Rootkit - nie mogę zainstalować/odinstalować antywirusow

kephas · 6 Wrzesień 2007 21:54

Witam,

Złapałem (właściwie to moje dzieciaki) virusa, który zablokował możliwość instalacji/odinstalowania programów antywirusowych. Widziałem podobne wątki z tym samym problemem, ale jak sądzę każda sprawa jest nieco inna. Poniżej daję logi i proszę o pomoc w naprawieniu sytuacji. Nie chciałbym czegoś skopać a mam dużo rodzinnych zdjęć w kompie i ryzyko związane z osobistym “grzebaniem” mnie - laika - jest zbyt duże.

Pozdrawiam

Piotr

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 23:44:49, on 2007-09-06 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Spyware Terminator\sp_rsser.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\explorer.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Downloads\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - D:\Programy\Sidebar\sbhelp.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” O4 - HKLM…\Run: [spywareTerminator] “C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe” O4 - HKLM…\Run: [!AVG Anti-Spyware] “F:\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKLM…\Run: [AVPDWIN] “C:\Program Files\Panda Software\Panda Demo\pandasft.exe” O4 - HKLM…\Run: [LanzarL2007] “C:\DOCUME~1\Dom\USTAWI~1\Temp{AE34FB1F-A124-47FF-BDF6-E458A0F329AB}{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}…\L2007tmp\Setup.exe” /SETUP:"/l0x0015" O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Rainlendar2] D:\Programy\Rainlendar2\Rainlendar2.exe O4 - HKCU…\Run: [Desktop calendar] D:\Programy\Rainlendar2\Rainlendar2.exe O4 - HKCU…\Run: [AlcoholAutomount] “C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe” /automount O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O4 - Startup: Stardock ObjectDock.lnk = D:\Programy\ObjectDock\ObjectDock.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone - szybkie uruchamianie.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_all.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - D:\Programy\Sidebar\sbhelp.dll O9 - Extra ‘Tools’ menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - D:\Programy\Sidebar\sbhelp.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing) O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing) O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra ‘Tools’ menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar … vSniff.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc … oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 7622240460 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 7626553913 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game01.zylom.com/activex/zylomgamesplayer.cab O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe O23 - Service: SonicStage SCSI Service (SSScsiSV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (file missing) O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

