Pozostalosci po -ZLOB- log -HijackThis+ComboFix-

Orczyk · 14 Grudzień 2007 11:43

Tak jak w temacie

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:40:34, on 2007-12-14 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINDOWS\explorer.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Filseclab\xfilter\xfilter.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Spyware Doctor\SDTrayApp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\DAEMON Tools\daemon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Filseclab\FilMsg.exe C:\Program Files\Spyware Doctor\svcntaux.exe C:\Program Files\Spyware Doctor\swdsvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F2 - REG:system.ini: Shell=explorer.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll O2 - BHO: Video DivX 3.12 - {36490B2D-77CC-4CC2-B6A6-8A16EC550DAB} - C:\WINDOWS\system32\sysdivx.dll (file missing) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file) O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [XFILTER] “C:\Program Files\Filseclab\xfilter\xfilter.exe” -a O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [sDTray] “C:\Program Files\Spyware Doctor\SDTrayApp.exe” O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O4 - Global Startup: Filseclab Messenger.lnk = ? O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra ‘Tools’ menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe – End of file - 6778 bytes

ComboFix 07-12-14.4 - Domownicy 2007-12-14 12:52:08.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.175 [GMT 1:00] Running from: C:\Documents and Settings\Domownicy\Pulpit\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2007-11-14 to 2007-12-14 ))))))))))))))))))))))))))))))) . 2007-12-14 12:38 . 2007-12-14 12:38 2007-12-03 23:33 . 2007-12-04 00:06 2007-12-03 23:05 . 2007-12-03 23:05 2007-12-03 21:46 . 2007-12-03 22:35 1,974 --a------ C:\WINDOWS\system32\tmp.reg 2007-12-03 20:48 . 2007-12-14 12:09 2007-12-03 20:48 . 2007-10-18 00:16 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys 2007-12-03 20:48 . 2007-10-18 00:15 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys 2007-12-03 20:48 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys 2007-12-03 20:48 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys 2007-12-03 20:47 . 2007-12-13 14:30 2007-12-03 20:47 . 2007-12-03 20:47 2007-12-03 20:47 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-12-01 20:13 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys 2007-12-01 20:13 . 2001-08-17 22:02 9,600 --a–c— C:\WINDOWS\system32\dllcache\hidusb.sys 2007-11-28 20:56 . 2007-11-28 20:56 2007-11-27 16:52 . 2007-11-27 16:52 2007-11-26 20:59 . 2006-09-04 19:16 1,970,176 --a------ C:\WINDOWS\system32\d3dx9.dll 2007-11-26 20:59 . 2006-09-04 19:16 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll 2007-11-23 14:25 . 2007-11-23 14:25 2007-11-16 19:57 . 2007-11-16 19:57 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-11 17:43 --------- d-----w C:\Program Files\Gadu-Gadu 2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr 2007-12-03 18:35 --------- d-----w C:\Program Files\FlashGet 2007-11-22 21:31 --------- d-----w C:\Program Files\SwiftSwitch 2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2007-11-11 21:24 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-11-11 21:24 --------- d-----w C:\Documents and Settings\Domownicy\Dane aplikacji\InstallShield 2007-11-10 12:16 37,632 ----a-w C:\WINDOWS\DPUNIN20.EXE 2007-11-02 05:52 2,644,480 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys 2007-11-02 04:57 9,314,304 ----a-w C:\WINDOWS\system32\atioglx2.dll 2007-11-02 04:24 176,128 ----a-w C:\WINDOWS\system32\atiok3x2.dll 2007-11-02 04:10 364,544 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll 2007-11-02 04:09 268,288 ----a-w C:\WINDOWS\system32\ati2dvag.dll 2007-11-02 04:01 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe 2007-11-02 04:01 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll 2007-11-02 04:01 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll 2007-11-02 04:00 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll 2007-11-02 04:00 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll 2007-11-02 03:59 