Please help with a virus in the system


(Ravix31) #1

Logfile of HijackThis v1.99.1

Scan saved at 17:16:10, on 2008-03-08

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:

C:WINDOWSSystem32smss.exe

C:WINDOWSsystem32winlogon.exe

C:WINDOWSsystem32services.exe

C:WINDOWSsystem32lsass.exe

C:WINDOWSsystem32svchost.exe

C:WINDOWSSystem32svchost.exe

C:WINDOWSsystem32spoolsv.exe

C:Program FilesKaspersky LabKaspersky Anti-Virus 7.0avp.exe

C:WINDOWSsystem32PnkBstrA.exe

C:WINDOWSsystem32PnkBstrB.exe

C:WINDOWSExplorer.EXE

C:Program FilesKaspersky LabKaspersky Anti-Virus 7.0avp.exe

C:WINDOWSRTHDCPL.EXE

C:Program FilesCyberLinkPowerDVDPDVDServ.exe

C:WINDOWSsystem32igfxpers.exe

C:WINDOWSsystem32igfxtray.exe

C:WINDOWSsystem32hkcmd.exe

C:WINDOWSsystem32rundll32.exe

C:WINDOWSsystem32ctfmon.exe

C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe

C:Program FilesCommon FilesAheadLibNMBgMonitor.exe

C:Program FilesNo-IPDUC20.exe

C:WINDOWSsystem32igfxsrvc.exe

C:Program FilesCommon FilesAheadLibNMIndexStoreSvr.exe

C:Program FilesCyberLinkShared FilesRichVideo.exe

C:Program FilesCommon FilesAheadLibNMIndexingService.exe

C:Documents and SettingsMateuszPulpitgboxTGbox.exe

C:Documents and SettingsMateuszPulpitgboxgboxx86.exe

C:Program FilesMozilla Firefoxfirefox.exe

C:DOCUME~1MateuszUSTAWI~1TempRar$EX00.266HijackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.onet.pl/

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60207

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,CustomizeSearch = http://dnl.crawler.com/support/sa_custo ... TbId=60207

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch = http://dnl.crawler.com/support/sa_custo ... TbId=60207

R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 5.0ReaderActiveXAcroIEHelper.ocx

O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:program filesgooglegoogletoolbar2.dll

O2 - BHO: (no name) - {AB41010D-4804-4793-A6A2-3B5EBE2348DD} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:Program FilesGoogleGoogleToolbarNotifier2.0.301.7164swg.dll

O3 - Toolbar: (no name) - {C11483F7-D7D8-4804-98D8-6055470BB989} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:program filesgooglegoogletoolbar2.dll

O4 - HKLM..Run: [msptlg] C:WINDOWSptlg.exe

O4 - HKLM..Run: [AVP] "C:Program FilesKaspersky LabKaspersky Anti-Virus 7.0avp.exe"

O4 - HKLM..Run: [synchronization Manager] %SystemRoot%system32mobsync.exe /logon

O4 - HKLM..Run: [skyTel] SkyTel.EXE

O4 - HKLM..Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM..Run: [RemoteControl] "C:Program FilesCyberLinkPowerDVDPDVDServ.exe"

O4 - HKLM..Run: [Persistence] C:WINDOWSsystem32igfxpers.exe

O4 - HKLM..Run: [NeroFilterCheck] C:Program FilesCommon FilesAheadLibNeroCheck.exe

O4 - HKLM..Run: [LanguageShortcut] "C:Program FilesCyberLinkPowerDVDLanguageLanguage.exe"

O4 - HKLM..Run: [igfxTray] C:WINDOWSsystem32igfxtray.exe

O4 - HKLM..Run: [HotKeysCmds] C:WINDOWSsystem32hkcmd.exe

O4 - HKLM..Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM..Run: [Alcmtr] ALCMTR.EXE

O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe

O4 - HKCU..Run: [swg] C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe

O4 - HKCU..Run: [Odkurzacz-MCD] C:Program FilesOdkurzaczodk_mcd.exe

O4 - HKCU..Run: [himem] "c:windowshimem.exe" 3fff 8ffff

O4 - HKCU..Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:Program FilesCommon FilesAheadLibNMBgMonitor.exe"

