Here is my log! Guys, I got it on a pen drive from another infected PC; that one is clean now and the pen drive has been emptied. It annoys me a bit because it disrupts the system's operation. I hope you can help, I'll be grateful! Oh, and the file is on both partitions and is called "i.cmd": D:\i.cmd Win32:Rootkit-gen [Rtk]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:34:10, on 2009-04-13
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\2.bin\ASKTBAR.DLL
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\2.bin\ASKTBAR.DLL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Zaznaczanie HP Smart - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.optimus.pl
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Menedżer Google Desktop 5.7.805.16405 (GoogleDesktopManager-051608-133132) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10957 bytes
Leon1
(Leon$)
13 April 2009 20:02
#2
Download ComboFix http://www.searchengines.pl/index.php?s … ntry395642 and run it by double-clicking
Show the log
While downloading and scanning with ComboFix, please disable all firewalls and antivirus programs
I did as you asked, I even disabled the Windows firewall. I hope you find this ■■■■, I'll be very grateful!
ComboFix 09-04-13.A2 - Kuba 2009-04-13 22:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.2038.1190 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Kuba\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090413-0] *On-access scanning enabled* (Updated)
 * Utworzono nowy punkt przywracania
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\i.cmd
c:\program files\myglobalsearch
c:\program files\myglobalsearch\bar\History\search
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\olhrwef.exe
D:\Autorun.inf
D:\i.cmd

.
((((((((((((((((((((((((( Pliki utworzone od 2009-03-13 do 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-13 19:57 . 2006-03-02 22:42 73728 ----a-w C:\pv.exe
2009-04-11 09:19 . 2009-04-11 09:19 -------- d-----w c:\windows\Downloaded Installations
2009-04-11 09:19 . 2006-04-10 18:05 104576 ----a-r c:\windows\system32\drivers\wceusbsh.sys
2009-04-06 06:01 . 2008-10-16 12:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-06 06:01 . 2008-10-16 12:06 208744 ----a-w c:\windows\system32\muweb.dll
2009-04-06 06:01 . 2008-10-16 12:06 27496 ----a-w c:\windows\system32\mucltui.dll.mui
2009-04-05 12:36 . 2005-06-13 08:08 85664 ----a-w c:\windows\system32\drivers\w800obex.sys
2009-04-05 12:36 . 2005-06-13 08:08 6144 ----a-w c:\windows\system32\drivers\w800cmnt.sys
2009-04-05 12:36 . 2005-06-13 08:08 6144 ----a-w c:\windows\system32\drivers\w800cm.sys
2009-04-05 12:36 . 2005-06-13 08:06 87792 ----a-w c:\windows\system32\drivers\w800mgmt.sys
2009-04-05 12:36 . 2005-06-13 08:05 96224 ----a-w c:\windows\system32\drivers\w800mdm.sys
2009-04-05 12:36 . 2005-06-13 08:05 9264 ----a-w c:\windows\system32\drivers\w800mdfl.sys
2009-04-05 12:36 . 2005-06-13 08:03 60768 ----a-w c:\windows\system32\drivers\w800bus.sys
2009-04-05 12:36 . 2005-06-13 08:03 5744 ----a-w c:\windows\system32\drivers\w800whnt.sys
2009-04-05 12:36 . 2005-06-13 08:03 5744 ----a-w c:\windows\system32\drivers\w800wh.sys
2009-04-05 11:58 . 2009-04-05 11:58 -------- d--a-w C:\customize files
2009-04-05 10:30 . 2009-04-07 21:39 -------- d-----w c:\documents and settings\Kuba\Dane aplikacji\MyPhoneExplorer
2009-04-05 10:15 . 2006-10-26 20:43 14940 ----a-r c:\windows\system32\drivers\Epiusb.sys
2009-03-31 17:50 . 2009-03-31 17:51 168362614 ----a-w C:\20090331_195012_Kuba.nba
2009-03-31 17:46 . 2009-03-31 17:47 165741848 ----a-w C:\20090331_194609_Kuba.nba
2009-03-31 17:39 . 2009-03-31 17:42 175005546 ----a-w C:\20090331_193945_Kuba.nba
2009-03-31 12:11 . 2005-07-07 14:25 81728 ----a-r c:\windows\system32\drivers\k750mgmt.sys
2009-03-31 12:10 . 2005-07-07 14:25 79488 ----a-r c:\windows\system32\drivers\k750obex.sys
2009-03-31 12:10 . 2005-07-07 14:26 6576 ----a-r c:\windows\system32\drivers\k750mdfl.sys
2009-03-31 12:09 . 2005-07-07 14:26 6144 ----a-r c:\windows\system32\drivers\k750cmnt.sys
2009-03-31 12:09 . 2005-07-07 14:26 6144 ----a-r c:\windows\system32\drivers\k750cm.sys
2009-03-31 12:09 . 2005-07-07 14:25 89872 ----a-r c:\windows\system32\drivers\k750mdm.sys
2009-03-31 12:09 . 2005-07-07 14:25 5744 ----a-r c:\windows\system32\drivers\k750whnt.sys
2009-03-31 12:09 . 2005-07-07 14:25 5744 ----a-r c:\windows\system32\drivers\k750wh.sys
2009-03-31 12:09 . 2005-07-07 14:26 55216 ----a-r c:\windows\system32\drivers\k750bus.sys
2009-03-19 21:56 . 2006-10-26 18:56 32592 ----a-w c:\windows\system32\msonpmon.dll
2009-03-19 21:48 . 2009-03-19 21:48 -------- d-----w c:\documents and settings\Kuba\Ustawienia lokalne\Dane aplikacji\Microsoft Help
2009-03-19 21:48 . 2009-04-10 13:01 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Microsoft Help
2009-03-19 21:47 . 2009-03-19 21:47 -------- d--h--r C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 19:33 . 2009-04-13 19:33 -------- d-----w c:\program files\Trend Micro
2009-04-13 09:44 . 2008-03-08 10:14 -------- d-----w c:\documents and settings\Kuba\Dane aplikacji\Skype
2009-04-11 13:37 . 2008-11-24 18:45 -------- d-----w c:\documents and settings\Kuba\Dane aplikacji\HPAppData
2009-04-11 13:36 . 2008-05-15 10:40 -------- d-----w c:\documents and settings\Kuba\Dane aplikacji\MegauploadToolbar
2009-04-11 13:18 . 2009-04-11 09:20 -------- d-----w c:\program files\Microsoft ActiveSync
2009-04-05 12:36 . 2009-04-05 12:36 -------- d-----w c:\program files\Sony Ericsson
2009-04-05 10:30 . 2009-04-05 10:30 -------- d-----w c:\program files\MyPhoneExplorer
2009-04-05 10:17 . 2009-04-05 10:17 -------- d-----w c:\program files\Far
2009-03-27 22:36 . 2004-08-04 11:00 68752 ----a-w c:\windows\system32\perfc015.dat
2009-03-27 22:36 . 2004-08-04 11:00 439908 ----a-w c:\windows\system32\perfh015.dat
2009-03-22 14:38 . 2008-02-02 06:26 -------- d-----w c:\program files\DivX
2009-03-22 14:20 . 2008-02-03 14:49 -------- d-----w c:\program files\Common Files\Adobe
2009-03-20 05:44 . 2008-01-31 04:49 533832 ----a-w c:\documents and settings\Kuba\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-03-19 21:54 . 2009-03-19 21:54 -------- d-----w c:\program files\Microsoft Works
2009-03-19 21:53 . 2009-03-19 21:53 -------- d-----w c:\program files\MSBuild
2009-03-19 21:51 . 2009-03-19 21:51 -------- d-----w c:\program files\Microsoft.NET
2009-03-18 13:30 . 2008-03-11 16:57 -------- d-----w c:\program files\Azureus
2009-03-18 13:30 . 2008-03-11 16:58 -------- d-----w c:\documents and settings\Kuba\Dane aplikacji\Azureus
2009-03-18 09:35 . 2009-03-18 09:35 -------- d-----r c:\program files\Skype
2009-03-18 09:35 . 2008-03-08 10:13 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Skype
2009-03-18 08:50 . 2008-03-08 10:16 -------- d-----w c:\documents and settings\Kuba\Dane aplikacji\skypePM
2009-03-11 16:50 . 2008-10-11 13:37 -------- d-----w c:\program files\Grupa IMAGE
2009-03-04 20:15 . 2009-03-04 20:14 -------- d-----w c:\documents and settings\Kuba\Dane aplikacji\Nowe Gadu-Gadu
2009-02-09 14:07 . 2004-08-04 11:00 1847040 ----a-w c:\windows\system32\win32k.sys
2009-01-25 12:45 . 2009-01-25 12:45 410984 ----a-w c:\windows\system32\deploytk.dll
2008-03-08 10:16 . 2008-03-08 10:16 32 ----a-w c:\documents and settings\All Users\Dane aplikacji\ezsid.dat
2008-02-01 22:41 . 2008-02-01 22:41 129 ----a-w c:\documents and settings\Kuba\Ustawienia lokalne\Dane aplikacji\fusioncache.dat
2008-02-01 22:37 . 2008-02-01 22:37 22328 ----a-w c:\documents and settings\Kuba\Dane aplikacji\PnkBstrK.sys
2008-07-05 10:2008-07-05 10:49 49:23 . c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2007-11-14 2131392]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-29 638976]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 184320]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-07-05 29744]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Kuba\Menu Start\Programy\Autostart\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2008-02-02 184320]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-08-23 18:36 455968 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2009-03-11 13:00 24095528 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"c:\WINDOWS\system32\usmt\migwiz.exe"=
"c:\WINDOWS\system32\PnkBstrA.exe"=
"c:\WINDOWS\system32\PnkBstrB.exe"=
"c:\Program Files\Gadu-Gadu\gg.exe"=
"c:\Program Files\Valve\hl.exe"=
"c:\Program Files\Azureus\Azureus.exe"=
"c:\Program Files\Valve\hlds.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe"=
"c:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe"=
"c:\Program Files\Hp\Digital Imaging\bin\hpqste08.exe"=
"c:\Program Files\Hp\Digital Imaging\bin\hposid01.exe"=
"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"c:\Program Files\Microsoft Office\Office12\GROOVE.EXE"=
"c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R3 GoogleDesktopManager-051608-133132;Menedżer Google Desktop 5.7.805.16405;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-07-05 29744]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 NwSapAgent;Agent SAP;c:\windows\system32\svchost.exe [2008-04-14 14336]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17a168a2-2785-11de-95e5-001b24e3aa5c}]
\Shell\AutoRun\command - H:\i.cmd
\Shell\open\Command - H:\i.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d7ff722-1c62-11dd-9482-001b24e3aa5c}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5da9b2b0-ce79-11dd-957b-001b24e3aa5c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6902f804-cf61-11dd-958a-001b24e3aa5c}]
\Shell\AutoRun\command - H:\EXPLORER.EXE
\Shell\explore\Command - H:\EXPLORER.EXE
\Shell\open\Command - H:\EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6902f805-cf61-11dd-958a-001b24e3aa5c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77a75125-10da-11de-95de-001b24e3aa5c}]
\Shell\AutoRun\command - H:\EXPLORER.EXE
\Shell\explore\Command - H:\EXPLORER.EXE
\Shell\open\Command - H:\EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{934b2390-da5f-11dd-9594-001b24e3aa5c}]
\Shell\AutoRun\command - H:\i.cmd
\Shell\open\Command - H:\i.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0747ffc-e479-11dc-9425-001b24e3aa5c}]
\Shell\AutoRun\command - I:\e.cmd
\Shell\explore\Command - I:\e.cmd
\Shell\open\Command - I:\e.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6debaaa-ce8a-11dd-957c-001b24e3aa5c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe

.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kuba\Dane aplikacji\Mozilla\Firefox\Profiles\zk0hj60c.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - http://www.onet.pl
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 22:08
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'explorer.exe'(3580)
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Gadu-Gadu\ggwhook.dll
c:\program files\Common Files\Nero\Lib\NeroDigitalExt.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.POL
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_pol.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\Office12\1045\GrooveIntlResource.dll
c:\windows\system32\igfxpph.dll
c:\windows\system32\hccutils.DLL
c:\windows\system32\igfxres.dll
c:\windows\system32\igfxress.dll
c:\windows\system32\igfxsrvc.dll
c:\program files\AskTBar\bar\2.bin\ASKTBAR.DLL
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Hp\Digital Imaging\bin\hpqste08.exe
c:\program files\Hp\Digital Imaging\bin\hpqbam08.exe
c:\program files\Hp\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Czas ukończenia: 2009-04-13 22:13 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-04-13 20:13

Przed: 152 027 353 088 bajtów wolnych
Po: 152,061,386,752 bajtów wolnych

WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

295 --- E O F --- 2009-04-10 13:01
MarS
(MarS)
13 April 2009 20:17
#4
Since it's a rootkit, use the Polish Gmer http://gmer.net/index.php
I'll wait for Leon's reply, because I know too little about this; actually I don't know anything about it at all!