Złączono Posta : 07.09.2007 (Pią) 0:05

ComboFix 07-08-30.3 - “Dom” 2007-09-06 23:58:05.2 - NTFS x86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.393 [GMT 2:00] ADS removed - C:\WINDOWS\system32\ntoskrnl.exe: Nie można odnaleźć określonego pliku. ((((((((((((((((((((((((( Files Created from 2007-08-06 to 2007-09-06 ))))))))))))))))))))))))))))))) 2007-09-06 23:16 2007-09-06 07:07 2,182,272 --a–c— C:\WINDOWS\system32\dllcache\ntoskrnl.exe 2007-09-06 04:04 2007-09-06 03:58 2007-09-06 03:36 2007-09-06 03:09 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-09-06 02:35 2007-09-06 02:35 2007-09-06 02:28 2007-09-06 02:07 2007-09-06 00:43 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys 2007-09-06 00:42 2007-09-06 00:42 2007-09-05 23:54 2007-09-05 23:54 2007-09-05 23:50 2007-09-02 07:57 2007-08-31 20:40 2007-08-17 16:33 737,280 --a------ C:\WINDOWS\iun6002.exe 2007-08-17 16:31 2007-08-10 01:12 2007-08-10 01:10 2007-08-08 00:27 2007-08-07 23:19 2007-08-07 19:14 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-09-06 23:16 --------- d–h----- C:\Program Files\InstallShield Installation Information 2007-09-06 00:55 --------- d-------- C:\Program Files\iTunes 2007-09-06 00:22 --------- d-------- C:\Program Files\TurboGo 2007-09-05 23:53 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-08-07 23:34 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys 2007-08-05 00:11 --------- d-------- C:\Program Files\EA GAMES 2007-08-05 00:07 --------- d-------- C:\Program Files\Alcohol Soft 2007-08-05 00:03 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll 2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll 2007-07-28 00:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe 2007-07-28 00:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2007-07-28 00:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2007-07-28 00:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2007-07-27 23:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2007-07-27 23:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2007-07-27 23:57 95608 --a------ C:\WINDOWS\system32\AvastSS.scr 2007-07-20 00:57 267112 --a------ C:\WINDOWS\system32\xactengine2_9.dll 2007-07-20 00:54 18280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll 2007-07-19 18:14 444776 --a------ C:\WINDOWS\system32\d3dx10_35.dll 2007-07-19 18:14 3727720 --a------ C:\WINDOWS\system32\d3dx9_35.dll 2007-07-19 18:14 1358192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll 2007-07-01 17:08 1 --a------ C:\WINDOWS\system32\SI.bin 2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll 2007-06-20 20:46 266088 --a------ C:\WINDOWS\system32\xactengine2_8.dll 2007-06-19 15:32 282112 --a------ C:\WINDOWS\system32\gdi32.dll 2007-06-13 15:23 1034752 --a------ C:\WINDOWS\explorer.exe 2005-05-11 23:36 12288 --a------ C:\WINDOWS\Fonts.\RandFont.dll 1999-05-17 14:58 99840 --a------ C:\Program Files\Common Files\IRAABOUT.DLL 1998-12-09 03:53 70144 --a------ C:\Program Files\Common Files\IRAMDMTR.DLL 1998-12-09 03:53 48640 --a------ C:\Program Files\Common Files\IRALPTTR.DLL 1998-12-09 03:53 31744 --a------ C:\Program Files\Common Files\IRAWEBTR.DLL 1998-12-09 03:53 186368 --a------ C:\Program Files\Common Files\IRAREG.DLL 1998-12-09 03:53 17920 --a------ C:\Program Files\Common Files\IRASRIAL.DLL ((((((((((((((((((((((((((((( snapshot_2007-09-06_ 31319,37 ))))))))))))))))))))))))))))))))))))))))) ----a-w 141,424 2006-08-24 06:28:54 C:\WINDOWS\Downloaded Program Files\asinst.dll ----a-w 231,072 2006-05-17 12:32:30 C:\WINDOWS\Downloaded Program Files\avsniff.dll ----a-w 198,304 2006-05-17 12:32:32 C:\WINDOWS\Downloaded Program Files\avsniffdlgs.dll ----a-w 537,704 2006-05-17 12:26:10 C:\WINDOWS\Downloaded Program Files\AXXPEE.dll ----a-w 500,120 2007-05-07 14:38:46 C:\WINDOWS\Downloaded Program Files\daas_s.dll ----a-w 42,112 2006-05-17 12:26:12 C:\WINDOWS\Downloaded Program Files\ecmldr32.dll ----a-w 284,016 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\ecmsvr32.dll ----a-w 192,920 2007-05-07 14:39:00 C:\WINDOWS\Downloaded Program Files\fsauc.dll ----a-w 254,360 2007-05-07 14:39:24 C:\WINDOWS\Downloaded Program Files\fscax.dll ----a-w 201,896 2006-05-17 12:28:00 C:\WINDOWS\Downloaded Program Files\navapi32.dll ----a-w 124,272 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\naveng32.dll ----a-w 914,800 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\navex32a.dll ----a-w 161,480 2006-05-17 12:32:42 C:\WINDOWS\Downloaded Program Files\rufsi.dll ----a-w 97,744 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\scrauth.dat ----a-w 396,845 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\tcdefs.dat ----a-w 1,773,316 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\tcscan7.dat ----a-w 386,194 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\tcscan8.dat ----a-w 899,759 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\tcscan9.dat ----a-w 67,619 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\tscan1.dat ----a-w 3,240 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\tscan1hd.dat ----a-w 992,973 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan1.dat ----a-w 570,702 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan2.dat ----a-w 149,996 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan3.dat ----a-w 320,253 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan4.dat ----a-w 4,403,699 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan5.dat ----a-w 391,763 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan6.dat ----a-w 11,763,158 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan7.dat ----a-w 1,798,654 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan8.dat ----a-w 4,906,582 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan9.dat ----a-w 73,728 2006-08-02 10:39:06 C:\WINDOWS\system32\asuninst.exe ----a-w 11,776 2003-03-25 