O4 - HKCU..Run: [ares] "C:Program FilesAresAres.exe" -h

O4 - Startup: No-IP DUC.lnk = C:Program FilesNo-IPDUC20.exe

O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:Program FilesKaspersky LabKaspersky Anti-Virus 7.0SCIEPlgn.dll

O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:WINDOWSSystem32shdocvw.dll

O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:WINDOWSSystem32shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus ... nicode.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/downloa ... YAX29b.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game02.zylom.com/activex/zylomgamesplayer.cab

O17 - HKLMSystemCCSServicesTcpip..{C2E8ED17-DD03-486B-9055-0F625F1C50B3}: NameServer = 192.168.1.1

O20 - Winlogon Notify: igfxcui - C:WINDOWSSYSTEM32igfxdev.dll

O20 - Winlogon Notify: klogon - C:WINDOWSsystem32klogon.dll

O20 - Winlogon Notify: WgaLogon - C:WINDOWSSYSTEM32WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:WINDOWSsystem32WPDShServiceObj.dll

O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:Program FilesKaspersky LabKaspersky Anti-Virus 7.0avp.exe" -r (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe

O23 - Service: NBService - Nero AG - C:Program FilesNeroNero 7Nero BackItUpNBService.exe

O23 - Service: NMIndexingService - Nero AG - C:Program FilesCommon FilesAheadLibNMIndexingService.exe

O23 - Service: PnkBstrA - Unknown owner - C:WINDOWSsystem32PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:WINDOWSsystem32PnkBstrB.exe

O23 - Service: ptlg - Unknown owner - C:WINDOWSsystem32ptlg.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:Program FilesCyberLinkShared FilesRichVideo.exe


(Dmirecki) #2

There are no slashes in the log! Fix it!


(Ravix31) #3

Logfile of HijackThis v1.99.1

Scan saved at 17:16:10, on 2008-03-08

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\No-IP\DUC20.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Documents and Settings\Mateusz\Pulpit\gbox\TGbox.exe

C:\Documents and Settings\Mateusz\Pulpit\gbox\gboxx86.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\DOCUME~1\Mateusz\USTAWI~1\Temp\Rar$EX00.266\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60207

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_custo … TbId=60207

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_custo … TbId=60207

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: (no name) - {AB41010D-4804-4793-A6A2-3B5EBE2348DD} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: (no name) - {C11483F7-D7D8-4804-98D8-6055470BB989} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [msptlg] C:\WINDOWS\ptlg.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe

O4 - HKCU\..\Run: [himem] "c:\windows\himem.exe" 3fff 8ffff

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe

O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll

O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/downloa … YAX29b.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game02.zylom.com/activex/zylomgamesplayer.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C2E8ED17-DD03-486B-9055-0F625F1C50B3}: NameServer = 192.168.1.1

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: ptlg - Unknown owner - C:\WINDOWS\system32\ptlg.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

now ok


(Ravix31) #4

please help me, this log should be fine now


(Dmirecki) #5

FIX in HijackThis

Start => Run => type: cmd => ENTER => in the console that opens, type:

Download ComboFix, but do not run it

Paste into Notepad:

File::

c:\windows\himem.exe

File -> Save as -> CFScript.txt

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like here ->

88953CFScript-createdbyMiekiemoes.gif

Removal should start and a log will be created; post that log on the forum + a new HijackThis log.

If everything goes well, after the restart manually delete the file C:\Qoobox


(Ravix31) #6

ComboFix 08-03-07.4 - Mateusz 2008-03-08 19:58:13.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.167 [GMT 1:00]

Running from: C:\Documents and Settings\Mateusz\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\Mateusz\Pulpit\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

c:\windows\himem.exe

.

((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))

.

