MAM Virusy

darlem (Darek Dar) 2008-05-04 12:44:48 UTC #1

Mam poważne problemy z wirusami krtórych żaden antyvirus nie może usunąć.

Wysyłam logi z hijackthis i proszę o sprawdzenie i pomoc w usunięciu ich. Zgóry dziekuje.

Logi:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:31:42, on 2008-05-04

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Network Associates\VirusScan\avsynmgr.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\ctfmon.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\head2.exe

C:\Program Files\Network Associates\VirusScan\VsStat.exe

C:\Program Files\Network Associates\VirusScan\Avconsol.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\VM305_STI.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\AGEIA Technologies\bin\TrayIcon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\winlogon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

C:\WINDOWS\system32\cmd.exe

C:\Program Files\MSI\Core Center\CoreCenter.exe

C:\Program Files\RALINK\Common\RaUI.exe

C:\Program Files\OpenOffice.org 2.1\program\soffice.exe

C:\WINDOWS\winlogon.exe

C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vmware-ufad.exe,C:\WINDOWS\system32\actcontroller.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM..\Run: [bigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)

O4 - HKLM..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\bin\TrayIcon.exe

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM..\Run: [uninstall Information] C:\WINDOWS\system32CmdLineExt.exe

O4 - HKLM..\Run: [FIFA Soccer] C:\WINDOWS\system32\head2.exe

O4 - HKLM..\Run: [runwinlogon] C:\WINDOWS\winlogon.exe

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU..\Run: [steam] "e:\games\hl1\steam.exe" -silent

O4 - HKCU..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

O4 - HKCU..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

O4 - HKCU..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

O4 - HKCU..\Run: [libor] C:\WINDOWS\libor.exe

O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-20..\Run: [fci] C:\WINDOWS\system32\fci.exe (User '?')

O4 - HKUS\S-1-5-21-796845957-1220945662-725345543-1003..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-796845957-1220945662-725345543-1003..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')

O4 - HKUS\S-1-5-21-796845957-1220945662-725345543-1003..\Run: [steam] "e:\games\hl1\steam.exe" -silent (User '?')

O4 - HKUS\S-1-5-21-796845957-1220945662-725345543-1003..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent (User '?')

O4 - HKUS\S-1-5-21-796845957-1220945662-725345543-1003..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide (User '?')

O4 - HKUS\S-1-5-21-796845957-1220945662-725345543-1003..\Run: [] (User '?')

O4 - HKUS\S-1-5-21-796845957-1220945662-725345543-1003..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (User '?')

O4 - HKUS\S-1-5-21-796845957-1220945662-725345543-1003..\Run: [libor] C:\WINDOWS\libor.exe (User '?')

O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')

O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - S-1-5-21-796845957-1220945662-725345543-1003 Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe (User '?')

O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe

O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {631FF594-EC25-4CFF-B869-402DF294E1D6} (Instalator oprogramowania Onet.pl) - http://slimak.onet.pl/_m/kamerzysta/One ... or012s.ocx

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/softwar ... launch.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game04.zylom.com/activex/zylomgamesplayer.cab

O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://kamery.darlowo.org/activex/AMC.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: ???????????

O20 - Winlogon Notify: WinNt32 - C:\WINDOWS\SYSTEM32\WinNt32.dll

O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe

O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe

O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)

O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\fci.exe

O23 - Service: gusvc - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: ImapiService - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: LightScribeService - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LPTRDC server (LPTRDCsrv) - Unknown owner - C:\WINDOWS\ctfmon.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)

O23 - Service: NVSvc - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Lokalizator usługi zdalnego wywołania procedury (RPC) (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)

O23 - Service: sfrem01 - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe

O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

O23 - Service: StarWindService - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)

O23 - Service: UserAccess7 - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

