Starsznie utrudniajacy zycie problem z ... virusem?spywarem?

system · 14 Listopad 2007 14:44

Tworza mi sie ikony takie jak te:

Oraz bez przerwy wyskakuja powiadomienia:

Co mam z tym zrobic ? Probowalem Panda oraz Ad-Aware’m i nic nie pomaga

Log z HJT:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:01:59, on 2007-11-14 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0011) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\FTRTSVC.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\system32\nvraidservice.exe C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe C:\WINDOWS\system32\CTHELPER.EXE C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE C:\Program Files\neostrada tp\neostradatp.exe C:\Program Files\neostrada tp\ComComp.exe C:\Program Files\neostrada tp\Watch.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - C:\WINDOWS\system32\cbxyayw.dll O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll O2 - BHO: {1c84d700-13ee-49fb-d3c4-0695903e1af3} - {3fa1e309-5960-4c3d-bf94-ee31007d48c1} - C:\WINDOWS\system32\udnqftha.dll O2 - BHO: (no name) - {63B9F9DE-D33E-47EE-9CF1-BE2161D7A750} - C:\Program Files\NetMeeting\qubokypax4444.dll (file missing) O2 - BHO: (no name) - {7F216D4C-4CAC-4CD9-BDFD-5E3796DB1D3C} - C:\Program Files\NetMeeting\qubokypax83122.dll (file missing) O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\SYSTEM32\jcxeazgo.dll O2 - BHO: 0 - {CE43A31C-6980-42A2-DDA5-8ECB7A4B01B8} - C:\Program Files\Internet Explorer\temad.dll (file missing) O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\SYSTEM32\jcxeazgo.dll O4 - HKLM…\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe O4 - HKLM…\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM…\Run: [CTHelper] CTHELPER.EXE O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: Download link using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: Ściągnij przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_all.htm O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file) O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra ‘Tools’ menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: *.avsystemcare.com O15 - Trusted Zone: *.gomyhit.com O15 - Trusted Zone: *.imagesrvr.com O15 - Trusted Zone: *.virusschlacht.com O15 - Trusted Zone: *.avsystemcare.com (HKLM) O15 - Trusted Zone: *.gomyhit.com (HKLM) O15 - Trusted Zone: *.imageservr.com (HKLM) O15 - Trusted Zone: *.imagesrvr.com (HKLM) O15 - Trusted Zone: *.onerateld.com (HKLM) O15 - Trusted Zone: *.trustedantivirus.com (HKLM) O15 - Trusted Zone: *.virusschlacht.com (HKLM) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows … 9012694546 O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab O17 - HKLM\System\CCS\Services\Tcpip…{4CB40AF1-ACC3-49C1-B170-2A2E9AE5F23D}: NameServer = 10.1.0.3,10.1.0.1 O17 - HKLM\System\CCS\Services\Tcpip…{775C0CBD-BA6C-4ECD-94D8-1EA71CA28CF6}: NameServer = 194.204.159.1 217.98.63.164 O17 - HKLM\System\CS1\Services\Tcpip…{4CB40AF1-ACC3-49C1-B170-2A2E9AE5F23D}: NameServer = 10.1.0.3,10.1.0.1 O17 - HKLM\System\CS2\Services\Tcpip…{4CB40AF1-ACC3-49C1-B170-2A2E9AE5F23D}: NameServer = 10.1.0.3,10.1.0.1 O20 - Winlogon Notify: cbxyayw - C:\WINDOWS\SYSTEM32\cbxyayw.dll O20 - Winlogon Notify: jcxeazgo - C:\WINDOWS\SYSTEM32\jcxeazgo.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing) O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe – End of file - 7366 bytes

Log z ComboFix:

