Prawdopodobnie Keylogger ;/

Eyro · 28 Październik 2007 08:23

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:16:33, on 2007-10-28

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Ahead\InCD\InCD.exe

D:\Gadu-Gadu\gg.exe

C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE

C:\Documents and Settings\gość1\Menu Start\Programy\Autostart\services.exe

C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

C:\PROGRA~1\NEOSTR~1\ComComp.exe

C:\PROGRA~1\NEOSTR~1\Watch.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - 


C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program 


Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O1 - Hosts: 91.121.20.21 nprotect.ryl.com.my

O1 - Hosts: 202.3.245.130 nprotect.ryl.com.my

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program 


Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 


6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program 


Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O2 - BHO: (no name) - {702575D0-B689-4058-BD23-71A1BAA1B86A} - C:\WINDOWS\system32\MGC71ESP.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program 


Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program 


files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program 


Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program 


Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program 


files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" 


/icon

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [AVPDWIN] "C:\Program Files\Panda Software\Panda Demo\pandasft.exe"

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [HGI Agent] D:\HGI\HGI.exe

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe

O4 - HKCU\..\Run: [swg] C:\Program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: services.exe

O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZN

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program 


Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program 


Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network 


Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - 


C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O10 - Broken Internet access because of LSP provider 'c:\program files\mks_vir_2006\mksfirewall.dll' 


missing

O15 - Trusted Zone: http://*.mks.com.pl

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - 


http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - 


http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - 


http://82.146.224.245:85/activex/AxisCamControl.cab

O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - 


http://static.zangocash.com/cab/Seekmo/ie/bridge-c567.cab?0407451f125bb4702ef22c41b34bd5979c5516009691352


9835d16a72533d83b2e3f66b7061404865d208e54adc74b1fca7477cb89ffde9ea6bac6a5dfd81ba8c3f1f16ecc:155ff7b6a3c39


e5d13b88244eaad9a2e

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - 


http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - 


file://F:\CDVIEWER\CdViewer.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - 


http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DD8A5056-06E3-47BF-AD38-DA6BD976702D}: NameServer = 


194.204.159.1 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - 


C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT 


Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google 


Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common 


Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: MkS_Scan - Unknown owner - C:\Program Files\MKS_VIR_2006\mks_scan.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - 


C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - 


C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--

End of file - 9098 bytes

jessica · 28 Październik 2007 08:58

Keyloggery raczej nie są widzialne w Hijacku, zresztą w większości innych logów są niewidzialne. Część Keyloggerów jest widzialna w logu ComboFixa, ale to tylko część z nich.

Te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

Ściągnij -->ComboFix.

Wklej do Notatnika :

File::

C:\Documents and Settings\gość1\Menu Start\Programy\Autostart\services.exe

C:\WINDOWS\system\smss.exe

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Daj ten log.

Znasz te?

jessi

Ziomixiu · 28 Październik 2007 09:06

Niektóre są widzialne także uważaj szczególnie pliki typu scr.

