TojanDownloader POMOCY


(Ahamrol) #1

Problem z TrojanDownloader.xl i Windows registry... systematycznie co jakieś 15-20 minut pojawiał się na ekranie monitora jedna z trzech informacji o zagrożeniu spowodowanym albo jakimś plikiem wml.exe albo TrojanDownloader.xs albo jakiś błąd krytyczny w Windows registry, a wszystko sprowadza się do tego że mogę to zlikwidować instalując jeden z programów, który jest do kupienia na stronie http://antispyware-reviews.biz/?wmid=46 ... R3n1c2Bg8A Używam antywirusa avast! Ale zakupilam wyżej podany program ale problem nie znika tzn nie pojawiaja sie już komunikaty ale komuter strasznie muli i co chwile się zawieszaa. Podobne wątki już się pojawiły, ale jestem laikiem i przyznam, że mam problem ze zrozumieniem ich treści, tzn. wiem już jak zrobić log za pomocą programu HijackThis i na dole zamieszczam, ale nie wiem co dalej? Co mam usunąć, jak i za pomocą czego? Proszę o pomoc i o to, żeby wyjaśnić to najprościej jak się da :glupek2: Z góry bardzo dziękuję za wszelką pomoc.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:20, on 2008-04-14

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATKOSD2\ATKOSD2.exe

C:\Program Files\ATK Hotkey\Hcontrol.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\ASUS\ATK Media\DMEDIA.EXE

C:\Program Files\ASUS\ASUS Live Update\ALU.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ASUS\Splendid\ACMON.exe

C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Program Files\Wireless Console 2\wcourier.exe

C:\WINDOWS\system32\ASUSTPE.exe

C:\WINDOWS\system32\ACEngSvr.exe

C:\WINDOWS\ASScrPro.exe

C:\Program Files\Atheros\ACU.exe

C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\PC-Antispyware\PCA-Purchased.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Gadu-Gadu\gg.exe

c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\ATK Hotkey\ATKOSD.exe

C:\Program Files\ATK Hotkey\KBFiltr.exe

C:\Program Files\ATK Hotkey\WDC.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asus.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - C:\Program Files\PC-Antispyware\IeExtension.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll

O4 - HKLM..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"

O4 - HKLM..\Run: [ATKHOTKEY] "C:\Program Files\ATK Hotkey\Hcontrol.exe"

O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM..\Run: [skyTel] SkyTel.EXE

O4 - HKLM..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE

O4 - HKLM..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe

O4 - HKLM..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM..\Run: [ACMON] "C:\Program Files\ASUS\Splendid\ACMON.exe"

O4 - HKLM..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe

O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"

O4 - HKLM..\Run: [securDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

O4 - HKLM..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM..\Run: [PowerForPhone] "C:\Program Files\P4P\P4P.exe"

O4 - HKLM..\Run: [Wireless Console 2] "C:\Program Files\Wireless Console 2\wcourier.exe"

O4 - HKLM..\Run: [ASUSTPE] C:\WINDOWS\system32\ASUSTPE.exe

O4 - HKLM..\Run: [ASUS Camera ScreenSaver] C:\WINDOWS\ASScrProlog.exe

O4 - HKLM..\Run: [ASUS Screen Saver Protector] C:\WINDOWS\ASScrPro.exe

O4 - HKLM..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui

O4 - HKLM..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM..\Run: [PC-Antispyware] "C:\Program Files\PC-Antispyware\PCA-Purchased.exe" hide

O4 - HKCU..\Run: [startCCC] c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKCU..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKLM..\Policies\Explorer\Run: [bI2IhdoNX3] C:\Documents and Settings\All Users\Dane aplikacji\ejyfmxwr\kjirklmx.exe

O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - .DEFAULT User Startup: CCC.lnk = ? (User 'Default user')

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: vtULcaYq - vtULcaYq.dll (file missing)

O23 - Service: Usługa konfiguracji Atheros (ACS) - Atheros - C:\WINDOWS\system32\acs.exe

O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe

--

End of file - 12166 bytes


(Cyba91) #2

zrób jeszcze raz scana hijackThis,wyszukaj wartości:

O4 - HKLM…\Policies\Explorer\Run: [bI2IhdoNX3] C:\Documents and Settings\All Users\Dane aplikacji\ejyfmxwr\kjirklmx.exe

O20 - Winlogon Notify: vtULcaYq - vtULcaYq.dll (file missing)

