system
(system)
29 February 2008 15:35
#1
I think I caught some virus through a pendrive. The internet hardly works at all; only onet and gg... and even those only at about 50%. I'm sending logs from HijackThis and ComboFix. Thanks in advance for the help.
hijack:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:41:54, on 02/29/2008
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Ahead\InCD\InCD.exe
D:\WINDOWS\system32\temp1.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\RunDll32.exe
D:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\WINDOWS\system32\P2P Networking\P2P Networking.exe
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\WINDOWS\System32\drivers\CDAC11BA.EXE
D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Norton Internet Security\ISSVC.exe
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\Program Files\NewDotNet\nnrun.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\NewDotNet\nnrun.exe
D:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
D:\Program Files\BearShare Applications\BearShare\BearShare.exe
D:\Gadu-Gadu\gg.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
F3 - REG:win.ini: load=D:\WINDOWS\svchost.exe
F2 - REG:system.ini: UserInit=D:\WINDOWS\System32\Userinit.exe
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - D:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O2 - BHO: InstaFinder_K - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - D:\PROGRA~1\INSTAF~1\INSTAF~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - D:\Program Files\RXToolBar\sfcont.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - D:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - D:\Program Files\RXToolBar\RXToolBar.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O4 - HKLM\..\Run: [inCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ulead AutoDetector] D:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [P2P Networking] D:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] D:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [iSUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'd:\windows\system32\winlspak.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= … lcid=0x409
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {37A49D66-2735-4BB9-8503-82BA5E2333D0} (MailCfg Control) - http://poczta.wp.pl/autoryzacja/mailcfg.ocx
O16 - DPF: {5CBA93A3-E0ED-11D5-A70E-00C12601EADE} - http://cyber.kochanki.pl/1000sexfotek.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 9892319390
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} - http://install.gif-bereich.de/Installat … istent.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - D:\Program Files\RXToolBar\sfcont.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O20 - Winlogon Notify: Extensions - D:\WINDOWS\system32\lv0609dse.dll (file missing)
O22 - SharedTaskScheduler: OLE Module - {0211C4D9-BC71-8916-38AD-9DEA5D213614} - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - D:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - D:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NNServ - New.net , Inc. - D:\Program Files\NewDotNet\nnrun.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 12712 bytes
combofix:
ComboFix 08-02-25.3 - ABC 2008-02-29 15:58:12.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.136 [GMT 1:00]
Running from: D:\Documents and Settings\ABC\Pulpit\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED .
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\copy.exe
C:\host.exe
D:\Autorun.inf
D:\copy.exe
D:\host.exe
D:\Program Files\newdotnet
D:\Program Files\newdotnet\nncore.dll
D:\Program Files\newdotnet\nnrun.exe
D:\Program Files\newdotnet\readme.html
D:\Program Files\newdotnet\uninstall.exe
D:\WINDOWS\autorun.inf
D:\WINDOWS\Fonts\acrsecB.fon
D:\WINDOWS\Fonts\acrsecI.fon
D:\WINDOWS\hosts
D:\WINDOWS\NDNuninstall7_48.exe
D:\WINDOWS\smdat32a.sys
D:\WINDOWS\smdat32m.sys
D:\WINDOWS\svchost.exe
D:\WINDOWS\system32\guard.tmp
D:\WINDOWS\system32\temp1.exe
D:\WINDOWS\system32\temp2.exe
D:\WINDOWS\system32\vmss
D:\WINDOWS\xcopy.exe
G:\autorun.inf
G:\copy.exe
G:\host.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_NNSERV
-------\NNServ

((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-29 )))))))))))))))))))))))))))))))
.
2008-02-29 15:41 . 2008-02-29 15:41
2008-02-18 19:13 . 2008-02-18 19:13
2008-02-18 19:13 . 2008-02-18 19:13
2008-02-18 19:13 . 2007-04-03 10:04 1,060,864 --a------ D:\WINDOWS\system32\cdintf210.dll
2008-02-18 19:11 . 2001-03-05 12:11 98,304 --a------ D:\WINDOWS\system32\tsccvid.dll
2008-02-18 16:45 . 1998-06-26 21:22 525,352 -r------- D:\WINDOWS\system32\dbgrid32.OCX
2008-02-18 16:45 . 1999-09-09 12:28 446,464 -r------- D:\WINDOWS\system32\HHActiveX.dll
2008-02-18 16:45 . 2000-05-22 00:00 438,976 -r------- D:\WINDOWS\system32\MSHFLXGD.OCX
2008-02-18 16:45 . 2000-03-14 00:00 299,008 -r------- D:\WINDOWS\system32\MSDBRPTR.DLL
2008-02-18 16:45 . 1999-05-07 13:24 244,232 -r------- D:\WINDOWS\system32\msflxgrd.OCX
2008-02-18 16:45 . 1999-05-07 13:24 176,648 -r------- D:\WINDOWS\system32\msrdc20.OCX
2008-02-18 16:45 . 1998-06-24 11:55 164,144 -r------- D:\WINDOWS\system32\comct232.OCX
2008-02-18 16:41 . 2008-02-18 16:41
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 18:12 --------- d-----w D:\Program Files\Windows Media Connect 2
2008-01-11 15:38 --------- d-----w D:\Program Files\Investintech.com Inc
2008-01-11 05:41 44,544 ----a-w D:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-04 18:36 --------- d-----w D:\Documents and Settings\All Users\Dane aplikacji\PlayFirst
2008-01-04 18:36 --------- d-----w D:\Documents and Settings\ABC\Dane aplikacji\PlayFirst
2007-12-19 22:58 347,136 ----a-w D:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w D:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 05:14 3,592,192 ----a-w D:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:06 625,664 ------w D:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:05 70,656 ------w D:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w D:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ----a-w D:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:42 550,912 ------w D:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:42 550,912 ------w D:\WINDOWS\system32\dllcache\oleaut32.dll
2007-03-25 14:41 74,448 ----a-w D:\Documents and Settings\ABC\Dane aplikacji\GDIPFONTCACHEV1.DAT
2005-07-17 21:55 106,496 ----a-w D:\Program Files\55453
2004-12-29 14:23 7,741,336 ----a-w D:\Program Files\DivX521XP2K.exe
2004-12-28 12:57 232,640 ----a-w D:\Program Files\WM9Powertoy_TweakMP.EXE
2004-12-28 12:57 182,424 ----a-w D:\Program Files\ratmigptoy.exe
2004-12-28 12:56 84,568 ----a-w D:\Program Files\decades_autoplaylists.exe
2003-07-05 16:29 286 ----a-w D:\Program Files\Skrót do Program Files.lnk
2002-12-24 14:30 3,392 ----a-w D:\WINDOWS\inf\OTHER\cmiainfo.sys
2007-10-01 13:29 4,184 --sha-w D:\WINDOWS\system32\KGyGaAvL.sys
2007-10-01 13:29 104 --sh--r D:\WINDOWS\system32\F127652498.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-90F0-F66AB581A933}]
D:\PROGRA~1\INSTAF~1\INSTAF~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]
2006-07-04 22:48 206552 --a------ D:\Program Files\RXToolBar\sfcont.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{855F3B16-6D32-4FE6-8A56-BBB695989046}
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}
{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}

[HKEY_CLASSES_ROOT\clsid\{25d8bacf-3de2-4b48-ae22-d659b8d835b0}]
[HKEY_CLASSES_ROOT\RXToolBar.TBInfo.1]
[HKEY_CLASSES_ROOT\TypeLib\{66B20295-DC57-42B6-ACDF-52D916E86464}]
[HKEY_CLASSES_ROOT\RXToolBar.TBInfo]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}"= D:\Program Files\RXToolBar\RXToolBar.dll [2006-07-04 22:48 628440]

[HKEY_CLASSES_ROOT\clsid\{25d8bacf-3de2-4b48-ae22-d659b8d835b0}]
[HKEY_CLASSES_ROOT\RXToolBar.TBInfo.1]
[HKEY_CLASSES_ROOT\TypeLib\{66B20295-DC57-42B6-ACDF-52D916E86464}]
[HKEY_CLASSES_ROOT\RXToolBar.TBInfo]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-05-02 15:19 835654 D:\WINDOWS\system32\nview.dll]
"MSMSGS"="D:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="D:\Program Files\Ahead\InCD\InCD.exe" [2002-09-12 19:13 1101824]
"NeroCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 11:42 58728]
"Cmaudio"="cmicnfg.cpl" []
"Ulead AutoDetector"="D:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-18 17:20 45056]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"HP Software Update"="D:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"P2P Networking"="D:\WINDOWS\system32\P2P Networking\P2P Networking.exe" [2006-10-24 19:21 468152]
"KAZAA"="D:\Program Files\Kazaa\kazaa.exe" []
"ISUSPM Startup"="D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 06:03 221184]
"ISUSScheduler"="D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 06:03 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:44 15360]
"NvMediaCenter"="D:\WINDOWS\System32\NVMCTRAY.DLL" [2003-05-02 15:19 49152]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKLM\~\startupfolder\D:^Documents and Settings^ABC^Menu Start^Programy^Autostart^AdDestroyer.lnk]
path=D:\Documents and Settings\ABC\Menu Start\Programy\Autostart\AdDestroyer.lnk
backup=D:\WINDOWS\pss\AdDestroyer.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^ABC^Menu Start^Programy^Autostart^Power Project.lnk]
path=D:\Documents and Settings\ABC\Menu Start\Programy\Autostart\Power Project.lnk
backup=D:\WINDOWS\pss\Power Project.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^InterCheck Monitor.LNK]
path=D:\Documents and Settings\All Users\Menu Start\Programy\Autostart\InterCheck Monitor.LNK
backup=D:\WINDOWS\pss\InterCheck Monitor.LNKCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=D:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
c:\program files\altnet\points manager\points manager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 08:44 15360 D:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Search]
D:\WINDOWS\isrvs\desktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dvx]
D:\WINDOWS\System32\wsxsvc\wsxsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EanthologyApp]
D:\Program Files\Common Files\eAcceleration\eanthology.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ffis]
--a------ 2005-02-26 00:02 34146 D:\WINDOWS\isrvs\ffisearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KavSvc]
D:\WINDOWS\System32\naznvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
D:\Program Files\Kazaa\kazaa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 18:24 1694208 D:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Narrator]
D:\WINDOWS\System32\kqukwy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
D:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nsvcin]
D:\WINDOWS\system32\n20050308.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-05-02 15:19 4640768 D:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrvDef3.0]
--a------ 2005-02-04 18:04 7933952 D:\Program Files\PCSecurityShield\PrivacyDefender3\PrvDef3.0.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Nuker]
D:\Program Files\Spyware Nuker 2004\swn2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uchxob]
--a------ 2004-08-04 08:44 13312 D:\WINDOWS\System32\l?ass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmss]
D:\WINDOWS\System32\vmss\vmss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
D:\Program Files\WeatherCast\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebScan]
D:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
D:\PROGRA~1\Save\Save.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-12-13 02:50 33792 D:\Program Files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"D:\Program Files\ICQLite\ICQLite.exe"=
"D:\Program Files\Skype\Phone\Skype.exe"=

R0 BsStor;InCD Storage Helper Driver;D:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-06-06 01:07]
R2 BsUDF;InCD UDF Driver;D:\WINDOWS\system32\drivers\BsUDF.sys [2002-09-13 14:35]
S1 delprot;delprot;D:\WINDOWS\system32\drivers\delprot.sys []
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);D:\WINDOWS\system32\DRIVERS\k510bus.sys [2006-02-17 21:34]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;D:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2006-02-17 21:34]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;D:\WINDOWS\system32\DRIVERS\k510mdm.sys [2006-02-17 21:34]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);D:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2006-02-17 21:34]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;D:\WINDOWS\system32\DRIVERS\k510obex.sys [2006-02-17 21:34]
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);D:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 16:49]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);D:\WINDOWS\system32\DRIVERS\w300mgmt.sys [2006-03-13 16:50]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ba588ecb-47f3-40fa-83d6-49f89cf7c949]
D:\WINDOWS\System32\oxaobcr.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 20:26:28 D:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - ABC.job" - D:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exef/task:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-29 16:03:24
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: D:\WINDOWS\explorer.exe [6.00.2900.3156]
- D:\Gadu-Gadu\ggwhook.dll
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\RunDll32.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\WINDOWS\System32\drivers\CDAC11BA.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
D:\Gadu-Gadu\gg.exe
.
**************************************************************************
.
Completion time: 2008-02-29 16:19:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-29 15:19:24
.
2008-02-27 21:41:34
--- E O F ---
system
(system)
29 February 2008 19:06
#2
Omg…
What have you been doing with this computer :o
D:\WINDOWS\system32\temp1.exe
D:\WINDOWS\system32\P2P Networking\P2P Networking.exe
D:\Program Files\NewDotNet\nnrun.exe
D:\Program Files\NewDotNet\nnrun.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
F3 - REG:win.ini: load=D:\WINDOWS\svchost.exe
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - D:\Program Files\RXToolBar\sfcont.dll
O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - D:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - D:\Program Files\RXToolBar\RXToolBar.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O4 - HKLM\..\Run: [KAZAA] D:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
O10 - Broken Internet access because of LSP provider 'd:\windows\system32\winlspak.dll' missing
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} - http://install.gif-bereich.de/Installat … istent.ocx
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - D:\Program Files\RXToolBar\sfcont.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O23 - Service: NNServ - New.net , Inc. - D:\Program Files\NewDotNet\nnrun.exe
Remove with HJT...
You're probably using BearShare, Kazaa, P2P programs in general.
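The triage the reply above does by eye, written out as an added example (not code from the thread, from HijackThis or from any poster): a small classifier over HJT log lines that flags the entry kinds singled out there (hijacked IE search URLs, the win.ini load= autostart, the broken LSP chain, Trusted Zone additions, ActiveX downloads of a bare .exe, the MIME filter hijack, and binaries at odd paths). The sample log is constructed from a dozen lines of the first post; the rules and the SAFE_HOSTS list are this example's assumptions.

```python
"""Triage helper for HijackThis (v2.0.2) log lines.

Flags the kinds of entries the helper in the thread singled out: IE
search/start pages pointing at a third-party host (R0/R1), a win.ini load=
autostart (F3), a broken LSP chain (O10), Trusted Zone additions (O15),
ActiveX downloads of a bare .exe (O16), a MIME filter hijack (O18), and
binaries at odd paths in the process list or in O4/O23 entries.
The rules and SAFE_HOSTS are this example's assumptions, not HJT output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "O15 - Trusted Zone: *.iframedollars.biz" -> section "O15", body "Trusted Zone: ..."
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")

# tempN.exe anywhere, or svchost.exe in \WINDOWS rather than \WINDOWS\system32,
# as in this log (assumption: these names and locations are suspect).
ODD_PATH_RE = re.compile(r"\\(?:temp\d*\.exe|windows\\svchost\.exe)$", re.IGNORECASE)

# Hosts that legitimately appear in IE start/search settings on this machine.
SAFE_HOSTS = ("go.microsoft.com", "update.microsoft.com", "www.google.pl")


@dataclass
class Finding:
    section: str  # HJT section prefix, or "PROC" for a running-process line
    reason: str
    line: str


def triage_entry(line: str) -> Optional[Finding]:
    """Classify one 'Rn/Fn/On - ...' line; None means nothing stood out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    low = body.lower()
    if section in ("R0", "R1") and "=" in body:
        value = body.split("=", 1)[1].strip()
        if value.startswith("http") and not any(h in value for h in SAFE_HOSTS):
            return Finding(section, "IE start/search URL points at a third-party host", line)
    elif section == "F3" and "load=" in low:
        return Finding(section, "win.ini load= autostart, a legacy persistence point", line)
    elif section == "O10" and "broken internet access" in low:
        return Finding(section, "LSP chain names a missing DLL; this alone breaks networking", line)
    elif section == "O15":
        return Finding(section, "Trusted Zone / trusted IP range added, lowering IE security for it", line)
    elif section == "O16" and re.search(r"https?://\S+\.exe$", low):
        return Finding(section, "ActiveX download (DPF) pointing straight at an .exe", line)
    elif section == "O18" and "filter hijack" in low:
        return Finding(section, "MIME filter hijack: a DLL sits in front of text/html", line)
    elif section in ("O4", "O23") and ODD_PATH_RE.search(body):
        return Finding(section, "autostart or service binary at an unusual path", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Walk a whole HJT log: the 'Running processes:' block, then the entry lines."""
    findings: List[Finding] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if ENTRY_RE.match(line):
            in_processes = False  # the first Rn/Fn/On line ends the process block
            found = triage_entry(line)
            if found:
                findings.append(found)
        elif in_processes and ODD_PATH_RE.search(line):
            findings.append(Finding("PROC", "running process with an unusual name or path", line))
    return findings


# Constructed sample: a dozen lines lifted from the thread's HJT log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\temp1.exe
D:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
F3 - REG:win.ini: load=D:\WINDOWS\svchost.exe
O10 - Broken Internet access because of LSP provider 'd:\windows\system32\winlspak.dll' missing
O15 - Trusted Zone: *.iframedollars.biz
O16 - DPF: {5CBA93A3-E0ED-11D5-A70E-00C12601EADE} - http://cyber.kochanki.pl/1000sexfotek.exe
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - D:\Program Files\RXToolBar\sfcont.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Entries that pass the rules (the Google start page, the NVIDIA service) are deliberately left out of the result, so the list that comes back is the set of lines worth a second look, not the whole log.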
Gutek
(Gutek)
2 March 2008 20:34
#3
Paste into Notepad:
File::
D:\WINDOWS\System32\naznvr.exe
D:\WINDOWS\system32\n20050308.exe
D:\WINDOWS\System32\kqukwy.exe
D:\WINDOWS\System32\l?ass.exe
D:\WINDOWS\System32\oxaobcr.exe
Folder::
D:\Program Files\RXToolBar
D:\PROGRA~1\INSTAF~1
D:\WINDOWS\system32\P2P Networking
D:\Program Files\Kazaa
D:\WINDOWS\System32\wsxsvc
D:\PROGRA~1\NEWDOT~1
D:\Program Files\Spyware Nuker 2004
D:\Program Files\WeatherCast
D:\WINDOWS\System32\vmss
D:\PROGRA~1\Save
Driver::
delprot
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-90F0-F66AB581A933}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}"=-
"{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}"=-
[-HKEY_CLASSES_ROOT\clsid\{25d8bacf-3de2-4b48-ae22-d659b8d835b0}]
[-HKEY_CLASSES_ROOT\RXToolBar.TBInfo.1]
[-HKEY_CLASSES_ROOT\TypeLib\{66B20295-DC57-42B6-ACDF-52D916E86464}]
[-HKEY_CLASSES_ROOT\RXToolBar.TBInfo]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}"=-
[-HKEY_CLASSES_ROOT\clsid\{25d8bacf-3de2-4b48-ae22-d659b8d835b0}]
[-HKEY_CLASSES_ROOT\RXToolBar.TBInfo.1]
[-HKEY_CLASSES_ROOT\TypeLib\{66B20295-DC57-42B6-ACDF-52D916E86464}]
[-HKEY_CLASSES_ROOT\RXToolBar.TBInfo]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"=-
"P2P Networking"=-
"KAZAA"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dvx]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KavSvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Narrator]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nsvcin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Nuker]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uchxob]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmss]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ba588ecb-47f3-40fa-83d6-49f89cf7c949]
>>File>>Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
- as in this picture ->
(if the question "1 or 2" appears, type 1 and press ENTER.) The removal should start (and a log will be created).
After the restart, manually delete the folder C:\Qoobox.
After that, a new log from Combo.