2008-03-07 12:34 . 2008-03-07 12:34 466,432 --a------ C:\WINDOWS\ IEXPLORE.EXE

2008-03-06 22:33 . 2008-03-06 22:46 253,952 --------- C:\WINDOWS\Setup1.exe

2008-03-06 21:55 . 2008-03-06 21:55

2008-03-06 21:55 . 2008-03-08 17:08

2008-03-06 15:41 . 2008-03-07 21:03

2008-03-05 22:17 . 2008-03-05 22:17

2008-02-28 21:57 . 2008-02-28 21:57 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat

2008-02-28 21:57 . 2008-02-28 21:57 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat

2008-02-28 21:56 . 2008-02-28 21:56

2008-02-28 21:56 . 2008-03-08 08:32

2008-02-28 21:56 . 2008-03-08 20:07 5,302,560 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2008-02-28 21:56 . 2008-03-08 20:07 141,856 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat

2008-02-28 21:56 . 2008-03-07 23:02 69,992 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

2008-02-28 21:56 . 2008-03-07 23:02 13,340 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx

2008-02-28 21:51 . 2008-02-28 21:51

2008-02-26 13:41 . 2008-02-26 13:45 3,724,840 --a------ C:\WINDOWS\sprmvr.exe

2008-02-26 13:28 . 2008-02-26 13:28 1,785,466 --a------ C:\WINDOWS\system32\ptlg.exe

2008-02-26 13:28 . 2008-02-26 13:28 1,785,466 --a------ C:\WINDOWS\ptlg.exe

2008-02-20 19:19 . 2008-02-20 19:19 486 --a------ C:\WINDOWS\mamba.ini

2008-02-20 18:47 . 2008-02-20 18:47 413,696 --a------ C:\WINDOWS\system32\wrap_oal.dll

2008-02-20 18:47 . 2008-02-20 18:47 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll

2008-02-11 17:34 . 2008-02-11 17:34

2008-02-10 11:58 . 2008-02-10 11:58

2008-02-08 18:37 . 2008-02-08 18:37 219,664 --a------ C:\WINDOWS\system32\klogon.dll

2008-02-08 18:35 . 2008-02-08 18:35 23,604 --a------ C:\WINDOWS\system32\drivers\klopp.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-06 21:46 74,752 ----a-w C:\WINDOWS\ST6UNST.EXE

2008-03-05 21:41 --------- d-----w C:\Program Files\Lavasoft

2008-03-01 17:48 --------- d-----w C:\Program Files\EA GAMES

2008-03-01 16:13 --------- d-----w C:\Program Files\Maxis

2008-02-25 21:05 --------- d-----w C:\Program Files\Winamp

2008-02-10 19:01 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-02-02 09:30 --------- d-----w C:\Program Files\NETPLUS

2008-02-01 14:48 53,248 ----a-w C:\WINDOWS\system32\apache.dll

2008-02-01 08:39 --------- d-----w C:\Documents and Settings\Mateusz\Dane aplikacji\Clickteam

2008-01-25 10:40 6,688 ----a-w C:\WINDOWS\movexe.exe

2008-01-23 19:57 --------- d-----w C:\Documents and Settings\Mateusz\Dane aplikacji\Ankh - Heart of Osiris (Demo)

2008-01-14 21:01 --------- d-----w C:\Documents and Settings\Mateusz\Dane aplikacji\AgerWebEdytor

2008-01-12 19:08 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft

2007-12-16 16:35 720,896 ----a-w C:\WINDOWS\iun6002.exe

2007-10-29 17:15 22,328 ----a-w C:\Documents and Settings\Mateusz\Dane aplikacji\PnkBstrK.sys

2007-07-08 07:44 8 -c--a-w C:\Documents and Settings\Mateusz\reg.dat

1998-04-24 05:00 1,078 -c----w C:\Program Files\Common Files\RECYFULL.ICO

2007-08-12 16:23 14 -csh--w C:\WINDOWS\mswtpdxp.dll

2007-08-16 08:56 21 -csh--w C:\WINDOWS\prwttrxp.dll

2007-08-12 16:23 21 -csh--w C:\WINDOWS\system32\dpwttaxp.dll

2007-08-12 16:23 14 -csh--w C:\WINDOWS\system32\mswtpaxp.dll

2007-09-12 18:10 2 -csh--w C:\WINDOWS\system32\verwttxp.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{100EB1FD-D03E-47FD-81F3-EE91287F9465}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:44 15360]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 11:56 68856]