16:53:50 C:\WINDOWS\system32\ZPORT4AS.dll ----a-w 110,592 2007-03-29 07:20:50 C:\WINDOWS\system32\ActiveScan\as.dll ----a-w 233,472 2006-10-05 14:15:26 C:\WINDOWS\system32\ActiveScan\ascontrol.dll ----a-w 96,256 2005-06-03 12:03:18 C:\WINDOWS\system32\ActiveScan\asmdat.dll ----a-w 36,864 2003-08-01 09:00:16 C:\WINDOWS\system32\ActiveScan\certdll.dll ----a-w 86,016 2005-05-20 11:42:44 C:\WINDOWS\system32\ActiveScan\instlsp.dll ----a-w 4,608 2006-02-16 16:20:20 C:\WINDOWS\system32\ActiveScan\memvfile.dll ----a-w 348,160 2005-10-25 16:08:32 C:\WINDOWS\system32\ActiveScan\msvcr71.dll ----a-w 139,264 2004-05-04 13:01:02 C:\WINDOWS\system32\ActiveScan\pavaleas.dll ----a-w 45,056 2006-07-14 11:04:10 C:\WINDOWS\system32\ActiveScan\pavdr.exe ----a-w 159,832 2006-04-10 08:50:02 C:\WINDOWS\system32\ActiveScan\pavexcom.dll ----a-w 94,208 2006-02-14 11:05:38 C:\WINDOWS\system32\ActiveScan\pavinas.dll ----a-w 180,224 2006-02-16 16:35:38 C:\WINDOWS\system32\ActiveScan\pavoe.dll ----a-w 122,880 2006-10-05 14:15:38 C:\WINDOWS\system32\ActiveScan\pavpz.dll ----a-w 8,704 2006-06-30 12:13:38 C:\WINDOWS\system32\ActiveScan\pfdnnt.exe ----a-w 49,152 2004-02-04 12:08:42 C:\WINDOWS\system32\ActiveScan\port32.dll ----a-w 69,632 2006-08-01 11:23:10 C:\WINDOWS\system32\ActiveScan\pscpu.dll ----a-w 1,388,544 2006-08-23 11:06:08 C:\WINDOWS\system32\ActiveScan\pskahk.dll ----a-w 10,752 2006-08-17 09:38:14 C:\WINDOWS\system32\ActiveScan\pskalloc.dll ----a-w 61,440 2006-09-04 09:49:54 C:\WINDOWS\system32\ActiveScan\pskas.dll ----a-w 779,264 2006-08-18 06:46:18 C:\WINDOWS\system32\ActiveScan\pskavs.dll ----a-w 417,792 2007-03-26 12:25:34 C:\WINDOWS\system32\ActiveScan\pskcmp.dll ----a-w 90,112 2006-08-09 08:42:24 C:\WINDOWS\system32\ActiveScan\pskfss.dll ----a-w 208,896 2006-07-19 08:55:58 C:\WINDOWS\system32\ActiveScan\pskhtml.dll ----a-w 9,728 2006-01-20 14:57:00 C:\WINDOWS\system32\ActiveScan\pskmas.dll ----a-w 14,336 2006-05-17 07:50:12 C:\WINDOWS\system32\ActiveScan\pskmdfs.dll ----a-w 33,280 2006-08-16 08:58:12 C:\WINDOWS\system32\ActiveScan\pskpack.dll ----a-w 266,240 2006-06-30 12:42:36 C:\WINDOWS\system32\ActiveScan\pskscs.dll ----a-w 62,976 2006-08-17 12:33:14 C:\WINDOWS\system32\ActiveScan\pskutil.dll ----a-w 13,312 2006-08-08 11:13:10 C:\WINDOWS\system32\ActiveScan\pskvfile.dll ----a-w 69,632 2006-08-18 06:53:08 C:\WINDOWS\system32\ActiveScan\pskvfs.dll ----a-w 167,936 2006-08-18 06:49:50 C:\WINDOWS\system32\ActiveScan\pskvm.dll ----a-w 353,840 2007-04-18 15:16:04 C:\WINDOWS\system32\ActiveScan\psscan.dll ----a-w 35,328 2007-01-22 12:42:48 C:\WINDOWS\system32\ActiveScan\rawvfile.dll ----a-w 9,488 1997-09-18 04:12:32 C:\WINDOWS\system32\ActiveScan\sporder.dll ----a-w 69,632 2006-02-28 15:23:40 C:\WINDOWS\system32\ActiveScan\tcpvfile.dll ----a-w 213,048 2005-05-16 17:34:48 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll ----a-w 65,536 2006-03-20 11:17:24 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe ----a-w 798,720 2006-03-20 11:17:20 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-04-27 09:41] “HPHUPD08”=“C:\Program Files\HP\Digital Imaging{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe” [2005-06-01 18:35] “HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2005-05-11 23:12] “Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-05-11 03:06] “SpywareTerminator”=“C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe” [2007-09-06 00:42] “!AVG Anti-Spyware”=“F:\AVG Anti-Spyware 7.5\avgas.exe” [2007-06-11 11:25] “AVPDWIN”=“C:\Program Files\Panda Software\Panda Demo\pandasft.exe” [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 09:44] “Rainlendar2”=“D:\Programy\Rainlendar2\Rainlendar2.exe” [] “Desktop calendar”=“D:\Programy\Rainlendar2\Rainlendar2.exe” [] “AlcoholAutomount”=“C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe” [2007-07-02 12:27] C:\DOCUME~1\Dom\MENUST~1\Programy\AUTOST~1\ Stardock ObjectDock.lnk - D:\Programy\ObjectDock\ObjectDock.exe [2007-05-06 18:35:37] SafeBoot registry key needs repairs. This machine cannot enter Safe Mode. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system] @=“Driver Group” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs] @=“Service” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys] @=“Driver” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E967-E325-11CE-BFC1-08002BE10318}] @=“DiskDrive” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96A-E325-11CE-BFC1-08002BE10318}] @=“Hdc” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96B-E325-11CE-BFC1-08002BE10318}] @=“Keyboard” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96F-E325-11CE-BFC1-08002BE10318}] @=“Mouse” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E97D-E325-11CE-BFC1-08002BE10318}] @=“System” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{71A27CDD-812A-11D0-BEC7-08002BE2092F}] @=“Volume” [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] “Gadu-Gadu”=“D:\Internet\Gadu-Gadu\gg.exe” /tray [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” R1 sp_rsdrv2;Spyware Terminator Driver 2;??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs UxTuneUp *Newly Created Service* - CATCHME *Newly Created Service* - DMADMIN *Newly Created Service* - GMER *Newly Created Service* - NTMSSVC Contents of the ‘Scheduled Tasks’ folder 2007-08-31 15:19:40 C:\WINDOWS\Tasks\1-Click Maintenance.job - D:\Programy\Windows Utilities\SystemOptimizer.exe 2007-08-31 11:44:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-07 00:01:07 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “mule_st_key”=“C:\Documents and Settings\Dom\Dane aplikacji\m\flec006.exe” [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\srosa] “ImagePath”="??\C:\WINDOWS\system32\drivers\srosa.sys" Completion time: 2007-09-07 0:02:34 C:\ComboFix-quarantined-files.txt … 2007-09-07 00:02 C:\ComboFix2.txt … 2007-09-06 03:14 — E O F —