Zaznacz je po lewej stronie ptaszakiem w tym takim małym białym kwadraciku a później wybierz “fix error” :wink:


(Leon$) #3

Wyłącz przywracanie systemu na wszystkich dyskach.http://support.microsoft.com/kb/310405/pl

Pobierz program SDFix


(Ahamrol) #4

dziękuje bardzo za pomoc ale niestety jestem az takim laikiem ze nie mogę sobie poradzić już na samym początku przy wejsciu do trybu awaryjnego. Nie pojawia mi sie żaden plik o nazwie SDFix mimo że go wcześniej wypakowałam


(huber2t) #5

Sprawdź gdzie wypakowałaś ten plik ale najprawdopodobniej powinien być tutaj:


(Ahamrol) #6

Plik jest wypakowany tak jak powinien byc, problem raczej mam w momencie uruchomienia trybu awaryjnego. W momencie gdy chcę uruchomic windowsa w tym trybie pojawia się czarny obraz z migająca ‘kreską’ i to przez bardzo dlugi czas. Czy to tak powinno byc?

(Chciałam tylko przypomniec że w tych spawach jestem kompletnym laikiem i nigdy wczesniej takich operacji na moim komputerze nie przeprowadzałam)


(Leon$) #7

Skoro masz problemy z trybem awaryjnym więc pobierz Combofix i w trybie normalnym przeskanuj system potem pokaż log

:slight_smile:


(Ahamrol) #8

Oto log:

ComboFix 08-04-13.1 - Agosh 2008-04-15 19:41:20.4 - FAT32 x86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.1472 [GMT 1:00]

Running from: C:\Documents and Settings\Agosh\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))

.

2008-04-14 20:41 . 2008-04-14 05:41

2008-04-14 20:32 . 2008-04-14 20:32

2008-04-14 18:43 . 2008-04-14 18:43

2008-04-14 18:38 . 2008-04-14 18:38

2008-04-13 23:59 . 2008-04-13 23:59

2008-04-13 22:58 . 2008-04-13 22:58

2008-04-13 22:58 . 2008-04-13 22:58 25,472 --a------ C:\WINDOWS\system32\drivers\pca-firewall.sys

2008-04-13 22:35 . 2008-04-13 22:36

2008-04-13 21:54 . 2008-03-29 18:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr

2008-04-13 21:54 . 2008-03-29 18:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys

2008-04-13 21:54 . 2008-03-29 18:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys

2008-04-13 21:54 . 2008-03-29 18:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys

2008-04-13 21:54 . 2008-03-29 18:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys

2008-04-13 21:53 . 2008-04-13 21:53

2008-04-13 21:53 . 2008-03-29 18:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe

2008-04-13 21:53 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx

2008-04-13 21:53 . 2008-03-29 18:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys

2008-04-13 21:53 . 2008-01-17 16:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys

2008-04-13 21:53 . 2008-03-29 18:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys

2008-04-13 21:43 . 2008-04-13 21:43

2008-04-13 19:44 . 2008-04-13 19:45

2008-04-13 19:00 . 2008-04-13 19:00

2008-04-13 19:00 . 2008-04-13 14:08 217,088 --a------ C:\WINDOWS\dsktbwfe.dll

2008-04-13 19:00 . 2008-04-13 14:08 204,800 --a------ C:\WINDOWS\sgoblxtm.dll

2008-04-13 19:00 . 2008-04-13 14:08 200,704 --a------ C:\WINDOWS\ogxtsepr.dll

2008-04-13 19:00 . 2008-04-13 14:08 98,304 --a------ C:\WINDOWS\spnkfwad.exe

2008-04-13 18:55 . 2008-04-13 18:55

2008-04-13 17:24 . 2007-11-22 17:00 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx

2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx

2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

2008-03-23 14:56 . 2008-03-23 14:56

2008-03-22 19:35 . 2008-03-22 19:35

2008-03-22 19:35 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-03-22 19:33 . 2008-03-22 19:33

2008-03-20 20:18 . 2008-03-20 20:18

2008-03-20 09:09 . 2008-03-20 09:09 1,845,504 --------- C:\WINDOWS\system32\dllcache\win32k.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-12 18:26 --------- d-----w C:\Program Files\QuickTime

2008-03-12 06:54 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Yahoo! Companion

2008-03-12 06:54 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\Yahoo!