"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2007-05-03 09:02 264704]

"himem"="c:\windows\himem.exe" []

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 17:05 143360]

"ares"="C:\Program Files\Ares\Ares.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msptlg"="C:\WINDOWS\ptlg.exe" [2008-02-26 13:28 1785466]

"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-03 23:44 143872]

"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]

"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 10:21 16270848 C:\WINDOWS\RTHDCPL.EXE]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 14:10 56928]

"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-24 11:00 131072]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]

"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 21:55 54832]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-24 11:01 135168]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-24 11:01 159744]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:44 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:44 15360]

C:\Documents and Settings\Mateusz\Menu Start\Programy\Autostart\

No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe [2007-08-04 16:03:40 1172992]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\Messenger\msmsgs.exe"=

"C:\Documents and Settings\Mateusz\Pulpit\gbox\gboxx86.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

"C:\WINDOWS\system32\PnkBstrA.exe"=

"C:\WINDOWS\system32\PnkBstrB.exe"=

"C:\WINDOWS\system32\dplaysvr.exe"=

"C:\Program Files\EA GAMES\Need for Speed Underground 2\speed2.exe"=

"C:\Documents and Settings\Mateusz\Pulpit\mateusz1\Nowy folder (2)\install\WSZYSTKIE\Gadu-Gadu\gg.exe"=

"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"=

"C:\Arquivos de programas\Yu-Gi-Oh Duel Master\Yu-Gi-Oh Duel Master 1.8 XP LNCB.exe"=

"C:\Documents and Settings\Mateusz\Pulpit\gbox\TGbox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"7806:TCP"= 7806:TCP:BitComet 7806 TCP

"7806:UDP"= 7806:UDP:BitComet 7806 UDP

"7143:TCP"= 7143:TCP:BitComet 7143 TCP

"7143:UDP"= 7143:UDP:BitComet 7143 UDP

"5000:TCP"= 5000:TCP:AresChatServer

"8461:TCP"= 8461:TCP:GoD High Port

"8462:TCP"= 8462:TCP:GoD Low Port

R1 eusk2par;EUTRON SmartKey Parallel Driver;C:\WINDOWS\system32\Drivers\eusk2par.sys [2004-11-18 12:49]

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-09-21 18:59]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]

S1 UserPort;UserPort;C:\WINDOWS\system32\Drivers\UserPort.sys []

S2 ioperm;ioperm support for Cygwin driver;C:\Documents and Settings\Mateusz\Pulpit\gbox2\ioperm.sys []

S3 eusk3usb;SmartKey 3 USB;C:\WINDOWS\system32\Drivers\eusk3usb.sys [2004-11-18 12:49]

S3 gwiopm;gwiopm;C:\DOCUME~1\Mateusz\USTAWI~1\Temp\Rar$EX01.703\Pionero v4.0 (FINAL_forBCT1530)\Pionero v4.0 (FINAL_forBCT1530)_oraz_przykładowe_pliki\Pionero v4.0 (FINAL_forBCT1530)\gwiopm.sys []

S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\system32\ZDCndis5.SYS []

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-08 20:07:47

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-03-08 20:09:06

.

2008-02-13 09:57:08 --- E O F ---


(Ravix31) #7

new HijackThis log

Logfile of HijackThis v1.99.1

Scan saved at 20:27:17, on 2008-03-08

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\No-IP\DUC20.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\ptlg.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\Mateusz\USTAWI~1\Temp\Rar$EX00.235\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60207

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_custo … TbId=60207

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: (no name) - {AB41010D-4804-4793-A6A2-3B5EBE2348DD} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: (no name) - {C11483F7-D7D8-4804-98D8-6055470BB989} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [msptlg] C:\WINDOWS\ptlg.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe

O4 - HKCU\..\Run: [himem] "c:\windows\himem.exe" 3fff 8ffff

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe

O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/downloa … YAX29b.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game02.zylom.com/activex/zylomgamesplayer.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C2E8ED17-DD03-486B-9055-0F625F1C50B3}: NameServer = 192.168.1.1