ComboFix 07-11-08.1 - KAT_666 2007-11-14 15:54:45.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.180 [GMT 1:00] Running from: C:\Documents and Settings\KAT_666\Pulpit\ComboFix.exe * Created a new restore point . ADS - system32: deleted 82209 bytes in 2 streams. Unable to gain System Privileges ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Menu Start\Live Safety Center.lnk C:\Documents and Settings\All Users\Menu Start\Online Security Guide.lnk C:\Documents and Settings\KAT_666\Dane aplikacji\BestsellerAntivirus C:\Documents and Settings\KAT_666\Dane aplikacji\BestsellerAntivirus\avtasks.dat C:\Documents and Settings\KAT_666\Dane aplikacji\BestsellerAntivirus\Logs\av.log C:\Documents and Settings\KAT_666\Dane aplikacji\BestsellerAntivirus\Logs\ga6Support.log C:\Documents and Settings\KAT_666\Dane aplikacji\BestsellerAntivirus\Logs\update.log C:\Documents and Settings\KAT_666\Pulpit\Live Safety Center.lnk C:\Documents and Settings\KAT_666\Pulpit\Online Security Guide.lnk C:\Documents and Settings\KAT_666\Ulubione\Online Security Guide.lnk C:\Program Files\Internet Explorer\xuver.html C:\Temp\1cb C:\Temp\1cb\syscheck.log C:\UGA6P C:\WINDOWS\system32\dccdd.bak1 C:\WINDOWS\system32\dccdd.bak2 C:\WINDOWS\system32\dccdd.ini C:\WINDOWS\system32\ddccd.dll C:\WINDOWS\system32\drivers\npf.sys C:\WINDOWS\system32\jcxeazgo.dllbox C:\WINDOWS\system32\pac.txt C:\WINDOWS\system32\packet.dll C:\WINDOWS\system32\pthreadVC.dll C:\WINDOWS\system32\rqtss.bak1 C:\WINDOWS\system32\rqtss.bak2 C:\WINDOWS\system32\rqtss.ini C:\WINDOWS\system32\wanpacket.dll C:\WINDOWS\system32\wpcap.dll C:\WINDOWS\system32\x2 . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_DOMAINSERVICE -------\LEGACY_NETWORK_MONITOR -------\LEGACY_NPF -------\DomainService -------\NPF ((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 ))))))))))))))))))))))))))))))) . 2007-11-14 15:54 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-11-14 15:18 2007-11-14 15:15 2007-11-14 05:41 85,056 --a------ C:\WINDOWS\system32\heilnnxu.dll 2007-11-14 05:38 80,448 --a------ C:\WINDOWS\system32\udnqftha.dll 2007-11-14 05:33 144,480 --a------ C:\WINDOWS\system32\jcxeazgo.dll 2007-11-14 05:32 144,480 --a------ C:\WINDOWS\system32\bmlcmprh.dll 2007-11-13 13:23 88,128 --a------ C:\WINDOWS\system32\flrtfvso.dll 2007-11-13 05:35 81,472 --a------ C:\WINDOWS\system32\oamrlour.dll 2007-11-12 18:43 2007-11-12 18:43 2007-11-12 10:27 2007-11-12 10:22 2007-11-12 10:22 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-11-11 23:47 2007-11-11 23:43 2007-11-11 22:02 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll 2007-11-11 22:02 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll 2007-11-11 22:02 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll 2007-11-11 22:02 89,088 --a------ C:\WINDOWS\system32\atl71.dll 2007-11-11 22:02 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll 2007-11-11 21:49 2007-11-11 21:48 2007-11-11 21:48 2007-11-11 21:48 2007-11-11 21:48 2007-11-11 21:48 2007-11-11 21:48 35,328 --a------ C:\WINDOWS\system32\cbxyayw.dll 2007-11-11 21:36 2007-11-08 11:39 2007-11-03 13:43 2007-10-26 03:04 2007-10-19 21:46 2007-10-19 20:00 2007-10-19 20:00 2007-10-19 11:33 2007-10-16 21:21 2007-10-15 20:35 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-14 14:58 --------- d-----w C:\Program Files\neostrada tp 2007-11-14 14:49 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-11-14 14:24 --------- d-----w C:\Program Files\FlashGet 2007-11-12 17:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-11-12 17:36 --------- d-----w C:\Program Files\Gadu-Gadu 2007-11-05 22:49 --------- d-----w C:\Program Files\BitComet 2007-10-29 01:05 --------- d-----w C:\Program Files\eMule 2007-10-19 11:41 --------- d-----w C:\Program Files\DOSBox-0.72 2007-10-11 16:00 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Zylom 2007-10-06 19:21 --------- d-----w C:\Documents and Settings\KAT_666\Dane aplikacji\Ventrilo 2007-10-06 19:20 --------- d-----w C:\Program Files\Ventrilo 2007-10-03 21:23 --------- d-----w C:\Documents and