Złączono Posta : 07.09.2007 (Pią) 0:18

“Silent Runners.vbs”, revision 52, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “Rainlendar2” = “D:\Programy\Rainlendar2\Rainlendar2.exe” [file not found] “Desktop calendar” = “D:\Programy\Rainlendar2\Rainlendar2.exe” [file not found] “AlcoholAutomount” = ““C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe” /automount” [“Alcohol Soft Development Team”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Inc.”] “HPHUPD08” = “C:\Program Files\HP\Digital Imaging{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe” [“Hewlett-Packard”] “HP Software Update” = “C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Co.”] “Adobe Reader Speed Launcher” = ““C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”” [“Adobe Systems Incorporated”] “SpywareTerminator” = ““C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe”” [“Crawler.com”] “!AVG Anti-Spyware” = ““F:\AVG Anti-Spyware 7.5\avgas.exe” /minimized” [“GRISOFT s.r.o.”] “AVPDWIN” = ““C:\Program Files\Panda Software\Panda Demo\pandasft.exe”” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}(Default) = “flashget urlcatch” -> {HKLM…CLSID} = “FGCatchUrl” \InProcServer32(Default) = “C:\Program Files\FlashGet\jccatch.dll” [“www.flashget.com”] {45AD732C-2CE2-4666-B366-B2214AD57A49}(Default) = “Idea2 SidebarBrowserMonitor Class” -> {HKLM…CLSID} = “Idea2 SidebarBrowserMonitor Class” \InProcServer32(Default) = “D:\Programy\Sidebar\sbhelp.dll” [“Idea2”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [“Sun Microsystems, Inc.”] {F156768E-81EF-470C-9057-481BA8380DBA}(Default) = (no title provided) -> {HKLM…CLSID} = “FlashGet GetFlash Class” \InProcServer32(Default) = “C:\Program Files\FlashGet\getflash.dll” [“www.flashget.com”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{59850401-6664-101B-B21C-00AA004BA90B}” = “Microsoft Office Binder Unbind” -> {HKLM…CLSID} = “Microsoft Office Binder Unbind” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}” = “TuneUp Shredder Shell Extension” -> {HKLM…CLSID} = “TuneUp Shredder Shell Extension” \InProcServer32(Default) = “D:\Programy\Windows Utilities\SDShelEx-win32.dll” [“TuneUp Software GmbH”] “{44440D00-FF19-4AFC-B765-9A0970567D97}” = “TuneUp Theme Extension” -> {HKLM…CLSID} = “TuneUp Theme Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\uxtuneup.dll” [“TuneUp Software GmbH”] “{F2185E5D-720E-4956-90D9-75F6AC141575}” = “Idea2 SidebarIconHandler Class” -> {HKLM…CLSID} = “SidebarIconHandler Class” \InProcServer32(Default) = “D:\Programy\Sidebar\sbhelp.dll” [“Idea2”] “{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes” -> {HKLM…CLSID} = “iTunes” \InProcServer32(Default) = “C:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Inc.”] “{BD88A479-9623-4897-8546-BC62B9628F44}” = “SPTHandler” -> {HKLM…CLSID} = “SPTHandler” \InProcServer32(Default) = “C:\Program Files\Spyware Terminator\sptcontmenu.dll” [“Crawler.com”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “AVG Anti-Spyware 7.5” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “F:\AVG Anti-Spyware 7.5\shellexecutehook.dll” [“GRISOFT s.r.o.”] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}” -> {HKLM…CLSID} = “WPDShServiceObj Class” \InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS] HKLM\System\CurrentControlSet\Control\Session Manager\ <> “BootExecute” = “autocheck autochk *”|“lsdelete” [null data]| [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “F:\AVG Anti-Spyware 7.5\context.dll” [“GRISOFT s.r.o.”] SPTContMenu(Default) = “{BD88A479-9623-4897-8546-BC62B9628F44}” -> {HKLM…CLSID} = “SPTHandler” \InProcServer32(Default) = “C:\Program Files\Spyware Terminator\sptcontmenu.dll” [“Crawler.com”] TuneUp Shredder Shell Extension(Default) = “{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}” -> {HKLM…CLSID} = “TuneUp Shredder Shell Extension” \InProcServer32(Default) = “D:\Programy\Windows Utilities\SDShelEx-win32.dll” [“TuneUp Software GmbH”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “F:\AVG Anti-Spyware 7.5\context.dll” [“GRISOFT s.r.o.”] TuneUp Shredder Shell Extension(Default) = “{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}” -> {HKLM…CLSID} = “TuneUp Shredder Shell Extension” \InProcServer32(Default) = “D:\Programy\Windows Utilities\SDShelEx-win32.dll” [“TuneUp Software GmbH”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ SPTContMenu(Default) = “{BD88A479-9623-4897-8546-BC62B9628F44}” -> {HKLM…CLSID} = “SPTHandler” \InProcServer32(Default) = “C:\Program Files\Spyware Terminator\sptcontmenu.dll” [“Crawler.com”] HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ SPTContMenu(Default) = “{BD88A479-9623-4897-8546-BC62B9628F44}” -> {HKLM…CLSID} = “SPTHandler” \InProcServer32(Default) = “C:\Program Files\Spyware Terminator\sptcontmenu.dll” [“Crawler.com”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Dom\Dane aplikacji\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp” Startup items in “Dom” & “All Users” startup folders: ----------------------------------------------------- C:\Documents and Settings\Dom\Menu Start\Programy\Autostart “Stardock ObjectDock” -> shortcut to: “D:\Programy\ObjectDock\ObjectDock.exe” [“Stardock”] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “HP Digital Imaging Monitor” -> shortcut to: “C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe” [“Hewlett-Packard Co.”] “HP Image Zone - szybkie uruchamianie” -> shortcut to: “C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe -s” [null data] Enabled Scheduled Tasks: ------------------------ “1-Click Maintenance” -> launches: “D:\Programy\Windows Utilities\SystemOptimizer.exe /schedulestart” [“TuneUp Software GmbH”] “AppleSoftwareUpdate” -> launches: “C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task” [“Apple Computer, Inc.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.6.0_01” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.6.0_01” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll” [“Sun Microsystems, Inc.”] {09FE188B-6E85-479E-9411-51FB2220DF80}\ “ButtonText” = “Subscribe in Desktop Sidebar” “MenuText” = “Subscribe in Desktop Sidebar” “CLSIDExtension” = “{45AD732C-2CE2-4666-B366-B2214AD57A49}” -> {HKLM…CLSID} = “Idea2 SidebarBrowserMonitor Class” \InProcServer32(Default) = “D:\Programy\Sidebar\sbhelp.dll” [“Idea2”] {85D1F590-48F4-11D9-9669-0800200C9A66}\ “MenuText” = “Uninstall BitDefender Online Scanner v8” “Exec” = “%windir%\bdoscandel.exe” [file not found] {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ “ButtonText” = “FlashGet” “MenuText” = “FlashGet” “Exec” = “C:\Program Files\FlashGet\FlashGet.exe” [“FlashGet.com”] {E2E2DD38-D088-4134-82B7-F2BA38496583}\ “MenuText” = “@xpsp3res.dll,-20001” “Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Miscellaneous IE Hijack Points ------------------------------ HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ <> “TuneUp” = “file://C|/Documents and Settings/All Users/Dane aplikacji/TuneUp Software/Common/base.css” [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ad-Aware 2007 Service, aawservice, ““C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe”” [“Lavasoft AB”] Spyware Terminator Realtime Shield Service, sp_rssrv, ““C:\Program Files\Spyware Terminator\sp_rsser.exe”” [“Crawler.com”] TuneUp Design Expansion, UxTuneUp, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\uxtuneup.dll” [“TuneUp Software GmbH”]} Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ OLFax Ports\Driver = “OLFMNT40.DLL” [MS] PCL Language Monitor\Driver = “hpz3l3xu.dll” [“Hewlett-Packard Company”] ---------- (launch time: 2007-09-07 00:11:00) <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 120 seconds. ---------- (total run time: 233 seconds)

