Redirection to other pages via Google in IE

Hello,

please take a look and give me your opinion; no scans help, and Google in IE redirects me to other pages

Logfile of HijackThis v1.99.1

Scan saved at 12:15:56, on 2007-12-16

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\NMSAccessU.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Opera\Opera.exe

C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O11 - Options group: [iNTERNATIONAL] International*

O15 - Trusted Zone: http://www.mks.com.pl

O15 - Trusted Zone: http://*.mks.com.pl

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1D8FB24A-373C-4088-8899-9463BFD8409E}: NameServer = 85.255.116.151,85.255.112.127

O17 - HKLM\System\CCS\Services\Tcpip\..\{62593BC7-DF97-41FF-BCC1-41C62A5707ED}: NameServer = 85.255.116.151 85.255.112.127

O17 - HKLM\System\CCS\Services\Tcpip\..\{A3A5D73F-9FA6-4297-9DB8-DAC1A534770B}: NameServer = 85.255.116.151,85.255.112.127

O17 - HKLM\System\CCS\Services\Tcpip\..\{B42F29E5-A3DB-4AAB-B19C-2E78934509E4}: NameServer = 85.255.116.151,85.255.112.127

O17 - HKLM\System\CCS\Services\Tcpip\..\{E52228E0-0A49-4B28-A369-3EF4C91D94AA}: NameServer = 85.255.116.151,85.255.112.127

O17 - HKLM\System\CCS\Services\Tcpip\..\{F7D409B8-CF62-47FA-9ABC-0307477253DA}: NameServer = 85.255.116.151,85.255.112.127

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.127

O17 - HKLM\System\CS1\Services\Tcpip\..\{1D8FB24A-373C-4088-8899-9463BFD8409E}: NameServer = 85.255.116.151,85.255.112.127

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.127

O17 - HKLM\System\CS2\Services\Tcpip\..\{1D8FB24A-373C-4088-8899-9463BFD8409E}: NameServer = 85.255.116.151,85.255.112.127

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.127

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\Common Files\NMSAccessU.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

Regards

Jacek

Scan it with ComboFix as well

Here is the Combo log

ComboFix 07-12-16.3 - Właściciel 2007-12-16 12:39:45.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.279 [GMT 1:00]

Running from: C:\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\kdmxm.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\LEGACY_IPRIP

-------\Iprip

((((((((((((((((((((((((( Files Created from 2007-11-16 to 2007-12-16 )))))))))))))))))))))))))))))))

.

2007-12-16 12:35 . 2007-12-16 12:35 1,477,325 --a------ C:\ComboFix.exe

2007-12-15 13:52 . 2007-12-15 13:53

2007-12-15 13:52 . 2007-12-16 09:29

2007-12-15 13:52 . 2007-12-15 13:52

2007-12-15 13:50 . 2007-12-15 13:50

2007-12-12 15:25 . 2007-12-12 15:25 1,254 --a------ C:\WINDOWS\mozver.dat

2007-12-12 14:44 . 2007-12-12 14:44

2007-12-12 14:40 . 2007-12-12 14:42 11,093,535 --a------ C:\Torpark_2.0.0.3a.exe

2007-12-09 10:24 . 2007-12-09 10:58

2007-12-01 12:04 . 2007-12-01 12:04 23,552 --a------ C:\zaswiad_zarobki_28_07b.doc

2007-11-28 16:21 . 2007-11-28 16:21

2007-11-28 16:21 . 2007-11-28 16:21 411,509 --a------ C:\GSpot270a.zip

2007-11-17 12:04 . 2007-09-25 13:24 722,192 --a------ C:\WINDOWS\system32\vb40032.dll

2007-11-17 11:42 . 2007-11-17 11:42

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-15 12:50 --------- d-----w C:\Program Files\Królik Bystrzak

2007-12-14 19:03 --------- d-----w C:\Program Files\Warblade

2007-12-14 19:00 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-12-11 06:03 --------- d-----w C:\Program Files\Odkurzacz

2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys

2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2007-12-01 18:00 --------- d-----w C:\Program Files\AVIcodec

2007-11-13 18:07 --------- d--a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP

2007-11-09 22:24 11,456,024 ----a-w C:\magicphotof.exe

2007-11-09 20:34 --------- d-----w C:\Program Files\ffdshow

2007-11-09 20:33 3,726,171 ----a-w C:\ffdshow-rev1579_20071026.zip

2007-11-09 20:28 556,675 ----a-w C:\AVIcodec_1.2_b110.exe

2007-11-09 19:22 --------- d-----w C:\Program Files\Zortam Mp3 Media Studio

2007-11-09 18:41 --------- d-----w C:\Program Files\a-squared HiJackFree

2007-11-03 10:49 --------- d-----w C:\Program Files\Team6 game studios

2007-10-25 15:10 --------- d-----w C:\Program Files\JLC's Software

2007-10-10 15:26 6,498,440 ----a-w C:\Opera_9.23_International_Setup.exe

2007-09-15 16:33 2,248,200 ----a-w C:\Program Files\SopCast.zip

2007-09-03 13:45 4,037,632 ----a-w C:\Program Files\odk109update1.exe

2007-04-29 14:47 251,802 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\firstlsp.reg.dat

2007-04-20 12:31 2,274,815 ----a-w C:\Program Files\Setup-SopCast-1.1.2-2007-04-20.exe

2007-01-25 01:52 65,536 ----a-w C:\Program Files\Common Files\NMSAccessU.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2007-05-03 09:02]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00]

"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 13:00 C:\WINDOWS\system32\rundll32.exe]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00]

"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 02:17]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared Anti-Dialer]

C:\Program Files\a-squared Anti-Dialer\a2adguard.exe /d=60

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]

C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]

C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2005-05-11 22:12 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]

C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartDefrag]

C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

2005-05-20 02:11 925696 -ra------ C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe /icon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2007-07-12 03:00 132496 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZortamMp3MediaStudio]

2007-11-06 18:07 2654208 --a------ C:\Program Files\Zortam Mp3 Media Studio\zmmspro.exe

R2 NMSAccessU;NMSAccessU;C:\Program Files\Common Files\NMSAccessU.exe

R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs

R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys

S3 ATE_PROCMON;ATE_PROCMON;\??\C:\Program Files\Anti Trojan Elite\ATEPMon.sys

S3 p2pgasvc;Uwierzytelnianie grup sieci równorzędnej;C:\WINDOWS\system32\svchost.exe -k p2psvc

S3 p2pimsvc;Menedżer tożsamości sieci równorzędnej;C:\WINDOWS\system32\svchost.exe -k p2psvc

S3 p2psvc;Sieć równorzędna;C:\WINDOWS\system32\svchost.exe -k p2psvc

S3 PNRPSvc;Protokół PNRP (Peer Name Resolution Protocol);C:\WINDOWS\system32\svchost.exe -k p2psvc

S3 sony_ssm.sys;sony_ssm.sys;\??\C:\DOCUME~1\WACICI~1\USTAWI~1\Temp\sony_ssm.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

"2007-11-23 16:16:38 C:\WINDOWS\Tasks\1-Click Maintenance.job"

- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe

"2007-12-16 08:28:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-16 12:45:15

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-12-16 12:45:56 - machine was rebooted

.

2007-09-14 21:17:48 --- E O F ---

Note: when you paste a log, wrap it in a CODE or QUOTE tag

Regards, Gutek2222

Download the SDFix program

Hello

Thanks for the advice on this problem; I had the same thing too, but it worked out thanks to SDFix

SDFix: Version 1.125

Run by Administrator on 2008-01-11 at 18:35

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\SDFix

Safe Mode:

Checking Services:

Name:

kcp

Microsoft Int Service

smtpdrv

lrito6594-34a6

Path:

\??\C:\WINDOWS\system32\drivers\kcp.sys

C:\WINDOWS\system32\_svchost.exe -A

System32\DRIVERS\smtpdrv.sys

\??\C:\WINDOWS\system32\lrito6594-34a6.sys

kcp - Deleted

Microsoft Int Service - Deleted

smtpdrv - Deleted

lrito6594-34a6 - Deleted

Infected ip6fw.sys Found!

ip6fw.sys File Locations:

"C:\WINDOWS\system32\dllcache\ip6fw.sys" 29056 2004-08-03 23:00

"C:\WINDOWS\system32\drivers\ip6fw.sys" 29056 2004-08-03 23:00

Infected File Listed Below:

C:\WINDOWS\system32\drivers\ip6fw.sys

Trojan File copied to Backups Folder

Attempting to replace ip6fw.sys with original version…

Original ip6fw.sys Restored

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Restoring Missing Security Center Service

Restoring Missing SharedAccess Service

Rebooting…

Service NdisWon - Deleted after Reboot

Normal Mode:

Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\lrito6594-34a6.sys - Deleted

