows\System32\CTXFIHLP.EXE
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\Windows Sidebar\sidebar.exe
G:\Program Files\DAEMON Tools Lite\daemon.exe
G:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
G:\Program Files\Windows Sidebar\sidebar.exe
G:\Program Files\Windows Media Player\wmpnscfg.exe
G:\Program Files\Gadu-Gadu\gg.exe
G:\Program Files\Mozilla Firefox 3 Beta 2\firefox.exe
G:\Program Files\Winamp\winamp.exe
G:\Windows\system32\SearchFilterHost.exe
G:\Users\Adam\Desktop\downloads\HJ\HijackThis.exe
G:\Windows\system32\msfeedssync.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 82.98.86.179 korer.net
O1 - Hosts: 82.98.86.179 indah.info
O1 - Hosts: 82.98.86.179 artpassions.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GNX Rolex - {5908DD9F-AB4F-4244-9799-435AD9B55220} - G:\Windows\drnpfdxqvm.dll
O3 - Toolbar: etlrlws - {8853C284-DF46-469C-837F-6C9FDC2A3029} - G:\Windows\etlrlws.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE G:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VolPanel] "G:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] G:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [BDRegion] G:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [RemoteControl] "G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "G:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SpIDerMail] "G:\Program Files\DrWeb\spiderml.exe"
O4 - HKLM\..\Run: [SpIDerNT] G:\PROGRA~1\DrWeb\spiderui.exe /agent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "G:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "G:\Program Files\RivaTuner v2.08\RivaTunerWrapper.exe" /S
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] G:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Gadu-Gadu] "G:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [DAEMON Tools Lite] "G:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Odkurzacz-MCD] G:\Program Files\Odkurzacz\odk_mcd.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "G:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [DeskSpace] G:\Program Files\DeskSpace\deskspace.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] G:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] G:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/ … TSUEng.cab
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ … /CTPID.cab
O21 - SSODL: bokpkov - {8576D8F0-143A-4A3E-A66D-2AD39DDC8F33} - G:\Windows\bokpkov.dll
O21 - SSODL: altvxvm - {45DCE87F-8C11-44A9-BA43-1D95C4DA4F6A} - G:\Windows\altvxvm.dll
O23 - Service: AFinding Service (AFinding) - Unknown owner - G:\Windows\system32\afinding.exe
O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - G:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative ALchemy AL1 Licensing Service - Creative Labs - G:\Program Files\Common Files\Creative Labs Shared\Service\AL1Licensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - G:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - G:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - G:\Windows\system32\perfs.exe
O23 - Service: PnkBstrA - Unknown owner - G:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - G:\Windows\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - G:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Routing Service (Routing) - Unknown owner - G:\Windows\system32\routing.exe
O23 - Service: SpIDer Guard for Windows (SPIDERNT) - Doctor Web, Ltd. - G:\PROGRA~1\DrWeb\spidernt.exe
O23 - Service: WServing Service (WServing) - Unknown owner - G:\Windows\system32\wserving.exe
--
End of file - 8249 bytes
Yes, there is. The following lines are to be removed:
Although really the only effective solution for removing these rootkits is to "nuke" this system, set it up from scratch and use it the way it should be done, i.e. with UAC enabled and from a regular user account. Not to mention caution when visiting suspicious places on the internet and running unknown programs and e-mail attachments...
Fix in HijackThis
Download ComboFix, but don't run it
Paste into Notepad:
File::
G:\Windows\drnpfdxqvm.dll
G:\Windows\etlrlws.dll
G:\Windows\bokpkov.dll
G:\Windows\altvxvm.dll
G:\Windows\system32\afinding.exe
G:\Windows\system32\perfs.exe
G:\Windows\system32\routing.exe
G:\Windows\system32\wserving.exe
File -> Save As -> CFScript.txt (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt icon onto the ComboFix.exe icon like this ->
Removal will begin and a log will be created; post that log on the forum.
To be safe, you can disable it.
Start -> Run -> cmd.exe
First check the account names in the system:
net user
Then deactivate the chosen account, i.e. ...internet access account
net user nazwa_konta /active:no
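As an added example (not code from the thread or from any of the posters), a small Python triage script for HijackThis lines of the kind quoted above: it flags hosts-file redirects, BHO/Toolbar/SSODL DLLs sitting directly in the Windows folder, and services reported with no publisher, then emits the File:: section of a ComboFix CFScript for the flagged binaries. The sample log is a constructed subset of the thread's entries, and the heuristics and the allowlist of known "Unknown owner" services are assumptions made for illustration.

```python
"""Triage helper for HijackThis v2 logs: parse O1/O2/O3/O21/O23 lines, flag the
patterns seen in the thread, and emit a ComboFix CFScript 'File::' section."""
import ntpath
import re
from typing import Dict, List

# Constructed sample input in HijackThis v2 format (a subset of the thread's entries,
# plus known-good lines for contrast). Not a complete log.
SAMPLE_HJT_LOG = r"""O1 - Hosts: ::1 localhost
O1 - Hosts: 82.98.86.179 korer.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GNX Rolex - {5908DD9F-AB4F-4244-9799-435AD9B55220} - G:\Windows\drnpfdxqvm.dll
O3 - Toolbar: etlrlws - {8853C284-DF46-469C-837F-6C9FDC2A3029} - G:\Windows\etlrlws.dll
O21 - SSODL: bokpkov - {8576D8F0-143A-4A3E-A66D-2AD39DDC8F33} - G:\Windows\bokpkov.dll
O23 - Service: AFinding Service (AFinding) - Unknown owner - G:\Windows\system32\afinding.exe
O23 - Service: Bonjour Service - Apple Inc. - G:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PnkBstrA - Unknown owner - G:\Windows\system32\PnkBstrA.exe
"""

LOOPBACK = {"127.0.0.1", "::1"}
# Binaries HijackThis reports as "Unknown owner" that are nevertheless legitimate:
# PnkBstrA/B are the PunkBuster anti-cheat services (also in the thread's log). Assumed list.
KNOWN_UNSIGNED_SERVICES = {"pnkbstra.exe", "pnkbstrb.exe"}

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
DLL_RE = re.compile(r"^(O2|O3|O21) - (?:BHO|Toolbar|SSODL): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+)$")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Turn the supported HijackThis sections into dicts; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := HOSTS_RE.match(line):
            entries.append({"section": "O1", "ip": m.group(1), "host": m.group(2), "raw": line})
        elif m := DLL_RE.match(line):
            entries.append({"section": m.group(1), "name": m.group(2), "clsid": m.group(3),
                            "path": m.group(4), "raw": line})
        elif m := SERVICE_RE.match(line):
            # "<display name> - <owner> - <path>": split from the right so a dash inside
            # the display name does not break the parse.
            parts = m.group(1).rsplit(" - ", 2)
            if len(parts) == 3:
                entries.append({"section": "O23", "name": parts[0], "owner": parts[1],
                                "path": parts[2], "raw": line})
    return entries


def in_windows_root(path: str) -> bool:
    """True when the file sits directly in the Windows folder rather than in a subfolder."""
    return re.fullmatch(r"[a-z]:\\windows", ntpath.dirname(path).lower()) is not None


def flag_suspicious(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the entries worth a closer look, each with a 'reason' added."""
    flagged = []
    for e in entries:
        reason = None
        if e["section"] == "O1" and e["ip"] not in LOOPBACK:
            reason = f"hosts file redirects {e['host']} to {e['ip']}"
        elif e["section"] in ("O2", "O3", "O21") and in_windows_root(e["path"]):
            reason = f"{e['section']} DLL dropped directly into the Windows folder"
        elif (e["section"] == "O23" and e["owner"] == "Unknown owner"
              and ntpath.basename(e["path"]).lower() not in KNOWN_UNSIGNED_SERVICES):
            reason = "service with no publisher information"
        if reason:
            flagged.append({**e, "reason": reason})
    return flagged


def build_cfscript(flagged: List[Dict[str, str]]) -> str:
    """Emit the 'File::' section of a ComboFix CFScript for the flagged binaries."""
    paths = sorted({e["path"] for e in flagged if "path" in e})
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = flag_suspicious(parse_hjt(SAMPLE_HJT_LOG))
    for h in hits:
        print(f"[{h['section']}] {h['reason']}: {h['raw']}")
    print(build_cfscript(hits))
```

The heuristics are deliberately loose and will produce false positives (PnkBstrA is skipped only because of the allowlist), so treat the output as a shortlist to verify by hand, not as a deletion list.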
okay, I followed all the instructions, and here I'm also posting this log from ComboFix
ComboFix 08-05-19.4 - Adam 2008-05-20 18:27:30.1 - NTFSx86
Running from: G:\Users\Adam\Desktop\downloads\ComboFix.exe
Command switches used :: G:\Users\Adam\Desktop\downloads\CFScript.txt.txt
* Created a new restore point
* Resident AV is active
FILE ::
G:\Windows\altvxvm.dll
G:\Windows\bokpkov.dll
G:\Windows\drnpfdxqvm.dll
G:\Windows\etlrlws.dll
G:\Windows\system32\afinding.exe
G:\Windows\system32\perfs.exe
G:\Windows\system32\routing.exe
G:\Windows\system32\wserving.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
G:\Program Files\ShoppingReport
G:\Windows\altvxvm.dll
G:\Windows\bokpkov.dll
G:\Windows\dat.txt
G:\Windows\etlrlws.dll
G:\Windows\rs.txt
G:\Windows\search_res.txt
G:\Windows\system32\afinding.exe
G:\Windows\system32\andt.sys
G:\Windows\system32\avi.dll
G:\Windows\system32\comsa32.sys
G:\Windows\system32\DivXsm.exe
G:\Windows\system32\drmgs.sys
G:\Windows\system32\ff_liba52.dll
G:\Windows\system32\ff_libdts.dll
G:\Windows\system32\ff_libfaad2.dll
G:\Windows\system32\ff_libmad.dll
G:\Windows\system32\ff_realaac.dll
G:\Windows\system32\ff_samplerate.dll
G:\Windows\system32\ff_tremor.dll
G:\Windows\system32\ff_unrar.dll
G:\Windows\system32\ff_wmv9.dll
G:\Windows\system32\iconv.dll
G:\Windows\system32\Indt2.sys
G:\Windows\system32\libavcodec.dll
G:\Windows\system32\libmpeg2_ff.dll
G:\Windows\system32\libmplayer.dll
G:\Windows\system32\mkunicode.dll
G:\Windows\system32\mkx.dll
G:\Windows\system32\mkzlib.dll
G:\Windows\system32\mmfinfo.dll
G:\Windows\system32\mp4.dll
G:\Windows\system32\ogg.dll
G:\Windows\system32\OggDS.dll
G:\Windows\system32\ogm.dll
G:\Windows\system32\perfs.exe
G:\Windows\system32\routing.exe
G:\Windows\system32\tmp0_200222180745.bk
G:\Windows\system32\tmp0_263782317345.bk
G:\Windows\system32\tmp0_417003419015.bk
G:\Windows\system32\tmp0_694363634232.bk
G:\Windows\system32\tmp0_84314316600.bk
G:\Windows\system32\tmp1_173830223210.bk
G:\Windows\system32\tmp1_33722672658.bk
G:\Windows\system32\tmp1_393641746321.bk
G:\Windows\system32\tmp1_609902141170.bk
G:\Windows\system32\tmp1_635744135128.bk
G:\Windows\system32\tmp1_663913242154.bk
G:\Windows\system32\tmp1_67113654974.bk
G:\Windows\system32\tmp1_676322743603.bk
G:\Windows\system32\tmp4_100470548724.bk
G:\Windows\system32\tmp4_19368099843.bk
G:\Windows\system32\tmp4_381778295252.bk
G:\Windows\system32\tmp4_385035318584.bk
G:\Windows\system32\tmp4_478781121154.bk
G:\Windows\system32\ts.dll
G:\Windows\system32\vorbis.dll
G:\Windows\system32\vorbisenc.dll
G:\Windows\system32\WMV9VCM.dll
G:\Windows\system32\wserving.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_AFinding
-------\Service_perfmons
-------\Service_Routing
-------\Service_WServing
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.
2008-05-20 18:08 . 2008-05-20 18:25
2008-05-19 22:09 . 2008-05-19 22:10
2008-05-18 17:58 . 2008-05-18 17:58
2008-05-18 17:53 . 2008-05-18 17:53
2008-05-18 17:53 . 2008-05-18 18:00
2008-05-18 17:53 . 2004-08-04 08:00 506,368 --a------ G:\Windows\System32\msxml.dll
2008-05-12 18:59 . 2008-05-12 18:59 22,328 --a------ G:\Windows\System32\drivers\PnkBstrK.sys
2008-05-12 18:59 . 2008-05-12 18:59 22,328 --a------ G:\Users\Adam\AppData\Roaming\PnkBstrK.sys
2008-05-12 18:58 . 2008-05-12 18:58 2,337,865 --a------ G:\Windows\System32\pbsvc.exe
2008-05-12 18:58 . 2008-05-12 18:58 107,832 --a------ G:\Windows\System32\PnkBstrB.exe
2008-05-12 18:58 . 2008-05-12 18:58 66,872 --a------ G:\Windows\System32\PnkBstrA.exe
2008-05-11 20:02 . 2008-05-11 20:02
2008-05-11 20:02 . 2008-05-20 18:35 54,156 --ah----- G:\Windows\QTFont.qfn
2008-05-11 20:02 . 2008-05-11 20:02 1,409 --a------ G:\Windows\QTFont.for
2008-05-11 20:01 . 2008-05-11 20:01
2008-05-11 20:01 . 2008-05-11 20:01
2008-05-11 20:00 . 2008-05-11 20:00
2008-05-11 19:59 . 2008-05-11 20:01
2008-05-11 19:59 . 2008-05-18 17:47
2008-05-11 19:58 . 2008-05-11 19:58
2008-05-11 19:57 . 2008-05-11 19:57
2008-05-11 19:57 . 2008-05-11 19:57
2008-05-10 00:58 . 2008-05-10 00:58
2008-05-06 19:32 . 2008-05-06 19:32 0 --ah----- G:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-05-06 16:15 . 2008-05-06 16:23
2008-05-06 15:57 . 2008-05-07 19:26
2008-05-04 22:55 . 2008-05-05 00:24
2008-05-04 22:55 . 2008-05-04 23:12
2008-05-01 22:55 . 2008-05-01 22:55
2008-05-01 22:42 . 2008-05-01 22:42 468 --a------ G:\Windows\System32\splitter.ax
2008-05-01 22:14 . 2008-05-01 22:14
2008-05-01 20:29 . 2008-05-01 22:13
2008-05-01 20:14 . 2008-05-01 20:14
2008-05-01 11:50 . 2008-05-18 13:41 69 --a------ G:\Windows\NeroDigital.ini
2008-04-27 14:25 . 2008-04-27 14:25
2008-04-27 14:24 . 2008-04-27 14:24
2008-04-24 22:31 . 2008-04-24 22:31
2008-04-24 16:24 . 2008-04-24 16:24
2008-04-20 18:39 . 2008-04-20 21:31
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 16:27 --------- d-----w G:\Program Files\Mozilla Firefox 3 Beta 2
2008-05-20 16:25 --------- d-----w G:\Program Files\DrWeb
2008-05-20 16:22 --------- d-----w G:\Users\Adam\AppData\Roaming\Azureus
2008-05-19 22:13 --------- d-----w G:\Program Files\Microsoft Silverlight
2008-05-14 22:27 --------- d-----w G:\ProgramData\Microsoft Help
2008-05-12 16:59 --------- d-----w G:\ProgramData\Ubisoft
2008-05-12 16:45 --------- d--h--w G:\Program Files\InstallShield Installation Information
2008-05-06 15:21 --------- d-----w G:\Program Files\NAPI-PROJEKT
2008-05-06 14:28 --------- d-----w G:\Program Files\Odkurzacz
2008-05-03 10:36 --------- d-----w G:\Program Files\Mozilla Thunderbird
2008-05-01 20:31 --------- d-----w G:\Program Files\FreeCommander
2008-04-30 09:24 --------- d-----w G:\ProgramData\WinZip
2008-04-25 09:25 --------- d-----w G:\Program Files\Gadu-Gadu
2008-04-20 09:46 --------- d-----w G:\Users\Adam\AppData\Roaming\Creative
2008-04-17 21:12 --------- d-----w G:\Users\Adam\AppData\Roaming\Nero
2008-04-17 21:08 --------- d-----w G:\Program Files\NeroInstall.bak
2008-04-17 20:57 --------- d-----w G:\Program Files\Common Files\Nero
2008-04-17 20:55 --------- d-----w G:\ProgramData\Nero
2008-04-17 20:55 --------- d-----w G:\Program Files\Nero
2008-04-13 18:23 --------- d-----w G:\Program Files\Guitar Pro 5
2008-04-12 11:25 0 ---ha-w G:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-04-10 21:17 --------- d-----w G:\Program Files\Winamp
2008-04-10 21:16 --------- d-----w G:\Users\Adam\AppData\Roaming\Winamp
2008-04-10 20:41 --------- d-----w G:\Program Files\Gigabyte
2008-04-10 17:29 --------- d-----w G:\ProgramData\NVIDIA
2008-04-10 17:27 174 --sha-w G:\Program Files\desktop.ini
2008-04-10 17:14 --------- d-----w G:\Program Files\Windows Sidebar
2008-04-10 17:14 --------- d-----w G:\Program Files\Windows Photo Gallery
2008-04-10 17:14 --------- d-----w G:\Program Files\Windows Mail
2008-04-10 17:14 --------- d-----w G:\Program Files\Windows Journal
2008-04-10 17:14 --------- d-----w G:\Program Files\Windows Defender
2008-04-10 17:14 --------- d-----w G:\Program Files\Windows Collaboration
2008-04-10 17:14 --------- d-----w G:\Program Files\Windows Calendar
2008-04-09 18:24 --------- d-----w G:\Users\Adam\AppData\Roaming\Ubisoft
2008-04-09 17:44 --------- d-----w G:\Users\Adam\AppData\Roaming\GHISLER
2008-04-09 17:44 --------- d-----w G:\Program Files\totalcmd
2008-04-09 17:38 --------- d-----w G:\Users\Adam\AppData\Roaming\FreeCommander
2008-04-08 14:15 --------- d-----w G:\Users\Adam\AppData\Roaming\Daoisoft
2008-04-02 19:52 --------- d-----w G:\Program Files\RivaTuner v2.08
2008-03-28 10:00 --------- d-----w G:\Program Files\Eusing Free Registry Cleaner
2008-03-25 12:53 --------- d-----w G:\Program Files\Creative
2008-03-25 12:46 --------- d-----w G:\ProgramData\Creative Labs
2008-03-25 12:46 --------- d-----w G:\ProgramData\Creative
2008-03-24 23:54 --------- d-----w G:\Program Files\MSXML 4.0
2008-03-24 10:01 --------- d-----w G:\Users\Adam\AppData\Roaming\Teleca
2008-03-24 00:04 --------- d-----w G:\Users\Adam\AppData\Roaming\Sony Ericsson
2008-03-24 00:04 --------- d-----w G:\ProgramData\Teleca
2008-03-24 00:04 --------- d-----w G:\ProgramData\Sony Ericsson
2008-03-24 00:04 --------- d-----w G:\Program Files\Sony Ericsson
2008-03-24 00:04 --------- d-----w G:\Program Files\Common Files\Teleca Shared
2008-03-24 00:04 --------- d-----w G:\Program Files\Common Files\Sony Ericsson Shared
2008-03-21 16:20 --------- d-----w G:\Users\Adam\AppData\Roaming\vlc
2008-02-20 19:59 11,776 ----a-w G:\Windows\INRES.DLL
2008-02-20 19:58 10,240 ----a-w G:\Windows\CTDCRES.DLL
.
------- Sigcheck -------
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="G:\Program Files\Windows Sidebar\sidebar.exe" [2007-11-07 21:12 1233920]
"Gadu-Gadu"="G:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 12:54 2131392]
"DAEMON Tools Lite"="G:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-03-14 13:55 486856]
"Odkurzacz-MCD"="G:\Program Files\Odkurzacz\odk_mcd.exe" [2008-03-03 14:44 266240]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="G:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]
"DeskSpace"="G:\Program Files\DeskSpace\deskspace.exe" [2008-04-23 14:24 1335296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="G:\Program Files\Windows Defender\MSASCui.exe" [2007-11-07 21:18 1008184]
"CTXFIREG"="CTxfiReg.exe" [2008-02-20 21:55 43520 G:\Windows\System32\Ctxfireg.exe]
"NvSvc"="G:\Windows\system32\nvsvc.dll" [2007-12-11 18:06 86016]
"NvCplDaemon"="G:\Windows\system32\NvCpl.dll" [2007-12-11 18:06 8530464]
"NvMediaCenter"="G:\Windows\system32\NvMcTray.dll" [2007-12-11 18:06 81920]
"VolPanel"="G:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-12-06 19:10 180224]
"UpdReg"="G:\Windows\UpdReg.EXE" [2000-05-11 02:00 90112]
"BDRegion"="G:\Program Files\Cyberlink\Shared Files\brs.exe" [2007-11-16 16:50 91432]
"RemoteControl"="G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-10-28 07:05 72736]
"LanguageShortcut"="G:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 09:36 62760]
"SpIDerMail"="G:\Program Files\DrWeb\spiderml.exe" [2007-12-25 15:34 500976]
"SpIDerNT"="G:\PROGRA~1\DrWeb\spiderui.exe" [2008-03-31 15:33 230936]
"Adobe Reader Speed Launcher"="G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 14:06 40048]
"Sony Ericsson PC Suite"="G:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 09:16 528384]
"RivaTunerStartupDaemon"="G:\Program Files\RivaTuner v2.08\RivaTunerWrapper.exe" [2008-03-10 10:10 24576]
"CTHelper"="CTHELPER.EXE" [2008-02-20 21:58 19456 G:\Windows\System32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 21:58 19968 G:\Windows\System32\CTXFIHLP.EXE]
"QuickTime Task"="G:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="G:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"DesktopMechanic"="" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="G:\Windows\system32\READREG /SILENT /FAIL=1" []
"CtxfiReg"="CTXFIREG.exe" [2008-02-20 21:55 43520 G:\Windows\System32\Ctxfireg.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{1F3D4BC7-71C2-4771-8CBE-93C97D8A0475}C:\program files\azureus vuze\azureus.exe"= UDP:C:\program files\azureus vuze\azureus.exe:Azureus
"UDP Query User{8172AC0B-D140-4DD5-A64E-044A70D6A379}C:\program files\azureus vuze\azureus.exe"= TCP:C:\program files\azureus vuze\azureus.exe:Azureus
"TCP Query User{8CB95AFD-4674-471A-8306-04EC8F4E1E9D}G:\program files\gadu-gadu\gg.exe"= UDP:G:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny
"UDP Query User{40C73ABC-BF4B-4E0B-B9B7-326B8B9FC156}G:\program files\gadu-gadu\gg.exe"= TCP:G:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny
"{B9F18A12-472A-413E-B963-84DD3FF1E793}"= TCP:6004|G:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{5E3EB1CE-96D1-4169-B9E5-0C45CC4DB2B6}"= G:\Program Files\Cyberlink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"TCP Query User{B5CDE655-5CAF-4B70-B55F-ECAC1E38BD56}G:\program files\gigabyte\@bios\gwflash.exe"= UDP:G:\program files\gigabyte\@bios\gwflash.exe:gwflash
"UDP Query User{C7661B74-CE19-4724-ACC9-55DDD9E5AE3E}G:\program files\gigabyte\@bios\gwflash.exe"= TCP:G:\program files\gigabyte\@bios\gwflash.exe:gwflash
"{7FAD7953-61D7-4861-8C69-4B0D3CB0E780}"= UDP:F:\GRY\Assasain Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{33A62DCD-6070-4BB3-A16C-0EA82A9CE400}"= TCP:F:\GRY\Assasain Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{EFB02FE8-E161-41CE-8E24-0BB260AC7566}"= UDP:F:\GRY\Assasain Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{8EB0E597-7252-43EA-A08A-57E316A54F42}"= TCP:F:\GRY\Assasain Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{6F3545CA-EBF1-4216-804A-BD03C185833F}"= UDP:F:\GRY\Assasain Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{4CC849A7-D922-4C03-B231-14B5B890A71F}"= TCP:F:\GRY\Assasain Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"TCP Query User{3C531D65-4E8B-4789-917A-DC65C3380128}G:\program files\magictunepremium\magictune premium\magictune.exe"= UDP:G:\program files\magictunepremium\magictune premium\magictune.exe:MagicTune
"UDP Query User{2C36925B-1D98-41B1-A2A8-E1260ED3E743}G:\program files\magictunepremium\magictune premium\magictune.exe"= TCP:G:\program files\magictunepremium\magictune premium\magictune.exe:MagicTune
"{8942792C-AC8E-406D-B9AA-357A3A0CC5FF}"= UDP:G:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{0960705A-7003-4521-B95A-D85BC3BC62D3}"= TCP:G:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{9E2B837F-FD03-4257-8403-4E120BA55F61}"= UDP:G:\Program Files\iTunes\iTunes.exe:iTunes
"{8B6FC335-4E2A-44A4-8FE4-2E3F2A8A5B69}"= TCP:G:\Program Files\iTunes\iTunes.exe:iTunes
"{FCA4599C-E536-46AF-B061-40ABC8C1024E}"= UDP:G:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{8A860774-3061-4E4E-B4AE-A34BC900448C}"= TCP:G:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{E48D4343-812E-44C7-A8AD-BF806E6F29B8}"= UDP:G:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{6DD35599-6AB4-499E-A013-9E6E7C981E07}"= TCP:G:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{E5837E80-A162-4393-A36B-AE1B5B475A27}"= UDP:F:\GRY\Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe:Tom Clancy's Rainbow Six Vegas 2
"{252BEEDC-D342-484C-AE93-C977F9949CAA}"= TCP:F:\GRY\Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe:Tom Clancy's Rainbow Six Vegas 2
"{6E2DAA0F-BB9D-4CA0-8EFA-39AE649DA662}"= UDP:F:\GRY\Rainbow Six Vegas 2\Binaries\R6Vegas2_Launcher.exe:Tom Clancy's Rainbow Six Vegas 2 Update
"{6A3192AE-B801-4799-9D64-925949236F97}"= TCP:F:\GRY\Rainbow Six Vegas 2\Binaries\R6Vegas2_Launcher.exe:Tom Clancy's Rainbow Six Vegas 2 Update
"TCP Query User{71494438-90FE-4706-AC9C-92ECBD013A25}F:\gry\rainbow six vegas 2\binaries\rainbowsixvegas2_sads.exe"= UDP:F:\gry\rainbow six vegas 2\binaries\rainbowsixvegas2_sads.exe:RainbowSixVegas2_SADS
"UDP Query User{CE3348A9-C019-43FD-8EC8-4685268F4136}F:\gry\rainbow six vegas 2\binaries\rainbowsixvegas2_sads.exe"= TCP:F:\gry\rainbow six vegas 2\binaries\rainbowsixvegas2_sads.exe:RainbowSixVegas2_SADS
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};G:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-02 21:42]
R2 CTAudSvcService;Creative Audio Service;G:\Program Files\Creative\Shared Files\CTAudSvc.exe [2008-03-07 20:24]
R2 SPIDER;SpIDer Guard File System Monitor;G:\PROGRA~1\DrWeb\spider.sys [2008-03-31 15:33]
R2 SPIDERNT;SpIDer Guard for Windows;G:\PROGRA~1\DrWeb\spidernt.exe [2008-03-31 15:33]
R3 ha20x2k;Creative 20X HAL Driver;G:\Windows\system32\drivers\ha20x2k.sys [2008-02-25 10:44]
S0 NVStrap;NVStrap;G:\Windows\system32\drivers\NVStrap.sys [2008-03-10 10:10]
S3 Creative ALchemy AL1 Licensing Service;Creative ALchemy AL1 Licensing Service;"G:\Program Files\Common Files\Creative Labs Shared\Service\AL1Licensing.exe" [2008-03-15 17:19]
S3 MarkFun_NT;MarkFun_NT;G:\Program Files\Gigabyte\@BIOS\markfun.w32 [2007-08-21 20:49]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;G:\Windows\system32\DRIVERS\s115mdfl.sys [2007-04-23 16:54]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;G:\Windows\system32\DRIVERS\s115mdm.sys [2007-04-23 16:54]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);G:\Windows\system32\DRIVERS\s115mgmt.sys [2007-04-23 16:54]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;G:\Windows\system32\DRIVERS\s115obex.sys [2007-04-23 16:54]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
GPSvcGroup REG_MULTI_SZ GPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3aa665e8-f4e9-11dc-bf98-000fea4f8e6d}]
\shell\AutoRun\command - I:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66c4ac2a-f4e5-11dc-b891-000fea4f8e6d}]
\shell\AutoRun\command - H:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 15:47:40 G:\Windows\Tasks\Dr.Web automatic update.job"
- G:\Program Files\DrWeb\drwebupw.exe/ /go /st /reg- /urm:disable /rp+
"2008-05-16 14:15:00 G:\Windows\Tasks\Uniblue SpeedUpMyPC Nag.job"
- G:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-03-27 20:53:15 G:\Windows\Tasks\Uniblue SpeedUpMyPC.job"
- G:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-05-20 16:37:12 G:\Windows\Tasks\User_Feed_Synchronization-{B8CA4358-A14B-45E1-BA73-D385F7AB578E}.job"
- G:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 18:35:11
Windows 6.0.6001 Service Pack 1, v.658 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
G:\Windows\System32\audiodg.exe
G:\Windows\System32\conime.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
G:\Program Files\Bonjour\mDNSResponder.exe
G:\Windows\System32\PnkBstrA.exe
G:\Windows\System32\PnkBstrB.exe
G:\Program Files\CyberLink\Shared files\RichVideo.exe
G:\Windows\System32\rundll32.exe
G:\Windows\System32\rundll32.exe
G:\Windows\System32\CTXFISPI.EXE
G:\Program Files\DrWeb\spiderui.exe
G:\Program Files\Windows Media Player\wmpnscfg.exe
G:\Program Files\Windows Media Player\wmpnetwk.exe
G:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-05-20 18:38:51 - machine was rebooted [Adam]
ComboFix-quarantined-files.txt 2008-05-20 16:38:46
Pre-Run: 14,849,372,160 bajtów wolnych
Post-Run: 18,020,876,288 bajtów wolnych
323 --- E O F --- 2008-05-19 22:13:56
I hope that in spite of everything I'll manage to get rid of this junk without a format
I don't see any junk in the log, but:
Manually delete the C:\Qoobox folder and delete the ComboFix installer from the disk
Clean the computer with CCleaner
Optimize the startup
Disable System Restore on all drives. Instructions
Scan the computer with this (run it through IE) http://www.kaspersky.pl/virusscanner.html Post its report on the forum
Enable System Restore.