Settings\KAT_666\Dane aplikacji\InstallShield 2007-09-30 22:38 --------- d-----w C:\Program Files\Dota Keys 2007-09-29 15:47 --------- d-----w C:\Documents and Settings\KAT_666\Dane aplikacji\GetRightToGo 2007-09-29 14:10 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2007-09-29 01:51 --------- d-----w C:\Program Files\Teamspeak2_RC2 2007-09-29 01:51 --------- d-----w C:\Documents and Settings\KAT_666\Dane aplikacji\teamspeak2 2007-09-28 17:26 --------- d-----w C:\Program Files\WC3Banlist 2007-09-28 17:22 --------- d-----w C:\Program Files\WinPcap 2007-09-26 20:19 --------- d-----w C:\Program Files\mIRC 2007-09-26 15:42 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment 2007-09-26 12:53 --------- d-----w C:\Program Files\SystemRequirementsLab 2007-09-24 17:05 --------- d-----w C:\Program Files\ePSXe 2007-09-23 11:34 --------- d-----w C:\Documents and Settings\KAT_666\Dane aplikacji\vlc 2007-09-17 23:00 --------- d-----w C:\Program Files\SubEdit-Player 2007-09-16 16:52 --------- d-----w C:\Documents and Settings\KAT_666\Dane aplikacji\Microsoft Web Folders 2007-09-04 21:57 737,280 ----a-w C:\WINDOWS\iun6002.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}] 2007-11-11 21:48 35328 --a------ C:\WINDOWS\system32\cbxyayw.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{3fa1e309-5960-4c3d-bf94-ee31007d48c1}] 2007-11-14 05:38 80448 --a------ C:\WINDOWS\system32\udnqftha.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{63B9F9DE-D33E-47EE-9CF1-BE2161D7A750}] C:\Program Files\NetMeeting\qubokypax4444.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{7F216D4C-4CAC-4CD9-BDFD-5E3796DB1D3C}] C:\Program Files\NetMeeting\qubokypax83122.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{A95B2816-1D7E-4561-A202-68C0DE02353A}] 2007-11-14 05:33 144480 --a------ C:\WINDOWS\SYSTEM32\jcxeazgo.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{CE43A31C-6980-42A2-DDA5-8ECB7A4B01B8}] C:\Program Files\Internet Explorer\temad.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] “{11A69AE4-FBED-4832-A2BF-45AF82825583}”= C:\WINDOWS\SYSTEM32\jcxeazgo.dll [2007-11-14 05:33 144480] [HKEY_CLASSES_ROOT\CLSID{11A69AE4-FBED-4832-A2BF-45AF82825583}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NVRaidService”=“C:\WINDOWS\system32\nvraidservice.exe” [2004-06-11 04:15] “iKeyWorks”=“C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe” [2004-08-31 12:33] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2004-08-23 12:49] “UpdReg”=“C:\WINDOWS\UpdReg.EXE” [2000-05-11 00:00] “CTHelper”=“CTHELPER.EXE” [2003-06-09 03:07 C:\WINDOWS\system32\CTHELPER.EXE] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 13:00] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}”= C:\WINDOWS\system32\cbxyayw.dll [2007-11-11 21:48 35328] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxyayw] cbxyayw.dll 2007-11-11 21:48 35328 C:\WINDOWS\system32\cbxyayw.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jcxeazgo] jcxeazgo.dll 2007-11-14 05:33 144480 C:\WINDOWS\system32\jcxeazgo.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] “Authentication Packages”= msv1_0 C:\WINDOWS\system32\ddccd.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1c64c846] rundll32.exe “C:\WINDOWS\system32\heilnnxu.dll”,b [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection] “C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rtasks] C:\Program Files\BestsellerAntivirus\rtasks.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart] “C:\Program Files\Common Files\BestsellerAntivirus\bm.exe” dm=http://bestsellerantivirus.com;'http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com R3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{032d3e60-6e96-11dc-ab83-000fea32f414}] \Shell\AutoRun\command - G:\Autorun.exe [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{76277BAE-0003-7541-B287-7107A6F49FC2}] C:\WINDOWS\system32:lpr.exe . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-14 15:58:42 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-14 15:59:16 - machine was rebooted . — E O F —

