komando55
(Krysiak55)
8 November 2007 18:38
#1
Hello!
I can't get rid of this ■■■■■■■■■■… some other junk has latched on as well, slowing the system down etc… I'm posting the logs below, I'd be very grateful for any help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:22:58, on 08/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Realtek Semiconductor Corp\Card Reader Software\DriveIcon\DriveIcon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\BTTOTA~1\Help\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\BT Total Broadband 220V\Help\bin\mpbtn.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\wincmd\WINCMD32.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SysApp - {4AE2A9A0-DC33-4C27-B521-5B6C68C1C53D} - C:\Program Files\ApplePie\ie-improver.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: {311e0b29-f0b4-f50a-9594-a2b4c5bfcec5} - {5cecfb5c-4b2a-4959-a05f-4b0f92b0e113} - C:\WINDOWS\system32\vdvlfqad.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\examuyjp.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\examuyjp.dll
O4 - HKLM\..\Run: [AOL_Demo] C:\Applications\Tool\AOL Demo\DSGDemo.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [DriveIcons] "C:\Program Files\Realtek Semiconductor Corp\Card Reader Software\DriveIcon\DriveIcon.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTTOTA~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [dc6f6f3b] rundll32.exe "C:\WINDOWS\system32\dumuxssd.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [DLD.EXE] C:\RapidShare_Download_Direct\DLD.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Total Broadband 220V\Help\bin\matcli.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: examuyjp - C:\WINDOWS\SYSTEM32\examuyjp.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
and
SmitFraudFix v2.250

Scan done at 18:35:45.01, 08/11/2007
Run from c:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Realtek Semiconductor Corp\Card Reader Software\DriveIcon\DriveIcon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\BTTOTA~1\Help\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\BT Total Broadband 220V\Help\bin\mpbtn.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\wincmd\WINCMD32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kris

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kris\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Kris\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!Attention, following keys are not inevitably infected!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0AAB73FD-6F4F-4A3D-809A-630A90A6176F}: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
jessica
(jessica)
8 November 2007 19:43
#2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [dc6f6f3b] rundll32.exe "C:\WINDOWS\system32\dumuxssd.dll",b
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
Fix the entries listed above in HijackThis:
>>Hijack>>Scan (Do a system scan only)>>check them>>Fix checked.
At least two infections, including "VUNDO", so post a log from -->ComboFix
jessi
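An added example, not part of this thread: a small Python triage script that parses lines in HijackThis's log format and flags the kinds of entries jessica picked out above (an orphaned URLSearchHook with "(no file)", an O16 DPF with no target, an unnamed BHO, an O4 autorun loading a random-named system32 DLL through rundll32, a Winlogon Notify DLL, and a search assistant pointing at a third-party site). The sample log is constructed from entry shapes seen in this thread; the eight-letter-DLL rule is a heuristic, not a signature, and can match legitimate names too.

```python
import re

# Constructed sample: a handful of lines in the same shape as the HijackThis
# log posted in this thread, mixing legitimate and suspicious entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\examuyjp.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dc6f6f3b] rundll32.exe "C:\WINDOWS\system32\dumuxssd.dll",b
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O20 - Winlogon Notify: examuyjp - C:\WINDOWS\SYSTEM32\examuyjp.dll
"""

# Every HijackThis item starts with a type code (R0..R3, O1..O24), " - ", body.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# Eight lowercase letters + .dll inside system32: the naming pattern of the
# Vundo-style DLLs in this thread (heuristic only; legit names can match).
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{8}\.dll\b", re.IGNORECASE)
# O4 value with a hex-looking name that launches a DLL export via rundll32.
RUNDLL_RE = re.compile(
    r'\[(?P<name>[0-9a-f]{6,})\]\s+rundll32\.exe\s+"[^"]+\.dll",', re.IGNORECASE
)


def triage_line(line):
    """Return the list of reasons this HijackThis line deserves a second look."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    reasons = []
    if body.endswith("(no file)") or body.endswith(" -"):
        reasons.append("orphaned entry: registry item with no backing file")
    if code in ("O2", "O3", "R3") and "(no name)" in body:
        reasons.append("unnamed browser hook/BHO")
    if RANDOM_DLL_RE.search(body):
        reasons.append("random 8-letter DLL in system32")
    if code == "O4" and RUNDLL_RE.search(body):
        reasons.append("autorun via rundll32 with hex-looking value name")
    if code == "O20":
        reasons.append("Winlogon Notify DLL: loaded into winlogon.exe at logon")
    if code == "R1" and "SearchAssistant" in body and "microsoft.com" not in body.lower():
        reasons.append("IE search assistant points to a third-party site")
    return reasons


def triage_log(text):
    """Map each flagged line (stripped) to its reasons; clean lines are omitted."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


def flagged_codes(text):
    """Sorted, de-duplicated HijackThis item codes that were flagged."""
    return sorted({entry.split(" - ", 1)[0] for entry in triage_log(text)})


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```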
Gutek
(Gutek)
8 November 2007 22:50
#4
komando55
(Krysiak55)
9 November 2007 18:45
#5
The VundoFix program deleted one file and everything went back to normal, then I checked with SDFix and it found nothing, here is the log, everything should be ok now? Thanks a lot for the help…
SDFix: Version 1.114
Run by Kris on 09/11/2007 at 18:32

Microsoft Windows XP [Version 5.1.2600]
Running From: c:\s\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 18:38:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile"=str(2):"c:\windows\system32\ESENT.dll"
"CategoryMessageFile"=str(2):"c:\windows\system32\ESENT.dll"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe:*:Enabled:Veoh Client"
"C:\Program Files\iMesh Applications\iMesh\iMesh.exe"="C:\Program Files\iMesh Applications\iMesh\iMesh.exe:*:Enabled:iMesh"
"C:\Program Files\Yahoo!\Messenger\ypager.exe"="C:\Program Files\Yahoo!\Messenger\ypager.exe:*:Disabled:Yahoo! Messenger"
"C:\Program Files\Gadu-Gadu\gg.exe"="C:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program glówny"
"C:\wincmd\WINCMD32.EXE"="C:\wincmd\WINCMD32.EXE:*:Enabled:Windows Commander 32 bit international version, file manager replacement for Windows"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Files with Hidden Attributes:

Thu 12 May 2005 54,384 A..H. --- "C:\Program Files\AOL 9.0\aolphx.exe"
Thu 12 May 2005 156,784 A..H. --- "C:\Program Files\AOL 9.0\aoltray.exe"
Thu 12 May 2005 31,344 A..H. --- "C:\Program Files\AOL 9.0\RBM.exe"
Fri 9 Nov 2007 20,640 ..SH. --- "C:\WINDOWS\system32\examuyjp.dllbox"
Wed 23 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTICDMK7.dll"
Wed 23 Aug 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK32.dll"
Wed 23 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\ntiembed.dll"
Wed 23 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIFCD3.dll"
Wed 23 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIMP3.dll"
Wed 23 Aug 2006 1,024 A..HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Sat 8 Sep 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 25 Jun 2004 418,816 A..HR --- "C:\WINDOWS\system32\Tools\All.exe"
Fri 25 Jun 2004 390,144 A..HR --- "C:\WINDOWS\system32\Tools\Change.exe"
Fri 25 Jun 2004 574,464 A..HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"
Fri 25 Jun 2004 430,592 A..HR --- "C:\WINDOWS\system32\Tools\Counter.exe"
Fri 25 Jun 2004 390,656 A..HR --- "C:\WINDOWS\system32\Tools\DelFolders.exe"
Fri 25 Jun 2004 399,872 A..HR --- "C:\WINDOWS\system32\Tools\DirectSetup.exe"
Mon 28 Oct 2002 433,152 A..HR --- "C:\WINDOWS\system32\Tools\Locale.exe"
Fri 25 Jun 2004 388,096 A..HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"
Fri 25 Jun 2004 388,608 A..HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"
Fri 25 Jun 2004 431,616 A..HR --- "C:\WINDOWS\system32\Tools\Restart.exe"
Fri 25 Jun 2004 388,096 A..HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"
Sat 23 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 5 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8361ae28fcfac79271825a6b2935fdb6\BITF3.tmp"
Sun 6 May 2007 5,694 A.SH. --- "C:\Documents and Settings\Kris\Application Data\Roxio\Dragon\DiscInfoCache\TSSTcorp_CD_DVDW_TS-L532U_TI04_300_DICV017_DRGV2000027.TMP"

Finished!
Gutek
(Gutek)
10 November 2007 00:17
#6
Finally, post a ComboFix log
komando55
(Krysiak55)
10 November 2007 17:33
#7
At first IE had some problems and sometimes closed itself… but for now it's ok, posting the ComboFix log…
ComboFix 07-11-08.1 - Kris 2007-11-08 20:12:10.1 - NTFSx86
Running from: c:\48_Stron\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Kris\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Kris\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Kris\Favorites\Online Security Guide.lnk
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\examuyjp.dllbox
C:\WINDOWS\system32\jcuyubtu.dll
C:\WINDOWS\system32\opnnnli.dll
C:\WINDOWS\system32\sysdl132.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.
2007-11-08 20:05 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 17:18 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-08 17:18 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-08 17:18 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-08 17:18 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-08 17:18 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-08 17:18 4,508 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-08 17:12
2007-11-07 21:43
2007-11-07 21:43
2007-11-07 21:43 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-07 21:43 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-07 21:43 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-07 21:43 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-07 21:42 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-07 19:00
2007-11-07 18:24
2007-11-07 18:10
2007-11-07 18:09 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-07 18:08
2007-11-07 07:16 79,936 --a------ C:\WINDOWS\system32\vdvlfqad.dll
2007-11-07 07:10 86,080 --a------ C:\WINDOWS\system32\dumuxssd.dll
2007-11-07 07:04 145,984 --a------ C:\WINDOWS\system32\igrfnmbj.dll
2007-11-07 07:04 145,984 --a------ C:\WINDOWS\system32\examuyjp.dll
2007-11-06 21:34 43,008 --a------ C:\ipnetinfo.exe
2007-11-06 21:33 49,416 --a------ C:\ipnetinfo.zip
2007-11-06 18:01
2007-10-28 10:20
2007-10-26 20:12
2007-10-25 17:13
2007-10-25 17:13
2007-10-20 17:10
2007-10-14 15:20
2007-10-14 12:23
2007-10-14 12:20
2007-10-13 20:59
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 20:28 --------- d--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-08 19:14 --------- d-----w C:\Program Files\iMesh Applications
2007-11-08 18:14 --------- d-----w C:\Documents and Settings\Kris\Application Data\Skype
2007-11-07 21:11 --------- d-----w C:\Program Files\SkanerOnline
2007-10-21 19:24 --------- d-----w C:\Program Files\Gadu-Gadu
2007-10-20 17:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-20 15:41 --------- d-----w C:\Documents and Settings\Kris\Application Data\ppstream
2007-10-20 15:40 --------- d-----w C:\Program Files\PPStream
2007-10-17 16:38 --------- d-----w C:\Program Files\PPMate
2007-10-04 19:29 --------- d-----w C:\Program Files\ACD Systems
2007-09-12 16:42 --------- d-----w C:\Program Files\Winamp
2007-09-08 19:33 --------- d-----w C:\Program Files\StormII
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-08-26 16:10 11,646,328 ----a-w C:\acdsee.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2003-08-27 22:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{474597C5-AB09-49d6-A4D5-2E8D7341384E}]
2007-11-05 10:50 402864 --a------ C:\Program Files\iMesh Applications\iMesh MediaBar\iMeshIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AE2A9A0-DC33-4C27-B521-5B6C68C1C53D}]
2007-11-06 18:01 95232 --a------ C:\Program Files\ApplePie\ie-improver.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5cecfb5c-4b2a-4959-a05f-4b0f92b0e113}]
2007-11-07 07:16 79936 --a------ C:\WINDOWS\system32\vdvlfqad.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-07 07:04 145984 --a------ C:\WINDOWS\system32\examuyjp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\examuyjp.dll [2007-11-07 07:04 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL_Demo"="C:\Applications\Tool\AOL Demo\DSGDemo.exe" [2005-12-01 17:03]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 22:20]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 22:42]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 16:07 C:\WINDOWS\system32\HdAShCut.exe]
"DriveIcons"="C:\Program Files\Realtek Semiconductor Corp\Card Reader Software\DriveIcon\DriveIcon.exe" [2005-12-09 18:39]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 13:51]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 23:56 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-17 01:04 C:\WINDOWS\SkyTel.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-09-09 03:20 C:\WINDOWS\AGRSMMSG.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 11:17]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 11:13]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 11:17]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-08 08:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-09 17:16]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 14:17]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2005-12-29 10:22]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 15:19]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-06-21 12:16]
"Motive SmartBridge"="C:\PROGRA~1\BTTOTA~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 17:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 10:06]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-13 18:29]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [2005-08-31 16:11]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 14:36]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-07-02 16:10]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-10-17 00:29]
"DLD.EXE"="C:\RapidShare_Download_Direct\DLD.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [2006-12-09 17:15:44]
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe [2006-12-09 17:16:52]
BT Broadband Desktop Help.lnk - C:\Program Files\BT Total Broadband 220V\Help\bin\matcli.exe [2007-06-21 14:53:50]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-08-23 05:24:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\examuyjp]
examuyjp.dll 2007-11-07 07:04 145984 C:\WINDOWS\system32\examuyjp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{486f9ebf-6260-11db-b2a2-0015af0a3a22}]
\Shell\AutoRun\command - winshell110.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8664291d-43a5-11db-bbbd-806d6172696f}]
\Shell\AutoRun\command - D:\BSetup.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2044a21-6549-11da-a5a1-806d6172696f}]
\Shell\AutoRun\command - E:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7d841b1-43b8-11db-8ada-806d6172696f}]
\Shell\AutoRun\command - D:\BSetup.EXE

.
Contents of the 'Scheduled Tasks' folder
"2007-10-14 15:20:24 C:\WINDOWS\Tasks\Norton Security Scan.job" - C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 20:26:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\examuyjp.dllbox 20640 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-11-08 20:35:23 - machine was rebooted
.
-- E O F --
Gutek
(Gutek)
11 November 2007 00:18
#8
Paste into Notepad:
>>File>>Save as… >>> CFScript (it will be easiest if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (i.e. the CFScript.txt icon onto the ComboFix.exe icon)
– like in this picture –>
(if the question " 1 or 2 " appears - type 1 and press ENTER) The removal should start. (and a log will be produced)
After the restart, delete the C:\Qoobox folder manually.
After that, a new ComboFix log
Gutek
(Gutek)
11 November 2007 13:57
#10