system
(system)
5 January 2008 17:42
#1
Please check my log
Logfile of HijackThis v1.99.1
Scan saved at 18:40:44, on 2008-01-05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\System32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\admin.DOM\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{75436F5F-4510-4B2F-ADA0-6BAD5F285CEC}: NameServer = 194.204.159.1 217.98.63.164
O20 - Winlogon Notify: klogon - C:\windows\system32\klogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Gutek
(Gutek)
5 January 2008 17:43
#2
Change to the rules for posting logs on the forum - viewtopic.php?f=16&t=213350
Post a ComboFix log
system
(system)
5 January 2008 19:41
#3
Gutek
(Gutek)
5 January 2008 21:05
#4
C:\windows\system32\drivers\xcbgnvpa.sys
Scan it at http://www.virustotal.com/pl/ and paste the report after the scan.
system
(system)
5 January 2008 22:07
#5
Unfortunately I can't find the file 'xcbgnvpa.sys'. There is no file starting with x in the 'drivers' folder.
grzal
(Rafal Grzelak)
5 January 2008 22:14
#6
Windows couldn't find such a file for me ;/
Gutek
(Gutek)
5 January 2008 22:33
#7
Paste into Notepad:
File::
C:\windows\system32\drivers\xcbgnvpa.sys
Driver::
hrbqmihy
>>File>>Save as... >>> CFScript (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
- just like in this picture ->
(if the question " 1 or 2 " appears - type 1 and press ENTER) The removal should start. (and a log will be created)
After the restart, manually delete the folder C:\Qoobox.
Then post a new ComboFix log
grzal
(Rafal Grzelak)
6 January 2008 14:56
#8
I did as you told me, here is the log
ComboFix 08-01-04.1 - user 2008-01-06 15:46:08.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.58 [GMT 1:00]
Running from: C:\Documents and Settings\user\Pulpit\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.
2008-01-06 14:38 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 14:21 . 2008-01-06 14:22
2008-01-04 02:55 . 2008-01-04 02:55
2007-12-30 02:19 . 2007-12-30 02:23
2007-12-25 03:27 . 2007-12-25 03:28
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 14:45 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\Skype
2008-01-06 14:44 --------- d-----w C:\Program Files\DialNet
2008-01-06 13:45 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\skypePM
2008-01-06 12:28 4,000 ----a-w C:\ao.dat
2008-01-04 15:57 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\teamspeak2
2007-12-28 13:50 --------- d-----w C:\Program Files\Gadu-Gadu
2007-12-07 09:11 --------- d-----w C:\Program Files\Google
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-30 14:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-30 14:32 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\InstallShield
2007-11-29 21:35 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-11-29 17:12 --------- d-----w C:\Program Files\Spyware Doctor
2007-11-23 17:31 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2007-11-23 17:29 --------- d-----w C:\Program Files\Skype
2007-11-23 17:29 --------- d-----w C:\Program Files\Common Files\Skype
2007-11-23 17:29 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype
2007-11-22 15:07 --------- d-----w C:\Program Files\Xing
2007-11-22 15:07 --------- d-----w C:\Program Files\Common Files\Xing Shared
2007-11-22 12:04 --------- d-----w C:\Program Files\CDex_150
2007-11-22 11:42 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\Ahead
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 08:29 --------- d-----w C:\Program Files\eMule
2007-11-11 19:33 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\gtk-2.0
2007-11-11 13:26 --------- d-----w C:\Program Files\GIMP-2.0
2007-11-09 16:30 --------- d-----w C:\Program Files\ImageWiz Free
2007-10-29 22:44 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-20 05:01 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:44 15360]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 15:36 2111176]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-11-12 15:48 21760296]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-26 23:37 68856]
"z-WrDialer"="C:\Program Files\DialNet\WrDialer.exe" [2007-01-18 13:18 483328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 19:51 131072]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-10-23 20:24 339968]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" []
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-23 20:24 35328]
"Salestart(1)"="C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" [2007-10-09 13:14 589824]
"Salestart(2)"="C:\Program Files\Common Files\AntiSpywareSuite\bm.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"a-winpoet-service"="C:\Program Files\DialNet\winpppoverethernet.exe" [2007-01-18 10:26 405504]
"z-wrdialer"="C:\Program Files\DialNet\wrdialer.exe" [2007-01-18 13:18 483328]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:44 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R2 TopWinPoETDriver;WinPoET PPPoE Optimized Driver;C:\WINDOWS\system32\DRIVERS\WrKPoET2000.sys [2004-09-16 17:56]
R3 FPD;Fine Point Packet Service;C:\WINDOWS\system32\drivers\fpd.sys [2003-04-04 15:07]
R3 WrKPoET2000;WrKPoET2000;C:\Program Files\DialNet\WrKPoET2000.sys [2004-09-16 17:56]
R3 WRSWanDD;WinPoET PPPoE Adapter;C:\WINDOWS\system32\DRIVERS\WrKPoETNic2000.sys [2002-10-28 17:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{773cf3dd-142a-11dc-a367-806d6172696f}]
\Shell\AutoRun\command - F:\Bin\asusqfe.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 15:47:48
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-06 15:49:01
ComboFix2.txt 2008-01-06 14:33:07
.
2007-12-22 01:15:21 --- E O F ---
Gutek
(Gutek)
6 January 2008 16:33
#9
Log OK