End of file - 10580 bytes

W dniu 04.05.2008 , o godzinie 14:44 został dopisany post przez darlem

drugi log z combofix

ComboFix 08-05-01.3 - 1 2008-05-04 14:35:04.1 - FAT32 x86

Running from: E:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\ctfmon.exe

C:\WINDOWS\Downloaded Program Files\setup.inf

C:\WINDOWS\system32\bio2.exe

C:\WINDOWS\system32\CcEvtSvc.exe

C:\WINDOWS\system32\csrssw.dll

c:\windows\system32\Drivers\Rwu81.sys

C:\WINDOWS\system32\head2.exe

C:\WINDOWS\system32\lost.exe.exe

C:\WINDOWS\system32\mssrv32.exe

C:\WINDOWS\system32\svcp.csv

C:\WINDOWS\system32\WinNt32.dll

C:\WINDOWS\system32\winsub.xml

C:\WINDOWS\system32\WLCtrl32.dll

C:\WINDOWS\system32\wsnpoem\audio.dll

C:\WINDOWS\system32\wsnpoem\video.dll

C:\WINDOWS\winlogon.exe

C:\WINDOWS\system32\WinData.cab . . . . failed to delete

C:\WINDOWS\system32\wsnpoem\video.dll . . . . failed to delete

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\Legacy_CCEVTSVC

-------\Legacy_FCI

-------\Legacy_LPTRDCSRV

-------\Legacy_PROTECT

-------\Legacy_RWU81

-------\Legacy_ZZZDRV_LICH

-------\Legacy_ZZZSVC_LICH

-------\Service_CcEvtSvc

-------\Service_FCI

-------\Service_LPTRDCsrv

-------\Service_protect

-------\Service_Rwu81

((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))

2008-05-04 14:39 . 2008-05-04 14:39 69,632 --a------ C:\WINDOWS\system32\csrssw.dll

2008-05-04 14:39 . 2008-05-04 14:20 35,840 --a------ C:\WINDOWS\NVBenchMarks.exe

2008-05-04 14:26 . 2008-05-04 14:26

2008-05-04 13:03 . 2008-05-04 13:04 44,548 --a------ C:\WINDOWS\gogora.config

2008-05-04 12:17 . 2008-05-04 13:50 192,512 --a------ C:\WINDOWS\system32\cbOCR.dll

2008-04-30 06:27 . 2008-04-30 06:27

2008-04-30 06:24 . 2008-04-30 06:24

2008-04-30 06:05 . 2008-04-30 06:05

2008-04-29 17:57 . 2008-04-29 17:57

2008-04-29 17:56 . 2008-04-29 17:56

2008-04-29 17:56 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll

2008-04-29 17:56 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll

2008-04-29 17:56 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll

2008-04-29 17:56 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll

2008-04-29 17:56 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll

2008-04-28 09:45 . 2008-04-28 09:45

2008-04-27 20:48 . 2008-04-28 08:48 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe

2008-04-27 20:48 . 2008-04-27 20:48 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe

2008-04-27 16:26 . 2008-04-27 16:26

2008-04-27 10:52 . 2008-04-27 10:52 5,114 --a------ C:\WINDOWS\system32\dumprep.rar

2008-04-26 18:13 . 14,976 C:\WINDOWS\system32\drivers\Kgw50.sys

2008-04-26 18:13 . 0 C:\WINDOWS\system32\WinData.cab

2008-04-26 18:09 . 2008-04-26 18:09

2008-04-26 18:08 . 2008-04-26 18:08

2008-04-26 18:06 . 2008-04-26 18:06

2008-04-25 16:24 . 2008-04-25 16:24 0 --a------ C:\1EC.tmp

2008-04-25 16:24 . 2008-04-25 16:24 0 --a------ C:\1EB.tmp

2008-04-25 16:24 . 2008-04-25 16:24 0 --a------ C:\1EA.tmp

2008-04-25 16:24 . 2008-04-25 16:24 0 --a------ C:\1E9.tmp

2008-04-25 16:24 . 2008-04-25 16:24 0 --a------ C:\1E8.tmp

2008-04-25 16:24 . 2008-04-25 16:24 0 --a------ C:\1E7.tmp

2008-04-25 16:24 . 2008-04-25 16:24 0 --a------ C:\1E6.tmp

2008-04-25 16:24 . 2008-04-25 16:24 0 --a------ C:\1E5.tmp

2008-04-25 16:19 . 2008-04-25 16:19 0 --a------ C:\1CC.tmp

2008-04-25 16:18 . 2008-04-25 16:18 0 --a------ C:\1BC.tmp

2008-04-25 16:14 . 2008-04-25 16:14 0 --a------ C:\1AC.tmp

2008-04-25 16:13 . 2008-04-25 16:13 0 --a------ C:\19C.tmp

2008-04-25 16:12 . 2008-04-25 16:12 0 --a------ C:\18C.tmp

2008-04-25 16:11 . 2008-04-25 16:11 0 --a------ C:\17C.tmp

2008-04-25 16:09 . 2008-04-25 16:09 0 --a------ C:\16C.tmp

2008-04-25 16:07 . 2008-04-25 16:07 0 --a------ C:\15C.tmp

2008-04-25 16:01 . 2008-04-25 16:01 0 --a------ C:\14C.tmp

2008-04-25 16:00 . 2008-04-25 16:01 0 --a------ C:\148.tmp

2008-04-25 15:58 . 2008-04-25 15:58 29 --a------ C:\WINDOWS\system32\erqgopat.tmp