Eyro · 28 Październik 2007 09:30

ComboFix 07-10-23.2 - go†1 2007-10-28 10:16:52.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.129 [GMT 1:00] Running from: C:\Documents and Settings\go†1\Pulpit\ComboFix.exe Command switches used :: C:\Documents and Settings\go†1\Pulpit\CFScript.txt * Created a new restore point FILE:: C:\Documents and Settings\gość1\Menu Start\Programy\Autostart\services.exe C:\WINDOWS\system\smss.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Program Files\internet explorer\msimg32.dll C:\Program Files\MyWebSearch C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG C:\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S C:\Program Files\MyWebSearch\bar\Cache\00F94CFB.Fw C:\Program Files\MyWebSearch\bar\Cache\00F95681 C:\Program Files\MyWebSearch\bar\Cache\00F959AD.bin C:\Program Files\MyWebSearch\bar\Cache\00F95EED.bin C:\Program Files\MyWebSearch\bar\Cache\00F963EE.bin C:\Program Files\MyWebSearch\bar\Cache\00F96834.bin C:\Program Files\MyWebSearch\bar\Cache\files.ini C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S C:\Program Files\MyWebSearch\bar\History\search2 C:\Program Files\MyWebSearch\bar\icons\CM.ICO C:\Program Files\MyWebSearch\bar\icons\MFC.ICO C:\Program Files\MyWebSearch\bar\icons\PSS.ICO C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO C:\Program Files\MyWebSearch\bar\icons\WB.ICO C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL C:\WINDOWS\exefld C:\WINDOWS\system32\f3PSSavr.scr C:\WINDOWS\system32\hldrrr.exe . ((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-28 ))))))))))))))))))))))))))))))) . 2007-10-28 10:13 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-10-28 09:16 2007-10-27 17:27 2007-10-26 20:58 2007-10-26 20:47 25,119 --a------ C:\tpt-0xFFFFFF.tmp.exe 2007-10-26 20:18 407,126 --a------ C:\WINDOWS\system32\sys34.exe 2007-10-26 19:33 2007-10-26 12:46 2007-10-23 20:29 2,368 --a------ C:\WINDOWS\system32\SVKP.sys 2007-10-20 22:57 2007-10-20 15:14 2007-10-20 15:06 2007-10-20 14:34 2007-10-20 14:34 2007-10-20 13:11 2007-09-30 12:09 2007-09-29 11:46 2007-09-28 09:04 2007-09-28 09:04 203,264 --a------ C:\WINDOWS\system32\Pajacyk.scr . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-10-28 09:24 --------- d-----w C:\Documents and Settings\gość1\Dane aplikacji\Skype 2007-10-28 09:19 14,942,208 —ha-w C:\Documents and Settings\gość1\NTUSER.DAT 2007-10-28 07:12 --------- d-----w C:\Program Files\Neostrada TP 2007-10-27 16:25 --------- d-----w C:\Documents and Settings\gość1\Dane aplikacji\uTorrent 2007-10-26 20:15 --------- d-----w C:\Program Files\SkanerOnline 2007-10-11 08:04 --------- d-----w C:\Program Files\Java 2007-10-08 18:04 --------- d-----w C:\Program Files\English Translator 3 2007-09-30 11:09 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-09-29 15:10 --------- d-----w C:\Documents and Settings\gość1\Dane aplikacji\Tlen.pl 2007-09-25 11:48 --------- d-----w C:\Program Files\Snow Ride 2007-09-25 11:40 223,128 ----a-w C:\WINDOWS\system32\drivers\dtscsi.sys 2007-09-23 17:36 --------- d-----w C:\Program Files\Orbitron 2007-09-21 19:00 --------- d-----w C:\Documents and Settings\gość1\Dane aplikacji\OpenOffice.org2 2007-09-20 16:02 --------- d-----w C:\Program