Muli... Dużo syfu... Antivir zablokowany

"Silent Runners.vbs", revision R51, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\Radio\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

"hldrrr" = "C:\WINDOWS\system32\hldrrr.exe" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"HP Software Update" = ""C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"" ["Hewlett-Packard Company"]

"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"avast!" = "C:\PROGRA~1\Avast4\ashDisp.exe" [file not found]

"QuickTime Task" = ""F:\quick\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"DAEMON Tools-1033" = ""F:\tool\daemon.exe" -lang 1033" ["DAEMON'S HOME"]

"hldrrr" = "C:\WINDOWS\system32\hldrrr.exe" [null data]

"AVGCtrl" = "E:\AVGNT.EXE /min" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\LISU\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Startup items in "LISU" & "All Users" startup folders:

------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

"Digital Image Monitor" -> shortcut to: "C:\Documents and Settings\LISU\Moje dokumenty\aparat\Monitor.exe" [file not found]

"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]

"HP Image Zone - szybkie uruchamianie" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe -s" [null data]



Enabled Scheduled Tasks:

------------------------


"HPpromotions journeysoftware.job" -- insufficient permission to read this file!



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]



---------- (launch time: 2007-07-25 21:21:44)

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 57 seconds.

---------- (total run time: 138 seconds)

Logfile of HijackThis v1.99.1

Scan saved at 21:29:46, on 2007-07-25

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

F:\quick\qttask.exe

F:\tool\daemon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\abcd\Pulpit\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [QuickTime Task] "F:\quick\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\tool\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [AVGCtrl] E:\AVGNT.EXE /min

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\Radio\gg.exe" /tray

O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Digital Image Monitor.lnk = C:\Documents and Settings\abcd\Moje dokumenty\aparat\Monitor.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone - szybkie uruchamianie.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154520525907

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Złączono Posta : 25.07.2007 (Sro) 21:36

Czyszczenie rejestru:

RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177

możesz nim przeczyścić rejestr, albo

jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509

Opis RegCleaner - http://www.agavk.p9.pl/strony/progra_regcleaner.php

Zobacz - Obsługa jv16 PowerTools

Daj log z ComboFixa.

"abcd" - 2007-07-26 9:27:43 [GMT 2:00] - ComboFix 07-07-24 - Dodatek Service Pack 2 NTFS

ADS removed - svchost.exe: deleted 68 bytes in 1 streams.

ADS removed - ntoskrnl.exe: deleted 228 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\abcd\DANEAP~1.\hidires\m_hook.sys

C:\WINDOWS\exefld

C:\WINDOWS\exefld\101218.exe

C:\WINDOWS\exefld\1016593.exe

C:\WINDOWS\exefld\102484.exe

C:\WINDOWS\exefld\103843.exe

C:\WINDOWS\exefld\103921.exe

C:\WINDOWS\exefld\105093.exe

C:\WINDOWS\exefld\106328.exe

C:\WINDOWS\exefld\107421.exe

C:\WINDOWS\exefld\108375.exe

C:\WINDOWS\exefld\108859.exe

C:\WINDOWS\exefld\110187.exe

C:\WINDOWS\exefld\113859.exe

C:\WINDOWS\exefld\116656.exe

C:\WINDOWS\exefld\119875.exe

C:\WINDOWS\exefld\124640.exe

C:\WINDOWS\exefld\126421.exe

C:\WINDOWS\exefld\126515.exe

C:\WINDOWS\exefld\1280875.exe

C:\WINDOWS\exefld\128562.exe

C:\WINDOWS\exefld\1290406.exe

C:\WINDOWS\exefld\129046.exe

C:\WINDOWS\exefld\129468.exe

C:\WINDOWS\exefld\130078.exe

C:\WINDOWS\exefld\1305343.exe

C:\WINDOWS\exefld\1306828.exe

C:\WINDOWS\exefld\1322890.exe

C:\WINDOWS\exefld\134656.exe

C:\WINDOWS\exefld\135500.exe

C:\WINDOWS\exefld\135656.exe

C:\WINDOWS\exefld\142281.exe

C:\WINDOWS\exefld\143046.exe

C:\WINDOWS\exefld\143156.exe

C:\WINDOWS\exefld\143703.exe

C:\WINDOWS\exefld\144093.exe

C:\WINDOWS\exefld\145015.exe

C:\WINDOWS\exefld\14559640.exe

C:\WINDOWS\exefld\14561421.exe

C:\WINDOWS\exefld\14754578.exe

C:\WINDOWS\exefld\148656.exe

C:\WINDOWS\exefld\14939359.exe

C:\WINDOWS\exefld\15383859.exe

C:\WINDOWS\exefld\153843.exe

C:\WINDOWS\exefld\160625.exe

C:\WINDOWS\exefld\163187.exe

C:\WINDOWS\exefld\163906.exe

C:\WINDOWS\exefld\165562.exe

C:\WINDOWS\exefld\169312.exe

C:\WINDOWS\exefld\174000.exe

C:\WINDOWS\exefld\176015.exe

C:\WINDOWS\exefld\176531.exe

C:\WINDOWS\exefld\179609.exe

C:\WINDOWS\exefld\181703.exe

C:\WINDOWS\exefld\182312.exe

C:\WINDOWS\exefld\182859.exe

C:\WINDOWS\exefld\187734.exe

C:\WINDOWS\exefld\189171.exe

C:\WINDOWS\exefld\19465281.exe

C:\WINDOWS\exefld\201671.exe

C:\WINDOWS\exefld\214015.exe

C:\WINDOWS\exefld\227421.exe

C:\WINDOWS\exefld\231640.exe

C:\WINDOWS\exefld\236968.exe

C:\WINDOWS\exefld\2440546.exe

C:\WINDOWS\exefld\2442593.exe

C:\WINDOWS\exefld\246859.exe

C:\WINDOWS\exefld\257421.exe

C:\WINDOWS\exefld\261484.exe

C:\WINDOWS\exefld\262609.exe

C:\WINDOWS\exefld\265671.exe

C:\WINDOWS\exefld\267343.exe

C:\WINDOWS\exefld\267390.exe

C:\WINDOWS\exefld\267718.exe

C:\WINDOWS\exefld\273875.exe

C:\WINDOWS\exefld\275953.exe

C:\WINDOWS\exefld\2761078.exe

C:\WINDOWS\exefld\284453.exe

C:\WINDOWS\exefld\285328.exe

C:\WINDOWS\exefld\306562.exe

C:\WINDOWS\exefld\317906.exe

C:\WINDOWS\exefld\342984.exe

C:\WINDOWS\exefld\3742593.exe

C:\WINDOWS\exefld\3747781.exe

C:\WINDOWS\exefld\381125.exe

C:\WINDOWS\exefld\393281.exe

C:\WINDOWS\exefld\393343.exe

C:\WINDOWS\exefld\4895750.exe

C:\WINDOWS\exefld\5268890.exe

C:\WINDOWS\exefld\606953.exe

C:\WINDOWS\exefld\788015.exe

C:\WINDOWS\exefld\792078.exe

C:\WINDOWS\exefld\91140.exe

C:\WINDOWS\exefld\95125.exe

C:\WINDOWS\exefld\96171.exe

C:\WINDOWS\system32\hldrrr.exe

C:\WINDOWS\system32\wintems.exe

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_M_HOOK

-------\LEGACY_ROSA

-------\rosa

((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 )))))))))))))))))))))))))))))))

2007-07-26 09:26 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-26 09:20

2007-07-25 14:25

2007-07-20 11:52

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-13 21:41:46 -------- d-----w C:\Program Files\eMule

2007-07-03 19:47:26 -------- d-----w C:\Program Files\Winamp

2007-06-03 17:44:47 800 ----a-w C:\WINDOWS\eReg.dat

2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe

2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]

"QuickTime Task"="F:\quick\qttask.exe" [2007-01-06 19:36]

"DAEMON Tools-1033"="F:\tool\daemon.exe" [2004-08-22 17:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\Radio\gg.exe" [2006-10-10 17:51]

"german.exe"="C:\WINDOWS\system32\wintems.exe" []

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 21:16:50]

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

~~\SafeBoot\Minimal\Base

~~\SafeBoot\Minimal\Boot Bus Extender

~~\SafeBoot\Minimal\Boot file system

~~\SafeBoot\Minimal\dmboot.sys

~~\SafeBoot\Minimal\dmio.sys

~~\SafeBoot\Minimal\dmload.sys

~~\SafeBoot\Minimal\dmserver

~~\SafeBoot\Minimal\File system

~~\SafeBoot\Minimal\Filter

~~\SafeBoot\Minimal\PCI Configuration

~~\SafeBoot\Minimal\Primary disk

~~\SafeBoot\Minimal\RpcSs

~~\SafeBoot\Minimal\SCSI Class

~~\SafeBoot\Minimal\sermouse.sys

~~\SafeBoot\Minimal\System Bus Extender

~~\SafeBoot\Minimal\vga.sys

~~\SafeBoot\Minimal\vgasave.sys

~~\SafeBoot\Minimal{4D36E967-E325-11CE-BFC1-08002BE10318}

~~\SafeBoot\Minimal{4D36E96A-E325-11CE-BFC1-08002BE10318}

~~\SafeBoot\Minimal{4D36E96B-E325-11CE-BFC1-08002BE10318}

~~\SafeBoot\Minimal{4D36E96F-E325-11CE-BFC1-08002BE10318}

~~\SafeBoot\Minimal{4D36E97D-E325-11CE-BFC1-08002BE10318}

~~\SafeBoot\Minimal{71A27CDD-812A-11D0-BEC7-08002BE2092F}

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Komunikator]

"C:\Program Files\Tlen.pl\tlen.exe" --confdir=home

R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

S3 nsysaudm;nsysaudm;??\C:\DOCUME~1\abcd\USTAWI~1\Temp\nsysaudm.sys

S4 AVWUpSrv;AntiVir Update;E:\AVWUPSRV.EXE

Contents of the 'Scheduled Tasks' folder

2007-07-25 18:00:00 C:\WINDOWS\tasks\HPpromotions journeysoftware.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-26 09:32:19

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden registry entries …

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\x90\x2022\x20ac|\x2d9\x2d9\x2d9\x2d9"\x2022\x20ac|\x16f\x2022\xd3w\2]

"5E7CEC10DF0760D4F8DAFB12FDC06CCD"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

"TracesProcessed"=dword:00000087

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]

“Order”=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,…

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-07-26 9:34:05 - machine was rebooted

C:\ComboFix-quarantined-files.txt … 2007-07-26 09:33

— E O F —


Jak widać z logu (hldrrr.exe, wintems.exe oraz m_hook.sys w folderze hidires), miałeś rootkita Bagle-hidires, i to z dwoma usługami ("m_hook" i "rosa").

Do Notatnika wklej:

Windows Registry Editor Version 5.00


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"german.exe"=-

Z menu Notatnika >>> Plik >>> Zapisz jako >>> Ustaw rozszerzenie na Wszystkie pliki >>> Zapisz jako FIX.REG >>>

plik uruchom (dwuklik i OK).

Zrestartuj komputer.

Ponieważ ten rootkit modyfikuje pliki antywirusów, musisz przeinstalować swój antywirus.

Rootkit uszkodził też Tryb Awaryjny.

Można zacząć od użycia SafeBootKeyRepair

Jeśli to nie naprawi Trybu Awaryjnego, postępuj ściśle według tego opisu:

Naprawa Trybu Awaryjnego.

Potem daj nowy log z ComboFixa.

.

Combofix

"abcd" - 2007-07-26 10:45:31 [GMT 2:00] - ComboFix 07-07-24 - Dodatek Service Pack 2 NTFS  



((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 )))))))))))))))))))))))))))))))



2007-07-26 09:26	51,200	--a------	C:\WINDOWS\nircmd.exe

2007-07-26 09:20	






SafeBoot

[code] Reg export of SafeBoot key after repair: ======================== Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot] “AlternateShell”=“cmd.exe” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay] @=“Service” 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys] @=“FSFilter System Recovery” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal{36FC9E60-C465-11CF-8056-444553540000}] @=“Universal Serial Bus controllers” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal{4D36E965-E325-11CE-BFC1-08002BE10318}] @=“CD-ROM Drive” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal{4D36E967-E325-11CE-BFC1-08002BE10318}] @=“DiskDrive” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal{4D36E969-E325-11CE-BFC1-08002BE10318}] @=“Standard floppy disk controller” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal{4D36E96A-E325-11CE-BFC1-08002BE10318}] @=“Hdc” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal{4D36E96B-E325-11CE-BFC1-08002BE10318}] @=“Keyboard” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal{4D36E96F-E325-11CE-BFC1-08002BE10318}] @=“Mouse” 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal{4D36E977-E325-11CE-BFC1-08002BE10318}] @=“PCMCIA Adapters” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal{4D36E97B-E325-11CE-BFC1-08002BE10318}] @=“SCSIAdapter” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal{4D36E97D-E325-11CE-BFC1-08002BE10318}] @=“System” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal{4D36E980-E325-11CE-BFC1-08002BE10318}] @=“Floppy disk drive” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal{71A27CDD-812A-11D0-BEC7-08002BE2092F}] @=“Volume” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}] @=“Human Interface Devices” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys] @=“Driver” 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon] @=“Service” 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys] @=“FSFilter System Recovery” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers] @=“Driver Group” 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI] @=“Driver Group” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys] @=“Driver” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC] @=“Service” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network{36FC9E60-C465-11CF-8056-444553540000}] @=“Universal Serial Bus controllers” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network{4D36E965-E325-11CE-BFC1-08002BE10318}] @=“CD-ROM Drive” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network{4D36E967-E325-11CE-BFC1-08002BE10318}] @=“DiskDrive” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network{4D36E969-E325-11CE-BFC1-08002BE10318}] @=“Standard floppy disk controller” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network{4D36E96A-E325-11CE-BFC1-08002BE10318}] @=“Hdc” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network{4D36E96B-E325-11CE-BFC1-08002BE10318}] @=“Keyboard” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network{4D36E96F-E325-11CE-BFC1-08002BE10318}] @=“Mouse” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network{4D36E972-E325-11CE-BFC1-08002BE10318}] @=“Net” 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network{4D36E973-E325-11CE-BFC1-08002BE10318}] @=“NetClient” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network{4D36E974-E325-11CE-BFC1-08002BE10318}] @=“NetService” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network{4D36E975-E325-11CE-BFC1-08002BE10318}] @=“NetTrans” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network{4D36E977-E325-11CE-BFC1-08002BE10318}] @=“PCMCIA Adapters” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network{4D36E97B-E325-11CE-BFC1-08002BE10318}] @=“SCSIAdapter” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network{4D36E97D-E325-11CE-BFC1-08002BE10318}] @=“System” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network{4D36E980-E325-11CE-BFC1-08002BE10318}] @=“Floppy disk drive” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network{71A27CDD-812A-11D0-BEC7-08002BE2092F}] @=“Volume” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}] @=“Human Interface Devices” ========================

Wygląda na to, że jest już w porządku, zwłaszcza z Trybem Awaryjnym.

Nie wiem, co to za usługa (nsysaudm) startująca z folderu TEMP,

ale chyba nie będziemy się nią przejmować, bo jest uruchamiana ręcznie (typ startu S3),

a "szkodniki" starają się uruchamiać automatycznie, razem z systemem.

Tak więc - OK.

.

Bardzo dziękuję za błyskawiczną pomoc.

Pozdrawiam gorąco.

Sheaker