C:\WINDOWS\system32\Hfkr4g.dll - Deleted

C:\WINDOWS\SYSTEM32\QAQSAQAW.TMP - Deleted

C:\WINDOWS\SYSTEM32\KB9253~1.EXE - Deleted

C:\autoexcs.dll - Deleted

C:\autoexec.dll - Deleted

C:\WINDOWS\system32\*_exception.nls - Deleted

C:\WINDOWS\system32\kr_done1 - Deleted

C:\WINDOWS\system32\lrito.ini - Deleted

C:\WINDOWS\system32\svchost.t__ - Deleted

C:\WINDOWS\system32\svchost.tmp - Deleted

C:\WINDOWS\system32\svcp.csv - Deleted

C:\WINDOWS\system32\winsub.xml - Deleted

C:\WINDOWS\system32\drivers\NdisWon.sys - Deleted

Could Not Remove C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll

Folder C:\Documents and Settings\All Users\Dokumenty\Settings - Removed

Removing Temp Files…

ADS Check:

C:\WINDOWS

No streams found.

C:\WINDOWS\system32

No streams found.

C:\WINDOWS\system32\svchost.exe

No streams found.

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-11 18:42:40

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden services & system hive …

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kprof]

"Type"=dword:00000001

"Start"=dword:00000001

"ErrorControl"=dword:00000000

"ImagePath"=str(2):"\??\C:\WINDOWS\system32\kprof"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kprof\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\poof]

"Type"=dword:00000001

"Start"=dword:00000000

"ErrorControl"=dword:00000000

"ImagePath"=str(2):"system32\poof"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\poof\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sbvn49]

"Type"=dword:00000001

"Tag"=dword:00000002

"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"

"ErrorControl"=dword:00000001

"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kprof]

"Type"=dword:00000001

"Start"=dword:00000001

"ErrorControl"=dword:00000000

"ImagePath"=str(2):"\??\C:\WINDOWS\system32\kprof"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kprof\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\poof]

"Type"=dword:00000001

"Start"=dword:00000000

"ErrorControl"=dword:00000000

"ImagePath"=str(2):"system32\poof"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\poof\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Sbvn49]

"Type"=dword:00000001

"Tag"=dword:00000002

"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"

"ErrorControl"=dword:00000001

"Start"=dword:00000000

scanning hidden registry entries …

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]

"Directory"="C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]

"CachePath"="C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Cache1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]

"CachePath"="C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Cache2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]

"CachePath"="C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Cache3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]

"CachePath"="C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Cache4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

"TracesProcessed"=dword:00000040

"TracesSuccessful"=dword:00000010

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]

"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,…

scanning hidden files …

C:\WINDOWS\system32\drivers\Sbvn49.sys 185344 bytes executable

C:\WINDOWS\system32\drivers\symavc32.sys 179200 bytes executable

C:\WINDOWS\system32\kprof 7040 bytes executable

C:\WINDOWS\system32\poof 37632 bytes executable

scan completed successfully

hidden processes: 0

hidden services: 3

hidden files: 4

Remaining Services:


smtpdrv

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\bot.exe"="C:\bot.exe:*:Enabled:Windows Update"

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:


C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll Found

C:\WINDOWS\system32\*_exception.nls Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 9 Sep 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!

Regards

Change to the rules for pasting logs on the forum - viewtopic.php?f=16&t=213350

Post a new Combo log

Combo log

ComboFix 08-01-13.1 - ppp 2008-01-13 10:38:12.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.52 [GMT 1:00]

Running from: C:\Documents and Settings\ppp\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\4_exception.nls

C:\WINDOWS\system32\drivers\Dvkp75.sys

C:\WINDOWS\system32\drivers\SBVN49.sys

C:\WINDOWS\system32\drivers\symavc32.sys

C:\WINDOWS\system32\kb9253279.exe

C:\WINDOWS\system32\kb9253309.exe

C:\WINDOWS\system32\kb9253311.exe

C:\WINDOWS\system32\koos.exe

C:\WINDOWS\system32\kprof

C:\WINDOWS\system32\poof

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\LEGACY_KPROF

-------\LEGACY_NDISWON

-------\LEGACY_POOF

-------\LEGACY_RUNTIME

-------\LEGACY_SBVN49

-------\LEGACY_SMTPDRV

-------\smtpdrv

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))

.