Files\Save 2007-09-20 12:59 --------- d-----w C:\Program Files\Google 2007-09-11 18:55 --------- d-----w C:\Program Files\OpenOffice.org 2.2 2007-09-08 18:16 286,720 ------w C:\WINDOWS\Setup1.exe 2007-09-08 18:15 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE 2007-09-02 10:44 --------- d-----w C:\Program Files\Common Files\LogoManager 2007-09-02 10:28 --------- d-----w C:\Program Files\Oxygen 2007-08-29 12:22 --------- d-----w C:\Documents and Settings\gość1\Dane aplikacji\Gadu-Gadu 2007-07-26 05:32 774,144 ----a-w C:\Program Files\RngInterstitial.dll 2006-11-24 14:43 81,920 ----a-w C:\Documents and Settings\gość1\Dane aplikacji\ezpinst.exe 2006-11-24 14:43 47,360 ----a-w C:\Documents and Settings\gość1\Dane aplikacji\pcouffin.sys 2005-05-11 21:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll 2006-06-29 19:07:36 56 --sh–r C:\WINDOWS\system32\7F29004B3A.sys 2006-06-29 19:07:36 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{702575D0-B689-4058-BD23-71A1BAA1B86A}] 2007-09-09 10:49 23832 --a------ C:\WINDOWS\system32\MGC71ESP.DLL [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2004-08-25 12:52] “SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 10:38] “WooCnxMon”=“C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [2003-10-16 18:07] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2003-10-16 18:07] “WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [2003-10-16 18:07] “ZoneAlarm Client”=“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [2007-01-08 14:29] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe” [2006-11-09 15:07] “AVPDWIN”=“C:\Program Files\Panda Software\Panda Demo\pandasft.exe” [] “TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2007-04-18 12:13] “QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-02-16 09:54] “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 11:50] “HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2005-05-11 22:12] “InCD”=“C:\Program Files\Ahead\InCD\InCD.exe” [2005-01-27 18:17] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [] “HGI Agent”=“D:\HGI\HGI.exe” [] “DAEMON Tools”=“C:\Program Files\DAEMON Tools\daemon.exe” [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Gadu-Gadu”=“D:\Gadu-Gadu\gg.exe” [2007-07-09 08:39] “WhatPulse”=“C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE” [2004-12-05 11:20] “PhotoShow Deluxe Media Manager”=“C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe” [] “swg”=“C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe” [] “Komunikator”=“C:\Program Files\Tlen.pl\tlen.exe” [2007-02-12 11:01] “Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-06-08 14:18] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^BlueSoleil.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\BlueSoleil.lnk backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Komunikator] C:\Program Files\Tlen.pl\tlen.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized . Contents of the ‘Scheduled Tasks’ folder “2007-10-17 11:38:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job” - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-10-28 10:24:24 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-10-28 10:25:33 - machine was rebooted . — E O F —

to z combofix-a a tych dwóch na dole to nie znam wywalic?

jessica · 28 Październik 2007 09:56

ComboFix nie usuwał tego, co miał usuwać, za to usunął np Rootkita “Bagle-hidires”.

Keyloggera rzeczywiście masz, ale na szczęście, on tylko szkodzi na Tibii.

Wklej do Notatnika :

File::

C:\tpt-0xFFFFFF.tmp.exe

C:\WINDOWS\system32\sys34.exe

C:\WINDOWS\system32\MGC71ESP.DLL


Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{702575D0-B689-4058-BD23-71A1BAA1B86A}] 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVPDWIN"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HGI Agent"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools"=-

>>Plik>>Zapisz jako… >>> CFScript

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe

– podobnie jak na tym obrazku –>

Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Daj ten log.

jessi

Eyro · 28 Październik 2007 10:10

ComboFix 07-10-23.2 - go†1 2007-10-28 11:02:12.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.206 [GMT 1:00] Running from: C:\Documents and Settings\go†1\Pulpit\ComboFix.exe Command switches used :: C:\Documents and Settings\go†1\Pulpit\CFScript.txt * Created a new restore point FILE:: C:\tpt-0xFFFFFF.tmp.exe C:\WINDOWS\system32\MGC71ESP.DLL C:\WINDOWS\system32\sys34.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\tpt-0xFFFFFF.tmp.exe C:\WINDOWS\system32\MGC71ESP.DLL C:\WINDOWS\system32\sys34.exe . ((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-28 ))))))))))))))))))))))))))))))) . 2007-10-28 10:13 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-10-28 09:16 2007-10-27 17:27 2007-10-26 20:58 2007-10-26 19:33 2007-10-26 12:46 2007-10-23 20:29 2,368 --a------ C:\WINDOWS\system32\SVKP.sys 2007-10-20 22:57 2007-10-20 15:14 2007-10-20 15:06 2007-10-20 14:34 2007-10-20 14:34 2007-10-20 13:11 2007-09-30 12:09 2007-09-29 11:46 2007-09-28 09:04 2007-09-28 09:04 203,264 --a------ C:\WINDOWS\system32\Pajacyk.scr . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-10-28 10:06 --------- d-----w C:\Documents and Settings\gość1\Dane aplikacji\Skype 2007-10-28 10:04 14,942,208 —ha-w C:\Documents and Settings\gość1\NTUSER.DAT 2007-10-28 09:27 --------- d-----w C:\Program Files\Neostrada TP 2007-10-27 16:25 --------- d-----w C:\Documents and Settings\gość1\Dane aplikacji\uTorrent 2007-10-26 20:15 --------- d-----w C:\Program Files\SkanerOnline 2007-10-11 08:04 --------- d-----w C:\Program Files\Java 2007-10-08 18:04 --------- d-----w C:\Program Files\English Translator 3 2007-09-30 11:09 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-09-29 15:10 --------- d-----w C:\Documents and Settings\gość1\Dane aplikacji\Tlen.pl 2007-09-25 11:48 --------- d-----w C:\Program Files\Snow Ride 2007-09-25 11:40 223,128 ----a-w C:\WINDOWS\system32\drivers\dtscsi.sys 2007-09-23 17:36 --------- d-----w C:\Program Files\Orbitron 2007-09-21 19:00 --------- d-----w C:\Documents and Settings\gość1\Dane aplikacji\OpenOffice.org2 2007-09-20 16:02 --------- d-----w C:\Program Files\Save 2007-09-20 12:59 --------- d-----w C:\Program Files\Google 2007-09-11 18:55 --------- d-----w C:\Program Files\OpenOffice.org 2.2 2007-09-08 18:16 286,720 ------w C:\WINDOWS\Setup1.exe 2007-09-08 18:15 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE 2007-09-02 10:44 --------- d-----w C:\Program Files\Common Files\LogoManager 2007-09-02 10:28 --------- d-----w C:\Program Files\Oxygen 2007-08-29 12:22 --------- d-----w C:\Documents and Settings\gość1\Dane aplikacji\Gadu-Gadu 2007-07-26 05:32 774,144 ----a-w C:\Program Files\RngInterstitial.dll 2006-11-24 14:43 81,920 ----a-w C:\Documents and Settings\gość1\Dane aplikacji\ezpinst.exe 2006-11-24 14:43 47,360 ----a-w C:\Documents and Settings\gość1\Dane aplikacji\pcouffin.sys 2005-05-11 21:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll 2006-06-29 19:07:36 56 --sh–r C:\WINDOWS\system32\7F29004B3A.sys 2006-06-29 19:07:36 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2004-08-25 12:52] “SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 10:38] “WooCnxMon”=“C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [2003-10-16 18:07] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2003-10-16 18:07] “WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [2003-10-16 18:07] “ZoneAlarm Client”=“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [2007-01-08 14:29] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe” [2006-11-09 15:07] “TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2007-04-18 12:13] “QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-02-16 09:54] “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 11:50] “HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2005-05-11 22:12] “InCD”=“C:\Program Files\Ahead\InCD\InCD.exe” [2005-01-27 18:17] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Gadu-Gadu”=“D:\Gadu-Gadu\gg.exe” [2007-07-09 08:39] “WhatPulse”=“C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE” [2004-12-05 11:20] “PhotoShow Deluxe Media Manager”=“C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe” [] “swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-09-21 13:43] “Komunikator”=“C:\Program Files\Tlen.pl\tlen.exe” [2007-02-12 11:01] “Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-06-08 14:18] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^BlueSoleil.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\BlueSoleil.lnk backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Komunikator] C:\Program Files\Tlen.pl\tlen.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized . Contents of the ‘Scheduled Tasks’ folder “2007-10-17 11:38:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job” - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-10-28 11:06:08 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-10-28 11:07:22 - machine was rebooted C:\ComboFix2.txt … 2007-10-28 10:25 . — E O F —

jessica · 28 Październik 2007 10:15

Wg mnie - jest OK.

jessi

Eyro · 28 Październik 2007 10:16

Dzieki wielkie za pomoc