Gutek · 6 Wrzesień 2007 22:22

Pobierz program SDFix

kephas · 6 Wrzesień 2007 22:33

Najpierw muszę ten tryb awaryjny przywrócić - za cholerę nie chce mnie tam wpuścić (automatycznie się resetuje).

Gutek · 6 Wrzesień 2007 22:35

kephas · 6 Wrzesień 2007 23:32

temp oczyściłem, sdfix wyrzucal komunikaty, że nie może znaleźć plików test???.txt

czy powinienem coś zrobić ponadto?

SDFix: Version 1.102 Run by Administrator on 2007-09-07 at 01:07 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\sdfix\SDFix Safe Mode: Checking Services: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Normal Mode: Checking Files: No Trojan Files Found Removing Temp Files… ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] “C:\Program Files\FlashGet\flashget.exe”=“C:\Program Files\FlashGet\flashget.exe:*:Enabled:FlashGet” [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] Remaining Files: --------------- Files with Hidden Attributes: C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp C:\Documents and Settings\Dom\Dane aplikacji\Microsoft\Word~WRL0005.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL0002.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL0003.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL0004.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL0005.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL0006.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL0007.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL0256.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL0261.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL0396.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL0780.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL0976.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL1071.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL1681.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL1705.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL1914.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL1955.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL2085.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL2236.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL2407.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL2849.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL2856.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL2974.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL3074.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL3126.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL3128.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL3227.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL3252.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL3296.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL3335.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL3342.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL3345.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL3404.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL3468.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL3520.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL3576.tmp C:\Documents and Settings\Dom\Moje dokumenty\Lukasz\SamorzĄd 2006 SSP 1 STO Warszawa\Gazetka\Wakacje~WRL3817.tmp C:\Program Files\InterActual\InterActual Player\iti154.tmp C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\c3d1ac703af22ad23576d007bc6ee098\BIT1.tmp Finished

Złączono Posta : 07.09.2007 (Pią) 2:07

pusciłem jeszcze combofix (raport poniżej) - rozumiem, że jestem wyleczony?