2008-04-25 15:58 . 2008-04-25 15:58 0 --a------ C:\144.tmp

2008-04-22 08:34 . 2008-04-22 08:34

2008-04-21 19:10 . 2008-04-21 19:10

2008-04-20 12:16 . 2008-04-27 17:51 273 --a------ C:\WINDOWS\game.ini

2008-04-19 14:44 . 2008-04-19 14:44 14,886,912 --a------ C:\focmapeditor.msi

2008-04-19 14:29 . 2008-04-19 14:29 98,304 --a------ C:\WINDOWS\system32CmdLineExt.dll

2008-04-19 11:05 . 2008-04-19 11:05 9,351,679 --a------ C:\Zbot.zip

2008-04-19 10:50 . 2008-04-19 10:50 1,095,819 --a------ C:\Manual.pdf

2008-04-19 10:49 . 2008-04-19 10:49 5,809,224 --a------ C:\CDRoller750_en.exe

2008-04-19 10:44 . 2008-04-19 10:44 3,492 --a------ C:\CD_Roller_7 0_[ENG]_ _crack[Torrenty[1][1].org].torrent

2008-04-18 19:08 . 2008-04-18 19:08

2008-04-18 19:08 . 2008-04-18 19:08 134,892 --a------ C:\310oe_a.rar

2008-04-18 19:07 . 2008-04-18 19:07

2008-04-18 19:07 . 2008-04-18 19:07 136,563 --a------ C:\340_oea.rar

2008-04-18 19:06 . 2008-04-18 19:06

2008-04-18 19:06 . 2008-04-18 19:06 76,997 --a------ C:\303_10oe_mix.rar

2008-04-18 19:02 . 2008-04-18 19:02

2008-04-18 19:01 . 2008-04-18 19:01 199,447 --a------ C:\390m33_2.rar

2008-04-17 19:22 . 2008-04-17 19:22

2008-04-17 16:36 . 2008-04-17 16:36

2008-04-17 15:09 . 2001-07-04 04:12 1,649,399 --------- C:\WINDOWS\TRAINE~1.CAB

2008-04-17 15:09 . 2008-04-17 16:36 249,856 --------- C:\WINDOWS\Setup1.exe

2008-04-17 15:09 . 2008-04-17 16:36 73,216 --a------ C:\WINDOWS\ST6UNST.EXE

2008-04-17 15:09 . 2008-04-17 15:09 1,607 --a------ C:\WINDOWS\ST6UNST.000

2008-04-13 19:07 . 2008-04-13 19:07

2008-04-13 19:06 . 2008-04-13 19:06

2008-04-13 07:41 . 2008-04-13 07:41

2008-04-10 18:58 . 2008-04-10 18:58

2008-04-09 20:30 . 2008-04-09 20:30

2008-04-08 08:54 . 2008-04-08 08:54

2008-04-07 19:08 . 2008-04-07 19:08

2008-04-07 19:07 . 2008-04-07 19:07

2008-04-06 09:41 . 2008-04-06 09:41

2008-04-05 16:14 . 2008-04-05 16:14

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-05-04 12:20 35,840 ----a-w C:\WINDOWS\system32CmdLineExt.exe

2008-05-04 11:02 28,160 ----a-w C:\WINDOWS\system32\fci.exe

2008-05-04 11:02 129,024 ----a-w C:\WINDOWS\libor.exe

2008-04-30 04:27 720,896 ----a-w C:\WINDOWS\iun6002.exe

2008-04-28 16:36 5,678 ----a-w C:\WINDOWS\system32\ealregsnapshot1.reg

2008-04-28 06:48 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-04-25 14:22 14,336 ----a-w C:\WINDOWS\system32\ups.exe