2008-03-09 14:52 --------- d-----w C:\Program Files\SopCast

2008-03-09 14:50 --------- d-----w C:\Program Files\7-Zip

2008-03-08 07:19 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\DivX

2008-03-08 07:13 --------- d-----w C:\Program Files\Yahoo!

2008-03-08 07:13 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Yahoo!

2008-03-04 20:54 --------- d-----w C:\Program Files\DivX

2008-03-04 19:50 892,928 ----a-w C:\WINDOWS\system32\iconv.dll

2008-03-04 19:50 405,504 ----a-w C:\WINDOWS\system32\libmplayer.dll

2008-03-04 19:50 3,108,864 ----a-w C:\WINDOWS\system32\libavcodec.dll

2008-03-04 19:50 126,976 ----a-w C:\WINDOWS\system32\libmpeg2_ff.dll

2008-03-04 19:48 79,360 ----a-w C:\WINDOWS\system32\mkzlib.dll

2008-03-04 19:48 23,552 ----a-w C:\WINDOWS\system32\mkunicode.dll

2008-03-04 19:48 163,840 ----a-w C:\WINDOWS\system32\ts.dll

2008-03-04 19:48 159,744 ----a-w C:\WINDOWS\system32\mmfinfo.dll

2008-03-04 19:48 148,480 ----a-w C:\WINDOWS\system32\mkx.dll

2008-03-04 19:48 141,312 ----a-w C:\WINDOWS\system32\mp4.dll

2008-03-04 19:48 120,832 ----a-w C:\WINDOWS\system32\ogm.dll

2008-03-04 19:48 --------- d-----w C:\Program Files\Real Alternative

2008-03-02 20:14 --------- d-----w C:\Program Files\Common Files\xing shared

2008-03-02 20:13 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll

2008-03-02 20:13 --------- d-----w C:\Program Files\Real

2008-03-02 20:13 --------- d-----w C:\Program Files\Common Files\Real

2008-03-02 20:09 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\BESTplayer

2008-03-01 17:32 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

2008-02-29 18:44 --------- d-----w C:\Program Files\Microsoft Silverlight

2008-02-29 08:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2008-02-29 08:59 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe

2008-02-26 20:23 --------- d-----w C:\Program Files\Kyodai Mahjongg 2006

2008-02-26 20:03 --------- d-----w C:\Program Files\Kyodai

2008-02-25 21:06 --------- d-----w C:\Program Files\MarBit

2008-02-25 21:04 --------- d-----w C:\Program Files\iTunes

2008-02-25 21:04 --------- d-----w C:\Program Files\Bonjour

2008-02-25 21:04 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\Apple Computer

2008-02-25 21:03 --------- d-----w C:\Program Files\Apple Software Update

2008-02-25 21:03 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer

2008-02-25 21:02 --------- d-----w C:\Program Files\Common Files\Apple

2008-02-25 21:02 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple

2008-02-25 20:59 --------- d-----w C:\Program Files\Google

2008-02-25 07:37 --------- d-----w C:\Program Files\MSXML 4.0

2008-02-23 17:12 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2008-02-23 17:12 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\skypePM

2008-02-23 17:10 --------- d-----w C:\Program Files\Skype

2008-02-23 17:10 --------- d-----w C:\Program Files\Common Files\Skype

2008-02-23 17:10 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype

2008-02-23 17:10 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\Skype

2008-02-23 17:06 --------- d-----w C:\Program Files\Gadu-Gadu

2008-02-22 22:45 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\LightScribe

2008-02-22 22:45 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\Ahead

2008-02-22 22:43 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\CyberLink

2008-02-22 22:37 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\ATI

2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-02-21 01:03 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll

2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-20 05:38 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll

2008-02-20 05:38 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll

2008-01-30 21:35 606,848 ----a-w C:\WINDOWS\flashax.exe

2008-01-30 21:35 503,808 ----a-w C:\WINDOWS\Asus_Camera_ScreenSaver.scr

2008-01-30 21:35 4,499,453 ----a-w C:\WINDOWS\ASUS Camera ScreenSaver.exe

2008-01-30 21:35 37,232 ----a-w C:\WINDOWS\ASScrProlog.exe

2008-01-30 21:35 33,136 ----a-w C:\WINDOWS\ASScrPro.exe

2008-01-30 21:35 274,800 ----a-w C:\WINDOWS\ASUS Camera ScreenSaver Uninstaller.exe

2008-01-30 21:35 12,288 ----a-w C:\WINDOWS\impborl.dll

2008-01-29 11:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll

.

