Pray
(Scored09)
18 July 2007 22:27
#1
Please help me. Files keep getting saved in temp with names in a format like mx_something … and it goes on all the time: whenever I refresh a page or go to another one, new files are created, they are filling up my C: drive and the network is slow in general. Please respond quickly.
Logfile of HijackThis v1.99.1 Scan saved at 00:02:11, on 2007-07-19 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Avast\aswUpdSv.exe C:\Avast\ashServ.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\Avast\ashWebSv.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wscntfy.exe C:\Avast\ashDisp.exe C:\Program Files\Creative\ShareDLL\CtNotify.exe C:\Program Files\Creative\ShareDLL\MediaDet.Exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\TGTSoft\StyleXP\StyleXP.exe C:\Documents and Settings\Memphis\Pulpit\Windows comander.EXE C:\WINDOWS\explorer.exe C:\Documents and Settings\Memphis\Pulpit\Bezp\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def … .yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def … .yahoo.com R1 - 
HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def … .yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM…\Run: [avast!] C:\Avast\ashDisp.exe O4 - HKLM…\Run: [Odkurzacz-MCD] C:\Downloads\Odkurzacz 10.1 Pro\odk_mcd.exe O4 - HKLM…\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe O4 - HKLM…\Run: [updReg] C:\WINDOWS\Updreg.exe O4 - HKLM…\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run O4 - HKLM…\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [irXfer] IrXfer.exe /Q O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [AtiPTA] atiptaxx.exe O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKCU…\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe O4 - HKCU…\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe O4 - HKCU…\Run: [AtiTrayTools] “C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe” O4 - HKCU…\Run: [spySweeper] “C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe” /0 O4 - HKCU…\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - Startup: Registration Driver Parallel Lines.LNK = G:\Games\Driver\Register\RegistrationReminder.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma 
Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Download with GetRight - C:\Net Programs\GetRight\GRdownload.htm O8 - Extra context menu item: Open with GetRight Browser - C:\Net Programs\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O17 - HKLM\System\CCS\Services\Tcpip…{E582AC7C-D1A2-46B6-94D0-EB03A9B25D05}: NameServer = 194.204.159.1,194.204.152.34 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Avast\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Avast\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Avast\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Avast\ashWebSv.exe" /service (file missing) O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. 
- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
SmitFraudFix v2.188 Scan done at 23:25:38,54, 2007-07-18 Run from C:\Documents and Settings\Memphis\Pulpit\Bezp\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» hosts 127.0.0.1 localhost »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» DNS Description: WAN (PPP/SLIP) Interface DNS Server Search Order: 194.204.159.1 DNS Server Search Order: 194.204.152.34 Description: WAN (PPP/SLIP) Interface DNS Server Search Order: 194.204.159.1 DNS Server Search Order: 217.98.63.164 HKLM\SYSTEM\CCS\Services\Tcpip…{6848A48D-6781-4319-8479-A17F3AA0E18E}: NameServer=194.204.159.1 217.98.63.164 HKLM\SYSTEM\CCS\Services\Tcpip…{E582AC7C-D1A2-46B6-94D0-EB03A9B25D05}: NameServer=194.204.159.1,194.204.152.34 HKLM\SYSTEM\CS1\Services\Tcpip…{E582AC7C-D1A2-46B6-94D0-EB03A9B25D05}: NameServer=194.204.159.1,194.204.152.34 HKLM\SYSTEM\CS2\Services\Tcpip…{6848A48D-6781-4319-8479-A17F3AA0E18E}: NameServer=194.204.159.1 217.98.63.164 HKLM\SYSTEM\CS2\Services\Tcpip…{E582AC7C-D1A2-46B6-94D0-EB03A9B25D05}: NameServer=194.204.159.1,194.204.152.34 HKLM\SYSTEM\CS3\Services\Tcpip…{E582AC7C-D1A2-46B6-94D0-EB03A9B25D05}: NameServer=194.204.159.1,194.204.152.34 »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !Attention, following keys are not inevitably infected! 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] “System”="" »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Fixwareout Last edited 4/5/2007 Post this report in the forums please … »»»»»Prerun check »»»»» System restarted »»»»» Postrun check HKLM\SOFTWARE~\Winlogon\ “System”="" … … »»»»» Misc files. … »»»»» Checking for older varients. … Search five digit cs, dm, kd, jb, other, files. The following files NEED TO BE SUBMITTED to one of the following URL’S for further inspection. Click browse, find the file then click submit. http://www.virustotal.com/flash/index_en.html Or http://virusscan.jotti.org/ »»»»» Other »»»»» Current runs [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” “SunJavaUpdateSched”=“C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe” “avast!”=“C:\Avast\ashDisp.exe” “Odkurzacz-MCD”=“C:\Downloads\Odkurzacz 10.1 Pro\odk_mcd.exe” “Disc Detector”=“C:\Program Files\Creative\ShareDLL\CtNotify.exe” “UpdReg”=“C:\WINDOWS\Updreg.exe” “CTStartup”=“C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run” “Jet Detection”=“C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe” “QuickTime Task”="“C:\Program Files\QuickTime\qttask.exe” -atboottime" “IrXfer”=“IrXfer.exe /Q” “SpeedTouch USB Diagnostics”="“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon" “AtiPTA”=“atiptaxx.exe” “RemoteControl”="“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “TaskTray”=“C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe” “Taskbar”=“C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe” “AtiTrayTools”="“C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe”" “SpySweeper”="“C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe” /0" “STYLEXP”=“C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide” … Hosts file was reset, If you use a custom hosts file please replace it »»»»» End report »»»»» Złączono Posta: 
19.07.2007 (Czw) 0:31 Silent Runners : “Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “TaskTray” = “C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe” [“Creative Technology Ltd.”] “Taskbar” = “C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe” [“Creative Technology Ltd”] “AtiTrayTools” = ““C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe”” [file not found] “SpySweeper” = ““C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe” /0” [“Webroot Software, Inc.”] “STYLEXP” = “C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide” [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “SunJavaUpdateSched” = “C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe” [file not found] “avast!” = “C:\Avast\ashDisp.exe” [null data] “Odkurzacz-MCD” = “C:\Downloads\Odkurzacz 10.1 Pro\odk_mcd.exe” [“FranmoSoft”] “Disc Detector” = “C:\Program Files\Creative\ShareDLL\CtNotify.exe” [“Creative Technology Ltd.”] “UpdReg” = “C:\WINDOWS\Updreg.exe” [“Creative Technology Ltd.”] “CTStartup” = “C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run” [“Creative Technology Ltd.”] “Jet Detection” = “C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe” [empty string] “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [file not found] “IrXfer” = “IrXfer.exe /Q” [null data] “SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”] “AtiPTA” = “atiptaxx.exe” [“ATI Technologies, Inc.”] “RemoteControl” = ““C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”] HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\CTStartup\ {++} “CTStartup” = 
““C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE” EAX.AVI” [“Creative Technology Ltd.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) - {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” - {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” - {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” - {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{7C9D5882-CB4A-4090-96C8-430BFE8B795B}” = “Webroot Spy Sweeper Context Menu Integration” - {HKLM…CLSID} = “Webroot Spy Sweeper Context Menu Integration” \InProcServer32(Default) = “C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll” [“Webroot Software, Inc.”] “{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}” = “Notepad++ Shell Extension” - {HKLM…CLSID} = “Notepad++ Shell Extension” \InProcServer32(Default) = “C:\Net Programs\Notepad++\nppshellext.dll” [“Notepad++ team”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable 
Media Devices Menu” - {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Avast\ashShell.dll” [“ALWIL Software”] “{EBDF1F20-C829-11D1-8233-0020AF3E97A6}” = “ATS Context Menu Shell Extension” - {HKLM…CLSID} = “ATS Context Menu Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\ATS\contmenu.dll” [null data] “{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}” = “TrojanHunter Menu Shell Extension” - {HKLM…CLSID} = “TrojanHunter Menu Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1.5\contmenu.dll” [null data] “{52B87208-9CCF-42C9-B88E-069281105805}” = “Trojan Remover Shell Extension” - {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [file not found] “{B8323370-FF27-11D2-97B6-204C4F4F5020}” = “SmartFTP Shell Extension DLL” - {HKLM…CLSID} = “SmartFTP Shell Extension DLL” \InProcServer32(Default) = “C:\Program Files\SmartFTP Client 2.0\smarthook.dll” [“SmartFTP”] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” - {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll” [“Alcohol Soft Development Team”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “AVG Anti-Spyware 7.5” - {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” [“GRISOFT s.r.o.”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Avast\ashShell.dll” [“ALWIL Software”] AVG Anti-Spyware(Default) = 
“{8934FCEF-F5B8-468f-951F-78A921CD3920}” - {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“GRISOFT s.r.o.”] ContMenu(Default) = “{EBDF1F20-C829-11D1-8233-0020AF3E97A6}” - {HKLM…CLSID} = “ATS Context Menu Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\ATS\contmenu.dll” [null data] NppShellExt(Default) = “{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}” - {HKLM…CLSID} = “Notepad++ Shell Extension” \InProcServer32(Default) = “C:\Net Programs\Notepad++\nppshellext.dll” [“Notepad++ team”] Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}” - {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [file not found] TrojanHunter(Default) = “{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}” - {HKLM…CLSID} = “TrojanHunter Menu Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1.5\contmenu.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” - {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“GRISOFT s.r.o.”] ContMenu(Default) = “{EBDF1F20-C829-11D1-8233-0020AF3E97A6}” - {HKLM…CLSID} = “ATS Context Menu Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\ATS\contmenu.dll” [null data] NppShellExt(Default) = “{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}” - {HKLM…CLSID} = “Notepad++ Shell Extension” \InProcServer32(Default) = “C:\Net Programs\Notepad++\nppshellext.dll” [“Notepad++ team”] TrojanHunter(Default) = “{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}” - {HKLM…CLSID} = “TrojanHunter Menu Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1.5\contmenu.dll” [null data] WinRAR(Default) = 
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Avast\ashShell.dll” [“ALWIL Software”] ContMenu(Default) = “{EBDF1F20-C829-11D1-8233-0020AF3E97A6}” - {HKLM…CLSID} = “ATS Context Menu Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\ATS\contmenu.dll” [null data] SpySweeper(Default) = “{7C9D5882-CB4A-4090-96C8-430BFE8B795B}” - {HKLM…CLSID} = “Webroot Spy Sweeper Context Menu Integration” \InProcServer32(Default) = “C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll” [“Webroot Software, Inc.”] Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}” - {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [file not found] TrojanHunter(Default) = “{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}” - {HKLM…CLSID} = “TrojanHunter Menu Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1.5\contmenu.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Memphis\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp” Startup items in “Memphis” “All Users” startup folders: --------------------------------------------------------- C:\Documents and Settings\Memphis\Menu Start\Programy\Autostart “Registration Driver Parallel Lines” - shortcut to: “G:\Games\Driver\Register\RegistrationReminder.exe -d 803093 -l english -r 7 -g Driver Parallel Lines -c us -i 3231” [file not found] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Gamma Loader.exe” - shortcut to: “C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”] “Microsoft Office” - shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = 
“%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\Program Files\NetLimiter\nl_lsp.dll [null data], 01 - 05, 11 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 25 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}” {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to “Reset Web Settings”) Added lines (compared with English-language version): [strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=iepver=6ar=msnhome Missing lines (compared with English-language version): [strings]: 1 line Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] avast! Antivirus, avast! Antivirus, ““C:\Avast\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““C:\Avast\aswUpdSv.exe”” [null data] avast! Web Scanner, avast! 
Web Scanner, ““C:\Avast\ashWebSv.exe” /service” [“ALWIL Software”] AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe” [“GRISOFT s.r.o.”] Creative Service for CDROM Access, Creative Service for CDROM Access, “C:\WINDOWS\system32\CTsvcCDA.EXE” [“Creative Technology Ltd”] PnkBstrA, PnkBstrA, “C:\WINDOWS\system32\PnkBstrA.exe” [null data] StarWind iSCSI Service, StarWindService, “C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe” [“Rocket Division Software”] StyleXPService, StyleXPService, ““C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe”” [empty string] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] WMDM PMSP Service, WMDM PMSP Service, “C:\WINDOWS\system32\MsPMSPSv.exe” [MS] ---------- : Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 133 seconds. ---------- (total run time: 229 seconds)
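As an added example (not posted in this thread and not part of HijackThis itself), a small Python triage helper for the HijackThis log format shown above. It parses the O2 (BHO), O4 (Run key) and O23 (service) lines and flags the things a helper normally looks at first: services whose binary is reported `(file missing)` or has no publisher, autostart entries that reference a bare executable name instead of a full path, and BHOs without a name. The sample log is constructed from the shape of the one posted; note that the real format writes the Run key as `HKLM\..\Run`, which the page extraction collapsed to `HKLM…\Run`.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis log posted above
# (a handful of entries, same sections, real-format "\..\" in the O4 lines).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\Avast\ashDisp.exe
O4 - HKLM\..\Run: [IrXfer] IrXfer.exe /Q
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# O23 - Service: Display Name (ShortName) - Owner - path   (short name is optional)
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
# O2 - BHO: Name - {CLSID} - path
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

# A command line whose program is pinned to an absolute drive path, e.g. "C:\..." or C:\...
PINNED_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


@dataclass(frozen=True)
class Finding:
    section: str   # "O2", "O4" or "O23"
    name: str      # entry name, service display name or BHO CLSID
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that deserves a second look.

    Heuristics (one finding per line at most):
      O4  - command is a bare file name, so the binary is resolved through the
            search path and its real location is not pinned by the registry value
      O23 - service binary reported "(file missing)", else no publisher recorded
      O2  - Browser Helper Object registered without a display name
    """
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            cmd = m["cmd"].strip()
            if not PINNED_PATH_RE.match(cmd):
                findings.append(Finding(
                    "O4", m["name"],
                    f"bare executable name '{cmd}' in {m['hive']}\\..\\{m['key']}; "
                    "location not pinned, check which file actually runs"))
        elif m := O23_RE.match(line):
            if "(file missing)" in m["path"]:
                findings.append(Finding("O23", m["display"], "service binary reported missing"))
            elif m["owner"] == "Unknown owner":
                findings.append(Finding("O23", m["display"],
                                        "no publisher recorded for service binary"))
        elif m := O2_RE.match(line):
            if m["name"] == "(no name)":
                findings.append(Finding("O2", m["clsid"], "BHO registered without a display name"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<28}{f.reason}")
```

Entries the helper flags are starting points for checking the file on disk (publisher, location, scan result), not verdicts; the avast and PnkBstr entries in the thread above are legitimate software that this heuristic still surfaces.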
Gutek
(Gutek)
18 July 2007 22:36
#2
Pray
(Scored09)
18 July 2007 22:39
#3
So the logs are clean?
Merged post: 19.07.2007 (Thu) 0:40
I don't know, it's strange: a moment ago everything stopped being saved, ever since I made the log with Silent Runners.
Merged post: 19.07.2007 (Thu) 0:41
But I looked, and it is still downloading it, only it started saving somewhere else.
Gutek
(Gutek)
18 July 2007 22:51
#4
To be sure, post a ComboFix log.
Pray
(Scored09)
18 July 2007 23:04
#5
Okay, here it is:
“Memphis” - 2007-07-19 0:55:39 Dodatek Service Pack 2 ComboFix 07-05.26.3.V - Running from: “C:\Documents and Settings\Memphis\Pulpit\Bezp” ((((((((((((((((((((((((((((((( Files Created from 2007-06-19 to 2007-07-19 )))))))))))))))))))))))))))))))))) 2007-07-09 19:04 2007-07-08 10:32 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll 2007-07-08 10:32 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll 2007-07-08 10:32 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll 2007-07-08 10:32 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll 2007-07-08 10:32 2007-07-06 13:10 2007-07-02 11:21 2007-07-02 04:28 2007-07-02 03:51 2007-07-02 03:51 2007-07-01 22:22 2007-07-01 18:24 2007-06-30 20:49 2007-06-30 20:48 2007-06-30 20:48 2007-06-30 20:44 2007-06-30 20:44 2007-06-30 20:34 2007-06-27 10:47 2007-06-27 10:47 2007-06-27 10:47 2007-06-25 10:15 2007-06-25 10:14 11,776 --a------ C:\WINDOWS\INRES.DLL 2007-06-25 10:14 10,240 --a------ C:\WINDOWS\CTDCRES.DLL 2007-06-21 10:45 2007-06-21 10:44 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll 2007-06-21 10:44 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll 2007-06-21 10:43 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll 2007-06-21 10:43 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll 2007-06-21 10:43 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll 2007-06-21 10:43 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll 2007-06-21 10:43 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll 2007-06-21 10:43 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll 2007-06-20 18:06 2007-06-20 17:58 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-18 21:25:56 2,710 ----a-w C:\WINDOWS\system32\tmp.reg 2007-07-15 18:56:16 -------- d-----w C:\Program Files\eMule 2007-07-15 09:23:00 -------- d-----w C:\DOCUME~1\Memphis\DANEAP~1\Azureus 2007-07-09 16:58:40 -------- d–h--w C:\Program Files\InstallShield Installation Information 2007-07-08 20:08:26 
-------- d-----w C:\Program Files\GRETECH 2007-07-06 20:03:35 61,114 ----a-w C:\WINDOWS\system32\xpdx.sys 2007-07-01 16:24:38 -------- d-----w C:\DOCUME~1\Memphis\DANEAP~1\Real 2007-06-30 12:21:51 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe 2007-06-28 15:35:28 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys 2007-06-27 08:42:53 -------- d-----w C:\Program Files\Common Files\Real 2007-06-26 16:07:39 -------- d-----w C:\Program Files\TrustSoft AntiSpyware 2007-06-23 16:03:31 -------- d-----w C:\Program Files\Winamp 2007-06-22 21:50:38 -------- d-----w C:\DOCUME~1\Memphis\DANEAP~1\Xfire 2007-06-22 19:54:33 -------- d-----w C:\Program Files\GameSpy Arcade 2007-06-22 16:12:48 -------- d-----w C:\DOCUME~1\Memphis\DANEAP~1\teamspeak2 2007-06-21 08:45:51 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2007-06-18 14:50:13 -------- d-----w C:\Program Files\MarBit 2007-06-18 14:49:48 -------- d-----w C:\Program Files\SubEdit-Player 2007-06-11 21:35:02 -------- d-----w C:\DOCUME~1\Memphis\DANEAP~1\Gzegzolka XP 2007-06-11 21:35:00 -------- d-----w C:\Program Files\Gżegżółka XP 2007-06-10 19:22:37 505,344 ----a-w C:\WINDOWS\system32\winlogon.exe 2007-06-08 14:18:11 63,040 ----a-w C:\WINDOWS\system32\PnkBstrA.exe 2007-05-30 14:08:20 -------- d-----w C:\Program Files\TextReader 2007-05-26 10:08:27 -------- d-----w C:\Program Files\HoverIP 2007-05-26 09:55:10 106 ----a-w C:\delete.bat 2007-04-28 17:25:30 451,072 ----a-w C:\WINDOWS\Radeon Omega Drivers v3.8.330 Uninstall.exe 2007-04-22 21:13:32 107,132 ----a-w C:\WINDOWS\UninstallFirefox.exe 2007-04-22 21:13:07 6,789 ----a-w C:\WINDOWS\mozver.dat 2007-04-19 16:27:23 1,040,384 ----a-w C:\WINDOWS\system32\libeay32.dll 2007-04-19 16:27:06 196,608 ----a-w C:\WINDOWS\system32\ssleay32.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2004-05-12 01:03]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" []
"avast!"="C:\Avast\ashDisp.exe" [2007-01-15 19:28]
"Odkurzacz-MCD"="C:\Downloads\Odkurzacz 10.1 Pro\odk_mcd.exe" [2005-12-28 11:09]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-04-02 02:00]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 01:00]
"CTStartup"="C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.exe" [2001-06-04 01:00]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-04-20 14:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"IrXfer"="IrXfer.exe" []
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 12:38]
"AtiPTA"="atiptaxx.exe" [2006-02-22 02:05 C:\WINDOWS\system32\atiptaxx.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskTray"="C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe" [2001-06-29 01:00]
"Taskbar"="C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe" [2001-07-26 01:00]
"AtiTrayTools"="C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-07-20 13:48]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2005-03-14 21:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-07-09 21:11]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

********************************************************************
catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-19 01:01:21
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe
CTStartup = C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
scanning hidden files ...
********************************************************************

Completion time: 2007-07-19 1:03:03
C:\ComboFix2.txt ... 2007-07-18 23:55
--- E O F ---
I don't know what happened, but those files have stopped being written to temp and no more disk space is disappearing, even though I didn't do anything to remove it, I just combed through it with the programs whose logs I posted ...
Pray
(Scored09)
18 July 2007 23:12
#7
And it has started again, files like these are being created, here is an example:
Post merged: 19.07.2007 (Thu) 1:14
and a few minutes later:
Jesus Mary, help ...
Gutek
(Gutek)
18 July 2007 23:20
#8
Pray
(Scored09)
19 July 2007 05:04
#9
I used that tool, but the files are still being created in temp; I delete them and they appear again.
jessica
(jessica)
19 July 2007 07:00
#10
You have a rootkit.
ComboFix should have removed it automatically - I don't know why it didn't.
Or maybe you have an older version of ComboFix?
Removal:
>>Start >>> Run >>> select (or type) cmd >> apply these three commands (press "ENTER" after each):
I don't know whether it's the rootkit that creates those files, but in my opinion it isn't its doing.
The problem is that I don't see anything else suspicious.
If those files are being created in the TEMP folder, delete that whole folder manually.
After a restart the folder will recreate itself, but then it should be empty.
That addressless key in the registry worries me a bit - it's an open door for...?
Good luck.
Then post a log from ComboFix.
Pray
(Scored09)
19 July 2007 07:13
#11
First, the command:
After typing it:
It says that it cannot find the file del ...
Make sure that the specified (...)
Next: I can't delete the temp folder. Files that belong to avast are being created in temp, in the avast folder, and I can't delete them or the program would stop working. Besides that, I've always had a Prefreb.data file in the registry ... and others; the others could be deleted, but the one that remained couldn't, so I won't delete the temp folder because I simply can't ...
As for the log, here it is, but I don't know whether it will help at all ... these files start appearing ONLY WHEN I CONNECT TO THE INTERNET; normally they are not in the temp folder ...
Post merged: 19.07.2007 (Thu) 9:24
"Memphis" - 2007-07-19 9:15:13 Dodatek Service Pack 2
ComboFix 07-05.26.3.V - Running from: "C:\Documents and Settings\Memphis\Pulpit\Bezp"

((((((((((((((((((((((((((((((( Files Created from 2007-06-19 to 2007-07-19 ))))))))))))))))))))))))))))))))))

2007-07-19 07:26
2007-07-19 07:25
2007-07-19 07:25
2007-07-09 19:04
2007-07-08 10:32 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-07-08 10:32 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-07-08 10:32 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-07-08 10:32 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-07-08 10:32
2007-07-06 13:10
2007-07-02 11:21
2007-07-02 04:28
2007-07-02 03:51
2007-07-02 03:51
2007-07-01 22:22
2007-07-01 18:24
2007-06-30 20:49
2007-06-30 20:48
2007-06-30 20:48
2007-06-30 20:44
2007-06-30 20:44
2007-06-30 20:34
2007-06-27 10:47
2007-06-27 10:47
2007-06-27 10:47
2007-06-25 10:15
2007-06-25 10:14 11,776 --a------ C:\WINDOWS\INRES.DLL
2007-06-25 10:14 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
2007-06-21 10:45
2007-06-21 10:44 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-06-21 10:44 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-06-21 10:43 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-06-21 10:43 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-06-21 10:43 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-06-21 10:43 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-06-21 10:43 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-06-21 10:43 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-06-20 18:06
2007-06-20 17:58

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-19 05:25:18 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-07-18 23:18:23 -------- d-----w C:\Program Files\QuickTime
2007-07-18 23:18:23 -------- d-----w C:\Program Files\eMule
2007-07-18 23:18:23 -------- d-----w C:\Program Files\Codec Pack - All In 1
2007-07-18 23:18:22 -------- d-----w C:\DOCUME~1\Memphis\DANEAP~1\Azureus
2007-07-18 21:25:56 2,710 ----a-w C:\WINDOWS\system32\tmp.reg
2007-07-09 16:58:40 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-08 20:08:26 -------- d-----w C:\Program Files\GRETECH
2007-07-06 20:03:35 61,114 ----a-w C:\WINDOWS\system32\xpdx.sys
2007-07-01 16:24:38 -------- d-----w C:\DOCUME~1\Memphis\DANEAP~1\Real
2007-06-30 12:21:51 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-06-28 15:35:28 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-06-27 08:42:53 -------- d-----w C:\Program Files\Common Files\Real
2007-06-26 16:07:39 -------- d-----w C:\Program Files\TrustSoft AntiSpyware
2007-06-23 16:03:31 -------- d-----w C:\Program Files\Winamp
2007-06-22 21:50:38 -------- d-----w C:\DOCUME~1\Memphis\DANEAP~1\Xfire
2007-06-22 19:54:33 -------- d-----w C:\Program Files\GameSpy Arcade
2007-06-22 16:12:48 -------- d-----w C:\DOCUME~1\Memphis\DANEAP~1\teamspeak2
2007-06-21 08:45:51 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-06-18 14:50:13 -------- d-----w C:\Program Files\MarBit
2007-06-18 14:49:48 -------- d-----w C:\Program Files\SubEdit-Player
2007-06-11 21:35:02 -------- d-----w C:\DOCUME~1\Memphis\DANEAP~1\Gzegzolka XP
2007-06-11 21:35:00 -------- d-----w C:\Program Files\Gżegżółka XP
2007-06-10 19:22:37 505,344 ----a-w C:\WINDOWS\system32\winlogon.exe
2007-06-08 14:18:11 63,040 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-05-30 14:08:20 -------- d-----w C:\Program Files\TextReader
2007-05-26 10:08:27 -------- d-----w C:\Program Files\HoverIP
2007-05-26 09:55:10 106 ----a-w C:\delete.bat
2007-04-28 17:25:30 451,072 ----a-w C:\WINDOWS\Radeon Omega Drivers v3.8.330 Uninstall.exe
2007-04-22 21:13:32 107,132 ----a-w C:\WINDOWS\UninstallFirefox.exe
2007-04-22 21:13:07 6,789 ----a-w C:\WINDOWS\mozver.dat
2007-04-19 16:27:23 1,040,384 ----a-w C:\WINDOWS\system32\libeay32.dll
2007-04-19 16:27:06 196,608 ----a-w C:\WINDOWS\system32\ssleay32.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2004-05-12 01:03]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" []
"avast!"="C:\Avast\ashDisp.exe" [2007-01-15 19:28]
"Odkurzacz-MCD"="C:\Downloads\Odkurzacz 10.1 Pro\odk_mcd.exe" [2005-12-28 11:09]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-04-02 02:00]
"CTStartup"="C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.exe" [2001-06-04 01:00]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-04-20 14:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"IrXfer"="IrXfer.exe" []
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 12:38]
"AtiPTA"="atiptaxx.exe" [2006-02-22 02:05 C:\WINDOWS\system32\atiptaxx.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskTray"="C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe" [2001-06-29 01:00]
"Taskbar"="C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe" [2001-07-26 01:00]
"AtiTrayTools"="C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-07-20 13:48]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2005-03-14 21:21]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-07-09 21:11]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

********************************************************************
catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-19 09:21:23
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe
CTStartup = C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
scanning hidden files ...
********************************************************************

Completion time: 2007-07-19 9:23:24
C:\ComboFix2.txt ... 2007-07-19 01:03
C:\ComboFix3.txt ... 2007-07-18 23:55
--- E O F ---
And as for that file you gave me:
What should I do to fix this, and what is causing it?
jessica
(jessica)
19 July 2007 07:28
#12
Well then - if after typing the commands it cannot find the file, that means your ComboFix is lying, because it sees a rootkit that isn't there!
In that case throw that ComboFix out on its ear, because what use is a ComboFix that lies, right?
Then, if you like, you can install the new version of ComboFix.
Reinstall avast too, so that between uninstalling it and installing it again you delete that TEMP folder.
Pray
(Scored09)
19 July 2007 07:54
#13
I haven't reinstalled avast yet, I'll do that later; here is the log from the new ComboFix you gave me:
"Memphis" - 2007-07-19 9:38:56 - ComboFix 07-07-17.8 - Dodatek Service Pack 2 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\xpdx.sys

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\xpdx

((((((((((((((((((((((((( Files Created from 2007-06-19 to 2007-07-19 )))))))))))))))))))))))))))))))

2007-07-19 09:36
2007-07-19 07:26
2007-07-19 07:25
2007-07-19 07:25
2007-07-09 19:04
2007-07-08 10:32 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-07-08 10:32 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-07-08 10:32 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-07-08 10:32 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-07-08 10:32
2007-07-02 11:21
2007-07-02 04:28
2007-07-02 03:51
2007-07-02 03:51
2007-07-01 22:22
2007-07-01 18:24
2007-06-30 20:49
2007-06-30 20:48
2007-06-30 20:44
2007-06-30 20:34
2007-06-27 10:47
2007-06-27 10:47
2007-06-27 10:47
2007-06-25 10:15
2007-06-25 10:14 11,776 --a------ C:\WINDOWS\INRES.DLL
2007-06-25 10:14 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
2007-06-21 10:45
2007-06-21 10:44 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-06-21 10:44 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-06-21 10:43 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-06-21 10:43 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-06-21 10:43 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-06-21 10:43 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-06-21 10:43 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-06-21 10:43 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-06-20 18:06
2007-06-20 17:58

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-19 05:25:18 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-07-18 23:18:23 -------- d-----w C:\Program Files\QuickTime
2007-07-18 23:18:23 -------- d-----w C:\Program Files\eMule
2007-07-18 23:18:23 -------- d-----w C:\Program Files\Codec Pack - All In 1
2007-07-18 23:18:22 -------- d-----w C:\DOCUME~1\Memphis\DANEAP~1\Azureus
2007-07-18 21:25:56 2,710 ----a-w C:\WINDOWS\system32\tmp.reg
2007-07-09 16:58:40 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-08 20:08:26 -------- d-----w C:\Program Files\GRETECH
2007-07-02 10:11:44 76 ---ha-w C:\Program Files\Desktop.ini
2007-07-01 16:24:38 -------- d-----w C:\DOCUME~1\Memphis\DANEAP~1\Real
2007-06-30 12:21:51 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-06-28 15:35:28 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-06-27 08:42:53 -------- d-----w C:\Program Files\Common Files\Real
2007-06-26 16:07:39 -------- d-----w C:\Program Files\TrustSoft AntiSpyware
2007-06-23 16:03:31 -------- d-----w C:\Program Files\Winamp
2007-06-22 21:50:38 -------- d-----w C:\DOCUME~1\Memphis\DANEAP~1\Xfire
2007-06-22 19:54:33 -------- d-----w C:\Program Files\GameSpy Arcade
2007-06-22 16:12:48 -------- d-----w C:\DOCUME~1\Memphis\DANEAP~1\teamspeak2
2007-06-21 08:45:51 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-06-18 14:50:13 -------- d-----w C:\Program Files\MarBit
2007-06-18 14:49:48 -------- d-----w C:\Program Files\SubEdit-Player
2007-06-16 22:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
2007-06-11 21:35:02 -------- d-----w C:\DOCUME~1\Memphis\DANEAP~1\Gzegzolka XP
2007-06-11 21:35:00 -------- d-----w C:\Program Files\Gżegżółka XP
2007-06-10 19:22:37 505,344 ----a-w C:\WINDOWS\system32\winlogon.exe
2007-06-08 14:18:11 63,040 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-05-30 14:08:20 -------- d-----w C:\Program Files\TextReader
2007-05-26 10:08:27 -------- d-----w C:\Program Files\HoverIP
2007-05-26 09:55:10 106 ----a-w C:\delete.bat
2007-04-28 17:25:30 451,072 ----a-w C:\WINDOWS\Radeon Omega Drivers v3.8.330 Uninstall.exe
2007-04-22 21:13:32 107,132 ----a-w C:\WINDOWS\UninstallFirefox.exe
2007-04-22 21:13:07 6,789 ----a-w C:\WINDOWS\mozver.dat
2007-04-19 16:27:23 1,040,384 ----a-w C:\WINDOWS\system32\libeay32.dll
2007-04-19 16:27:06 196,608 ----a-w C:\WINDOWS\system32\ssleay32.dll
2006-11-10 16:23:05 2,584 ----a-w C:\DOCUME~1\Memphis\DANEAP~1\AbsoluteFTP.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-04 00:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{53707962-6F74-2D53-2644-206D7942484F}]
2004-05-12 01:03 744960 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" []
"avast!"="C:\Avast\ashDisp.exe" [2007-01-15 19:28]
"Odkurzacz-MCD"="C:\Downloads\Odkurzacz 10.1 Pro\odk_mcd.exe" [2005-12-28 11:09]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-04-02 02:00]
"CTStartup"="C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.exe" [2001-06-04 01:00]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-04-20 14:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"IrXfer"="IrXfer.exe" [1996-11-01 00:59 C:\WINDOWS\IrXfer.exe]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 12:38]
"AtiPTA"="atiptaxx.exe" [2006-02-22 02:05 C:\WINDOWS\system32\atiptaxx.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskTray"="C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe" [2001-06-29 01:00]
"Taskbar"="C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe" [2001-07-26 01:00]
"AtiTrayTools"="C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-07-20 13:48]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2005-03-14 21:21]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\ALLUSE~1\MENUST~1\Programy\AUTOST~1
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-04-09 21:03:10]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 08:15:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-07-09 21:11]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
--a------ 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

**************************************************************************
catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-19 09:48:31
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden registry entries ...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,ba,01,00,00,01,00,00,00,03,00,00,00,44,...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************

Completion time: 2007-07-19 9:52:09 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-19 09:51
C:\ComboFix2.txt ... 2007-07-19 09:23
C:\ComboFix3.txt ... 2007-07-19 01:03
--- E O F ---
I don't know, oddly enough something has started working; files are no longer being created in temp, but I'm not optimistic, because it was like this before too and then it started again, or there was quiet for a while and then it came back. For now it's fine => the internet runs much faster ...
Post merged: 19.07.2007 (Thu) 13:38
Well, honestly, it's excellent now, but if it was a rootkit it could start all over again, because it could still be there, although I don't see it among the system processes; if I have a similar problem I'll write here again ...
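The helpers in this thread read the ComboFix logs for two things: driver files created recently (xpdx.sys, which the later ComboFix run lists under "Other Deletions", sits directly in system32 rather than system32\drivers) and Run entries whose file stamp is empty ([]) or whose target is a bare filename. The script below, added here as an example and not code from the thread, from ComboFix or from Gmer, parses entries in the "Find3M Report" and "Reg Loading Points" layout quoted above and flags those cases for manual review; the sample lines are reflowed from the logs in this thread, while the 30-day window and the category names are my own choices.

```python
import re
from datetime import date, timedelta

# Constructed sample in the layout of the ComboFix "Find3M Report" and
# "Reg Loading Points" sections quoted in this thread (entries reflowed one per line).
SAMPLE_LOG = r"""
2007-07-18 21:25:56 2,710 ----a-w C:\WINDOWS\system32\tmp.reg
2007-07-09 16:58:40 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-06 20:03:35 61,114 ----a-w C:\WINDOWS\system32\xpdx.sys
2007-06-30 12:21:51 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-06-28 15:35:28 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-06-10 19:22:37 505,344 ----a-w C:\WINDOWS\system32\winlogon.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\Avast\ashDisp.exe" [2007-01-15 19:28]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"IrXfer"="IrXfer.exe" []
"AtiPTA"="atiptaxx.exe" [2006-02-22 02:05 C:\WINDOWS\system32\atiptaxx.exe]
"""

# One file entry: date, time, size (dashes for a directory), attribute flags, path.
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?:[\d,]+|-+) (\S+) (.+)$")
# One autostart value: "name"="target" [stamp]; an empty stamp means no file info was found.
RUN_LINE = re.compile(r'^"([^"]+)"="([^"]*)" \[([^\]]*)\]$')


def triage(log_text, scan_date="2007-07-19", window_days=30):
    """Return (category, item) pairs worth a manual look: .sys files created within
    the window (split by whether they live under a drivers\\ directory) and Run
    values without a file stamp or with a bare filename resolved through PATH."""
    cutoff = date.fromisoformat(scan_date) - timedelta(days=window_days)
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            created, attrs, path = date.fromisoformat(m.group(1)), m.group(2), m.group(3)
            low = path.lower()
            # Directories, non-driver files and anything older than the window are skipped.
            if attrs.startswith("d") or not low.endswith(".sys") or created < cutoff:
                continue
            if "\\drivers\\" in low:
                findings.append(("recent-driver", path))
            else:
                findings.append(("recent-driver-outside-drivers-dir", path))
            continue
        m = RUN_LINE.match(line)
        if m:
            name, target, stamp = m.groups()
            if stamp == "":
                findings.append(("run-entry-no-file-stamp", name))
            if "\\" not in target:
                findings.append(("run-entry-bare-filename", name))
    return findings


if __name__ == "__main__":
    for category, item in triage(SAMPLE_LOG):
        print(f"{category:36} {item}")
```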
Gutek
(Gutek)
19 July 2007 16:06
#14
Download Gmer
Rootkit => Scan => without ticking Show all => Ctrl + V, paste into the post
Rootkit => only Show all + Services ticked => Scan => Copy => Ctrl + V, paste into the post
EDIT: did you download Combo from the link I gave?