2008-04-25 14:22 14,336 ----a-w C:\WINDOWS\system32\tlntsvr.exe

2008-04-25 14:20 14,336 ----a-w C:\WINDOWS\system32\smlogsvc.exe

2008-04-25 14:14 14,336 ----a-w C:\WINDOWS\system32\sessmgr.exe

2008-04-25 14:14 14,336 ----a-w C:\WINDOWS\system32\scardsvr.exe

2008-04-25 14:14 14,336 ----a-w C:\WINDOWS\system32\rsvp.exe

2008-04-25 14:10 14,336 ----a-w C:\WINDOWS\system32\netdde.exe

2008-04-25 14:09 14,336 ----a-w C:\WINDOWS\system32\mnmsrvc.exe

2008-04-25 14:00 14,336 ----a-w C:\WINDOWS\system32\cisvc.exe.tmp

2008-04-10 11:05 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll

2008-04-01 11:56 --------- d-----w C:\Program Files\THQ

2008-03-29 16:10 --------- d-----w C:\Program Files\Common Files\Thraex Software

2008-03-22 16:05 3 ----a-r C:\WINDOWS\system32\drivers\Tcplp.sys

2008-03-22 14:35 8,576 ----a-w C:\WINDOWS\system32\drivers\ydbmlgryxoxo.sys

2008-03-22 13:31 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft

2008-03-21 10:19 --------- d-----w C:\Documents and Settings\1\Dane aplikacji\IGN_DLM

2008-03-17 17:10 --------- d-----w C:\Program Files\GTA3Mods

2008-03-17 16:07 --------- d-----w C:\Program Files\Sniker

2008-03-16 08:55 21,275 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys

2008-03-16 08:54 --------- d-----w C:\Program Files\RALINK

2008-03-11 18:05 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\PlayFirst

2008-03-11 18:05 --------- d-----w C:\Documents and Settings\1\Dane aplikacji\PlayFirst

2008-03-08 13:09 --------- d-----w C:\Documents and Settings\1\Dane aplikacji\Sierra

2008-03-06 12:33 --------- d-----w C:\Program Files\Veoh Networks

2008-02-16 07:43 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2008-02-02 16:53 22,328 ----a-w C:\Documents and Settings\1\Dane aplikacji\PnkBstrK.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Sample Shell Icon Overlay Identifier]

@={EA3775F2-28BE-11D3-9C8D-00105A24ED29}

[HKEY_CLASSES_ROOT\CLSID{EA3775F2-28BE-11D3-9C8D-00105A24ED29}]

C:\Documents and Settings\1\Ustawienia lokalne\Temp\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-07 13:12 68856]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-16 19:25 25268264]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]

"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 00:29 165784]

"Steam"="e:\games\hl1\steam.exe" [2008-03-28 10:13 1271032]

"EA Core"="C:\Program Files\Electronic Arts\EA Link\Core.exe" [2007-07-19 08:02 2887680]

"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-04-01 18:35 3587120]

"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]

"libor"="C:\WINDOWS\libor.exe" [2008-05-04 13:02 129024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"BigDog305"="C:\WINDOWS\VM305_STI.exe" [2006-03-17 10:03 61440]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:44 110592 C:\WINDOWS\system32\bthprops.cpl]

"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe]

"Adobe Reader Speed Launcher"="F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]

"AGEIA PhysX SysTray"="C:\Program Files\AGEIA Technologies\bin\TrayIcon.exe" [2007-07-23 09:05 345640]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]

"Uninstall Information"="C:\WINDOWS\system32CmdLineExt.exe" [2008-05-04 14:20 35840]

"FIFA Soccer"="C:\WINDOWS\system32\head2.exe" []

"Usługi online"="C:\WINDOWS\NVBenchMarks.exe" [2008-05-04 14:20 35840]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

C:\Documents and Settings\1\Menu Start\Programy\Autostart\

OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48 393216]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

CoreCenter.lnk - C:\Program Files\MSI\Core Center\CoreCenter.exe [2007-07-26 13:19:18 931840]

Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2008-03-16 10:55:50 614400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.3iv2"= 3ivxVfWCodec.dll

"msacm.divxa32"= divxa32.acm

"VIDC.HFYU"= huffyuv.dll

"VIDC.i263"= i263_32.drv

"msacm.imc"= imc32.acm

"VIDC.VP31"= vp31vfw.dll

"vidc.asv2"= asusasv2.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kgw50.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\Java\jre1.5.0_11\bin\javaw.exe"=

