Internet access account


(Dyingtoliv) #1

I have a strange problem: out of nowhere, new users signed as "internet access account" have appeared in my system. The strangest thing is that there are several of these accounts, and attempts to delete them together with all their files achieve nothing, because they come back on every restart of the system. I have an up-to-date Dr.Web antivirus and it doesn't find any viruses. Maybe someone has run into a similar problem; I searched Google but didn't find an answer to this problem. Thanks in advance for the help :slight_smile:


(huber2t) #2

Post a HijackThis log.


(Dyingtoliv) #3

hmmm.... yesterday, before writing the previous post, I deleted those accounts once again, and to my surprise, when I started the system (Vista 32bit SP1) today they were gone :). A nice surprise, but I'll post the log anyway, because maybe there is still something in it that shouldn't be there :stuck_out_tongue:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:47:15, on 2008-05-17

Platform: Windows Vista SP1, v.658 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.17042)

Boot mode: Normal

Running processes:

G:\Windows\system32\taskeng.exe

G:\Windows\system32\Dwm.exe

G:\Windows\Explorer.EXE

G:\Program Files\Windows Defender\MSASCui.exe

G:\Windows\System32\rundll32.exe

G:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe

G:\Program Files\CyberLink\Shared files\brs.exe

G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

G:\Windows\System32\rundll32.exe

G:\Program Files\DrWeb\spiderml.exe

G:\Windows\SYSTEM32\CTXFISPI.EXE

G:\Program Files\DrWeb\spiderui.exe

G:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

G:\Windows\System32\CTHELPER.EXE

G:\Windows\System32\CTXFIHLP.EXE

G:\Program Files\iTunes\iTunesHelper.exe

G:\Program Files\Windows Sidebar\sidebar.exe

G:\Program Files\DAEMON Tools Lite\daemon.exe

G:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

G:\Program Files\Windows Sidebar\sidebar.exe

G:\Program Files\Windows Media Player\wmpnscfg.exe

G:\Program Files\Gadu-Gadu\gg.exe

G:\Program Files\Mozilla Firefox 3 Beta 2\firefox.exe

G:\Program Files\Winamp\winamp.exe

G:\Windows\system32\SearchFilterHost.exe

G:\Users\Adam\Desktop\downloads\HJ\HijackThis.exe

G:\Windows\system32\msfeedssync.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O1 - Hosts: 82.98.86.179 korer.net

O1 - Hosts: 82.98.86.179 indah.info

O1 - Hosts: 82.98.86.179 artpassions.net

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: GNX Rolex - {5908DD9F-AB4F-4244-9799-435AD9B55220} - G:\Windows\drnpfdxqvm.dll

O3 - Toolbar: etlrlws - {8853C284-DF46-469C-837F-6C9FDC2A3029} - G:\Windows\etlrlws.dll

O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM..\Run: [CTXFIREG] CTxfiReg.exe

O4 - HKLM..\Run: [NvSvc] RUNDLL32.EXE G:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE G:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE G:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM..\Run: [VolPanel] "G:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r

O4 - HKLM..\Run: [updReg] G:\Windows\UpdReg.EXE

O4 - HKLM..\Run: [bDRegion] G:\Program Files\Cyberlink\Shared Files\brs.exe

O4 - HKLM..\Run: [RemoteControl] "G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM..\Run: [LanguageShortcut] "G:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM..\Run: [spIDerMail] "G:\Program Files\DrWeb\spiderml.exe"

O4 - HKLM..\Run: [spIDerNT] G:\PROGRA~1\DrWeb\spiderui.exe /agent

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM..\Run: [sony Ericsson PC Suite] "G:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM..\Run: [RivaTunerStartupDaemon] "G:\Program Files\RivaTuner v2.08\RivaTunerWrapper.exe" /S

O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM..\Run: [QuickTime Task] "G:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU..\Run: [sidebar] G:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU..\Run: [Gadu-Gadu] "G:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU..\Run: [DAEMON Tools Lite] "G:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU..\Run: [Odkurzacz-MCD] G:\Program Files\Odkurzacz\odk_mcd.exe

O4 - HKCU..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "G:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

O4 - HKCU..\Run: [DeskSpace] G:\Program Files\DeskSpace\deskspace.exe

O4 - HKUS\S-1-5-19..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18..\Run: [DevconDefaultDB] G:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')

O4 - HKUS.DEFAULT..\Run: [DevconDefaultDB] G:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/ ... TSUEng.cab

O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab

O21 - SSODL: bokpkov - {8576D8F0-143A-4A3E-A66D-2AD39DDC8F33} - G:\Windows\bokpkov.dll

O21 - SSODL: altvxvm - {45DCE87F-8C11-44A9-BA43-1D95C4DA4F6A} - G:\Windows\altvxvm.dll

O23 - Service: AFinding Service (AFinding) - Unknown owner - G:\Windows\system32\afinding.exe

O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - G:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative ALchemy AL1 Licensing Service - Creative Labs - G:\Program Files\Common Files\Creative Labs Shared\Service\AL1Licensing.exe

O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - G:\Program Files\Creative\Shared Files\CTAudSvc.exe

O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NMIndexingService - Nero AG - G:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: perfmons Service (perfmons) - Unknown owner - G:\Windows\system32\perfs.exe

O23 - Service: PnkBstrA - Unknown owner - G:\Windows\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - G:\Windows\system32\PnkBstrB.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - G:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: Routing Service (Routing) - Unknown owner - G:\Windows\system32\routing.exe

O23 - Service: SpIDer Guard for Windows (SPIDERNT) - Doctor Web, Ltd. - G:\PROGRA~1\DrWeb\spidernt.exe

O23 - Service: WServing Service (WServing) - Unknown owner - G:\Windows\system32\wserving.exe

--

End of file - 8249 bytes


(goomish) #4

Yes, there is. The lines below are to be removed:

Although in truth the only effective way to remove these rootkits is to wipe this system, install it from scratch, and use it the way it should be used, that is with UAC enabled and from a regular user account. Not to mention being careful when visiting suspicious places on the internet and running unknown programs and e-mail attachments...


(huber2t) #5

Fix in HijackThis

Download ComboFix, but don't run it.

Paste into Notepad:

File::

G:\Windows\drnpfdxqvm.dll

G:\Windows\etlrlws.dll

G:\Windows\bokpkov.dll

G:\Windows\altvxvm.dll

G:\Windows\system32\afinding.exe

G:\Windows\system32\perfs.exe

G:\Windows\system32\routing.exe

G:\Windows\system32\wserving.exe

File -> Save as -> CFScript.txt (it will be most convenient if you save it in a location such that the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like this ->


The removal will start and a log will be created; post that log on the forum.
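To show how the entries goomish and huber2t singled out can be picked out of a HijackThis log mechanically, here is an added Python triage script (not from the thread, and not part of HijackThis or ComboFix). The sample lines are copied from the log posted above; the three rules it applies (hosts entries that point anywhere but loopback, BHO/toolbar/SSODL modules sitting directly in the Windows root, services with no vendor string living in System32) are my own assumptions about what merits a closer look.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O23"
    reason: str   # why the line deserves a look
    line: str     # the log line as written


# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 82.98.86.179 korer.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GNX Rolex - {5908DD9F-AB4F-4244-9799-435AD9B55220} - G:\Windows\drnpfdxqvm.dll
O3 - Toolbar: etlrlws - {8853C284-DF46-469C-837F-6C9FDC2A3029} - G:\Windows\etlrlws.dll
O21 - SSODL: bokpkov - {8576D8F0-143A-4A3E-A66D-2AD39DDC8F33} - G:\Windows\bokpkov.dll
O23 - Service: AFinding Service (AFinding) - Unknown owner - G:\Windows\system32\afinding.exe
O23 - Service: Bonjour Service - Apple Inc. - G:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PnkBstrA - Unknown owner - G:\Windows\system32\PnkBstrA.exe
"""

# Rule (assumption): a BHO/toolbar/SSODL DLL dropped directly into the Windows root,
# rather than under System32 or Program Files, is unusual for legitimate software.
_WINROOT_DLL = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.IGNORECASE)
# Rule (assumption): a service with no vendor string whose binary lives in System32.
_SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def _is_loopback(ip_text: str) -> bool:
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False


def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    tag, body = m.groups()
    if tag == "O1":
        # "Hosts: <ip> <name>": any mapping that is not loopback redirects a host name
        parts = body.split()
        if len(parts) >= 3 and parts[0] == "Hosts:" and not _is_loopback(parts[1]):
            return Finding(tag, f"hosts file maps {parts[2]} to {parts[1]}", line)
    elif tag in ("O2", "O3", "O21"):
        # "<kind>: <name> - {CLSID} - <path>"; split from the right so names containing
        # " - " stay intact
        fields = body.rsplit(" - ", 2)
        if len(fields) == 3 and _WINROOT_DLL.match(fields[2]):
            return Finding(tag, f"module loaded from Windows root: {fields[2]}", line)
    elif tag == "O23":
        # "Service: <name> - <vendor> - <path>"
        fields = body.rsplit(" - ", 2)
        if len(fields) == 3 and fields[1] == "Unknown owner" and _SYSTEM32.match(fields[2]):
            return Finding(tag, f"service with no vendor in System32: {fields[2]}", line)
    return None


def triage_log(text: str) -> list:
    """Run triage_line over a whole log and keep only the hits, in log order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}")
```

PnkBstrA (PunkBuster) trips the same service rule as afinding.exe, and the helpers in this thread left it alone; the output is a review list for a human, not a deletion list.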


(Kolmar) #6

To be safe, you can disable it.

Start -> Run -> cmd.exe

First check the account names in the system:

net user

Then deactivate the chosen account, i.e. ...internet access account

net user nazwa_konta /active:no


(Dyingtoliv) #7

okay, I followed all the instructions, and here I'm also posting the ComboFix log

ComboFix 08-05-19.4 - Adam 2008-05-20 18:27:30.1 - NTFSx86

Running from: G:\Users\Adam\Desktop\downloads\ComboFix.exe

Command switches used :: G:\Users\Adam\Desktop\downloads\CFScript.txt.txt

* Created a new restore point

* Resident AV is active

FILE ::

G:\Windows\altvxvm.dll

G:\Windows\bokpkov.dll

G:\Windows\drnpfdxqvm.dll

G:\Windows\etlrlws.dll

G:\Windows\system32\afinding.exe

G:\Windows\system32\perfs.exe

G:\Windows\system32\routing.exe

G:\Windows\system32\wserving.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

G:\Program Files\ShoppingReport

G:\Windows\altvxvm.dll

G:\Windows\bokpkov.dll

G:\Windows\dat.txt

G:\Windows\etlrlws.dll

G:\Windows\rs.txt

G:\Windows\search_res.txt

G:\Windows\system32\afinding.exe

G:\Windows\system32\andt.sys

G:\Windows\system32\avi.dll

G:\Windows\system32\comsa32.sys

G:\Windows\system32\DivXsm.exe

G:\Windows\system32\drmgs.sys

G:\Windows\system32\ff_liba52.dll

G:\Windows\system32\ff_libdts.dll

G:\Windows\system32\ff_libfaad2.dll

G:\Windows\system32\ff_libmad.dll

G:\Windows\system32\ff_realaac.dll

G:\Windows\system32\ff_samplerate.dll

G:\Windows\system32\ff_tremor.dll

G:\Windows\system32\ff_unrar.dll

G:\Windows\system32\ff_wmv9.dll

G:\Windows\system32\iconv.dll

G:\Windows\system32\Indt2.sys

G:\Windows\system32\libavcodec.dll

G:\Windows\system32\libmpeg2_ff.dll

G:\Windows\system32\libmplayer.dll

G:\Windows\system32\mkunicode.dll

G:\Windows\system32\mkx.dll

G:\Windows\system32\mkzlib.dll

G:\Windows\system32\mmfinfo.dll

G:\Windows\system32\mp4.dll

G:\Windows\system32\ogg.dll

G:\Windows\system32\OggDS.dll

G:\Windows\system32\ogm.dll

G:\Windows\system32\perfs.exe

G:\Windows\system32\routing.exe

G:\Windows\system32\tmp0_200222180745.bk

G:\Windows\system32\tmp0_263782317345.bk

G:\Windows\system32\tmp0_417003419015.bk

G:\Windows\system32\tmp0_694363634232.bk

G:\Windows\system32\tmp0_84314316600.bk

G:\Windows\system32\tmp1_173830223210.bk

G:\Windows\system32\tmp1_33722672658.bk

G:\Windows\system32\tmp1_393641746321.bk

G:\Windows\system32\tmp1_609902141170.bk

G:\Windows\system32\tmp1_635744135128.bk

G:\Windows\system32\tmp1_663913242154.bk

G:\Windows\system32\tmp1_67113654974.bk

G:\Windows\system32\tmp1_676322743603.bk

G:\Windows\system32\tmp4_100470548724.bk

G:\Windows\system32\tmp4_19368099843.bk

G:\Windows\system32\tmp4_381778295252.bk

G:\Windows\system32\tmp4_385035318584.bk

G:\Windows\system32\tmp4_478781121154.bk

G:\Windows\system32\ts.dll

G:\Windows\system32\vorbis.dll

G:\Windows\system32\vorbisenc.dll

G:\Windows\system32\WMV9VCM.dll

G:\Windows\system32\wserving.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_AFinding

-------\Service_perfmons

-------\Service_Routing

-------\Service_WServing

((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))

.

2008-05-20 18:08 . 2008-05-20 18:25

2008-05-19 22:09 . 2008-05-19 22:10

2008-05-18 17:58 . 2008-05-18 17:58

2008-05-18 17:53 . 2008-05-18 17:53

2008-05-18 17:53 . 2008-05-18 18:00

2008-05-18 17:53 . 2004-08-04 08:00 506,368 --a------ G:\Windows\System32\msxml.dll

2008-05-12 18:59 . 2008-05-12 18:59 22,328 --a------ G:\Windows\System32\drivers\PnkBstrK.sys

2008-05-12 18:59 . 2008-05-12 18:59 22,328 --a------ G:\Users\Adam\AppData\Roaming\PnkBstrK.sys

2008-05-12 18:58 . 2008-05-12 18:58 2,337,865 --a------ G:\Windows\System32\pbsvc.exe

2008-05-12 18:58 . 2008-05-12 18:58 107,832 --a------ G:\Windows\System32\PnkBstrB.exe

2008-05-12 18:58 . 2008-05-12 18:58 66,872 --a------ G:\Windows\System32\PnkBstrA.exe

2008-05-11 20:02 . 2008-05-11 20:02

2008-05-11 20:02 . 2008-05-20 18:35 54,156 --ah----- G:\Windows\QTFont.qfn

2008-05-11 20:02 . 2008-05-11 20:02 1,409 --a------ G:\Windows\QTFont.for

2008-05-11 20:01 . 2008-05-11 20:01

2008-05-11 20:01 . 2008-05-11 20:01

2008-05-11 20:00 . 2008-05-11 20:00

2008-05-11 19:59 . 2008-05-11 20:01

2008-05-11 19:59 . 2008-05-18 17:47

2008-05-11 19:58 . 2008-05-11 19:58

2008-05-11 19:57 . 2008-05-11 19:57

2008-05-11 19:57 . 2008-05-11 19:57

2008-05-10 00:58 . 2008-05-10 00:58

2008-05-06 19:32 . 2008-05-06 19:32 0 --ah----- G:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf

2008-05-06 16:15 . 2008-05-06 16:23

2008-05-06 15:57 . 2008-05-07 19:26

2008-05-04 22:55 . 2008-05-05 00:24

2008-05-04 22:55 . 2008-05-04 23:12

2008-05-01 22:55 . 2008-05-01 22:55

2008-05-01 22:42 . 2008-05-01 22:42 468 --a------ G:\Windows\System32\splitter.ax

2008-05-01 22:14 . 2008-05-01 22:14

2008-05-01 20:29 . 2008-05-01 22:13

2008-05-01 20:14 . 2008-05-01 20:14

2008-05-01 11:50 . 2008-05-18 13:41 69 --a------ G:\Windows\NeroDigital.ini

2008-04-27 14:25 . 2008-04-27 14:25

2008-04-27 14:24 . 2008-04-27 14:24

2008-04-24 22:31 . 2008-04-24 22:31

2008-04-24 16:24 . 2008-04-24 16:24

2008-04-20 18:39 . 2008-04-20 21:31

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-20 16:27 --------- d-----w G:\Program Files\Mozilla Firefox 3 Beta 2

2008-05-20 16:25 --------- d-----w G:\Program Files\DrWeb

2008-05-20 16:22 --------- d-----w G:\Users\Adam\AppData\Roaming\Azureus

2008-05-19 22:13 --------- d-----w G:\Program Files\Microsoft Silverlight

2008-05-14 22:27 --------- d-----w G:\ProgramData\Microsoft Help

2008-05-12 16:59 --------- d-----w G:\ProgramData\Ubisoft

2008-05-12 16:45 --------- d--h--w G:\Program Files\InstallShield Installation Information

2008-05-06 15:21 --------- d-----w G:\Program Files\NAPI-PROJEKT

2008-05-06 14:28 --------- d-----w G:\Program Files\Odkurzacz

2008-05-03 10:36 --------- d-----w G:\Program Files\Mozilla Thunderbird

2008-05-01 20:31 --------- d-----w G:\Program Files\FreeCommander

2008-04-30 09:24 --------- d-----w G:\ProgramData\WinZip

2008-04-25 09:25 --------- d-----w G:\Program Files\Gadu-Gadu

2008-04-20 09:46 --------- d-----w G:\Users\Adam\AppData\Roaming\Creative

2008-04-17 21:12 --------- d-----w G:\Users\Adam\AppData\Roaming\Nero

2008-04-17 21:08 --------- d-----w G:\Program Files\NeroInstall.bak

2008-04-17 20:57 --------- d-----w G:\Program Files\Common Files\Nero

2008-04-17 20:55 --------- d-----w G:\ProgramData\Nero

2008-04-17 20:55 --------- d-----w G:\Program Files\Nero

2008-04-13 18:23 --------- d-----w G:\Program Files\Guitar Pro 5

2008-04-12 11:25 0 ---ha-w G:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf

2008-04-10 21:17 --------- d-----w G:\Program Files\Winamp

2008-04-10 21:16 --------- d-----w G:\Users\Adam\AppData\Roaming\Winamp

2008-04-10 20:41 --------- d-----w G:\Program Files\Gigabyte

2008-04-10 17:29 --------- d-----w G:\ProgramData\NVIDIA

2008-04-10 17:27 174 --sha-w G:\Program Files\desktop.ini

2008-04-10 17:14 --------- d-----w G:\Program Files\Windows Sidebar

2008-04-10 17:14 --------- d-----w G:\Program Files\Windows Photo Gallery

2008-04-10 17:14 --------- d-----w G:\Program Files\Windows Mail

2008-04-10 17:14 --------- d-----w G:\Program Files\Windows Journal

2008-04-10 17:14 --------- d-----w G:\Program Files\Windows Defender

2008-04-10 17:14 --------- d-----w G:\Program Files\Windows Collaboration

2008-04-10 17:14 --------- d-----w G:\Program Files\Windows Calendar

2008-04-09 18:24 --------- d-----w G:\Users\Adam\AppData\Roaming\Ubisoft

2008-04-09 17:44 --------- d-----w G:\Users\Adam\AppData\Roaming\GHISLER

2008-04-09 17:44 --------- d-----w G:\Program Files\totalcmd

2008-04-09 17:38 --------- d-----w G:\Users\Adam\AppData\Roaming\FreeCommander

2008-04-08 14:15 --------- d-----w G:\Users\Adam\AppData\Roaming\Daoisoft

2008-04-02 19:52 --------- d-----w G:\Program Files\RivaTuner v2.08

2008-03-28 10:00 --------- d-----w G:\Program Files\Eusing Free Registry Cleaner

2008-03-25 12:53 --------- d-----w G:\Program Files\Creative

2008-03-25 12:46 --------- d-----w G:\ProgramData\Creative Labs

2008-03-25 12:46 --------- d-----w G:\ProgramData\Creative

2008-03-24 23:54 --------- d-----w G:\Program Files\MSXML 4.0

2008-03-24 10:01 --------- d-----w G:\Users\Adam\AppData\Roaming\Teleca

2008-03-24 00:04 --------- d-----w G:\Users\Adam\AppData\Roaming\Sony Ericsson

2008-03-24 00:04 --------- d-----w G:\ProgramData\Teleca

2008-03-24 00:04 --------- d-----w G:\ProgramData\Sony Ericsson

2008-03-24 00:04 --------- d-----w G:\Program Files\Sony Ericsson

2008-03-24 00:04 --------- d-----w G:\Program Files\Common Files\Teleca Shared

2008-03-24 00:04 --------- d-----w G:\Program Files\Common Files\Sony Ericsson Shared

2008-03-21 16:20 --------- d-----w G:\Users\Adam\AppData\Roaming\vlc

2008-02-20 19:59 11,776 ----a-w G:\Windows\INRES.DLL

2008-02-20 19:58 10,240 ----a-w G:\Windows\CTDCRES.DLL

.

------- Sigcheck -------

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="G:\Program Files\Windows Sidebar\sidebar.exe" [2007-11-07 21:12 1233920]

"Gadu-Gadu"="G:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 12:54 2131392]

"DAEMON Tools Lite"="G:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-03-14 13:55 486856]

"Odkurzacz-MCD"="G:\Program Files\Odkurzacz\odk_mcd.exe" [2008-03-03 14:44 266240]

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="G:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]

"DeskSpace"="G:\Program Files\DeskSpace\deskspace.exe" [2008-04-23 14:24 1335296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="G:\Program Files\Windows Defender\MSASCui.exe" [2007-11-07 21:18 1008184]

"CTXFIREG"="CTxfiReg.exe" [2008-02-20 21:55 43520 G:\Windows\System32\Ctxfireg.exe]

"NvSvc"="G:\Windows\system32\nvsvc.dll" [2007-12-11 18:06 86016]

"NvCplDaemon"="G:\Windows\system32\NvCpl.dll" [2007-12-11 18:06 8530464]

"NvMediaCenter"="G:\Windows\system32\NvMcTray.dll" [2007-12-11 18:06 81920]

"VolPanel"="G:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-12-06 19:10 180224]

"UpdReg"="G:\Windows\UpdReg.EXE" [2000-05-11 02:00 90112]

"BDRegion"="G:\Program Files\Cyberlink\Shared Files\brs.exe" [2007-11-16 16:50 91432]

"RemoteControl"="G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-10-28 07:05 72736]

"LanguageShortcut"="G:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 09:36 62760]

"SpIDerMail"="G:\Program Files\DrWeb\spiderml.exe" [2007-12-25 15:34 500976]

"SpIDerNT"="G:\PROGRA~1\DrWeb\spiderui.exe" [2008-03-31 15:33 230936]

"Adobe Reader Speed Launcher"="G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 14:06 40048]

"Sony Ericsson PC Suite"="G:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 09:16 528384]

"RivaTunerStartupDaemon"="G:\Program Files\RivaTuner v2.08\RivaTunerWrapper.exe" [2008-03-10 10:10 24576]

"CTHelper"="CTHELPER.EXE" [2008-02-20 21:58 19456 G:\Windows\System32\CTHELPER.EXE]

"CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 21:58 19968 G:\Windows\System32\CTXFIHLP.EXE]

"QuickTime Task"="G:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

"iTunesHelper"="G:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

"DesktopMechanic"="" []

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DevconDefaultDB"="G:\Windows\system32\READREG /SILENT /FAIL=1" []

"CtxfiReg"="CTXFIREG.exe" [2008-02-20 21:55 43520 G:\Windows\System32\Ctxfireg.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"TCP Query User{1F3D4BC7-71C2-4771-8CBE-93C97D8A0475}C:\program files\azureus vuze\azureus.exe"= UDP:C:\program files\azureus vuze\azureus.exe:Azureus

"UDP Query User{8172AC0B-D140-4DD5-A64E-044A70D6A379}C:\program files\azureus vuze\azureus.exe"= TCP:C:\program files\azureus vuze\azureus.exe:Azureus

"TCP Query User{8CB95AFD-4674-471A-8306-04EC8F4E1E9D}G:\program files\gadu-gadu\gg.exe"= UDP:G:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny

"UDP Query User{40C73ABC-BF4B-4E0B-B9B7-326B8B9FC156}G:\program files\gadu-gadu\gg.exe"= TCP:G:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny

"{B9F18A12-472A-413E-B963-84DD3FF1E793}"= TCP:6004|G:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook

"{5E3EB1CE-96D1-4169-B9E5-0C45CC4DB2B6}"= G:\Program Files\Cyberlink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD

"TCP Query User{B5CDE655-5CAF-4B70-B55F-ECAC1E38BD56}G:\program files\gigabyte\@bios\gwflash.exe"= UDP:G:\program files\gigabyte\@bios\gwflash.exe:gwflash

"UDP Query User{C7661B74-CE19-4724-ACC9-55DDD9E5AE3E}G:\program files\gigabyte\@bios\gwflash.exe"= TCP:G:\program files\gigabyte\@bios\gwflash.exe:gwflash

"{7FAD7953-61D7-4861-8C69-4B0D3CB0E780}"= UDP:F:\GRY\Assasain Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9

"{33A62DCD-6070-4BB3-A16C-0EA82A9CE400}"= TCP:F:\GRY\Assasain Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9

"{EFB02FE8-E161-41CE-8E24-0BB260AC7566}"= UDP:F:\GRY\Assasain Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10

"{8EB0E597-7252-43EA-A08A-57E316A54F42}"= TCP:F:\GRY\Assasain Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10

"{6F3545CA-EBF1-4216-804A-BD03C185833F}"= UDP:F:\GRY\Assasain Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update

"{4CC849A7-D922-4C03-B231-14B5B890A71F}"= TCP:F:\GRY\Assasain Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update

"TCP Query User{3C531D65-4E8B-4789-917A-DC65C3380128}G:\program files\magictunepremium\magictune premium\magictune.exe"= UDP:G:\program files\magictunepremium\magictune premium\magictune.exe:MagicTune

"UDP Query User{2C36925B-1D98-41B1-A2A8-E1260ED3E743}G:\program files\magictunepremium\magictune premium\magictune.exe"= TCP:G:\program files\magictunepremium\magictune premium\magictune.exe:MagicTune

"{8942792C-AC8E-406D-B9AA-357A3A0CC5FF}"= UDP:G:\Program Files\Bonjour\mDNSResponder.exe:Bonjour

"{0960705A-7003-4521-B95A-D85BC3BC62D3}"= TCP:G:\Program Files\Bonjour\mDNSResponder.exe:Bonjour

"{9E2B837F-FD03-4257-8403-4E120BA55F61}"= UDP:G:\Program Files\iTunes\iTunes.exe:iTunes

"{8B6FC335-4E2A-44A4-8FE4-2E3F2A8A5B69}"= TCP:G:\Program Files\iTunes\iTunes.exe:iTunes

"{FCA4599C-E536-46AF-B061-40ABC8C1024E}"= UDP:G:\Windows\System32\PnkBstrA.exe:PnkBstrA

"{8A860774-3061-4E4E-B4AE-A34BC900448C}"= TCP:G:\Windows\System32\PnkBstrA.exe:PnkBstrA

"{E48D4343-812E-44C7-A8AD-BF806E6F29B8}"= UDP:G:\Windows\System32\PnkBstrB.exe:PnkBstrB

"{6DD35599-6AB4-499E-A013-9E6E7C981E07}"= TCP:G:\Windows\System32\PnkBstrB.exe:PnkBstrB

"{E5837E80-A162-4393-A36B-AE1B5B475A27}"= UDP:F:\GRY\Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe:Tom Clancy's Rainbow Six Vegas 2

"{252BEEDC-D342-484C-AE93-C977F9949CAA}"= TCP:F:\GRY\Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe:Tom Clancy's Rainbow Six Vegas 2

"{6E2DAA0F-BB9D-4CA0-8EFA-39AE649DA662}"= UDP:F:\GRY\Rainbow Six Vegas 2\Binaries\R6Vegas2_Launcher.exe:Tom Clancy's Rainbow Six Vegas 2 Update

"{6A3192AE-B801-4799-9D64-925949236F97}"= TCP:F:\GRY\Rainbow Six Vegas 2\Binaries\R6Vegas2_Launcher.exe:Tom Clancy's Rainbow Six Vegas 2 Update

"TCP Query User{71494438-90FE-4706-AC9C-92ECBD013A25}F:\gry\rainbow six vegas 2\binaries\rainbowsixvegas2_sads.exe"= UDP:F:\gry\rainbow six vegas 2\binaries\rainbowsixvegas2_sads.exe:RainbowSixVegas2_SADS

"UDP Query User{CE3348A9-C019-43FD-8EC8-4685268F4136}F:\gry\rainbow six vegas 2\binaries\rainbowsixvegas2_sads.exe"= TCP:F:\gry\rainbow six vegas 2\binaries\rainbowsixvegas2_sads.exe:RainbowSixVegas2_SADS

R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};G:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-02 21:42]

R2 CTAudSvcService;Creative Audio Service;G:\Program Files\Creative\Shared Files\CTAudSvc.exe [2008-03-07 20:24]

R2 SPIDER;SpIDer Guard File System Monitor;G:\PROGRA~1\DrWeb\spider.sys [2008-03-31 15:33]

R2 SPIDERNT;SpIDer Guard for Windows;G:\PROGRA~1\DrWeb\spidernt.exe [2008-03-31 15:33]

R3 ha20x2k;Creative 20X HAL Driver;G:\Windows\system32\drivers\ha20x2k.sys [2008-02-25 10:44]

S0 NVStrap;NVStrap;G:\Windows\system32\drivers\NVStrap.sys [2008-03-10 10:10]

S3 Creative ALchemy AL1 Licensing Service;Creative ALchemy AL1 Licensing Service;"G:\Program Files\Common Files\Creative Labs Shared\Service\AL1Licensing.exe" [2008-03-15 17:19]

S3 MarkFun_NT;MarkFun_NT;G:\Program Files\Gigabyte\@BIOS\markfun.w32 [2007-08-21 20:49]

S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;G:\Windows\system32\DRIVERS\s115mdfl.sys [2007-04-23 16:54]

S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;G:\Windows\system32\DRIVERS\s115mdm.sys [2007-04-23 16:54]

S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);G:\Windows\system32\DRIVERS\s115mgmt.sys [2007-04-23 16:54]

S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;G:\Windows\system32\DRIVERS\s115obex.sys [2007-04-23 16:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

GPSvcGroup REG_MULTI_SZ GPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{3aa665e8-f4e9-11dc-bf98-000fea4f8e6d}]

\shell\AutoRun\command - I:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{66c4ac2a-f4e5-11dc-b891-000fea4f8e6d}]

\shell\AutoRun\command - H:\autorun.exe

.

Contents of the 'Scheduled Tasks' folder

"2008-05-20 15:47:40 G:\Windows\Tasks\Dr.Web automatic update.job"

  • G:\Program Files\DrWeb\drwebupw.exe/ /go /st /reg- /urm:disable /rp+

"2008-05-16 14:15:00 G:\Windows\Tasks\Uniblue SpeedUpMyPC Nag.job"

  • G:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

"2008-03-27 20:53:15 G:\Windows\Tasks\Uniblue SpeedUpMyPC.job"

  • G:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

"2008-05-20 16:37:12 G:\Windows\Tasks\User_Feed_Synchronization-{B8CA4358-A14B-45E1-BA73-D385F7AB578E}.job"

  • G:\Windows\system32\msfeedssync.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-20 18:35:11

Windows 6.0.6001 Service Pack 1, v.658 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

G:\Windows\System32\audiodg.exe

G:\Windows\System32\conime.exe

G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

G:\Program Files\Bonjour\mDNSResponder.exe

G:\Windows\System32\PnkBstrA.exe

G:\Windows\System32\PnkBstrB.exe

G:\Program Files\CyberLink\Shared files\RichVideo.exe

G:\Windows\System32\rundll32.exe

G:\Windows\System32\rundll32.exe

G:\Windows\System32\CTXFISPI.EXE

G:\Program Files\DrWeb\spiderui.exe

G:\Program Files\Windows Media Player\wmpnscfg.exe

G:\Program Files\Windows Media Player\wmpnetwk.exe

G:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

G:\Program Files\iPod\bin\iPodService.exe

G:\Windows\System32\dllhost.exe

.

**************************************************************************

.

Completion time: 2008-05-20 18:38:51 - machine was rebooted [Adam]

ComboFix-quarantined-files.txt 2008-05-20 16:38:46

Pre-Run: 14,849,372,160 bajtów wolnych

Post-Run: 18,020,876,288 bajtów wolnych

323 --- E O F --- 2008-05-19 22:13:56

I hope that despite everything I'll manage to get rid of this thing without a format :wink:


(huber2t) #8

I don't see any junk in the log, but

Manually delete the C:\Qoobox folder and delete the ComboFix installer from the disk

Clean the computer with CCleaner

Optimise the autostart

Disable System Restore on all drives. Instructions

Scan the computer with this (run it through IE) http://www.kaspersky.pl/virusscanner.html and post its report on the forum

Enable System Restore.