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe 2007-11-02 03:58 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL 2007-11-02 03:50 3,133,728 ----a-w C:\WINDOWS\system32\ati3duag.dll 2007-11-02 03:39 1,602,176 ----a-w C:\WINDOWS\system32\ativvaxx.dll 2007-11-02 03:35 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll 2007-11-02 03:26 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll 2007-11-02 03:24 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll 2007-11-02 03:22 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll 2007-11-02 03:22 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll 2007-11-02 03:16 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll 2007-11-01 20:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe 2007-10-30 22:10 921,600 ----a-w C:\WINDOWS\system32\vorbisenc.dll 2007-10-30 22:10 237,568 ----a-w C:\WINDOWS\system32\OggDS.dll 2007-10-30 22:09 9,216 ----a-w C:\WINDOWS\system32\cpuinf32.dll 2007-10-30 22:09 740,442 ----a-w C:\WINDOWS\system32\DivX.dll 2007-10-30 22:09 45,056 ----a-w C:\WINDOWS\system32\ogg.dll 2007-10-30 22:09 245,760 ----a-w C:\WINDOWS\system32\mplvpx.dll 2007-10-30 22:09 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll 2007-10-30 22:09 1,415,680 ----a-w C:\WINDOWS\system32\WMV9VCM.dll 2007-10-30 22:04 --------- d-----w C:\Program Files\K-Lite Codec Pack 2007-10-30 22:02 --------- d-----w C:\Program Files\MarBit 2007-10-29 22:44 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll 2007-10-25 18:04 --------- d-----w C:\Program Files\Kurka Wodna 3 2007-10-25 16:59 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\SwiftSwitch 2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll 2007-10-24 14:58 --------- d-----w C:\Documents and Settings\Domownicy\Dane aplikacji\CursorArts 2007-10-21 20:16 --------- d-----w C:\Program Files\Winamp 2007-10-17 16:18 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\TechSmith 2007-10-17 16:15 --------- d-----w C:\Documents and Settings\Domownicy\Dane aplikacji\Azureus 2007-10-17 16:09 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Azureus 2007-10-17 15:53 --------- d-----w C:\Program Files\TechSmith 2007-09-28 17:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll 2007-09-28 17:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE~\Browser Helper Objects{36490B2D-77CC-4CC2-B6A6-8A16EC550DAB}] C:\WINDOWS\system32\sysdivx.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 13:00] “DAEMON Tools”=“C:\Program Files\DAEMON Tools\daemon.exe” [2007-08-29 16:09] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SoundMan”=“SOUNDMAN.EXE” [2004-02-26 09:53 C:\WINDOWS\SOUNDMAN.EXE] “ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2004-08-25 11:52] “XFILTER”=“C:\Program Files\Filseclab\xfilter\xfilter.exe” [2006-12-23 14:29] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 00:11] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 14:00] “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 10:50] “SDTray”=“C:\Program Files\Spyware Doctor\SDTrayApp.exe” [2007-11-02 17:24] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 13:00] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:00] Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:00] Filseclab Messenger.lnk - C:\Program Files\Common Files\Filseclab\FilMsg.exe [2007-09-16 12:33:51] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice] @="" R0 XPacket;Filseclab Packet Filter;C:\WINDOWS\system32\xpacket.sys S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN . ************************************************************************** catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-14 12:54:03 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-12-14 12:54:57 C:\ComboFix2.txt … 2007-12-04 00:14 C:\ComboFix3.txt … 2007-12-03 22:29 . 2007-12-12 15:05:05 — E O F —

Gutek · 14 Grudzień 2007 22:40

Pobierz FixIEDef

Pobieramy i wypakowujemy program na Pulpicie. Powstanie folder FixIEDef.
W folderze znajduje się plik FixIEDef.bat, który uruchamiamy.
Ukaże się nam okno z prośbą o wciśnięcie jakiegokolwiek klawisza, by kontynuować.
Klikamy w ENTER. Okno cmd ulega zamknięciu. Żadne logi nie są tworzone.

Po tym daj nowy log z Combo