LostWorld · 14 Listopad 2007 15:01

Pobierz narzędzie SDFix

*Klikamy 2 krotknie na ikonę SDFix.exe ,program wypakuje się domyślnie do lokalizacji C:\ SDFix

*Wchodzimy do trybu awaryjnego z obsługą sieci:

>>>>>> Jak wejść do trybu awaryjnego z obsługą sieci?

*F8 podczas bootowania systemu.

*Używamy narzędzia BootSafe.exe zaznaczamy opcje Safe Mode- Networking i klikamy reboot

*Gdy już jesteśmy w trybie awaryjnym,wchodzimy do folderu SDFix i uruchamiamy narzędzie klikająć

2-krotnie na plik RunThis.bat lewym przyciskiem myszy.

*Wciskamy Y co uruchomi proces usuwania

*Kiedy proces usuwania się zakończy wciskamy dowolny klawisz>>nastąpi restart.

*Po restarcie SDFix dokończy proces usuwania,kiedy w oknie narzędzia SDFix pojawi się napis Finished

klikamy dowolny klawisz,narzędzie zakończy swoją pracę,na pulpicie załadują się ikony.

*Wchodzimy do folderu SDFix i kopiujemy zawartość pliku tekstowego Report.txt i wklejamy go na forum

system · 14 Listopad 2007 15:24

Log z SDFix:

SDFix: Version 1.114 Run by Administrator on 2007-11-14 at 16:19 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Normal Mode: Checking Files: No Trojan Files Found Removing Temp Files… ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-14 16:22:05 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden services & system hive … [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] “s1”=dword:2df9c43f “s2”=dword:110480d0 “h0”=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “h0”=dword:00000000 “khjeh”=hex:83,84,5c,7c,cf,77,d9,ca,f2,1c,9f,84,ce,ac,91,93,58,58,cc,df,4e,… “p0”=“C:\Program Files\DAEMON Tools” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,73,f3,41,ad,58,bd,db,9e,6f,ab,1c,e3,c5,9f,1c,fb,35,… “khjeh”=hex:42,11,27,7c,b6,27,29,22,bd,f3,fb,1f,20,cf,c7,c1,a8,d1,bc,93,26,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:79,f9,38,c4,3b,f2,fa,f5,33,7a,2c,0e,cd,39,15,70,c7,4c,bb,7d,19,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “h0”=dword:00000000 “khjeh”=hex:83,84,5c,7c,cf,77,d9,ca,f2,1c,9f,84,ce,ac,91,93,58,58,cc,df,4e,… “p0”=“C:\Program Files\DAEMON Tools” [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,73,f3,41,ad,58,bd,db,9e,6f,ab,1c,e3,c5,9f,1c,fb,35,… “khjeh”=hex:42,11,27,7c,b6,27,29,22,bd,f3,fb,1f,20,cf,c7,c1,a8,d1,bc,93,26,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:79,f9,38,c4,3b,f2,fa,f5,33,7a,2c,0e,cd,39,15,70,c7,4c,bb,7d,19,… scanning hidden registry entries … [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c] “Order”=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,… scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] Remaining Files: --------------- Files with Hidden Attributes: Wed 14 Nov 2007 6,470 …SH. — “C:\WINDOWS\system32\ilkkj.bak1” Wed 14 Nov 2007 20,640 …SH. — “C:\WINDOWS\system32\jcxeazgo.dllbox” Sat 8 Sep 2007 0 A.SH. — “C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp” Wed 14 Nov 2007 4,286 A…H. — “C:\Documents and Settings\KAT_666\Ustawienia lokalne\Temp\ico8.tmp” Wed 14 Nov 2007 4,286 A…H. — “C:\Documents and Settings\KAT_666\Ustawienia lokalne\Temp\ico9.tmp” Wed 14 Nov 2007 4,286 A…H. — “C:\Documents and Settings\KAT_666\Ustawienia lokalne\Temp\icoA.tmp” Wed 14 Nov 2007 4,286 A…H. — “C:\Documents and Settings\KAT_666\Ustawienia lokalne\Temp\icoB.tmp” Wed 14 Nov 2007 4,286 A…H. — “C:\Documents and Settings\KAT_666\Ustawienia lokalne\Temp\icoC.tmp” Finished!