"C:\Program Files\Gadu-Gadu\gg.exe"=

"C:\Program Files\Messenger\msmsgs.exe"=

"C:\WINDOWS\System32\dpnsvr.exe"=

"C:\Program Files\Azureus\Azureus.exe"=

"C:\WINDOWS\System32\dplaysvr.exe"=

"C:\WINDOWS\System32\CTFMON.EXE"=

"E:\Games\hl1\team fortress classic\hl.exe"=

"E:\Games\hl1\half-life blue shift\hl.exe"=

"E:\Games\hl1\opposing force\hl.exe"=

"E:\Games\hl1\half-life\hl.exe"=

"F:\download\samp-server-0.2.1-win32\samp-server.exe"=

"C:\Program Files\Valve\hl.exe"=

"C:\Program Files\Internet Explorer\iexplore.exe"=

"E:\Games\hl1\SteamApps\fabian992\half-life 2 deathmatch\hl2.exe"=

"C:\WINDOWS\System32\PnkBstrA.exe"=

"C:\WINDOWS\System32\PnkBstrB.exe"=

"F:\eaw\GameData\sweaw.exe"=

"F:\eawfoc\swfoc.exe"=

"E:\Games\assassins creed\AssassinsCreed_Dx9.exe"=

"E:\Games\assassins creed\AssassinsCreed_Dx10.exe"=

"E:\Games\assassins creed\AssassinsCreed_Launcher.exe"=

"C:\WINDOWS\system32\regsvr32.exe"=

"C:\WINDOWS\explorer.exe"= C:\WINDOWS\Explorer.EXE

"C:\WINDOWS\system32\mmc.exe"=

"C:\WINDOWS\libor.exe"=

"C:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"6667:TCP"= 6667:TCP:chat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{b5fcc8f8-718c-11dc-a02c-001617ec6911}]

\Shell\AutoRun\command - explorer.exe /n,/e,\

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-04 14:39:08

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

------------------------ Other Running Processes ------------------------

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Network Associates\VirusScan\avsynmgr.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Network Associates\VirusScan\VsStat.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Network Associates\VirusScan\Avconsol.exe

C:\Program Files\OpenOffice.org 2.1\program\soffice.exe

C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN

C:\Program Files\Skype\Plugin Manager\skypePM.exe

**************************************************************************

Completion time: 2008-05-04 14:41:08 - machine was rebooted

ComboFix-quarantined-files.txt 2008-05-04 12:41:04

Pre-Run: 700,571,648 bajtów wolnych

Post-Run: 3,462,889,472 bajt˘w wolnych

281

huber2t (Huber2t) 2008-05-04 13:16:08 UTC #2

fix w hijackthis

Pobierz ComboFix, ale nie uruchamiaj

Wklej do notatnika:

File::

C:\WINDOWS\system32CmdLineExt.exe

C:\WINDOWS\winlogon.exe

C:\WINDOWS\libor.exe

C:\WINDOWS\system32\fci.exe 

C:\1EC.tmp

C:\1EB.tmp

C:\1EA.tmp

C:\1E9.tmp

C:\1E8.tmp

C:\1E7.tmp

C:\1E6.tmp

C:\1E5.tmp

C:\1CC.tmp

C:\1BC.tmp

C:\1AC.tmp

C:\19C.tmp

C:\18C.tmp

C:\17C.tmp

C:\16C.tmp

C:\15C.tmp

C:\14C.tmp

C:\148.tmp

C:\144.tmp

C:\Documents and Settings\1\Ustawienia lokalne\Temp\IcnOvrly.dll


Folder::

C:\FOUND.001

C:\FOUND.000


Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"=-

"libor"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

Plik -> zapisz jako -> CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu ->

Powinno się rozpocząć usuwanie i powstanie log, daj ten log na forum.

darlem (Darek Dar) 2008-05-04 15:24:14 UTC #3

ComboFix 08-05-01.3 - 1 2008-05-04 15:19:55.2 - FAT32 x86

Running from: E:\ComboFix.exe

Command switches used :: E:\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

FILE ::