ComboFix 07-08-30.3 - “Dom” 2007-09-07 1:54:32.3 - NTFS x86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.465 [GMT 2:00] ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_SROSA -------\srosa ((((((((((((((((((((((((( Files Created from 2007-08-06 to 2007-09-06 ))))))))))))))))))))))))))))))) 2007-09-07 01:03 2007-09-06 23:16 2007-09-06 07:07 2,181,632 --a–c— C:\WINDOWS\system32\dllcache\ntoskrnl.exe 2007-09-06 04:04 2007-09-06 03:58 2007-09-06 03:36 2007-09-06 03:09 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-09-06 02:35 2007-09-06 02:28 2007-09-06 02:07 2007-09-06 00:43 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys 2007-09-06 00:42 2007-09-06 00:42 2007-09-05 23:54 2007-09-05 23:54 2007-09-05 23:50 2007-09-02 07:57 2007-08-31 20:40 2007-08-17 16:33 737,280 --a------ C:\WINDOWS\iun6002.exe 2007-08-17 16:31 2007-08-10 01:12 2007-08-10 01:10 2007-08-08 00:27 2007-08-07 23:19 2007-08-07 19:14 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-09-06 23:16 --------- d–h----- C:\Program Files\InstallShield Installation Information 2007-09-06 00:55 --------- d-------- C:\Program Files\iTunes 2007-09-06 00:22 --------- d-------- C:\Program Files\TurboGo 2007-09-05 23:53 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-08-07 23:34 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys 2007-08-05 00:11 --------- d-------- C:\Program Files\EA GAMES 2007-08-05 00:07 --------- d-------- C:\Program Files\Alcohol Soft 2007-08-05 00:03 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll 2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll 2007-07-28 00:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe 2007-07-28 00:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2007-07-28 00:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2007-07-28 00:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2007-07-27 23:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2007-07-27 23:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2007-07-27 23:57 95608 --a------ C:\WINDOWS\system32\AvastSS.scr 2007-07-20 00:57 267112 --a------ C:\WINDOWS\system32\xactengine2_9.dll 2007-07-20 00:54 18280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll 2007-07-19 18:14 444776 --a------ C:\WINDOWS\system32\d3dx10_35.dll 2007-07-19 18:14 3727720 --a------ C:\WINDOWS\system32\d3dx9_35.dll 2007-07-19 18:14 1358192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll 2007-07-01 17:08 1 --a------ C:\WINDOWS\system32\SI.bin 2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll 2007-06-20 20:46 266088 --a------ C:\WINDOWS\system32\xactengine2_8.dll 2007-06-19 15:32 282112 --a------ C:\WINDOWS\system32\gdi32.dll 2007-06-13 15:23 1034752 --a------ C:\WINDOWS\explorer.exe 2005-05-11 23:36 12288 --a------ C:\WINDOWS\Fonts.\RandFont.dll 1999-05-17 14:58 99840 --a------ C:\Program Files\Common Files\IRAABOUT.DLL 1998-12-09 03:53 70144 --a------ C:\Program Files\Common Files\IRAMDMTR.DLL 1998-12-09 03:53 48640 --a------ C:\Program Files\Common Files\IRALPTTR.DLL 1998-12-09 03:53 31744 --a------ C:\Program Files\Common Files\IRAWEBTR.DLL 1998-12-09 03:53 186368 --a------ C:\Program Files\Common Files\IRAREG.DLL 1998-12-09 03:53 17920 --a------ C:\Program Files\Common Files\IRASRIAL.DLL ((((((((((((((((((((((((((((( snapshot_2007-09-06_ 31319,37 ))))))))))))))))))))))))))))))))))))))))) ----a-w 2,180,864 2005-03-02 18:14:56 C:\WINDOWS$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe ----a-w 725,728 2005-02-24 17:36:08 C:\WINDOWS$hf_mig$\KB890859\update\update.exe ----a-w 2,183,424 2007-02-28 16:09:25 C:\WINDOWS$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe ----a-w 723,680 2005-10-12 23:21:33 C:\WINDOWS$hf_mig$\KB931784\update\update.exe -c----w 317,440 2006-12-01 09:45:28 C:\WINDOWS$NtUninstallKB939683$\unregmp2.exe -c----w 216,288 2005-06-28 08:23:38 C:\WINDOWS$NtUninstallKB939683$\spuninst\spuninst.exe -c----w 371,424 2005-06-28 08:23:54 C:\WINDOWS$NtUninstallKB939683$\spuninst\updspapi.dll ----a-w 141,424 2006-08-24 06:28:54 C:\WINDOWS\Downloaded Program Files\asinst.dll ----a-w 231,072 2006-05-17 12:32:30 C:\WINDOWS\Downloaded Program Files\avsniff.dll ----a-w 198,304 2006-05-17 12:32:32 C:\WINDOWS\Downloaded Program Files\avsniffdlgs.dll ----a-w 537,704 2006-05-17 12:26:10 C:\WINDOWS\Downloaded Program Files\AXXPEE.dll ----a-w 500,120 2007-05-07 14:38:46 C:\WINDOWS\Downloaded Program Files\daas_s.dll ----a-w 42,112 2006-05-17 12:26:12 C:\WINDOWS\Downloaded Program Files\ecmldr32.dll ----a-w 284,016 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\ecmsvr32.dll ----a-w 192,920 2007-05-07 14:39:00 C:\WINDOWS\Downloaded Program Files\fsauc.dll ----a-w 254,360 2007-05-07 14:39:24 C:\WINDOWS\Downloaded Program Files\fscax.dll ----a-w 201,896 2006-05-17 12:28:00 C:\WINDOWS\Downloaded Program Files\navapi32.dll ----a-w 124,272 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\naveng32.dll ----a-w 914,800 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\navex32a.dll ----a-w 161,480 2006-05-17 12:32:42 C:\WINDOWS\Downloaded Program Files\rufsi.dll ----a-w 97,744 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\scrauth.dat ----a-w 396,845 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\tcdefs.dat ----a-w 1,773,316 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\tcscan7.dat ----a-w 386,194 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\tcscan8.dat ----a-w 899,759 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\tcscan9.dat ----a-w 67,619 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\tscan1.dat ----a-w 3,240 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\tscan1hd.dat ----a-w 992,973 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan1.dat ----a-w 570,702 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan2.dat ----a-w 149,996 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan3.dat ----a-w 320,253 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan4.dat ----a-w 4,403,699 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan5.dat ----a-w 391,763 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan6.dat ----a-w 11,763,158 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan7.dat ----a-w 1,798,654 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan8.dat ----a-w 4,906,582 2007-08-28 23:00:00 C:\WINDOWS\Downloaded Program Files\virscan9.dat ------w 2,181,632 2007-02-28 16:04:58 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe ----a-w 163,328 2007-09-05 09:43:25 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE ----a-w 380,928 2007-09-06 23:03:45 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT ----a-w 8,192 2007-09-06 23:03:45 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat ----a-w 163,328 2007-09-05 09:43:25 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE ----a-w 380,928 2007-09-06 23:03:30 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT ----a-w 8,192 2007-09-06 23:03:30 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat ----a-w 318,976 2007-06-27 14:00:02 C:\WINDOWS\inf\unregmp2.exe ----a-w 16,096 2005-10-12 23:21:28 C:\WINDOWS\SoftwareDistribution\Download\a5506577491f4ecc1370b18df3c5a494\spmsg.dll ----a-w 216,288 2005-10-12 23:21:30 C:\WINDOWS\SoftwareDistribution\Download\a5506577491f4ecc1370b18df3c5a494\spuninst.exe ----a-w 2,181,632 2007-02-28 16:04:58 C:\WINDOWS\SoftwareDistribution\Download\a5506577491f4ecc1370b18df3c5a494\sp2gdr\ntoskrnl.exe ----a-w 2,183,424 2007-02-28 16:09:25 C:\WINDOWS\SoftwareDistribution\Download\a5506577491f4ecc1370b18df3c5a494\sp2qfe\ntoskrnl.exe ----a-w 22,752 2005-10-12 23:21:27 C:\WINDOWS\SoftwareDistribution\Download\a5506577491f4ecc1370b18df3c5a494\update\spcustom.dll ----a-w 723,680 2005-10-12 23:21:33 C:\WINDOWS\SoftwareDistribution\Download\a5506577491f4ecc1370b18df3c5a494\update\update.exe ----a-w 386,784 2005-10-12 23:21:40 C:\WINDOWS\SoftwareDistribution\Download\a5506577491f4ecc1370b18df3c5a494\update\updspapi.dll ----a-w 16,096 2005-02-24 17:36:08 C:\WINDOWS\SoftwareDistribution\Download\ef0eb4021a89170edd4d57c53df1dbef\spmsg.dll ----a-w 212,704 2005-02-24 17:36:08 C:\WINDOWS\SoftwareDistribution\Download\ef0eb4021a89170edd4d57c53df1dbef\spuninst.exe ----a-w 2,180,608 2005-03-02 18:09:04 C:\WINDOWS\SoftwareDistribution\Download\ef0eb4021a89170edd4d57c53df1dbef\sp2gdr\ntoskrnl.exe ----a-w 2,180,864 2005-03-02 18:14:56 C:\WINDOWS\SoftwareDistribution\Download\ef0eb4021a89170edd4d57c53df1dbef\sp2qfe\ntoskrnl.exe ----a-w 22,240 2005-02-24 17:36:08 C:\WINDOWS\SoftwareDistribution\Download\ef0eb4021a89170edd4d57c53df1dbef\update\spcustom.dll ----a-w 725,728 2005-02-24 17:36:08 C:\WINDOWS\SoftwareDistribution\Download\ef0eb4021a89170edd4d57c53df1dbef\update\update.exe ----a-w 387,296 2005-02-24 17:36:08 C:\WINDOWS\SoftwareDistribution\Download\ef0eb4021a89170edd4d57c53df1dbef\update\updspapi.dll ----a-w 13,536 2005-06-28 08:20:24 C:\WINDOWS\SoftwareDistribution\Download\f4b7db19a20ddac5b17ba8b04cdfd622\spmsg.dll ----a-w 216,288 2005-06-28 08:23:38 C:\WINDOWS\SoftwareDistribution\Download\f4b7db19a20ddac5b17ba8b04cdfd622\spuninst.exe ----a-w 318,976 2007-06-27 14:00:02 C:\WINDOWS\SoftwareDistribution\Download\f4b7db19a20ddac5b17ba8b04cdfd622\unregmp2.exe ----a-w 723,680 2005-06-28 08:25:02 C:\WINDOWS\SoftwareDistribution\Download\f4b7db19a20ddac5b17ba8b04cdfd622\update\update.exe ----a-w 371,424 2005-06-28 08:23:54 C:\WINDOWS\SoftwareDistribution\Download\f4b7db19a20ddac5b17ba8b04cdfd622\update\updspapi.dll ----a-w 73,728 2006-08-02 10:39:06 C:\WINDOWS\system32\asuninst.exe ----a-w 2,181,632 2007-02-28 16:04:58 C:\WINDOWS\system32\ntoskrnl.exe ----a-w 11,776 2003-03-25 16:53:50 C:\WINDOWS\system32\ZPORT4AS.dll ----a-w 110,592 2007-03-29 07:20:50 C:\WINDOWS\system32\ActiveScan\as.dll ----a-w 233,472 2006-10-05 14:15:26 C:\WINDOWS\system32\ActiveScan\ascontrol.dll ----a-w 96,256 2005-06-03 12:03:18 C:\WINDOWS\system32\ActiveScan\asmdat.dll ----a-w 36,864 2003-08-01 09:00:16 C:\WINDOWS\system32\ActiveScan\certdll.dll ----a-w 86,016 2005-05-20 11:42:44 C:\WINDOWS\system32\ActiveScan\instlsp.dll ----a-w 4,608 2006-02-16 16:20:20 C:\WINDOWS\system32\ActiveScan\memvfile.dll ----a-w 348,160 2005-10-25 16:08:32 C:\WINDOWS\system32\ActiveScan\msvcr71.dll ----a-w 139,264 2004-05-04 13:01:02 C:\WINDOWS\system32\ActiveScan\pavaleas.dll ----a-w 45,056 2006-07-14 11:04:10 C:\WINDOWS\system32\ActiveScan\pavdr.exe ----a-w 159,832 2006-04-10 08:50:02 C:\WINDOWS\system32\ActiveScan\pavexcom.dll ----a-w 94,208 2006-02-14 11:05:38 C:\WINDOWS\system32\ActiveScan\pavinas.dll ----a-w 180,224 2006-02-16 16:35:38 C:\WINDOWS\system32\ActiveScan\pavoe.dll ----a-w 122,880 2006-10-05 14:15:38 C:\WINDOWS\system32\ActiveScan\pavpz.dll ----a-w 8,704 2006-06-30 12:13:38 C:\WINDOWS\system32\ActiveScan\pfdnnt.exe ----a-w 49,152 2004-02-04 12:08:42 C:\WINDOWS\system32\ActiveScan\port32.dll ----a-w 69,632 2006-08-01 11:23:10 C:\WINDOWS\system32\ActiveScan\pscpu.dll ----a-w 1,388,544 2006-08-23 11:06:08 C:\WINDOWS\system32\ActiveScan\pskahk.dll ----a-w 10,752 2006-08-17 09:38:14 C:\WINDOWS\system32\ActiveScan\pskalloc.dll ----a-w 61,440 2006-09-04 09:49:54 C:\WINDOWS\system32\ActiveScan\pskas.dll ----a-w 779,264 2006-08-18 06:46:18 C:\WINDOWS\system32\ActiveScan\pskavs.dll ----a-w 417,792 2007-03-26 12:25:34 C:\WINDOWS\system32\ActiveScan\pskcmp.dll ----a-w 90,112 2006-08-09 08:42:24 C:\WINDOWS\system32\ActiveScan\pskfss.dll ----a-w 208,896 2006-07-19 08:55:58 C:\WINDOWS\system32\ActiveScan\pskhtml.dll ----a-w 9,728 2006-01-20 14:57:00 C:\WINDOWS\system32\ActiveScan\pskmas.dll ----a-w 14,336 2006-05-17 07:50:12 C:\WINDOWS\system32\ActiveScan\pskmdfs.dll ----a-w 33,280 2006-08-16 08:58:12 C:\WINDOWS\system32\ActiveScan\pskpack.dll ----a-w 266,240 2006-06-30 12:42:36 C:\WINDOWS\system32\ActiveScan\pskscs.dll ----a-w 62,976 2006-08-17 12:33:14 C:\WINDOWS\system32\ActiveScan\pskutil.dll ----a-w 13,312 2006-08-08 11:13:10 C:\WINDOWS\system32\ActiveScan\pskvfile.dll ----a-w 69,632 2006-08-18 06:53:08 C:\WINDOWS\system32\ActiveScan\pskvfs.dll ----a-w 167,936 2006-08-18 06:49:50 C:\WINDOWS\system32\ActiveScan\pskvm.dll ----a-w 353,840 2007-04-18 15:16:04 C:\WINDOWS\system32\ActiveScan\psscan.dll ----a-w 35,328 2007-01-22 12:42:48 C:\WINDOWS\system32\ActiveScan\rawvfile.dll ----a-w 9,488 1997-09-18 04:12:32 C:\WINDOWS\system32\ActiveScan\sporder.dll ----a-w 69,632 2006-02-28 15:23:40 C:\WINDOWS\system32\ActiveScan\tcpvfile.dll ----a-w 213,048 2005-05-16 17:34:48 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll ----a-w 65,536 2006-03-20 11:17:24 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe ----a-w 798,720 2006-03-20 11:17:20 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll ----a-w 317,440 2006-12-01 09:45:28 C:\WINDOWS\inf\unregmp2.exe ----a-w 2,182,272 2004-08-04 07:39:10 C:\WINDOWS\system32\ntoskrnl.exe ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-04-27 09:41] “HPHUPD08”=“C:\Program Files\HP\Digital Imaging{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe” [2005-06-01 18:35] “HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2005-05-11 23:12] “Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-05-11 03:06] “SpywareTerminator”=“C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe” [2007-09-06 00:42] “!AVG Anti-Spyware”=“F:\AVG Anti-Spyware 7.5\avgas.exe” [2007-06-11 11:25] “AVPDWIN”=“C:\Program Files\Panda Software\Panda Demo\pandasft.exe” [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 09:44] “Rainlendar2”=“D:\Programy\Rainlendar2\Rainlendar2.exe” [] “Desktop calendar”=“D:\Programy\Rainlendar2\Rainlendar2.exe” [] “AlcoholAutomount”=“C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe” [2007-07-02 12:27] C:\DOCUME~1\Dom\MENUST~1\Programy\AUTOST~1\ Stardock ObjectDock.lnk - D:\Programy\ObjectDock\ObjectDock.exe [2007-05-06 18:35:37] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] “Gadu-Gadu”=“D:\Internet\Gadu-Gadu\gg.exe” /tray [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” R1 sp_rsdrv2;Spyware Terminator Driver 2;??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs UxTuneUp Contents of the ‘Scheduled Tasks’ folder 2007-08-31 15:19:40 C:\WINDOWS\Tasks\1-Click Maintenance.job - D:\Programy\Windows Utilities\SystemOptimizer.exe 2007-08-31 11:44:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-07 01:58:54 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-09-07 2:01:42 - machine was rebooted C:\ComboFix-quarantined-files.txt … 2007-09-07 02:01 C:\ComboFix2.txt … 2007-09-07 00:02 C:\ComboFix3.txt … 2007-09-06 03:14 — E O F —

Złączono Posta : 07.09.2007 (Pią) 10:27

mogę juz instalować/odinstalować oprogramowanie antywirusowe

jednak katalog /m w którym siedział rootkit nie daje sie skasowac (widoczne sa teraz pliki .zip do wysylki które wygenerowal) nawet programem killbox

nadal nie jestem pewien, czy wszystko jest ok

skanowanie antywirem (panda) nic nie wykazuje

jessica · 7 Wrzesień 2007 08:37

Zrób dwa logi z GMER na ustawieniach:

>>gmer>>Rootkit>>Szukaj>>Kopiuj>>CTRL+V do Notatnika (zapisz gdzieś)
>>Rootkit>>zaznacz tylko “Usługi” i “Pokaż wszystko”>>Szukaj>>Kopiuj>>CTRL+V do Notatnika (zapisz gdzieś)

Ponieważ logi będą długie, więc wklej na http://wklej.org/, a w poście daj tylko link.

EDIT:

Przed zrobieniem logów zrób to:

Otwórz Notatnik i wklej do niego:

Plik >>> zapisz jako >>> zmień rozszerzenie z TXT na wszystkie typy plików >>> zapisz pod nazwą FIX.BAT

( np. na C:\ )

Uruchom Gmer, w >>>zakładce Procesy wybierz Gmer Awaryjny. Komputer się zresetuje i uruchomi się Gmer.

Wybierz znów >>>zakładkę Procesy i na dole w „Poleceniu” przez trzy kropki wskaż plik FIX.BAT , po czym go uruchom (dwuklik).

jessi