Dodam tylko, ze nie pomoglo…

Gutek · 14 Listopad 2007 17:33

usuń pliki

Daj log z ComboFix

system · 15 Listopad 2007 17:06

usunalem recznie.

nie moge znalezc nigdzie…

ComboFix 07-11-08.1 - KAT_666 2007-11-15 18:09:45.2 - NTFSx86 NETWORK Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.375 [GMT 1:00] Running from: C:\Documents and Settings\KAT_666\Pulpit\virus\ComboFix.exe . Unable to gain System Privileges ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Administrator\Pulpit\Live Safety Center.lnk C:\Documents and Settings\Administrator\Pulpit\Online Security Guide.lnk C:\Documents and Settings\Administrator\Ulubione\Online Security Guide.lnk C:\Documents and Settings\All Users\Menu Start\Live Safety Center.lnk C:\Documents and Settings\All Users\Menu Start\Online Security Guide.lnk C:\Documents and Settings\KAT_666\Pulpit\Live Safety Center.lnk C:\Documents and Settings\KAT_666\Pulpit\Online Security Guide.lnk C:\Documents and Settings\KAT_666\Ulubione\Online Security Guide.lnk C:\WINDOWS\system32\gmvfytoj.dllbox C:\WINDOWS\system32\ilkkj.bak1 C:\WINDOWS\system32\ilkkj.bak2 C:\WINDOWS\system32\ilkkj.ini C:\WINDOWS\system32\jcxeazgo.dllbox C:\WINDOWS\system32\jkkli.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_DOMAINSERVICE -------\DomainService ((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 ))))))))))))))))))))))))))))))) . 2007-11-15 18:03 2007-11-15 16:18 85,056 --a------ C:\WINDOWS\system32\mgbmceaw.dll 2007-11-15 16:12 79,936 --a------ C:\WINDOWS\system32\hraefpau.dll 2007-11-15 16:09 144,480 --a------ C:\WINDOWS\system32\lperscnj.dll 2007-11-15 16:09 144,480 --a------ C:\WINDOWS\system32\gmvfytoj.dll.vir 2007-11-15 16:06 71,232 --a------ C:\WINDOWS\system32\nqwegrxq.exe 2007-11-14 16:19 2007-11-14 16:18 2007-11-14 16:18 2007-11-14 16:18 2007-11-14 16:18 2007-11-14 16:18 2007-11-14 16:18 2007-11-14 16:18 2007-11-14 15:54 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-11-14 15:18 2007-11-14 05:41 85,056 --a------ C:\WINDOWS\system32\heilnnxu.dll 2007-11-14 05:38 80,448 --a------ C:\WINDOWS\system32\udnqftha.dll 2007-11-14 05:32 144,480 --a------ C:\WINDOWS\system32\bmlcmprh.dll 2007-11-13 13:23 88,128 --a------ C:\WINDOWS\system32\flrtfvso.dll 2007-11-13 05:35 81,472 --a------ C:\WINDOWS\system32\oamrlour.dll 2007-11-12 18:43 2007-11-12 18:43 2007-11-12 10:27 2007-11-12 10:22 2007-11-12 10:22 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-11-11 23:47 2007-11-11 23:43 2007-11-11 22:02 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll 2007-11-11 22:02 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll 2007-11-11 22:02 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll 2007-11-11 22:02 89,088 --a------ C:\WINDOWS\system32\atl71.dll 2007-11-11 22:02 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll 2007-11-11 21:49 2007-11-11 21:48 2007-11-11 21:48 2007-11-11 21:48 2007-11-11 21:48 2007-11-11 21:48 2007-11-11 21:48 35,328 --a------ C:\WINDOWS\system32\cbxyayw.dll.vir 2007-11-11 21:36 2007-11-08 11:39 2007-11-03 13:43 2007-10-26 03:04 2007-10-19 21:46 2007-10-19 20:00 2007-10-19 20:00 2007-10-19 11:33 2007-10-16 21:21 2007-10-15 20:35 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-15 17:02 --------- d-----w C:\Program Files\neostrada tp 2007-11-14 14:49 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-11-14 14:24 --------- d-----w C:\Program Files\FlashGet 2007-11-12 17:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-11-12 17:36 --------- d-----w C:\Program Files\Gadu-Gadu 2007-11-05 22:49 --------- d-----w C:\Program Files\BitComet 2007-10-29 01:05 --------- d-----w C:\Program Files\eMule 2007-10-19 11:41 --------- d-----w C:\Program Files\DOSBox-0.72 2007-10-11 16:00 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Zylom 2007-10-06 19:21 --------- d-----w C:\Documents and Settings\KAT_666\Dane aplikacji\Ventrilo 2007-10-06 19:20 --------- d-----w C:\Program Files\Ventrilo 2007-10-03 21:23 --------- d-----w C:\Documents and Settings\KAT_666\Dane aplikacji\InstallShield 2007-09-30 22:38 --------- d-----w C:\Program Files\Dota Keys 2007-09-29 15:47 --------- d-----w C:\Documents and Settings\KAT_666\Dane aplikacji\GetRightToGo 2007-09-29 14:10 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2007-09-29 01:51 --------- d-----w C:\Program Files\Teamspeak2_RC2 2007-09-29 01:51 --------- d-----w C:\Documents and Settings\KAT_666\Dane aplikacji\teamspeak2 2007-09-28 17:26 --------- d-----w C:\Program Files\WC3Banlist 2007-09-28 17:22 --------- d-----w C:\Program Files\WinPcap 2007-09-26 20:19 --------- d-----w C:\Program Files\mIRC 2007-09-26 15:42 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment 2007-09-26 12:53 --------- d-----w C:\Program Files\SystemRequirementsLab 2007-09-24 17:05 --------- d-----w C:\Program Files\ePSXe 2007-09-23 11:34 --------- d-----w C:\Documents and Settings\KAT_666\Dane aplikacji\vlc 2007-09-17 23:00 --------- d-----w C:\Program Files\SubEdit-Player 2007-09-16 16:52 --------- d-----w C:\Documents and Settings\KAT_666\Dane aplikacji\Microsoft Web Folders 2007-09-04 21:57 737,280 ----a-w C:\WINDOWS\iun6002.exe 2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{21e4e1f3-b435-45bb-9666-9b527df0c847}] 2007-11-15 16:12 79936 --a------ C:\WINDOWS\system32\hraefpau.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{63B9F9DE-D33E-47EE-9CF1-BE2161D7A750}] C:\Program Files\NetMeeting\qubokypax4444.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{7F216D4C-4CAC-4CD9-BDFD-5E3796DB1D3C}] C:\Program Files\NetMeeting\qubokypax83122.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{CE43A31C-6980-42A2-DDA5-8ECB7A4B01B8}] C:\Program Files\Internet Explorer\temad.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NVRaidService”=“C:\WINDOWS\system32\nvraidservice.exe” [2004-06-11 04:15] “iKeyWorks”=“C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe” [2004-08-31 12:33] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2004-08-23 12:49] “UpdReg”=“C:\WINDOWS\UpdReg.EXE” [2000-05-11 00:00] “CTHelper”=“CTHELPER.EXE” [2003-06-09 03:07 C:\WINDOWS\system32\CTHELPER.EXE] “1c64c846”=“C:\WINDOWS\system32\mgbmceaw.dll” [2007-11-15 16:18] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 13:00] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] “Authentication Packages”= msv1_0 C:\WINDOWS\system32\jkkli.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1c64c846] rundll32.exe “C:\WINDOWS\system32\heilnnxu.dll”,b [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection] “C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rtasks] C:\Program Files\BestsellerAntivirus\rtasks.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart] “C:\Program Files\Common Files\BestsellerAntivirus\bm.exe” dm=http://bestsellerantivirus.com;’>http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com R3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{032d3e60-6e96-11dc-ab83-000fea32f414}] \Shell\AutoRun\command - G:\Autorun.exe [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{76277BAE-0003-7541-B287-7107A6F49FC2}] C:\WINDOWS\system32:lpr.exe . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-15 18:13:20 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-15 18:13:58 - machine was rebooted . — E O F —

Gutek · 15 Listopad 2007 19:16

Wklej do Notatnika:

File:: C:\WINDOWS\system32\mgbmceaw.dll C:\WINDOWS\system32\hraefpau.dll C:\WINDOWS\system32\lperscnj.dll C:\WINDOWS\system32\gmvfytoj.dll.vir C:\WINDOWS\system32\nqwegrxq.exe C:\WINDOWS\system32\heilnnxu.dll C:\WINDOWS\system32\udnqftha.dll C:\WINDOWS\system32\bmlcmprh.dll C:\WINDOWS\system32\flrtfvso.dll C:\WINDOWS\system32\oamrlour.dll C:\WINDOWS\system32\cbxyayw.dll.vir C:\WINDOWS\system32\jkkli.dll C:\Program Files\Internet Explorer\temad.dll C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 Folder:: C:\WINDOWS\QXJjaXN6ZXdza2k C:\WINDOWS\system32\rMa01yy C:\WINDOWS\system32\rev3 C:\WINDOWS\system32\dn5 C:\Temp\abW9 C:\Program Files\NetMeeting C:\Program Files\BestsellerAntivirus C:\Program Files\Common Files\BestsellerAntivirus Registry:: [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{21e4e1f3-b435-45bb-9666-9b527df0c847}] [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{63B9F9DE-D33E-47EE-9CF1-BE2161D7A750}] [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{7F216D4C-4CAC-4CD9-BDFD-5E3796DB1D3C}] [-HKEY_LOCAL_MACHINE~\Browser Helper Objects{CE43A31C-6980-42A2-DDA5-8ECB7A4B01B8}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “1c64c846”=- [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1c64c846] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rtasks] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo, ale przed logiem:

Wklej do Notatnika:

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"Authentication Packages"=-

"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\

  00

Z menu Notatnika Plik Zapisz jako Ustaw rozszerzenie na “Wszystkie pliki” Zapisz jako FIX.REG uruchom ten plik (dwuklik).

system · 17 Listopad 2007 13:30

ComboFix 07-11-08.1 - KAT_666 2007-11-17 14:28:35.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.255 [GMT 1:00] Running from: C:\Documents and Settings\KAT_666\Pulpit\virus\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 ))))))))))))))))))))))))))))))) . 2007-11-15 18:03 2007-11-14 16:19 2007-11-14 16:18 2007-11-14 16:18 2007-11-14 16:18 2007-11-14 16:18 2007-11-14 16:18 2007-11-14 16:18 2007-11-14 16:18 2007-11-14 15:54 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-11-14 15:18 2007-11-12 18:43 2007-11-12 18:43 2007-11-12 10:27 2007-11-12 10:22 2007-11-12 10:22 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-11-11 23:47 2007-11-11 23:43 2007-11-11 22:02 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll 2007-11-11 22:02 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll 2007-11-11 22:02 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll 2007-11-11 22:02 89,088 --a------ C:\WINDOWS\system32\atl71.dll 2007-11-11 22:02 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll 2007-11-11 21:48 2007-11-11 21:36 2007-11-08 11:39 2007-11-03 13:43 2007-10-26 03:04 2007-10-19 21:46 2007-10-19 20:00 2007-10-19 20:00 2007-10-19 11:33 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-17 13:26 --------- d-----w C:\Program Files\neostrada tp 2007-11-14 14:49 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-11-14 14:27 --------- d-----w C:\Program Files\Warcraft III 2007-11-14 14:24 --------- d-----w C:\Program Files\FlashGet 2007-11-12 17:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-11-12 17:36 --------- d-----w C:\Program Files\Gadu-Gadu 2007-11-11 12:57 --------- d-----w C:\Program Files\NAPI-PROJEKT 2007-11-05 22:49 --------- d-----w C:\Program Files\BitComet 2007-10-29 01:05 --------- d-----w C:\Program Files\eMule 2007-10-19 11:41 --------- d-----w C:\Program Files\DOSBox-0.72 2007-10-11 16:00 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Zylom 2007-10-06 19:21 --------- d-----w C:\Documents and Settings\KAT_666\Dane aplikacji\Ventrilo 2007-10-06 19:20 --------- d-----w C:\Program Files\Ventrilo 2007-10-03 21:23 --------- d-----w C:\Documents and Settings\KAT_666\Dane aplikacji\InstallShield 2007-09-30 22:38 --------- d-----w C:\Program Files\Dota Keys 2007-09-29 15:47 --------- d-----w C:\Documents and Settings\KAT_666\Dane aplikacji\GetRightToGo 2007-09-29 14:10 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2007-09-29 01:51 --------- d-----w C:\Program Files\Teamspeak2_RC2 2007-09-29 01:51 --------- d-----w C:\Documents and Settings\KAT_666\Dane aplikacji\teamspeak2 2007-09-28 17:26 --------- d-----w C:\Program Files\WC3Banlist 2007-09-28 17:22 --------- d-----w C:\Program Files\WinPcap 2007-09-26 20:19 --------- d-----w C:\Program Files\mIRC 2007-09-26 15:42 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment 2007-09-26 12:53 --------- d-----w C:\Program Files\SystemRequirementsLab 2007-09-24 17:05 --------- d-----w C:\Program Files\ePSXe 2007-09-23 11:34 --------- d-----w C:\Documents and Settings\KAT_666\Dane aplikacji\vlc 2007-09-17 23:00 --------- d-----w C:\Program Files\SubEdit-Player 2007-09-04 21:57 737,280 ----a-w C:\WINDOWS\iun6002.exe 2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NVRaidService”=“C:\WINDOWS\system32\nvraidservice.exe” [2004-06-11 04:15] “iKeyWorks”=“C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe” [2004-08-31 12:33] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2004-08-23 12:49] “UpdReg”=“C:\WINDOWS\UpdReg.EXE” [2000-05-11 00:00] “CTHelper”=“CTHELPER.EXE” [2003-06-09 03:07 C:\WINDOWS\system32\CTHELPER.EXE] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 13:00] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection] “C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe” R3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{76277BAE-0003-7541-B287-7107A6F49FC2}] C:\WINDOWS\system32:lpr.exe . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-17 14:29:18 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-17 14:29:45 . — E O F —

Gutek · 17 Listopad 2007 17:14

Pobierz Gmer

Rootkit=>szukaj=>bez zaznaczania pokaż wszystko=> Ctrl + V do posta wklej
Rootkit => zaznaczone tylko Pokazuj wszystko + Usługi => Szukaj => Kopiuj => Ctrl + V do posta wklej