((((((((((((((((((((((((((((( snapshot@2008-04-13_23.43.19.81 )))))))))))))))))))))))))))))))))))))))))

.

  • 2008-04-13 22:41:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
  • 2008-04-15 17:22:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat

  • 2008-04-15 17:23:00 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_128.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{10F0C2A9-8E38-43e3-204D-45524C494E20}]

2008-04-13 23:03 176128 --a------ C:\Program Files\PC-Antispyware\IeExtension.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“StartCCC”=“c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” [2006-11-10 12:35 90112]

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-11-14 11:54 2131392]

“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2008-02-01 17:26 22014760]

“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2008-03-03 18:37 68856]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2006-03-02 14:00 15360]

“Yahoo! Pager”=“C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” [2007-08-30 17:43 4670704]

“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 17:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ATKOSD2”=“C:\Program Files\ATKOSD2\ATKOSD2.exe” [2007-07-03 10:48 7708672]

“ATKHOTKEY”=“C:\Program Files\ATK Hotkey\Hcontrol.exe” [2007-07-12 10:25 225280]

“RTHDCPL”=“RTHDCPL.EXE” [2006-10-30 04:49 16269312 C:\WINDOWS\RTHDCPL.exe]

“SkyTel”=“SkyTel.EXE” [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]

“ATKMEDIA”=“C:\Program Files\ASUS\ATK Media\DMEDIA.EXE” [2006-11-02 08:27 61440]

“ASUS Live Update”=“C:\Program Files\ASUS\ASUS Live Update\ALU.exe” [2007-07-19 15:41 49520]

“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2006-05-25 05:02 786521]

“ACMON”=“C:\Program Files\ASUS\Splendid\ACMON.exe” [2007-07-10 10:59 851968]

“ABLKSR”=“C:\WINDOWS\ABLKSR\ABLKSR.exe” [2006-01-02 19:14 61440]

“RemoteControl”=“C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe” [2007-01-08 22:26 68640]

“SecurDisc”=“C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe” [2007-06-01 10:06 1629744]

“SMSERIAL”=“C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe” [2006-11-22 02:31 630784]

“PowerForPhone”=“C:\Program Files\P4P\P4P.exe” []

“Wireless Console 2”=“C:\Program Files\Wireless Console 2\wcourier.exe” [2007-07-05 16:53 1040384]

“ASUSTPE”=“C:\WINDOWS\system32\ASUSTPE.exe” [2007-01-16 16:13 106496]

“ASUS Camera ScreenSaver”=“C:\WINDOWS\ASScrProlog.exe” [2008-01-30 22:35 37232]

“ASUS Screen Saver Protector”=“C:\WINDOWS\ASScrPro.exe” [2008-01-30 22:35 33136]

“ACU”=“C:\Program Files\Atheros\ACU.exe” [2007-05-03 17:42 376921]

“Symantec PIF AlertEng”=“C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe” [2008-01-29 17:38 583048]

“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2008-03-02 21:13 185896]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe” [2008-02-22 04:25 144784]

“QuickTime Task”=“C:\Program Files\QuickTime\QTTask.exe” [2008-03-28 23:37 413696]

“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2008-03-30 10:36 267048]

“PC-Antispyware”=“C:\Program Files\PC-Antispyware\PCA-Purchased.exe” [2008-04-13 23:03 10772480]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2006-03-02 14:00 15360]

[HKLM~\startupfolder\C:^Documents and Settings^Agosh^Menu Start^Programy^Autostart^CCC.lnk]

path=C:\Documents and Settings\Agosh\Menu Start\Programy\Autostart\CCC.lnk

backup=C:\WINDOWS\pss\CCC.lnkStartup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

–a------ 2007-06-01 10:05 1057328 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

–a------ 2007-01-08 22:17 52256 C:\Program Files\ASUSTek\ASUSDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]

–a------ 2007-06-20 12:49 451872 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

–a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power_Gear]

–a------ 2006-07-26 18:01 90112 C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