2008-01-13 10:37 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-13 10:12 . 2008-01-13 10:12

2008-01-11 18:41 . 2008-01-11 18:41 29 --a------ C:\WINDOWS\system32\qpwaarsq.tmp

2008-01-11 18:33 . 2008-01-11 18:33

2008-01-11 18:28 . 2006-08-12 13:13

2008-01-11 18:28 . 2006-08-12 13:13

2008-01-11 18:28 . 2006-08-12 11:23

2008-01-11 18:28 . 2008-01-11 18:35

2008-01-11 18:28 . 2006-08-12 13:13

2008-01-11 18:28 . 2006-08-12 13:13

2008-01-11 18:28 . 2006-08-12 13:13

2008-01-09 21:49 . 2008-01-09 21:49 81,920 --a------ C:\WINDOWS\system32\pj116568.dll

2008-01-09 21:49 . 2008-01-09 21:49 44,686 --ah----- C:\WINDOWS\system32\pj116568.dl_

2008-01-09 16:24 . 24,832 C:\WINDOWS\system32\drivers\Txc83.sys

2008-01-07 17:40 . 2008-01-11 18:21 22 --a------ C:\autoexec.ba_

2008-01-06 21:13 . 21,760 C:\WINDOWS\Dhl58.sys

2008-01-06 13:08 . 2008-01-06 13:08

2008-01-06 13:08 . 2008-01-06 13:08 72,192 --a------ C:\bot.exe

2008-01-06 13:08 . 21,760 C:\WINDOWS\system32\drivers\Dhl58.sys

2008-01-06 12:19 . 2008-01-06 12:19 260 --a------ C:\WINDOWS\AUDOZ3_0.INI

2007-12-19 23:10 . 2008-01-03 23:03

2007-12-13 22:59 . 2007-12-13 22:59

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-10 21:52 --------- d-----w C:\Program Files\Google

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{474597C5-AB09-49d6-A4D5-2E8D7341384E}]

2007-12-02 15:12 394672 --a------ C:\Program Files\iMesh Applications\iMesh MediaBar\iMeshIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-03 23:55 1667584]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-09-14 16:49 1672904]

"RSSNewser"="C:\Documents and Settings\ppp\Dane aplikacji\RSSNewser\RSSNewser.exe" [2006-10-06 17:38 7400801]

"Paseczek"="C:\Program Files\Paseczek\Paseczek.exe" [2006-09-18 23:15 1454592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2003-04-02 03:20 12288]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-15 14:17 4624384]

"nwiz"="nwiz.exe" [2004-11-15 14:17 921600 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-11-15 14:17 86016]

"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-10-15 06:10 81990]

"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 02:11 135251]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10 49263]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-20 09:54 98304]

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\partnershipreg]

C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll 2008-01-06 13:08 13201 C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Dhl58.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Txc83.sys]

@="Driver"

R0 AFPAnsi;G-DATA Ukrywacz Ansi;C:\WINDOWS\system32\Drivers\AFPAnsi.sys [2002-10-09 14:53]

R0 Dhl58;Dhl58;C:\WINDOWS\system32\Drivers\Dhl58.sys []

R0 FO_PAnt;FotoOffice VirtualDisc Driver;C:\WINDOWS\system32\Drivers\FO_PAnt.sys [2003-07-17 13:56]

R0 Txc83;Txc83;C:\WINDOWS\system32\Drivers\Txc83.sys []

R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2003-04-08 08:56]

R3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 22:08]

S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2006-02-17 20:34]

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 10:46:34

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe

- C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll

.

Completion time: 2008-01-13 10:51:47 - machine was rebooted [ppp]

ComboFix-quarantined-files.txt 2008-01-13 09:51:33

And what next? :) Because something still doesn't seem quite right with the computer; McAfee shows a message at startup

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.52 [GMT 1:00]Running from: C:\Documents and Settings\ppp\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\4_exception.nls

C:\WINDOWS\system32\drivers\Dvkp75.sys

C:\WINDOWS\system32\drivers\SBVN49.sys

C:\WINDOWS\system32\drivers\symavc32.sys

C:\WINDOWS\system32\kb9253279.exe

C:\WINDOWS\system32\kb9253309.exe

C:\WINDOWS\system32\kb9253311.exe

C:\WINDOWS\system32\koos.exe

C:\WINDOWS\system32\kprof

C:\WINDOWS\system32\poof

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\LEGACY_KPROF

-------\LEGACY_NDISWON

-------\LEGACY_POOF

-------\LEGACY_RUNTIME

-------\LEGACY_SBVN49

-------\LEGACY_SMTPDRV

-------\smtpdrv

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))

.