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe


(Ravix31) #8

can you tell me where and how to delete this file C:\Qoobox



(Ravix31) #10

ok, I deleted it from My Computer, drive C


(Leon$) #11

entries

delete with HijackThis >> Fix checked

open Notepad and paste

save as CFScript.txt (save it so that the CFScript.txt icon is next to the ComboFix.exe icon) >> drag and drop the CFScript.txt icon onto the ComboFix.exe icon

http://img.wklej.org/images/88953CFScri … iemoes.gif

Removal should start

Then the ComboFix removal log

After the restart, if everything is OK, manually delete the folder C:\Qoobox

Check the file

http://virusscan.jotti.org/

it should be in a different location

:)


(Ravix31) #12

Log after ComboFix

ComboFix 08-03-07.4 - Mateusz 2008-03-08 22:37:12.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.62 [GMT 1:00]

Running from: C:\Documents and Settings\Mateusz\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\Mateusz\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))

.

2008-03-08 21:59 . 2008-03-08 21:59 230 --a------ C:\WINDOWS\system32\spupdsvc.inf

2008-03-08 21:45 . 2008-03-08 21:50 1,319 --a------ C:\WINDOWS\imsins.BAK

2008-03-06 22:33 . 2008-03-06 22:46 253,952 --------- C:\WINDOWS\Setup1.exe

2008-03-06 15:41 . 2008-03-07 21:03

2008-03-05 22:17 . 2008-03-05 22:17

2008-02-28 21:57 . 2008-02-28 21:57 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat

2008-02-28 21:57 . 2008-02-28 21:57 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat

2008-02-28 21:56 . 2008-02-28 21:56

2008-02-28 21:56 . 2008-03-08 22:52

2008-02-28 21:56 . 2008-03-08 22:52 5,605,408 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2008-02-28 21:56 . 2008-03-08 22:51 152,096 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat

2008-02-28 21:56 . 2008-03-08 22:50 76,880 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

2008-02-28 21:56 . 2008-03-08 22:50 15,284 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx

2008-02-28 21:51 . 2008-02-28 21:51

2008-02-26 13:41 . 2008-02-26 13:45 3,724,840 --a------ C:\WINDOWS\sprmvr.exe

2008-02-26 13:28 . 2008-02-26 13:28 1,785,466 --a------ C:\WINDOWS\system32\ptlg.exe

2008-02-26 13:28 . 2008-02-26 13:28 1,785,466 --a------ C:\WINDOWS\ptlg.exe

2008-02-20 19:19 . 2008-02-20 19:19 486 --a------ C:\WINDOWS\mamba.ini

2008-02-20 18:47 . 2008-02-20 18:47 413,696 --a------ C:\WINDOWS\system32\wrap_oal.dll

2008-02-20 18:47 . 2008-02-20 18:47 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll

2008-02-11 17:34 . 2008-02-11 17:34

2008-02-10 11:58 . 2008-02-10 11:58

2008-02-08 18:37 . 2008-02-08 18:37 219,664 --a------ C:\WINDOWS\system32\klogon.dll

2008-02-08 18:35 . 2008-02-08 18:35 23,604 --a------ C:\WINDOWS\system32\drivers\klopp.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-08 21:52 466,432 ----a-w C:\WINDOWS\ IEXPLORE.EXE

2008-03-06 21:46 74,752 ----a-w C:\WINDOWS\ST6UNST.EXE

2008-03-05 21:41 --------- d-----w C:\Program Files\Lavasoft

2008-03-01 17:48 --------- d-----w C:\Program Files\EA GAMES

2008-03-01 16:13 --------- d-----w C:\Program Files\Maxis

2008-02-25 21:05 --------- d-----w C:\Program Files\Winamp

2008-02-10 19:01 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-02-02 09:30 --------- d-----w C:\Program Files\NETPLUS

2008-02-01 14:48 53,248 ----a-w C:\WINDOWS\system32\apache.dll

2008-02-01 08:39 --------- d-----w C:\Documents and Settings\Mateusz\Dane aplikacji\Clickteam

2008-01-25 10:40 6,688 ----a-w C:\WINDOWS\movexe.exe

2008-01-23 19:57 --------- d-----w C:\Documents and Settings\Mateusz\Dane aplikacji\Ankh - Heart of Osiris (Demo)