“AntiVirusDisableNotify”=dword:00000001

“UpdatesDisableNotify”=dword:00000001

“AntiVirusOverride”=dword:00000001

“FirewallOverride”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

“DisableMonitoring”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE”=

“C:\Program Files\Bonjour\mDNSResponder.exe”=

“%windir%\Network Diagnostic\xpnetdiag.exe”=

“C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe”=

“C:\Program Files\Yahoo!\Messenger\YServer.exe”=

“C:\Program Files\iTunes\iTunes.exe”=

“C:\Program Files\Skype\Phone\Skype.exe”=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 18:31]

R1 pca-firewall;pca-firewall;C:\WINDOWS\system32\drivers\pca-firewall.sys [2008-04-13 22:58]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]

R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-08-21 01:50]

R3 RTSTOR;USB Mass Stroage Device;C:\WINDOWS\system32\drivers\RTSTOR.SYS [2006-06-10 00:07]

R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-03-28 19:52]

S3 usbstor;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2006-03-02 14:00]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]

msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

“C:\Program Files\Common Files\LightScribe\LSRunOnce.exe”

.

Contents of the ‘Scheduled Tasks’ folder

“2008-03-21 16:10:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-15 19:43:04

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe

  • C:\Program Files\PC-Antispyware\PopupBlocker.dll

.

Completion time: 2008-04-15 19:43:26

ComboFix-quarantined-files.txt 2008-04-15 18:43:20

ComboFix3.txt 2008-04-13 22:43:40

ComboFix2.txt 2008-04-14 20:40:34

Pre-Run: 103,642,136,576 bajtów wolnych

Post-Run: 103,628,832,768 bajtów wolnych

.

2008-04-11 01:54:39 — E O F —


(huber2t) #9

Pobierz ComboFix, ale nie uruchamiaj

Wklej do notatnika:

File::

C:\WINDOWS\dsktbwfe.dll

C:\WINDOWS\sgoblxtm.dll

C:\WINDOWS\ogxtsepr.dll

C:\WINDOWS\spnkfwad.exe

C:\WINDOWS\system32\drivers\pca-firewall.sys


Folder::

C:\FOUND.003

C:\FOUND.002

C:\FOUND.001

C:\Documents and Settings\All Users\Dane aplikacji\ejyfmxwr


Driver::

pca-firewall

Plik -> zapisz jako -> CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu ->

02f8f1e3c410a4cc.gif

Powinno się rozpocząć usuwanie i powstanie log, daj ten log na forum.

Jeśli wszystko pójdzie dobrze, to po restarcie usuń ręcznie folder C: \Qoobox


(Ahamrol) #10

Oto log:

ComboFix 08-04-13.1 - Agosh 2008-04-16 8:06:52.6 - FAT32 x86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.1318 [GMT 1:00]

Running from: C:\Documents and Settings\Agosh\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\Agosh\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\WINDOWS\dsktbwfe.dll

C:\WINDOWS\ogxtsepr.dll

C:\WINDOWS\sgoblxtm.dll

C:\WINDOWS\spnkfwad.exe

C:\WINDOWS\system32\drivers\pca-firewall.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\drivers\pca-firewall.sys

.

---- Previous Run -------

.

C:\Documents and Settings\All Users\Dane aplikacji\ejyfmxwr

C:\FOUND.001

C:\FOUND.001\FILE0000.CHK

C:\FOUND.002

C:\FOUND.002\FILE0000.CHK

C:\FOUND.002\FILE0001.CHK

C:\FOUND.003

C:\FOUND.003\FILE0000.CHK

C:\FOUND.003\FILE0001.CHK

C:\FOUND.003\FILE0002.CHK

C:\FOUND.003\FILE0003.CHK

C:\FOUND.003\FILE0004.CHK

C:\FOUND.003\FILE0005.CHK

C:\WINDOWS\dsktbwfe.dll

C:\WINDOWS\ogxtsepr.dll

C:\WINDOWS\sgoblxtm.dll

C:\WINDOWS\spnkfwad.exe

C:\WINDOWS\system32\drivers\pca-firewall.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PCA-FIREWALL

-------\Service_pca-firewall

-------\Legacy_PCA-FIREWALL

-------\Service_pca-firewall

((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))

.