2008-01-13 10:37 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-13 10:12 . 2008-01-13 10:12

2008-01-11 18:41 . 2008-01-11 18:41 29 --a------ C:\WINDOWS\system32\qpwaarsq.tmp

2008-01-11 18:33 . 2008-01-11 18:33

2008-01-11 18:28 . 2006-08-12 13:13

2008-01-11 18:28 . 2006-08-12 13:13

2008-01-11 18:28 . 2006-08-12 11:23

2008-01-11 18:28 . 2008-01-11 18:35

2008-01-11 18:28 . 2006-08-12 13:13

2008-01-11 18:28 . 2006-08-12 13:13

2008-01-11 18:28 . 2006-08-12 13:13

2008-01-09 21:49 . 2008-01-09 21:49 81,920 --a------ C:\WINDOWS\system32\pj116568.dll

2008-01-09 21:49 . 2008-01-09 21:49 44,686 --ah----- C:\WINDOWS\system32\pj116568.dl_

2008-01-09 16:24 . 24,832 C:\WINDOWS\system32\drivers\Txc83.sys

2008-01-07 17:40 . 2008-01-11 18:21 22 --a------ C:\autoexec.ba_

2008-01-06 21:13 . 21,760 C:\WINDOWS\Dhl58.sys

2008-01-06 13:08 . 2008-01-06 13:08

2008-01-06 13:08 . 2008-01-06 13:08 72,192 --a------ C:\bot.exe

2008-01-06 13:08 . 21,760 C:\WINDOWS\system32\drivers\Dhl58.sys

2008-01-06 12:19 . 2008-01-06 12:19 260 --a------ C:\WINDOWS\AUDOZ3_0.INI

2007-12-19 23:10 . 2008-01-03 23:03

2007-12-13 22:59 . 2007-12-13 22:59

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-10 21:52 --------- d-----w C:\Program Files\Google

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{474597C5-AB09-49d6-A4D5-2E8D7341384E}]

2007-12-02 15:12 394672 --a------ C:\Program Files\iMesh Applications\iMesh MediaBar\iMeshIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-03 23:55 1667584]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-09-14 16:49 1672904]

"RSSNewser"="C:\Documents and Settings\ppp\Dane aplikacji\RSSNewser\RSSNewser.exe" [2006-10-06 17:38 7400801]

"Paseczek"="C:\Program Files\Paseczek\Paseczek.exe" [2006-09-18 23:15 1454592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2003-04-02 03:20 12288]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-15 14:17 4624384]

"nwiz"="nwiz.exe" [2004-11-15 14:17 921600 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-11-15 14:17 86016]

"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-10-15 06:10 81990]

"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 02:11 135251]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10 49263]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-20 09:54 98304]

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\partnershipreg]

C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll 2008-01-06 13:08 13201 C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Dhl58.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Txc83.sys]

@="Driver"

R0 AFPAnsi;G-DATA Ukrywacz Ansi;C:\WINDOWS\system32\Drivers\AFPAnsi.sys [2002-10-09 14:53]

R0 Dhl58;Dhl58;C:\WINDOWS\system32\Drivers\Dhl58.sys []

R0 FO_PAnt;FotoOffice VirtualDisc Driver;C:\WINDOWS\system32\Drivers\FO_PAnt.sys [2003-07-17 13:56]

R0 Txc83;Txc83;C:\WINDOWS\system32\Drivers\Txc83.sys []

R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2003-04-08 08:56]

R3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 22:08]

S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2006-02-17 20:34]

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 10:46:34

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe

  • C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll

.

Completion time: 2008-01-13 10:51:47 - machine was rebooted [ppp]

ComboFix-quarantined-files.txt 2008-01-13 09:51:33

And what next? Because it's apparently still not quite OK: McAfee shows a message about smtdrv.sys having been removed from windows/system32, and the start page changes to the Imech search engine. I don't know how to write the script now, because I think it has to be copied into Combo and run again. Thanks for the help.

Sorry for posting the log on the forum.

http://wklej.org/id/0ed0a020f0

And one more, from fixwareout:

http://wklej.org/id/40de7f2047

Regards

Paste into Notepad:

```
File::
C:\WINDOWS\system32\qpwaarsq.tmp
C:\autoexec.ba_
C:\WINDOWS\Dhl58.sys
C:\WINDOWS\system32\drivers\Dhl58.sys
C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll
C:\WINDOWS\system32\Drivers\Txc83.sys

Driver::
Dhl58
Txc83

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\partnershipreg]
```

>> File >> Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon). Drag and drop the CFScript.txt file onto ComboFix.exe (that is, the CFScript.txt icon onto the ComboFix.exe icon), as shown in this image: 88953CFScript-createdbyMiekiemoes.gif