2008-01-14 21:01 --------- d-----w C:\Documents and Settings\Mateusz\Dane aplikacji\AgerWebEdytor

2008-01-12 19:08 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft

2007-12-16 16:35 720,896 ----a-w C:\WINDOWS\iun6002.exe

2007-10-29 17:15 22,328 ----a-w C:\Documents and Settings\Mateusz\Dane aplikacji\PnkBstrK.sys

2007-07-08 07:44 8 -c--a-w C:\Documents and Settings\Mateusz\reg.dat

1998-04-24 05:00 1,078 -c----w C:\Program Files\Common Files\RECYFULL.ICO

2007-08-12 16:23 14 -csh--w C:\WINDOWS\mswtpdxp.dll

2007-08-16 08:56 21 -csh--w C:\WINDOWS\prwttrxp.dll

2007-08-12 16:23 21 -csh--w C:\WINDOWS\system32\dpwttaxp.dll

2007-08-12 16:23 14 -csh--w C:\WINDOWS\system32\mswtpaxp.dll

2007-09-12 18:10 2 -csh--w C:\WINDOWS\system32\verwttxp.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:44 15360]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 11:56 68856]

"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2007-05-03 09:02 264704]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 17:05 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-03 23:44 143872]

"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]

"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 10:21 16270848 C:\WINDOWS\RTHDCPL.EXE]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 14:10 56928]

"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-24 11:00 131072]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]

"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 21:55 54832]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-24 11:01 135168]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-24 11:01 159744]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:44 110592 C:\WINDOWS\system32\bthprops.cpl]

"msptlg"="C:\WINDOWS\ptlg.exe" [2008-02-26 13:28 1785466]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:44 15360]

C:\Documents and Settings\Mateusz\Menu Start\Programy\Autostart\

No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe [2007-08-04 16:03:40 1172992]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"C:\Program Files\Messenger\msmsgs.exe"=

"C:\Documents and Settings\Mateusz\Pulpit\gbox\gboxx86.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

"C:\WINDOWS\system32\PnkBstrA.exe"=

"C:\WINDOWS\system32\PnkBstrB.exe"=

"C:\WINDOWS\system32\dplaysvr.exe"=

"C:\Program Files\EA GAMES\Need for Speed Underground 2\speed2.exe"=

"C:\Documents and Settings\Mateusz\Pulpit\mateusz1\Nowy folder (2)\install\WSZYSTKIE\Gadu-Gadu\gg.exe"=

"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"=

"C:\Arquivos de programas\Yu-Gi-Oh Duel Master\Yu-Gi-Oh Duel Master 1.8 XP LNCB.exe"=

"C:\Documents and Settings\Mateusz\Pulpit\gbox\TGbox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"7806:TCP"= 7806:TCP:BitComet 7806 TCP

"7806:UDP"= 7806:UDP:BitComet 7806 UDP

"7143:TCP"= 7143:TCP:BitComet 7143 TCP

"7143:UDP"= 7143:UDP:BitComet 7143 UDP

"5000:TCP"= 5000:TCP:AresChatServer

"8461:TCP"= 8461:TCP:GoD High Port

"8462:TCP"= 8462:TCP:GoD Low Port

R1 eusk2par;EUTRON SmartKey Parallel Driver;C:\WINDOWS\system32\Drivers\eusk2par.sys [2004-11-18 12:49]

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-09-21 18:59]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]

S3 eusk3usb;SmartKey 3 USB;C:\WINDOWS\system32\Drivers\eusk3usb.sys [2004-11-18 12:49]

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-08 22:52:37

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\ptlg.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

.

**************************************************************************

.

Completion time: 2008-03-08 22:55:27 - machine was rebooted

ComboFix-quarantined-files.txt 2008-03-08 21:54:40

.

2008-02-13 09:57:08 --- E O F ---


(Leon$) #13

The log looks clean

:slight_smile:


(Gutek) #14

Follow this Topic and change the topic title to a specific one, otherwise TRASH

Regards, Gutek2222

Change to the rules for pasting logs on the forum - viewtopic.php?f=16&t=213350