2008-04-16 08:09 . 2003-07-29 03:18 3,839 --a------ C:\WINDOWS\system32\drivers\GETPADD.sys

2008-04-14 20:41 . 2008-04-14 05:41

2008-04-14 18:38 . 2008-04-14 18:38

2008-04-13 22:58 . 2008-04-13 22:58

2008-04-13 22:35 . 2008-04-13 22:36

2008-04-13 21:54 . 2008-03-29 18:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr

2008-04-13 21:54 . 2008-03-29 18:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys

2008-04-13 21:54 . 2008-03-29 18:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys

2008-04-13 21:54 . 2008-03-29 18:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys

2008-04-13 21:54 . 2008-03-29 18:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys

2008-04-13 21:53 . 2008-04-13 21:53

2008-04-13 21:53 . 2008-03-29 18:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe

2008-04-13 21:53 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx

2008-04-13 21:53 . 2008-03-29 18:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys

2008-04-13 21:53 . 2008-01-17 16:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys

2008-04-13 21:53 . 2008-03-29 18:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys

2008-04-13 21:43 . 2008-04-13 21:43

2008-04-13 19:44 . 2008-04-13 19:45

2008-04-13 18:55 . 2008-04-13 18:55

2008-04-13 17:24 . 2007-11-22 17:00 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx

2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx

2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

2008-03-23 14:56 . 2008-03-23 14:56

2008-03-22 19:35 . 2008-03-22 19:35

2008-03-22 19:35 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-03-22 19:33 . 2008-03-22 19:33

2008-03-20 20:18 . 2008-03-20 20:18

2008-03-20 09:09 . 2008-03-20 09:09 1,845,504 --------- C:\WINDOWS\system32\dllcache\win32k.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-12 18:26 --------- d-----w C:\Program Files\QuickTime

2008-03-12 06:54 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Yahoo! Companion

2008-03-12 06:54 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\Yahoo!

2008-03-09 14:52 --------- d-----w C:\Program Files\SopCast

2008-03-09 14:50 --------- d-----w C:\Program Files\7-Zip

2008-03-08 07:19 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\DivX

2008-03-08 07:13 --------- d-----w C:\Program Files\Yahoo!

2008-03-08 07:13 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Yahoo!

2008-03-04 20:54 --------- d-----w C:\Program Files\DivX

2008-03-04 19:50 892,928 ----a-w C:\WINDOWS\system32\iconv.dll

2008-03-04 19:50 405,504 ----a-w C:\WINDOWS\system32\libmplayer.dll

2008-03-04 19:50 3,108,864 ----a-w C:\WINDOWS\system32\libavcodec.dll

2008-03-04 19:50 126,976 ----a-w C:\WINDOWS\system32\libmpeg2_ff.dll

2008-03-04 19:48 79,360 ----a-w C:\WINDOWS\system32\mkzlib.dll

2008-03-04 19:48 23,552 ----a-w C:\WINDOWS\system32\mkunicode.dll

2008-03-04 19:48 163,840 ----a-w C:\WINDOWS\system32\ts.dll

2008-03-04 19:48 159,744 ----a-w C:\WINDOWS\system32\mmfinfo.dll

2008-03-04 19:48 148,480 ----a-w C:\WINDOWS\system32\mkx.dll

2008-03-04 19:48 141,312 ----a-w C:\WINDOWS\system32\mp4.dll

2008-03-04 19:48 120,832 ----a-w C:\WINDOWS\system32\ogm.dll

2008-03-04 19:48 --------- d-----w C:\Program Files\Real Alternative

2008-03-02 20:14 --------- d-----w C:\Program Files\Common Files\xing shared

2008-03-02 20:13 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll

2008-03-02 20:13 --------- d-----w C:\Program Files\Real

2008-03-02 20:13 --------- d-----w C:\Program Files\Common Files\Real

2008-03-02 20:09 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\BESTplayer

2008-03-01 17:32 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

2008-02-29 18:44 --------- d-----w C:\Program Files\Microsoft Silverlight

2008-02-29 08:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2008-02-29 08:59 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe

2008-02-26 20:23 --------- d-----w C:\Program Files\Kyodai Mahjongg 2006

2008-02-26 20:03 --------- d-----w C:\Program Files\Kyodai

2008-02-25 21:06 --------- d-----w C:\Program Files\MarBit

2008-02-25 21:04 --------- d-----w C:\Program Files\iTunes

2008-02-25 21:04 --------- d-----w C:\Program Files\Bonjour

2008-02-25 21:04 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\Apple Computer

2008-02-25 21:03 --------- d-----w C:\Program Files\Apple Software Update

2008-02-25 21:03 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer

2008-02-25 21:02 --------- d-----w C:\Program Files\Common Files\Apple

2008-02-25 21:02 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple

2008-02-25 20:59 --------- d-----w C:\Program Files\Google

2008-02-25 07:37 --------- d-----w C:\Program Files\MSXML 4.0

2008-02-23 17:12 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2008-02-23 17:12 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\skypePM