C:\144.tmp

C:\148.tmp

C:\14C.tmp

C:\15C.tmp

C:\16C.tmp

C:\17C.tmp

C:\18C.tmp

C:\19C.tmp

C:\1AC.tmp

C:\1BC.tmp

C:\1CC.tmp

C:\1E5.tmp

C:\1E6.tmp

C:\1E7.tmp

C:\1E8.tmp

C:\1E9.tmp

C:\1EA.tmp

C:\1EB.tmp

C:\1EC.tmp

C:\Documents and Settings\1\Ustawienia lokalne\Temp\IcnOvrly.dll

C:\WINDOWS\libor.exe

C:\WINDOWS\system32\fci.exe

C:\WINDOWS\system32CmdLineExt.exe

C:\WINDOWS\winlogon.exe

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\144.tmp

C:\148.tmp

C:\14C.tmp

C:\15C.tmp

C:\16C.tmp

C:\17C.tmp

C:\18C.tmp

C:\19C.tmp

C:\1AC.tmp

C:\1BC.tmp

C:\1CC.tmp

C:\1E5.tmp

C:\1E6.tmp

C:\1E7.tmp

C:\1E8.tmp

C:\1E9.tmp

C:\1EA.tmp

C:\1EB.tmp

C:\1EC.tmp

C:\FOUND.000

C:\FOUND.000\FILE0000.CHK

C:\FOUND.001

C:\FOUND.001\FILE0000.CHK

C:\WINDOWS\libor.exe

C:\WINDOWS\system32\csrssw.dll

C:\WINDOWS\system32\fci.exe

C:\WINDOWS\system32\ntos.exe

C:\WINDOWS\system32\wsnpoem

C:\WINDOWS\system32\wsnpoem\audio.dll

C:\WINDOWS\system32\wsnpoem\video.dll

C:\WINDOWS\system32CmdLineExt.exe

C:\WINDOWS\system32\WinData.cab . . . . failed to delete

((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))

2008-05-04 14:39 . 2008-05-04 14:20 35,840 --a------ C:\WINDOWS\NVBenchMarks.exe

2008-05-04 14:26 . 2008-05-04 14:26

2008-05-04 13:03 . 2008-05-04 13:04 44,548 --a------ C:\WINDOWS\gogora.config

2008-05-04 13:02 . 2008-05-04 13:02 87,552 --a------ C:\1F9.tmp

2008-05-04 13:02 . 2008-05-04 13:02 87,552 --a------ C:\1EF.tmp

2008-05-04 13:02 . 2008-05-04 13:02 64,916 --a------ C:\1F7.tmp

2008-05-04 13:02 . 2008-05-04 13:02 46,592 --a------ C:\1FC.tmp

2008-05-04 13:02 . 2008-05-04 13:02 10,752 --a------ C:\1FA.tmp

2008-05-04 13:02 . 2008-05-04 13:02 0 --a------ C:\1FE.tmp

2008-05-04 13:02 . 2008-05-04 13:02 0 --a------ C:\1FD.tmp

2008-05-04 13:02 . 2008-05-04 13:02 0 --a------ C:\1F4.tmp

2008-05-04 12:17 . 2008-05-04 13:50 192,512 --a------ C:\WINDOWS\system32\cbOCR.dll

2008-04-30 06:27 . 2008-04-30 06:27

2008-04-30 06:24 . 2008-04-30 06:24

2008-04-30 06:05 . 2008-04-30 06:05

2008-04-29 17:57 . 2008-04-29 17:57

2008-04-29 17:56 . 2008-04-29 17:56

2008-04-29 17:56 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll

2008-04-29 17:56 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll

2008-04-29 17:56 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll

2008-04-29 17:56 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll

2008-04-29 17:56 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll

2008-04-28 09:45 . 2008-04-28 09:45

2008-04-27 20:48 . 2008-04-28 08:48 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe

2008-04-27 20:48 . 2008-04-27 20:48 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe

2008-04-27 16:26 . 2008-04-27 16:26

2008-04-27 10:52 . 2008-04-27 10:52 5,114 --a------ C:\WINDOWS\system32\dumprep.rar

2008-04-26 18:13 . 14,976 C:\WINDOWS\system32\drivers\Kgw50.sys

2008-04-26 18:13 . 0 C:\WINDOWS\system32\WinData.cab

2008-04-26 18:09 . 2008-04-26 18:09

2008-04-26 18:08 . 2008-04-26 18:08

2008-04-26 18:06 . 2008-04-26 18:06

2008-04-25 16:19 . 2008-04-25 16:19 0 --a------ C:\1CB.tmp

2008-04-25 16:18 . 2008-04-25 16:18 0 --a------ C:\1BB.tmp

2008-04-25 16:14 . 2008-04-25 16:14 0 --a------ C:\1AB.tmp

2008-04-25 16:13 . 2008-04-25 16:13 0 --a------ C:\19B.tmp

2008-04-25 16:12 . 2008-04-25 16:12 0 --a------ C:\18B.tmp

2008-04-25 16:11 . 2008-04-25 16:11 0 --a------ C:\17B.tmp

2008-04-25 16:09 . 2008-04-25 16:09 0 --a------ C:\16B.tmp

2008-04-25 16:07 . 2008-04-25 16:07 0 --a------ C:\15B.tmp