Leon1
(Leon$)
13 April 2009 20:31
#6
Disinfect the pen drive or memory card http://www.softpedia.com/get/Security/S … Tool.shtml
Flash Disinfector http://www.searchengines.pl/index.php?s … ntry369724
or format it
Open Notepad and paste
Save it as CFScript.txt (save it so that the CFScript.txt icon sits next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon
Removal should begin
Then post the ComboFix removal log
I wonder whether it's fine now or not? But something still smells a bit fishy to me here! Regards
ComboFix 09-04-13.A2 - Kuba 2009-04-13 22:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.2038.1339 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Kuba\Pulpit\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\Kuba\Pulpit\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090413-0] *On-access scanning disabled* (Updated)
 * Utworzono nowy punkt przywracania

FILE ::
H:\EXPLORER.EXE
H:\i.cmd
I:\e.cmd
.
((((((((((((((((((((((((( Pliki utworzone od 2009-03-13 do 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-11 09:19 . 2009-04-11 09:19 -------- d-----w c:\windows\Downloaded Installations
2009-04-11 09:19 . 2006-04-10 18:05 104576 ----a-r c:\windows\system32\drivers\wceusbsh.sys
2009-04-06 06:01 . 2008-10-16 12:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-06 06:01 . 2008-10-16 12:06 208744 ----a-w c:\windows\system32\muweb.dll
2009-04-06 06:01 . 2008-10-16 12:06 27496 ----a-w c:\windows\system32\mucltui.dll.mui
2009-04-05 12:36 . 2005-06-13 08:08 85664 ----a-w c:\windows\system32\drivers\w800obex.sys
2009-04-05 12:36 . 2005-06-13 08:08 6144 ----a-w c:\windows\system32\drivers\w800cmnt.sys
2009-04-05 12:36 . 2005-06-13 08:08 6144 ----a-w c:\windows\system32\drivers\w800cm.sys
2009-04-05 12:36 . 2005-06-13 08:06 87792 ----a-w c:\windows\system32\drivers\w800mgmt.sys
2009-04-05 12:36 . 2005-06-13 08:05 96224 ----a-w c:\windows\system32\drivers\w800mdm.sys
2009-04-05 12:36 . 2005-06-13 08:05 9264 ----a-w c:\windows\system32\drivers\w800mdfl.sys
2009-04-05 12:36 . 2005-06-13 08:03 60768 ----a-w c:\windows\system32\drivers\w800bus.sys
2009-04-05 12:36 . 2005-06-13 08:03 5744 ----a-w c:\windows\system32\drivers\w800whnt.sys
2009-04-05 12:36 . 2005-06-13 08:03 5744 ----a-w c:\windows\system32\drivers\w800wh.sys
2009-04-05 11:58 . 2009-04-05 11:58 -------- d--a-w C:\customize files
2009-04-05 10:30 . 2009-04-07 21:39 -------- d-----w c:\documents and settings\Kuba\Dane aplikacji\MyPhoneExplorer
2009-04-05 10:15 . 2006-10-26 20:43 14940 ----a-r c:\windows\system32\drivers\Epiusb.sys
2009-03-31 17:50 . 2009-03-31 17:51 168362614 ----a-w C:\20090331_195012_Kuba.nba
2009-03-31 17:46 . 2009-03-31 17:47 165741848 ----a-w C:\20090331_194609_Kuba.nba
2009-03-31 17:39 . 2009-03-31 17:42 175005546 ----a-w C:\20090331_193945_Kuba.nba
2009-03-31 12:11 . 2005-07-07 14:25 81728 ----a-r c:\windows\system32\drivers\k750mgmt.sys
2009-03-31 12:10 . 2005-07-07 14:25 79488 ----a-r c:\windows\system32\drivers\k750obex.sys
2009-03-31 12:10 . 2005-07-07 14:26 6576 ----a-r c:\windows\system32\drivers\k750mdfl.sys
2009-03-31 12:09 . 2005-07-07 14:26 6144 ----a-r c:\windows\system32\drivers\k750cmnt.sys
2009-03-31 12:09 . 2005-07-07 14:26 6144 ----a-r c:\windows\system32\drivers\k750cm.sys
2009-03-31 12:09 . 2005-07-07 14:25 89872 ----a-r c:\windows\system32\drivers\k750mdm.sys
2009-03-31 12:09 . 2005-07-07 14:25 5744 ----a-r c:\windows\system32\drivers\k750whnt.sys
2009-03-31 12:09 . 2005-07-07 14:25 5744 ----a-r c:\windows\system32\drivers\k750wh.sys
2009-03-31 12:09 . 2005-07-07 14:26 55216 ----a-r c:\windows\system32\drivers\k750bus.sys
2009-03-19 21:56 . 2006-10-26 18:56 32592 ----a-w c:\windows\system32\msonpmon.dll
2009-03-19 21:48 . 2009-03-19 21:48 -------- d-----w c:\documents and settings\Kuba\Ustawienia lokalne\Dane aplikacji\Microsoft Help
2009-03-19 21:48 . 2009-04-10 13:01 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Microsoft Help
2009-03-19 21:47 . 2009-03-19 21:47 -------- d--h--r C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 19:33 . 2009-04-13 19:33 -------- d-----w c:\program files\Trend Micro
2009-04-13 09:44 . 2008-03-08 10:14 -------- d-----w c:\documents and settings\Kuba\Dane aplikacji\Skype
2009-04-11 13:37 . 2008-11-24 18:45 -------- d-----w c:\documents and settings\Kuba\Dane aplikacji\HPAppData
2009-04-11 13:36 . 2008-05-15 10:40 -------- d-----w c:\documents and settings\Kuba\Dane aplikacji\MegauploadToolbar
2009-04-11 13:18 . 2009-04-11 09:20 -------- d-----w c:\program files\Microsoft ActiveSync
2009-04-05 12:36 . 2009-04-05 12:36 -------- d-----w c:\program files\Sony Ericsson
2009-04-05 10:30 . 2009-04-05 10:30 -------- d-----w c:\program files\MyPhoneExplorer
2009-04-05 10:17 . 2009-04-05 10:17 -------- d-----w c:\program files\Far
2009-03-27 22:36 . 2004-08-04 11:00 68752 ----a-w c:\windows\system32\perfc015.dat
2009-03-27 22:36 . 2004-08-04 11:00 439908 ----a-w c:\windows\system32\perfh015.dat
2009-03-22 14:38 . 2008-02-02 06:26 -------- d-----w c:\program files\DivX
2009-03-22 14:20 . 2008-02-03 14:49 -------- d-----w c:\program files\Common Files\Adobe
2009-03-20 05:44 . 2008-01-31 04:49 533832 ----a-w c:\documents and settings\Kuba\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-03-19 21:54 . 2009-03-19 21:54 -------- d-----w c:\program files\Microsoft Works
2009-03-19 21:53 . 2009-03-19 21:53 -------- d-----w c:\program files\MSBuild
2009-03-19 21:51 . 2009-03-19 21:51 -------- d-----w c:\program files\Microsoft.NET
2009-03-18 13:30 . 2008-03-11 16:57 -------- d-----w c:\program files\Azureus
2009-03-18 13:30 . 2008-03-11 16:58 -------- d-----w c:\documents and settings\Kuba\Dane aplikacji\Azureus
2009-03-18 09:35 . 2009-03-18 09:35 -------- d-----r c:\program files\Skype
2009-03-18 09:35 . 2008-03-08 10:13 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Skype
2009-03-18 08:50 . 2008-03-08 10:16 -------- d-----w c:\documents and settings\Kuba\Dane aplikacji\skypePM
2009-03-11 16:50 . 2008-10-11 13:37 -------- d-----w c:\program files\Grupa IMAGE
2009-03-04 20:15 . 2009-03-04 20:14 -------- d-----w c:\documents and settings\Kuba\Dane aplikacji\Nowe Gadu-Gadu
2009-02-09 14:07 . 2004-08-04 11:00 1847040 ----a-w c:\windows\system32\win32k.sys
2009-01-25 12:45 .
2009-01-25 12:45 410984 ----a-w c:\windows\system32\deploytk.dll 2008-03-08 10:16 . 2008-03-08 10:16 32 ----a-w c:\documents and settings\All Users\Dane aplikacji\ezsid.dat 2008-02-01 22:41 . 2008-02-01 22:41 129 ----a-w c:\documents and settings\Kuba\Ustawienia lokalne\Dane aplikacji\fusioncache.dat 2008-02-01 22:37 . 2008-02-01 22:37 22328 ----a-w c:\documents and settings\Kuba\Dane aplikacji\PnkBstrK.sys 2008-07-05 10:2008-07-05 10:49 49:23 . c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“c:\windows\system32\ctfmon.exe” [2008-04-14 15360] “BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe” [2007-08-03 202024] “Gadu-Gadu”=“c:\program files\Gadu-Gadu\gg.exe” [2007-11-14 2131392] “H/PC Connection Agent”=“c:\program files\Microsoft ActiveSync\Wcescomm.exe” [2006-11-13 1289000] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SMSERIAL”=“c:\program files\Motorola\SMSERIAL\sm56hlpr.exe” [2007-01-29 638976] “hpWirelessAssistant”=“c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe” [2007-10-03 480560] “WatchDog”=“c:\program files\InterVideo\DVD Check\DVDCheck.exe” [2005-07-04 184320] “NeroFilterCheck”=“c:\program files\Common Files\Nero\Lib\NeroCheck.exe” [2007-03-01 153136] “NBKeyScan”=“c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe” [2007-08-08 1828136] “IgfxTray”=“c:\windows\system32\igfxtray.exe” [2007-12-19 135168] “HotKeysCmds”=“c:\windows\system32\hkcmd.exe” [2007-12-19 159744] “Persistence”=“c:\windows\system32\igfxpers.exe” [2007-12-19 131072] “avast!”=“c:\progra~1\ALWILS~1\Avast4\ashDisp.exe” [2009-02-05 81000] “Google Desktop Search”=“c:\program files\Google\Google 
Desktop Search\GoogleDesktop.exe” [2008-07-05 29744] “SunJavaUpdateSched”=“c:\program files\Java\jre6\bin\jusched.exe” [2009-01-25 136600] “HP Software Update”=“c:\program files\HP\HP Software Update\HPWuSchd2.exe” [2007-10-14 49152] “hpqSRMon”=“c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe” [2007-08-22 80896] “QlbCtrl.exe”=“c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe” [2008-08-01 202032] “GrooveMonitor”=“c:\program files\Microsoft Office\Office12\GrooveMonitor.exe” [2006-10-27 31016] “Adobe Reader Speed Launcher”=“c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe” [2009-02-27 35696] “RTHDCPL”=“RTHDCPL.EXE” [2007-10-16 c:\windows\RTHDCPL.exe] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“c:\windows\system32\CTFMON.EXE” [2008-04-14 15360] c:\documents and settings\Kuba\Menu Start\Programy\Autostart\ Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664] c:\documents and settings\All Users\Menu Start\Programy\Autostart\ DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2008-02-02 184320] HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoResolveTrack”= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] “msacm.avis”= ff_acm.acm [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @=“Driver” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel] --a------ 2007-08-23 18:36 455968 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] -ra------ 2009-03-11 13:00 24095528 c:\program 
files\Skype\Phone\Skype.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] “AntiVirusOverride”=dword:00000001 [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile] “EnableFirewall”= 0 (0x0) [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] “%windir%\system32\sessmgr.exe”= “c:\WINDOWS\system32\usmt\migwiz.exe”= “c:\WINDOWS\system32\PnkBstrA.exe”= “c:\WINDOWS\system32\PnkBstrB.exe”= “c:\Program Files\Gadu-Gadu\gg.exe”= “c:\Program Files\Valve\hl.exe”= “c:\Program Files\Azureus\Azureus.exe”= “c:\Program Files\Valve\hlds.exe”= “%windir%\Network Diagnostic\xpnetdiag.exe”= “c:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe”= “c:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe”= “c:\Program Files\Hp\Digital Imaging\bin\hpqste08.exe”= “c:\Program Files\Hp\Digital Imaging\bin\hposid01.exe”= “c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE”= “c:\Program Files\Microsoft Office\Office12\GROOVE.EXE”= “c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE”= “c:\program files\Microsoft ActiveSync\rapimgr.exe”= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager “c:\program files\Microsoft ActiveSync\wcescomm.exe”= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager “c:\program files\Microsoft ActiveSync\WCESMgr.exe”= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application “c:\Program Files\Skype\Phone\Skype.exe”= [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] “26675:TCP”= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] “AllowInboundTimestampRequest”= 1 (0x1) “AllowInboundMaskRequest”= 1 (0x1) “AllowInboundRouterRequest”= 1 (0x1) “AllowOutboundDestinationUnreachable”= 1 
(0x1) “AllowOutboundSourceQuench”= 1 (0x1) “AllowOutboundParameterProblem”= 1 (0x1) “AllowOutboundTimeExceeded”= 1 (0x1) “AllowRedirect”= 1 (0x1) “AllowOutboundPacketTooBig”= 1 (0x1) R3 GoogleDesktopManager-051608-133132;Menedżer Google Desktop 5.7.805.16405;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-07-05 29744] R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-02-01 138112] R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320] S1 aswSP;avast! Self Protection; [x] S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560] S2 NwSapAgent;Agent SAP;c:\windows\system32\svchost.exe [2008-04-14 14336] S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{10880D85-AAD9-4558-ABDC-2AB1552D831F}] “c:\program files\Common Files\LightScribe\LSRunOnce.exe” . . ------- Skan uzupełniający ------- . uStart Page = hxxp://www.google.pl/ uSearchURL,(Default) = hxxp://www.google.com/keyword/%s IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Kuba\Dane aplikacji\Mozilla\Firefox\Profiles\zk0hj60c.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - www.onet.pl FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p= FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll . 
************************************************************************** catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-13 22:36 Windows 5.1.2600 Dodatek Service Pack 3 NTFS skanowanie ukrytych procesów … skanowanie ukrytych wpisów autostartu … skanowanie ukrytych plików … skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** . --------------------- Pliki DLL ładowane pod uruchomionymi procesami --------------------- - - - - - - - > ‘explorer.exe’(3440) c:\progra~1\WINDOW~2\wmpband.dll c:\program files\Gadu-Gadu\ggwhook.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Czas ukończenia: 2009-04-13 22:37 ComboFix-quarantined-files.txt 2009-04-13 20:37 ComboFix2.txt 2009-04-13 20:13 Przed: 152 096 088 064 bajtów wolnych Po: 152,081,928,192 bajtów wolnych 212 — E O F — 2009-04-10 13:01
Leon1
(Leon$)
13 April 2009 20:46
#8
The log looks clean.
Download CCleaner http://www.filehippo.com/download_ccleaner/
Scan with it and clean the registry.
Optimise the startup items:
http://cybertrash.netarteria.pl/cyber/i … 378.0.html
Manually delete the folder C:\Qoobox and delete the ComboFix installer from the disk.
Disable and re-enable System Restore on all drives: http://support.microsoft.com/kb/310405/pl
Scan the "My Computer" area with http://www.kaspersky.pl/virusscanner.html and if any viruses are found, post the report.
Thanks, master, you're great, and the sites you link here make my life easier right away. I need to read all of this carefully and stop being a noob. Regards and many thanks for the help! I'm waiting for the report and will post it in the morning.
– Added 14.04.2009 (Tue) 7:42 –
Here is what was still sitting on my machine; the computer is clean and healthy now, thanks for the help.
-------------------------------------------------------------------------------- RAPORT KASPERSKY ONLINE SCANNER 7.0 wtorek, 14 kwiecień 2009 System operacyjny: Microsoft Windows XP Home Edition Dodatek Service Pack 3 (build 2600) Wersja Kaspersky Online Scanner: 7.0.26.12 Data ostatniej aktualizacji bazy danych: Monday, April 13, 2009 22:07:31 Liczba wpisów: 2041472 -------------------------------------------------------------------------------- Ustawienia skanowania: Typ bazy danych użytej do skanowania: rozszerzona Skanuj archiwa: tak Skanuj pocztowe bazy danych: tak Obszar skanowania - Mój komputer: C:\ D:\ E:\ F:\ G:\ Statystyki skanowania: Przeskanowanych plików: 85911 Nazwa zagrożenia: 1 Zainfekowanych obiektów: 1 Podejrzanych obiektów: 0 Czas skanowania: 01:49:10 Nazwa pliku / Nazwa zagrożenia / Liczba zagrożeń C:\Documents and Settings\Kuba\Moje dokumenty\Moja muzyka\My Downloads\My Downloads\Rod Stewart\first love - rod stewart.wm Zainfekowany: Trojan-Downloader.WMA.Wimad.m 1 Wybrany obszar został przeskanowany.