2008-02-23 17:10 --------- d-----w C:\Program Files\Skype

2008-02-23 17:10 --------- d-----w C:\Program Files\Common Files\Skype

2008-02-23 17:10 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype

2008-02-23 17:10 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\Skype

2008-02-23 17:06 --------- d-----w C:\Program Files\Gadu-Gadu

2008-02-22 22:45 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\LightScribe

2008-02-22 22:45 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\Ahead

2008-02-22 22:43 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\CyberLink

2008-02-22 22:37 --------- d-----w C:\Documents and Settings\Agosh\Dane aplikacji\ATI

2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-02-21 01:03 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll

2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-20 05:38 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll

2008-02-20 05:38 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll

2008-01-30 21:35 606,848 ----a-w C:\WINDOWS\flashax.exe

2008-01-30 21:35 503,808 ----a-w C:\WINDOWS\Asus_Camera_ScreenSaver.scr

2008-01-30 21:35 4,499,453 ----a-w C:\WINDOWS\ASUS Camera ScreenSaver.exe

2008-01-30 21:35 37,232 ----a-w C:\WINDOWS\ASScrProlog.exe

2008-01-30 21:35 33,136 ----a-w C:\WINDOWS\ASScrPro.exe

2008-01-30 21:35 274,800 ----a-w C:\WINDOWS\ASUS Camera ScreenSaver Uninstaller.exe

2008-01-30 21:35 12,288 ----a-w C:\WINDOWS\impborl.dll

2008-01-29 11:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll

.

((((((((((((((((((((((((((((( snapshot@2008-04-13_23.43.19.81 )))))))))))))))))))))))))))))))))))))))))

.

  • 2008-04-13 22:41:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
  • 2008-04-16 07:09:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat

  • 2008-04-16 07:09:50 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_140.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{10F0C2A9-8E38-43e3-204D-45524C494E20}]

2008-04-13 23:03 176128 --a------ C:\Program Files\PC-Antispyware\IeExtension.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“StartCCC”=“c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” [2006-11-10 12:35 90112]

“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-11-14 11:54 2131392]

“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2008-02-01 17:26 22014760]

“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2008-03-03 18:37 68856]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2006-03-02 14:00 15360]

“Yahoo! Pager”=“C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” [2007-08-30 17:43 4670704]

“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 17:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ATKOSD2”=“C:\Program Files\ATKOSD2\ATKOSD2.exe” [2007-07-03 10:48 7708672]

“ATKHOTKEY”=“C:\Program Files\ATK Hotkey\Hcontrol.exe” [2007-07-12 10:25 225280]

“RTHDCPL”=“RTHDCPL.EXE” [2006-10-30 04:49 16269312 C:\WINDOWS\RTHDCPL.exe]

“SkyTel”=“SkyTel.EXE” [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]

“ATKMEDIA”=“C:\Program Files\ASUS\ATK Media\DMEDIA.EXE” [2006-11-02 08:27 61440]

“ASUS Live Update”=“C:\Program Files\ASUS\ASUS Live Update\ALU.exe” [2007-07-19 15:41 49520]

“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2006-05-25 05:02 786521]

“ACMON”=“C:\Program Files\ASUS\Splendid\ACMON.exe” [2007-07-10 10:59 851968]

“ABLKSR”=“C:\WINDOWS\ABLKSR\ABLKSR.exe” [2006-01-02 19:14 61440]

“RemoteControl”=“C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe” [2007-01-08 22:26 68640]

“SecurDisc”=“C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe” [2007-06-01 10:06 1629744]

“SMSERIAL”=“C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe” [2006-11-22 02:31 630784]

“PowerForPhone”=“C:\Program Files\P4P\P4P.exe” []

“Wireless Console 2”=“C:\Program Files\Wireless Console 2\wcourier.exe” [2007-07-05 16:53 1040384]

“ASUSTPE”=“C:\WINDOWS\system32\ASUSTPE.exe” [2007-01-16 16:13 106496]

“ASUS Camera ScreenSaver”=“C:\WINDOWS\ASScrProlog.exe” [2008-01-30 22:35 37232]

