New virus ahnrpta.exe

Here is the log from ComboFix, please help:

ComboFix 09-01-19.05 - Bruce 2009-01-20 19:40:37.6 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.1.1033.18.1024.723 [GMT 1:00]

Uruchomiony z: c:\documents and settings\Bruce\Desktop\ComboFix.exe

AV: PC Tools AntiVirus 5.0.1.1 *On-access scanning enabled* (Updated)

FW: PC Tools Firewall Plus *enabled*

.

((((((((((((((((((((((((( Pliki utworzone od 2008-12-20 do 2009-01-20 )))))))))))))))))))))))))))))))

.

2009-01-20 16:25 . 2009-01-20 19:21

2009-01-20 10:34 . 2009-01-20 10:34

2009-01-20 08:07 . 2009-01-20 14:06

2009-01-20 07:36 . 2009-01-20 07:36 107,561 -r-hs---- C:\gy.exe

2009-01-19 13:50 . 2009-01-19 13:50

2009-01-18 08:23 . 2009-01-20 07:36 95,744 -r-hs---- c:\windows\system32\nmdfgds1.dll

2009-01-18 08:23 . 2008-04-14 01:12 69,120 --a------ c:\windows\AhnRpta.exe

2009-01-18 08:15 . 2009-01-20 07:36 107,561 -r-hs---- c:\windows\system32\olhrwef.exe

2009-01-18 08:15 . 2009-01-20 07:19 95,744 --------- c:\windows\system32\nmdfgds0.dll

2009-01-09 21:53 . 2009-01-09 21:53 43,520 --a------ c:\windows\system32\CmdLineExt03.dll

2009-01-09 14:22 . 2009-01-09 14:32

2009-01-08 08:55 . 2009-01-08 08:55

2009-01-08 08:51 . 2009-01-08 09:14

2009-01-05 12:03 . 2009-01-05 11:48 737,280 --a------ c:\windows\iun6002.exe

2009-01-05 12:03 . 2001-05-11 13:18 420,240 --a------ c:\windows\system32\mpg4c32.dll

2009-01-05 12:03 . 2001-05-16 17:54 309,616 --a------ c:\windows\system32\wmv8dmod.dll

2009-01-05 12:03 . 2001-03-26 04:41 245,760 --a------ c:\windows\system32\mp4sds32.ax

2009-01-05 11:48 . 2009-01-05 11:48

2009-01-04 12:59 . 2009-01-19 21:42 1,475 --a------ c:\windows\brydz3.ini

2009-01-04 12:59 . 2009-01-19 21:42 10 --a------ c:\windows\osoba3.cfg

2009-01-04 12:24 . 2009-01-04 12:42

2009-01-01 15:09 . 2009-01-01 15:09 122,880 --a------ c:\windows\lcmmfu.cpl

2009-01-01 15:09 . 2009-01-01 15:09 48,640 --a------ c:\windows\mmfs.dll

2009-01-01 15:09 . 2009-01-01 15:09 2,560 --a------ c:\windows\Runservice.exe

2009-01-01 15:09 . 2009-01-20 19:28 1,217 --ahs---- c:\windows\system32\mmf.sys

2009-01-01 13:02 . 2009-01-01 13:02

2009-01-01 13:02 . 2009-01-01 13:03

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-20 18:39 --------- d--a-w c:\documents and settings\All Users\Application Data\TEMP

2009-01-20 18:28 --------- d-----w c:\program files\PC Tools AntiVirus

2009-01-20 18:11 --------- d-----w c:\documents and settings\Bruce\Application Data\uTorrent

2009-01-19 22:13 --------- d-----w c:\documents and settings\Bruce\Application Data\foobar2000

2009-01-19 15:13 --------- d-----w c:\documents and settings\Bruce\Application Data\Skype

2009-01-19 15:04 --------- d-----w c:\documents and settings\Bruce\Application Data\skypePM

2009-01-13 22:10 --------- d-----w c:\documents and settings\Bruce\Application Data\Tlen.pl

2009-01-11 12:01 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-07 09:34 --------- d-----w c:\program files\Mozilla Sunbird

2009-01-04 15:48 --------- d-----w c:\program files\eMule

2009-01-04 14:31 184 ----a-w c:\program files\firebird.log

2008-12-14 13:49 --------- d-----w c:\program files\ScannerU

2008-12-14 13:30 --------- d-----w c:\documents and settings\All Users\Application Data\CanonIJPLM

2008-12-12 11:54 --------- d-----w c:\program files\Skype

2008-12-06 07:07 --------- d-----w c:\program files\proGame

2008-12-05 20:25 --------- d-----w c:\documents and settings\Bruce\Application Data\SpeedSim

2008-12-04 11:57 --------- d-----w c:\program files\Electronic Arts

2008-12-04 11:52 --------- d-----w c:\program files\Tlen.pl

2008-12-04 11:52 --------- d-----w c:\program files\KB Piano

2008-12-01 20:07 --------- d-----w c:\program files\eTeacher 4

2008-11-27 10:02 --------- d-----w c:\documents and settings\All Users\Application Data\Tlen.pl

2008-11-20 09:10 --------- d-----w c:\documents and settings\Bruce\Application Data\GlarySoft

2008-11-20 09:09 --------- d-----w c:\program files\Glary Utilities

2008-10-29 09:20 152,904 ----a-w c:\windows\system32\vghd.scr

2008-10-29 08:08 107,888 ----a-w c:\windows\system32\CmdLineExt.dll

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]

"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2009-01-20 1370000]

"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2008-08-05 2611096]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{BB4C402F-882A-4526-8C08-51278EA437C1}"= "c:\windows\system32\afmain1.dll" [2008-04-14 78848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ac3filter"= ac3filter.acm

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Action Manager 32.lnk]

backup=c:\windows\pss\Action Manager 32.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdoosoft]

-r-hs---- 2009-01-20 07:36 107561 c:\windows\system32\olhrwef.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2008-04-14 01:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

--a------ 2008-03-20 11:04 2127296 c:\program files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]

--a------ 2001-11-29 00:00 28672 c:\program files\Creative\SBLive\Program\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2008-09-17 08:55 13574144 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2008-09-17 08:55 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

-ra------ 2005-10-26 15:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

--------- 2000-05-11 00:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2008-09-17 08:55 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]

--a------ 2002-07-02 10:56 24576 c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"helpsvc"=2 (0x2)

"ERSvc"=2 (0x2)

"wuauserv"=2 (0x2)

"WebClient"=2 (0x2)

"Themes"=2 (0x2)

"seclogon"=2 (0x2)

"PolicyAgent"=2 (0x2)

"FastUserSwitchingCompatibility"=3 (0x3)

"ALG"=3 (0x3)

"aawservice"=2 (0x2)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

"c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=

"c:\Program Files\uTorrent\uTorrent.exe"=

"c:\Program Files\Skype\Phone\Skype.exe"=

R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2008-09-30 160792]

R3 FWAuth;FWAuth Driver;c:\windows\system32\drivers\FWAuthdriver.sys [2008-09-30 58136]

R4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2009-01-01 2560]

S4 BulkUsb;Plustek USB Scanner;c:\windows\system32\drivers\usbscan.sys [2008-11-22 15104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{18511ede-ba00-11dd-a072-00e018b277bf}]

\Shell\AutoRun\command - nhbivui.exe

\Shell\explore\Command - nhbivui.exe

\Shell\open\Command - nhbivui.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{1a1b101b-a409-11dd-a037-00e018b277bf}]

\Shell\AutoRun\command - I:\xih9.cmd

\Shell\explore\Command - I:\xih9.cmd

\Shell\open\Command - I:\xih9.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{c5abc43d-e084-11dd-a0b7-0002447fc6c6}]

\Shell\AutoRun\command - J:\xih9.cmd

\Shell\explore\Command - J:\xih9.cmd

\Shell\open\Command - J:\xih9.cmd

.

Zawartość folderu 'Zaplanowane zadania'

2009-01-20 c:\windows\Tasks\GlaryInitialize.job

  • c:\program files\Glary Utilities\initialize.exe [2008-10-29 17:58]

.

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://www.google.pl/

IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: {{B46B0919-62BA-4D99-A5C4-916B57A6805C} - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - c:\program files\Techland\Common\InternetTranslator\InternetTranslator.dll

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

FF - ProfilePath - c:\documents and settings\Bruce\Application Data\Mozilla\Firefox\Profiles\hrib6oat.default\

FF - prefs.js: browser.startup.homepage - hxxp://google.pl/

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Picasa2\npPicasa2.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-20 19:42:02

Windows 5.1.2600 Service Pack 3 NTFS

skanowanie ukrytych procesów …

skanowanie ukrytych wpisów autostartu …

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???st???w? ?w???w???w4???.??w4???4???TA?s4???&8?T???t???5?B~e?B~????L????C@?\???\??????s????\??????s\????&8?A??s?&8??C@?x???|?w???@

skanowanie ukrytych plików …

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

.

--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]


[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\0685B4039E83FFC215FE6F791AF60AF7]


.

Czas ukończenia: 2009-01-20 19:43:10

ComboFix-quarantined-files.txt 2009-01-20 18:43:05

ComboFix2.txt 2009-01-20 18:20:18

ComboFix3.txt 2008-11-19 19:44:16

ComboFix4.txt 2008-11-14 10:12:55

ComboFix5.txt 2009-01-20 18:40:12

Przed: 8 020 836 352 bytes free

Po: 8,007,090,176 bytes free

214 --- E O F --- 2008-11-12 06:33:21

Disinfect the pen drive or memory card

Flash Disinfector or Perlovga Removal Tool

or format it

paste into Notepad:

Save the file as CFScript.txt, preferably so that the file's icon sits next to the ComboFix.exe icon.

Drag and drop the CFScript.txt file onto the ComboFix.exe icon; the removal should start. After that, post the log on the forum.

Paste the log on www.wklejto.pl or http://www.wklej.org/ and put the link in your post.

Thanks, it looks like everything is fine.

Post the log from the removal; we want to see whether it is really clean now.

ComboFix 09-01-20.05 - Bruce 2009-01-21 8:34:16.7 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.1.1033.18.1024.719 [GMT 1:00]

Uruchomiony z: c:\documents and settings\Bruce\Desktop\combo\ComboFix.exe

Użyto następujących komend :: c:\documents and settings\Bruce\Desktop\combo\CFScript.txt

AV: PC Tools AntiVirus 5.0.1.1 *On-access scanning enabled* (Outdated)

FW: PC Tools Firewall Plus *enabled*

* Utworzono nowy punkt przywracania

FILE ::

C:\gy.exe

c:\windows\AhnRpta.exe

c:\windows\system32\afmain0.dll

c:\windows\system32\afmain1.dll

c:\windows\system32\afmain2.dll

c:\windows\system32\nmdfgds0.dll

c:\windows\system32\nmdfgds1.dll

c:\windows\system32\olhrwef.exe

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\gy.exe

c:\windows\AhnRpta.exe

c:\windows\system32\afmain0.dll

c:\windows\system32\afmain1.dll

c:\windows\system32\nmdfgds0.dll

c:\windows\system32\nmdfgds1.dll

c:\windows\system32\olhrwef.exe

.

((((((((((((((((((((((((( Pliki utworzone od 2008-12-21 do 2009-01-21 )))))))))))))))))))))))))))))))

.

2009-01-20 16:25 . 2009-01-20 19:21

2009-01-20 10:34 . 2009-01-20 10:34

2009-01-20 08:07 . 2009-01-20 14:06

2009-01-19 13:50 . 2009-01-19 13:50

2009-01-09 21:53 . 2009-01-09 21:53 43,520 --a------ c:\windows\system32\CmdLineExt03.dll

2009-01-09 14:22 . 2009-01-09 14:32

2009-01-08 08:55 . 2009-01-08 08:55

2009-01-08 08:51 . 2009-01-08 09:14

2009-01-05 12:03 . 2009-01-05 11:48 737,280 --a------ c:\windows\iun6002.exe

2009-01-05 12:03 . 2001-05-11 13:18 420,240 --a------ c:\windows\system32\mpg4c32.dll

2009-01-05 12:03 . 2001-05-16 17:54 309,616 --a------ c:\windows\system32\wmv8dmod.dll

2009-01-05 12:03 . 2001-03-26 04:41 245,760 --a------ c:\windows\system32\mp4sds32.ax

2009-01-05 11:48 . 2009-01-05 11:48

2009-01-04 12:59 . 2009-01-19 21:42 1,475 --a------ c:\windows\brydz3.ini

2009-01-04 12:59 . 2009-01-19 21:42 10 --a------ c:\windows\osoba3.cfg

2009-01-04 12:24 . 2009-01-04 12:42

2009-01-01 15:09 . 2009-01-01 15:09 122,880 --a------ c:\windows\lcmmfu.cpl

2009-01-01 15:09 . 2009-01-01 15:09 48,640 --a------ c:\windows\mmfs.dll

2009-01-01 15:09 . 2009-01-01 15:09 2,560 --a------ c:\windows\Runservice.exe

2009-01-01 15:09 . 2009-01-21 08:37 1,217 --ahs---- c:\windows\system32\mmf.sys

2009-01-01 13:02 . 2009-01-01 13:02

2009-01-01 13:02 . 2009-01-01 13:03

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-21 07:37 --------- d--a-w c:\documents and settings\All Users\Application Data\TEMP

2009-01-21 07:37 --------- d-----w c:\program files\PC Tools AntiVirus

2009-01-20 18:11 --------- d-----w c:\documents and settings\Bruce\Application Data\uTorrent

2009-01-19 22:13 --------- d-----w c:\documents and settings\Bruce\Application Data\foobar2000

2009-01-19 15:13 --------- d-----w c:\documents and settings\Bruce\Application Data\Skype

2009-01-19 15:04 --------- d-----w c:\documents and settings\Bruce\Application Data\skypePM

2009-01-13 22:10 --------- d-----w c:\documents and settings\Bruce\Application Data\Tlen.pl

2009-01-11 12:01 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-07 09:34 --------- d-----w c:\program files\Mozilla Sunbird

2009-01-04 15:48 --------- d-----w c:\program files\eMule

2009-01-04 14:31 184 ----a-w c:\program files\firebird.log

2008-12-14 13:49 --------- d-----w c:\program files\ScannerU

2008-12-14 13:30 --------- d-----w c:\documents and settings\All Users\Application Data\CanonIJPLM

2008-12-12 11:54 --------- d-----w c:\program files\Skype

2008-12-06 07:07 --------- d-----w c:\program files\proGame

2008-12-05 20:25 --------- d-----w c:\documents and settings\Bruce\Application Data\SpeedSim

2008-12-04 11:57 --------- d-----w c:\program files\Electronic Arts

2008-12-04 11:52 --------- d-----w c:\program files\Tlen.pl

2008-12-04 11:52 --------- d-----w c:\program files\KB Piano

2008-12-01 20:07 --------- d-----w c:\program files\eTeacher 4

2008-11-27 10:02 --------- d-----w c:\documents and settings\All Users\Application Data\Tlen.pl

2008-10-29 09:20 152,904 ----a-w c:\windows\system32\vghd.scr

2008-10-29 08:08 107,888 ----a-w c:\windows\system32\CmdLineExt.dll

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]

"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2009-01-20 1370000]

"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2008-08-05 2611096]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ac3filter"= ac3filter.acm

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Action Manager 32.lnk]

backup=c:\windows\pss\Action Manager 32.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2008-04-14 01:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

--a------ 2008-03-20 11:04 2127296 c:\program files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]

--a------ 2001-11-29 00:00 28672 c:\program files\Creative\SBLive\Program\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2008-09-17 08:55 13574144 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2008-09-17 08:55 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

-ra------ 2005-10-26 15:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

--------- 2000-05-11 00:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2008-09-17 08:55 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]

--a------ 2002-07-02 10:56 24576 c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"helpsvc"=2 (0x2)

"ERSvc"=2 (0x2)

"wuauserv"=2 (0x2)

"WebClient"=2 (0x2)

"Themes"=2 (0x2)

"seclogon"=2 (0x2)

"PolicyAgent"=2 (0x2)

"FastUserSwitchingCompatibility"=3 (0x3)

"ALG"=3 (0x3)

"aawservice"=2 (0x2)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

"c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=

"c:\Program Files\uTorrent\uTorrent.exe"=

"c:\Program Files\Skype\Phone\Skype.exe"=

R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2008-09-30 160792]

R3 FWAuth;FWAuth Driver;c:\windows\system32\drivers\FWAuthdriver.sys [2008-09-30 58136]

R4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2009-01-01 2560]

S4 BulkUsb;Plustek USB Scanner;c:\windows\system32\drivers\usbscan.sys [2008-11-22 15104]

.

Zawartość folderu 'Zaplanowane zadania'

2009-01-21 c:\windows\Tasks\GlaryInitialize.job

  • c:\program files\Glary Utilities\initialize.exe [2008-10-29 17:58]

.

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://www.google.pl/

IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: {{B46B0919-62BA-4D99-A5C4-916B57A6805C} - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - c:\program files\Techland\Common\InternetTranslator\InternetTranslator.dll

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

FF - ProfilePath - c:\documents and settings\Bruce\Application Data\Mozilla\Firefox\Profiles\hrib6oat.default\

FF - prefs.js: browser.startup.homepage - hxxp://google.pl/

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Picasa2\npPicasa2.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-21 08:37:27

Windows 5.1.2600 Service Pack 3 NTFS

skanowanie ukrytych procesów …

skanowanie ukrytych wpisów autostartu …

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h???s???w? ?w???w???w4???.??w4???4???TA?s4???&8??? ??? ???5?B~e?B~???h0??????C@?\???\??????s????\??????s\????&8?A??s?&8??C@?x???|?w???@

skanowanie ukrytych plików …

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

.

--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]


[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\0685B4039E83FFC215FE6F791AF60AF7]


.

------------------------ Pozostałe uruchomione procesy ------------------------

.

c:\program files\Canon\IJPLM\ijplmsvc.exe

c:\windows\system32\nvsvc32.exe

c:\program files\PC Tools AntiVirus\PCTAVSvc.exe

c:\program files\PC Tools Firewall Plus\FWService.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Czas ukończenia: 2009-01-21 8:39:15 - komputer został uruchomiony ponownie

ComboFix-quarantined-files.txt 2009-01-21 07:39:12

ComboFix2.txt 2009-01-20 18:43:13

ComboFix3.txt 2009-01-20 18:20:18

ComboFix4.txt 2008-11-19 19:44:16

ComboFix5.txt 2009-01-21 07:33:34

Przed: 7 986 135 040 bytes free

Po: 7,971,753,984 bytes free

222 --- E O F --- 2008-11-12 06:33:21

The log looks clean.

Manually delete the C:\Qoobox folder and the ComboFix installer from the disk.

Clean the system and the registry with CCleaner.

Optimize the Autostart entries.

Disable and re-enable System Restore on all drives. Instructions

Scan the My Computer area with Kaspersky Online Scanner and post the report on the forum,

or use Dr.WEB CureIt!