“ASUS Screen Saver Protector”=“C:\WINDOWS\ASScrPro.exe” [2008-01-30 22:35 33136]

“ACU”=“C:\Program Files\Atheros\ACU.exe” [2007-05-03 17:42 376921]

“Symantec PIF AlertEng”=“C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe” [2008-01-29 17:38 583048]

“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2008-03-02 21:13 185896]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe” [2008-02-22 04:25 144784]

“QuickTime Task”=“C:\Program Files\QuickTime\QTTask.exe” [2008-03-28 23:37 413696]

“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2008-03-30 10:36 267048]

“PC-Antispyware”=“C:\Program Files\PC-Antispyware\PCA-Purchased.exe” [2008-04-13 23:03 10772480]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2006-03-02 14:00 15360]

[HKLM~\startupfolder\C:^Documents and Settings^Agosh^Menu Start^Programy^Autostart^CCC.lnk]

path=C:\Documents and Settings\Agosh\Menu Start\Programy\Autostart\CCC.lnk

backup=C:\WINDOWS\pss\CCC.lnkStartup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

–a------ 2007-06-01 10:05 1057328 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

–a------ 2007-01-08 22:17 52256 C:\Program Files\ASUSTek\ASUSDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]

–a------ 2007-06-20 12:49 451872 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

–a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power_Gear]

–a------ 2006-07-26 18:01 90112 C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

“AntiVirusDisableNotify”=dword:00000001

“FirewallDisableNotify”=dword:00000001

“UpdatesDisableNotify”=dword:00000001

“AntiVirusOverride”=dword:00000001

“FirewallOverride”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

“DisableMonitoring”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE”=

“C:\Program Files\Bonjour\mDNSResponder.exe”=

“%windir%\Network Diagnostic\xpnetdiag.exe”=

“C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe”=

“C:\Program Files\Yahoo!\Messenger\YServer.exe”=

“C:\Program Files\iTunes\iTunes.exe”=

“C:\Program Files\Skype\Phone\Skype.exe”=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 18:31]

R1 pca-firewall;pca-firewall;C:\WINDOWS\system32\drivers\pca-firewall.sys [2008-04-16 08:10]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]

R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-08-21 01:50]

R3 RTSTOR;USB Mass Stroage Device;C:\WINDOWS\system32\drivers\RTSTOR.SYS [2006-06-10 00:07]

R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-03-28 19:52]

S3 usbstor;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2006-03-02 14:00]

*Newly Created Service* - PCA-FIREWALL

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]

msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

“C:\Program Files\Common Files\LightScribe\LSRunOnce.exe”

.

Contents of the ‘Scheduled Tasks’ folder

“2008-03-21 16:10:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-16 08:10:10

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe

  • C:\Program Files\PC-Antispyware\PopupBlocker.dll

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE

C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE

C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE

C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE

C:\WINDOWS\SYSTEM32\ACS.EXE

C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE

C:\PROGRAM FILES\BONJOUR\MDNSRESPONDER.EXE

C:\PROGRAM FILES\NERO\NERO 7\INCD\INCDSRV.EXE

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\SYSTEM32\ACENGSVR.EXE

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\PROGRAM FILES\ATK HOTKEY\ATKOSD.EXE

C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\MOM.EXE

C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe

C:\Program Files\ATK Hotkey\KBFiltr.exe

C:\Program Files\ATK Hotkey\WDC.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2008-04-16 8:12:01 - machine was rebooted [Agosh]

ComboFix-quarantined-files.txt 2008-04-16 07:11:56

ComboFix4.txt 2008-04-13 22:43:40

ComboFix3.txt 2008-04-14 20:40:34

ComboFix2.txt 2008-04-15 18:43:28

Pre-Run: 103,531,446,272 bajtów wolnych

Post-Run: 103,518,011,392 bajt˘w wolnych

.

2008-04-11 01:54:39 — E O F —


(huber2t) #11

Log wygląda na czysty

Przeskanuj komputer tym http://www.kaspersky.pl/virusscanner.html Daj raport z niego na forum


(Gutek) #12

Zmiana zasad wklejania logów na forum - viewtopic.php?f=16&t=213350


(Ahamrol) #13

oto raport kasperskiego:

http://wklej.org/id/ae82112896

Dziekuje Wam bardzo za pomoc.


(huber2t) #14

Log jest czysty


(Leon$) #15

przeskanuj Kasperskim obszar Mój komputer

:slight_smile: