rafylk
(Rkolkowski)
2 October 2007 21:38
#1
I have this trojan on my computer. On the desktop there is a red wallpaper with text on it. Windows keep popping up telling me to download some programs. Three new icons keep appearing on the desktop. I'd really appreciate some help, because I can't deal with this and I'm not an experienced user.
Here is the HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:36:02, on 2007-10-02
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: MSVPS System - {ECBD04D1-1133-4480-8A8C-BC9FDD54D6C1} - C:\WINDOWS\div32.dll
O3 - Toolbar: The advpn - {E99D4D0C-EB54-46AF-B62A-3AA1F31D53E5} - C:\WINDOWS\advpn.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O21 - SSODL: mssql - {B6D8F617-A748-426D-B122-0DE250069385} - C:\WINDOWS\mssql.dll
O21 - SSODL: syscore - {3A81BBA6-5E17-4A2D-B915-E7BACD610D00} - C:\WINDOWS\syscore.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
--
End of file - 7722 bytes
Gutek
(Gutek)
2 October 2007 22:25
#2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5&lid=2
O2 - BHO: MSVPS System - {ECBD04D1-1133-4480-8A8C-BC9FDD54D6C1} - C:\WINDOWS\div32.dll
O3 - Toolbar: The advpn - {E99D4D0C-EB54-46AF-B62A-3AA1F31D53E5} - C:\WINDOWS\advpn.dll
O21 - SSODL: mssql - {B6D8F617-A748-426D-B122-0DE250069385} - C:\WINDOWS\mssql.dll
O21 - SSODL: syscore - {3A81BBA6-5E17-4A2D-B915-E7BACD610D00} - C:\WINDOWS\syscore.dll
Remove these entries in HJT.
Use SmitFraudFix and choose option 2, in Safe Mode of course, and after that post a ComboFix log.
rafylk
(Rkolkowski)
3 October 2007 14:28
#3
I did everything you told me to. However, I couldn't get a log from ComboFix. It said that ComboFix has no access to the file because another program is using it. Maybe that's because of Panda antivirus. It seems to me, though, that the trojan was removed, because the three trojan-related icons disappeared from the desktop and the windows with information about the trojan and antispyware no longer appear. If needed, I can post a log from some other program.
adam9870
(adam9870)
3 October 2007 15:50
#4
In that case, try running Deckard's System Scanner and paste its log. Alternatively, you can try disabling Panda while ComboFix creates its log.
rafylk
(Rkolkowski)
3 October 2007 17:42
#5
Here is the DSS log.
I disabled Panda first.
Deckard's System Scanner v20070905.67
Run by Rafal on 2007-10-03 19:39:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
157: 2007-10-03 17:39:14 UTC - RP169 - Deckard's System Scanner Restore Point
156: 2007-10-03 13:58:18 UTC - RP168 - ComboFix created restore point
155: 2007-10-02 14:20:32 UTC - RP167 - Zainstalowane Panda Internet Security 2007
154: 2007-10-02 14:04:42 UTC - RP166 - Usunięty Kaspersky Internet Security 6.0.
153: 2007-10-02 14:02:53 UTC - RP165 - Usunięto PowerArchiver 2007 Polish

-- First Restore Point --
1: 2007-08-03 15:50:02 UTC - RP13 - Removed Marvell Miniport Driver

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Rafal.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:39, on 2007-10-03
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rafal\Pulpit\dss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rafal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe

--
End of file - 6757 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups) -----------

backup-20071002-172135-166 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5&lid=2
backup-20071003-152010-181 O3 - Toolbar: The advpn - {E99D4D0C-EB54-46AF-B62A-3AA1F31D53E5} - C:\WINDOWS\advpn.dll
backup-20071003-152010-379 O21 - SSODL: syscore - {3A81BBA6-5E17-4A2D-B915-E7BACD610D00} - C:\WINDOWS\syscore.dll
backup-20071003-152010-398 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5&lid=2
backup-20071003-152010-786 O2 - BHO: MSVPS System - {ECBD04D1-1133-4480-8A8C-BC9FDD54D6C1} - C:\WINDOWS\div32.dll
backup-20071003-152010-996 O21 - SSODL: mssql - {B6D8F617-A748-426D-B122-0DE250069385} - C:\WINDOWS\mssql.dll
backup-20071003-152158-679 O21 - SSODL: syscore - {7CA2E446-4D2E-44A9-A078-BC4EA6238C88} - C:\WINDOWS\syscore.dll
backup-20071003-152158-811 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5&lid=2

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.js - JSFile - shell\open\command - C:\PROGRA~1\PANDAS~1\PANDAI~1\PavScrip.exe "%1" %*
.vbs - VBSFile - shell\open\command - C:\PROGRA~1\PANDAS~1\PANDAI~1\PavScrip.exe "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 netflt (Panda Net Driver [NDIS Layer]) - c:\windows\system32\drivers\netflt.sys
R0 Tpkd - c:\windows\system32\drivers\tpkd.sys
R0 VOBID - c:\windows\system32\drivers\vobid.sys
R1 APPFLT (App Filter Plugin) - c:\windows\system32\drivers\appflt.sys
R1 DSAFLT (DSA Filter Plugin) - c:\windows\system32\drivers\dsaflt.sys
R1 FNETMON (NetMon Filter Plugin) - c:\windows\system32\drivers\fnetmon.sys
R1 IDSFLT (Ids Filter Plugin) - c:\windows\system32\drivers\idsflt.sys
R1 NETFLTDI (Panda Net Driver [TDI Layer]) - c:\windows\system32\drivers\netfltdi.sys
R1 ShldDrv (Panda File Shield Driver) - c:\windows\system32\drivers\shlddrv.sys
R1 SMSFLT (SMS Filter Plugin) - c:\windows\system32\drivers\smsflt.sys
R1 vobiw - c:\windows\system32\drivers\vobiw.sys
R1 WNMFLT (Wifi Monitor Filter Plugin) - c:\windows\system32\drivers\wnmflt.sys
R2 cpoint (Panda CPoint Driver) - c:\windows\system32\drivers\cpoint.sys
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys
R2 PavProc (Panda Process Protection Driver) - c:\windows\system32\drivers\pavproc.sys
R2 StreamDispatcher - c:\windows\system32\drivers\strmdisp.sys
R3 ASAPIW2K - c:\windows\system32\drivers\asapiw2k.sys
R3 AvFlt (Antivirus Filter Driver) - c:\windows\system32\drivers\av5flt.sys (file missing)
R3 cdrdrv - c:\windows\system32\drivers\cdrdrv.sys
S3 catchme - c:\docume~1\rafal\ustawi~1\temp\catchme.sys (file missing)
S3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys
S3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys
S3 mohfilt - c:\windows\system32\drivers\mohfilt.sys (file missing)
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys
S3 usb2vcom (USB to Serial Bridge Controller) - c:\windows\system32\drivers\usb2vcom.sys (file missing)
S3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 PAVFNSVR (Panda Function Service) - "c:\program files\panda software\panda internet security 2007\pavfnsvr.exe"
R2 PavPrSrv (Panda Process Protection Service) - "c:\program files\common files\panda software\pavshld\pavprsrv.exe"
R2 PAVSRV (Panda anti-virus service) - "c:\program files\panda software\panda internet security 2007\pavsrv51.exe"
R2 pmshellsrv (Panda Antispam Engine) - c:\program files\panda software\panda internet security 2007\antispam\pskmssvc.exe
R2 PNMSRV (Panda Network Manager) - "c:\program files\panda software\panda internet security 2007\firewall\pnmsrv.exe"
R2 PSIMSVC (Panda IManager Service) - "c:\program files\panda software\panda internet security 2007\psimsvc.exe"
R2 TPSrv (Panda TPSrv) - "c:\program files\panda software\panda internet security 2007\tpsrv.exe"

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-09-01 16:29:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-09-03 and 2007-10-03 -----------------------------

2007-10-03 15:51:14 2540 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-02 23:03:24 0 d-------- C:\Program Files\Reg Organizer 2.5 Full
2007-10-02 17:08:50 0 d-------- C:\Program Files\Trend Micro
2007-10-02 16:20:53 165308 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-10-02 16:20:49 16256 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
2007-10-02 16:20:49 23296 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
2007-10-02 16:20:49 185472 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
2007-10-02 16:20:49 9216 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
2007-10-02 16:20:49 36864 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
2007-10-02 16:20:49 44544 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
2007-10-02 16:20:48 103936 --a------ C:\WINDOWS\system32\drivers\netfltdi.sys
2007-10-02 16:20:48 141312 --a------ C:\WINDOWS\system32\drivers\netflt.sys
2007-10-02 16:20:41 446464 --a------ C:\WINDOWS\system32\HHActiveX.dll
2007-10-02 16:20:37 139264 --a------ C:\WINDOWS\system32\TpUtil.dll
2007-10-02 16:20:37 101888 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
2007-10-02 16:20:37 245760 --a------ C:\WINDOWS\system32\PavSHook.dll
2007-10-02 16:20:37 57344 --a------ C:\WINDOWS\system32\pavipc.dll
2007-10-02 16:20:37 16640 --a------ C:\WINDOWS\system32\drivers\cpoint.sys
2007-10-02 16:20:33 0 d-------- C:\WINDOWS\system32\PAV
2007-10-02 16:20:33 45056 --a------ C:\WINDOWS\system32\avldr.dll
2007-10-02 16:20:32 9488 --a------ C:\WINDOWS\system32\sporder.dll
2007-10-02 16:19:06 0 d-------- C:\Program Files\Panda Software
2007-10-02 16:18:52 26752 --a------ C:\WINDOWS\system32\drivers\ShldDrv.sys
2007-10-02 16:18:52 165120 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2007-10-02 16:18:52 0 d-------- C:\Program Files\Common Files\Panda Software
2007-09-29 19:03:36 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-09-29 19:03:33 0 d-------- C:\Program Files\DVDFab Platinum

-- Find3M Report ---------------------------------------------------------------

2007-10-02 21:43:05 0 d-------- C:\Program Files\Gadu-Gadu
2007-10-02 16:27:25 355830 --a------ C:\WINDOWS\system32\perfh015.dat
2007-10-02 16:27:25 49712 --a------ C:\WINDOWS\system32\perfc015.dat
2007-10-02 16:20:32 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-02 16:18:52 0 d-------- C:\Program Files\Common Files
2007-10-01 17:58:15 0 dr-h----- C:\Documents and Settings\Rafal\Dane aplikacji\SecuROM
2007-10-01 17:24:54 0 d-------- C:\Program Files\EA SPORTS
2007-09-30 11:19:25 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Vso
2007-09-30 11:19:25 33 --a------ C:\Documents and Settings\Rafal\Dane aplikacji\pcouffin.log
2007-09-30 11:19:23 47360 --a------ C:\Documents and Settings\Rafal\Dane aplikacji\pcouffin.sys
2007-09-30 11:19:23 1144 --a------ C:\Documents and Settings\Rafal\Dane aplikacji\pcouffin.inf
2007-09-30 11:19:23 7176 --a------ C:\Documents and Settings\Rafal\Dane aplikacji\pcouffin.cat
2007-09-30 11:19:23 81920 --a------ C:\Documents and Settings\Rafal\Dane aplikacji\ezpinst.exe
2007-09-29 20:21:23 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Ahead
2007-09-01 16:27:56 0 d-------- C:\Program Files\JoWood
2007-09-01 15:13:51 0 d-------- C:\Program Files\Team17 Software Ltd
2007-09-01 15:13:21 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\InstallShield
2007-08-29 21:44:49 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Sun
2007-08-29 21:42:23 1277 --a------ C:\WINDOWS\mozver.dat
2007-08-29 21:42:17 0 d-------- C:\Program Files\Java
2007-08-29 21:39:11 0 d-------- C:\Program Files\Common Files\Java
2007-08-24 22:47:57 0 d-------- C:\Program Files\Windows Media Connect 2
2007-08-24 22:11:24 0 d-------- C:\Program Files\BitComet
2007-08-24 22:07:49 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll
2007-08-21 22:03:17 0 d-------- C:\Program Files\Common Files\Teleca Shared
2007-08-21 21:28:50 0 d-------- C:\Program Files\Sony Ericsson
2007-08-21 13:59:47 0 d-------- C:\Program Files\Common Files\Adobe
2007-08-21 13:59:34 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Adobe
2007-08-20 14:54:56 0 d-------- C:\Program Files\MSXML 4.0
2007-08-20 14:48:25 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Teleca
2007-08-20 14:43:32 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Sony Ericsson
2007-08-13 22:18:36 0 d-------- C:\Program Files\QuickTime
2007-08-13 21:55:30 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Apple Computer
2007-08-13 21:50:20 0 d-------- C:\Program Files\Apple Software Update
2007-08-10 20:34:16 0 d-------- C:\Program Files\ffdshow
2007-08-10 13:07:45 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Macromedia
2007-08-09 21:48:33 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Gadu-Gadu
2007-08-06 12:39:35 0 d-------- C:\Program Files\Creative
2007-08-05 18:47:10 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Creative
2007-08-05 17:49:07 0 d-------- C:\Program Files\Electronic Arts
2007-08-05 17:31:45 0 d-------- C:\Program Files\Alcohol Soft
2007-08-05 16:51:33 0 d-------- C:\Program Files\VID_0E8F&PID_0003
2007-08-05 16:50:34 0 d-------- C:\Program Files\Common Files\InstallShield
2007-08-05 15:53:10 0 d-------- C:\Program Files\epson
2007-08-05 15:51:35 0 d-------- C:\Program Files\Messenger
2007-08-03 20:02:51 0 d-------- C:\Program Files\Movie Maker
2007-08-03 20:00:26 0 d-------- C:\Program Files\Windows NT
2007-08-03 19:26:15 0 d-------- C:\Program Files\WapSter
2007-08-03 18:03:06 0 d-------- C:\Program Files\Symantec
2007-08-03 18:02:34 0 d--h----- C:\Program Files\WindowsUpdate
2007-08-03 18:02:26 0 d-------- C:\Program Files\Ahead
2007-08-03 17:59:22 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Talkback
2007-08-03 17:59:16 0 --a------ C:\WINDOWS\nsreg.dat
2007-08-03 17:59:14 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Mozilla
2007-08-03 17:49:38 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Symantec
2007-08-03 17:39:28 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Help
2007-08-03 17:39:13 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Identities

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 09:47 C:\WINDOWS\SOUNDMAN.EXE]
"CARPService"="carpserv.exe" [2002-11-19 13:17 C:\WINDOWS\system32\carpserv.exe]
"PinnacleDriverCheck"="C:\WINDOWS\System32\PSDrvCheck.exe" [2003-11-10 16:06]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50]
"EPSON Stylus Photo RX420 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.exe" [2004-04-09 06:00]
"CTSysVol"="C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" [2003-08-12 13:48]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2004-10-27 20:14:21]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-21 13:41:04]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 08:15:54]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE [1999-05-17 14:59:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2005-09-27 12:13 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Corel MEDIA FOLDERS INDEXER 8.LNK]
path=C:\Documents and Settings\All Users\Menu Start\Programy\CorelDRAW Classic\Narzędzia graficzne\Corel MEDIA FOLDERS INDEXER 8.LNK
backup=C:\WINDOWS\pss\Corel MEDIA FOLDERS INDEXER 8.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
"C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
"C:\Program Files\Gadu-Gadu\gg.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCANINICIO]
"C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"

-- End of Deckard's System Scanner: finished at 2007-10-03 19:40:24 ------------
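Gutek's reply in #2 picks out the hijacked start page, the BHO and toolbar DLLs sitting directly in C:\WINDOWS, and the two O21 SSODL entries; the "HijackThis Fixed Entries" section of the DSS log above then shows syscore.dll being backed up twice under two different CLSIDs, i.e. the component came back after the first fix with a new identifier. The script below is an added example (editor's code, not a tool from the thread or from HijackThis) that automates that triage: it parses HijackThis-format lines, applies the heuristics Gutek applied by eye, and compares a "before" log with an "after" log by file path rather than CLSID so a re-registered DLL is still caught. Both sample logs are constructed excerpts built from entries visible in this thread; the start-page allowlist is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt in HijackThis format: the entries Gutek flagged plus a
# few legitimate ones from the same log, used as sample "before" input.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: MSVPS System - {ECBD04D1-1133-4480-8A8C-BC9FDD54D6C1} - C:\WINDOWS\div32.dll
O3 - Toolbar: The advpn - {E99D4D0C-EB54-46AF-B62A-3AA1F31D53E5} - C:\WINDOWS\advpn.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O21 - SSODL: mssql - {B6D8F617-A748-426D-B122-0DE250069385} - C:\WINDOWS\mssql.dll
O21 - SSODL: syscore - {3A81BBA6-5E17-4A2D-B915-E7BACD610D00} - C:\WINDOWS\syscore.dll
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# Constructed "after cleanup" excerpt: syscore.dll is back under the second
# CLSID seen in the DSS backup list; everything else flagged is gone.
AFTER_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O21 - SSODL: syscore - {7CA2E446-4D2E-44A9-A078-BC4EA6238C88} - C:\WINDOWS\syscore.dll
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A DLL placed directly in the Windows folder (no subfolder): the pattern shared
# by div32.dll, advpn.dll, mssql.dll and syscore.dll in this thread.
WINDIR_ROOT_DLL_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+\.dll$", re.IGNORECASE)
# Assumed allowlist of start pages not worth reporting (editor's assumption).
DEFAULT_START_PAGES = {"about:blank", "http://www.msn.com/",
                       "http://go.microsoft.com/fwlink/?linkid=69157"}


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    target: str  # the file path or URL the entry points at


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for headers and process paths."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0).upper() if clsid_m else None
    if sec == "O4":                      # O4 - HKLM\..\Run: [Name] command
        target = body.split("] ", 1)[-1]
    elif sec.startswith("R"):            # R0 - ...,Start Page = URL
        target = body.split(" = ", 1)[-1]
    elif sec == "O24":                   # O24 - Desktop Component: name - file:///path
        target = body.rsplit(" - ", 1)[-1].replace("file:///", "")
    else:                                # O2/O3/O21/O23: ... - {CLSID} - path
        target = body.rsplit(" - ", 1)[-1]
    return Entry(sec, body, clsid, target.strip())


def flag_reasons(e: Entry) -> List[str]:
    """Heuristics a helper applies when reading a log; empty list means benign."""
    reasons = []
    if e.section in {"O2", "O3", "O21"} and WINDIR_ROOT_DLL_RE.match(e.target):
        reasons.append("DLL loaded from the Windows folder root")
    if e.section == "O21":
        reasons.append("ShellServiceObjectDelayLoad entry (HJT hides the defaults)")
    if e.section in {"R0", "R1"} and "Start Page" in e.body \
            and e.target.lower() not in DEFAULT_START_PAGES:
        reasons.append("non-default start page")
    if e.section == "O24" and "file:///" in e.body:
        reasons.append("desktop component served from a local file")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (section, target, reasons) for every entry that trips a heuristic."""
    hits = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is not None:
            reasons = flag_reasons(e)
            if reasons:
                hits.append((e.section, e.target, reasons))
    return hits


def still_present(before_log: str, after_log: str) -> List[str]:
    """Flagged targets from the earlier log still referenced in the later one.
    Matching is by path, not CLSID, because a component that re-registers
    itself can keep its DLL while changing its CLSID."""
    after_targets = set()
    for line in after_log.splitlines():
        e = parse_entry(line)
        if e is not None:
            after_targets.add(e.target.lower())
    return sorted({t for _, t, _ in triage(before_log) if t.lower() in after_targets})


if __name__ == "__main__":
    for sec, target, reasons in triage(SAMPLE_LOG):
        print(f"{sec:4} {target}  <- {'; '.join(reasons)}")
    print("still present after cleanup:", still_present(SAMPLE_LOG, AFTER_LOG))
```

On the sample input the triage lists exactly the six entries that matter (the start page, div32.dll, advpn.dll, both SSODL DLLs and the desktop component) and the before/after comparison reports only syscore.dll, which is the same conclusion the DSS backup list supports: one removal pass is not proof of a clean machine, so a second log after the fix is the check worth insisting on.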
Gutek
(Gutek)
3 October 2007 21:41
#6
Use SmitFraudFix and choose option 2, in Safe Mode of course, and after that:
Download SDFix
rafylk
(Rkolkowski)
4 October 2007 17:14
#7
The SmitFraudFix report; it was saved after all. Should I also post the one from SDFix?
SmitFraudFix v2.235

Scan done at 15:51:07,00, 2007-10-03
Run from C:\Documents and Settings\Rafal\Pulpit\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS

Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\main_uninstaller.exe Deleted
C:\WINDOWS\msmhost.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{C2D72703-D286-4114-9409-12124C5C8B99}]
C:\WINDOWS\mssql.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{59C281AE-2B06-4E6A-BE98-60E6C3031D8E}]
C:\WINDOWS\privacy_danger\ Deleted
C:\WINDOWS\syscore.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{350BB4C6-42E8-4C2E-825F-762D1C3AEBC2}]
C:\DOCUME~1\Rafal\Pulpit\Error Cleaner.url Deleted
C:\DOCUME~1\Rafal\Pulpit\Privacy Protector.url Deleted
C:\DOCUME~1\Rafal\Pulpit\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\Rafal\Ulubione\Error Cleaner.url Deleted
C:\DOCUME~1\Rafal\Ulubione\Privacy Protector.url Deleted
C:\Program Files\VideoAccessCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9FD5002A-DDE7-4530-B422-C67843238C56}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9FD5002A-DDE7-4530-B422-C67843238C56}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9FD5002A-DDE7-4530-B422-C67843238C56}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
Gutek
(Gutek)
4 October 2007 22:17
#8
Yes, from SDFix + ComboFix (Deckard's System Scanner)
rafylk
(Rkolkowski)
5 October 2007 13:28
#9
Report from Deckard's System Scanner:
Deckard's System Scanner v20070905.67
Run by Rafal on 2007-10-05 15:27:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Rafal.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:27, on 2007-10-05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Rafal\Pulpit\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rafal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [CARPService] carpserv.exe
O4 - HKLM…\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM…\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM…\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM…\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM…\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe

--
End of file - 6650 bytes

-- Files created between 2007-09-05 and 2007-10-05 -----------------------------

2007-10-03 20:19:01 0 d-------- C:\Program Files\PowerArchiver
2007-10-03 15:51:14 2540 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-02 23:03:24 0 d-------- C:\Program Files\Reg Organizer 2.5 Full
2007-10-02 17:08:50 0 d-------- C:\Program Files\Trend Micro
2007-10-02 16:20:53 176760 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-10-02 16:20:49 16256 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
2007-10-02 16:20:49 23296 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
2007-10-02 16:20:49 185472 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
2007-10-02 16:20:49 9216 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
2007-10-02 16:20:49 36864 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
2007-10-02 16:20:49 44544 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
2007-10-02 16:20:48 103936 --a------ C:\WINDOWS\system32\drivers\netfltdi.sys
2007-10-02 16:20:48 141312 --a------ C:\WINDOWS\system32\drivers\netflt.sys
2007-10-02 16:20:41 446464 --a------ C:\WINDOWS\system32\HHActiveX.dll
2007-10-02 16:20:37 139264 --a------ C:\WINDOWS\system32\TpUtil.dll
2007-10-02 16:20:37 101888 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
2007-10-02 16:20:37 245760 --a------ C:\WINDOWS\system32\PavSHook.dll
2007-10-02 16:20:37 57344 --a------ C:\WINDOWS\system32\pavipc.dll
2007-10-02 16:20:37 16640 --a------ C:\WINDOWS\system32\drivers\cpoint.sys
2007-10-02 16:20:33 0 d-------- C:\WINDOWS\system32\PAV
2007-10-02 16:20:33 45056 --a------ C:\WINDOWS\system32\avldr.dll
2007-10-02 16:20:32 9488 --a------ C:\WINDOWS\system32\sporder.dll
2007-10-02 16:19:06 0 d-------- C:\Program Files\Panda Software
2007-10-02 16:18:52 26752 --a------ C:\WINDOWS\system32\drivers\ShldDrv.sys
2007-10-02 16:18:52 165120 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2007-10-02 16:18:52 0 d-------- C:\Program Files\Common Files\Panda Software
2007-09-29 19:03:36 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-09-29 19:03:33 0 d-------- C:\Program Files\DVDFab Platinum

-- Find3M Report ---------------------------------------------------------------

2007-10-04 19:10:30 0 d-------- C:\Program Files\ACDSee32
2007-10-03 20:03:50 0 d-------- C:\Program Files\BitComet
2007-10-02 21:43:05 0 d-------- C:\Program Files\Gadu-Gadu
2007-10-02 16:27:25 355830 --a------ C:\WINDOWS\system32\perfh015.dat
2007-10-02 16:27:25 49712 --a------ C:\WINDOWS\system32\perfc015.dat
2007-10-02 16:20:32 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-02 16:18:52 0 d-------- C:\Program Files\Common Files
2007-10-01 17:58:15 0 dr-h----- C:\Documents and Settings\Rafal\Dane aplikacji\SecuROM
2007-10-01 17:24:54 0 d-------- C:\Program Files\EA SPORTS
2007-09-30 11:19:25 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Vso
2007-09-30 11:19:25 33 --a------ C:\Documents and Settings\Rafal\Dane aplikacji\pcouffin.log
2007-09-30 11:19:23 47360 --a------ C:\Documents and Settings\Rafal\Dane aplikacji\pcouffin.sys
2007-09-30 11:19:23 1144 --a------ C:\Documents and Settings\Rafal\Dane aplikacji\pcouffin.inf
2007-09-30 11:19:23 7176 --a------ C:\Documents and Settings\Rafal\Dane aplikacji\pcouffin.cat
2007-09-30 11:19:23 81920 --a------ C:\Documents and Settings\Rafal\Dane aplikacji\ezpinst.exe
2007-09-29 20:21:23 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Ahead
2007-09-01 16:27:56 0 d-------- C:\Program Files\JoWood
2007-09-01 15:13:51 0 d-------- C:\Program Files\Team17 Software Ltd
2007-09-01 15:13:21 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\InstallShield
2007-08-29 21:44:49 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Sun
2007-08-29 21:42:23 1277 --a------ C:\WINDOWS\mozver.dat
2007-08-29 21:42:17 0 d-------- C:\Program Files\Java
2007-08-29 21:39:11 0 d-------- C:\Program Files\Common Files\Java
2007-08-24 22:47:57 0 d-------- C:\Program Files\Windows Media Connect 2
2007-08-24 22:07:49 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll
2007-08-21 22:03:17 0 d-------- C:\Program Files\Common Files\Teleca Shared
2007-08-21 21:28:50 0 d-------- C:\Program Files\Sony Ericsson
2007-08-21 13:59:47 0 d-------- C:\Program Files\Common Files\Adobe
2007-08-21 13:59:34 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Adobe
2007-08-20 14:54:56 0 d-------- C:\Program Files\MSXML 4.0
2007-08-20 14:48:25 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Teleca
2007-08-20 14:43:32 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Sony Ericsson
2007-08-13 22:18:36 0 d-------- C:\Program Files\QuickTime
2007-08-13 21:55:30 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Apple Computer
2007-08-13 21:50:20 0 d-------- C:\Program Files\Apple Software Update
2007-08-10 20:34:16 0 d-------- C:\Program Files\ffdshow
2007-08-10 13:07:45 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Macromedia
2007-08-09 21:48:33 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Gadu-Gadu
2007-08-06 12:39:35 0 d-------- C:\Program Files\Creative
2007-08-05 18:47:10 0 d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Creative
2007-08-05 17:49:07 0 d-------- C:\Program Files\Electronic Arts
2007-08-05 17:31:45 0 d-------- C:\Program Files\Alcohol Soft
2007-08-05 16:51:33 0 d-------- C:\Program Files\VID_0E8F&PID_0003
2007-08-05 16:50:34 0 d-------- C:\Program Files\Common Files\InstallShield
2007-08-05 15:53:10 0 d-------- C:\Program Files\epson
2007-08-05 15:51:35 0 d-------- C:\Program Files\Messenger
2007-08-03 17:59:16 0 --a------ C:\WINDOWS\nsreg.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 09:47 C:\WINDOWS\SOUNDMAN.EXE]
"CARPService"="carpserv.exe" [2002-11-19 13:17 C:\WINDOWS\system32\carpserv.exe]
"PinnacleDriverCheck"="C:\WINDOWS\System32\PSDrvCheck.exe" [2003-11-10 16:06]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50]
"EPSON Stylus Photo RX420 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.exe" [2004-04-09 06:00]
"CTSysVol"="C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" [2003-08-12 13:48]

-- End of Deckard's System Scanner: finished at 2007-10-05 15:27:29 ------------
Posts merged: 05.10.2007 (Fri) 14:46
Here is the SDFix report.
SDFix: Version 1.107
Run by Rafal on 2007-10-05 at 15:38

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting…

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files…

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Microsoft Office\Office\1045\WFXMSRVR.EXE"="C:\Program Files\Microsoft Office\Office\1045\WFXMSRVR.EXE:*:Enabled:WFXMSRVR"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Files with Hidden Attributes:

Wed 13 Oct 2004 1,694,208 …H. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 30 Mar 1998 5,946,880 …H. --- "C:\Corel\Graphics8\programs\CNSFlt80.dll"
Thu 1 Jun 2000 421,376 …H. --- "C:\Corel\Graphics8\programs\convintl.dll"
Wed 5 Nov 1997 77,312 …H. --- "C:\Corel\Graphics8\programs\Mos1680.dll"
Thu 6 Nov 1997 4,608 …H. --- "C:\Corel\Graphics8\programs\Mos3280.dll"
Wed 3 Oct 2007 0 A…H. --- "C:\Deckard\System Scanner\20071005152643\backup\DOCUME~1\Rafal\USTAWI~1\Temp\BIT2A.tmp"

Finished!
rafylk
(Rkolkowski)
6 October 2007 08:00
#11
Thank you very much for the help.
yasteroo
(Yasteroo)
13 October 2007 13:49
#12
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 15:13:13, on 2007-10-13
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Oprogramowanie interfejsu Bluetooth\bin\btwdins.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Wireless\IEEE802.11b WLAN PCI Card v3.0\WLPCICfg.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM…\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - Startup: .protected
O4 - Global Startup: IEEE802.11b WLAN PCI Card Utility.lnk = C:\Program Files\Wireless\IEEE802.11b WLAN PCI Card v3.0\WLPCICfg.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Wyślij do interfejsu &Bluetooth - C:\Program Files\WIDCOMM\Oprogramowanie interfejsu Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll ,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Oprogramowanie interfejsu Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll ,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Oprogramowanie interfejsu Bluetooth\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: ##Id_String1 .6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Oprogramowanie interfejsu Bluetooth\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
SDFix log
SDFix: Version 1.108
Run by Administrator on 2007-10-13 at 15:03

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting…

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\rs.txt - Deleted

Removing Temp Files…

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll ,-22019"
"D:\Programy\BearShare\BearShare.exe"="D:\Programy\BearShare\BearShare.exe:*:Enabled:BearShare"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Gadu-Gadu\gg.exe"="C:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program g˘wny"
"D:\CS\hl.exe"="D:\CS\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\WapSter\AQQ\AQQ.exe"="C:\Program Files\WapSter\AQQ\AQQ.exe:*:Enabled:P2P AQQ"
"C:\PROGRA~1\WapSter\AQQ\AQQ.exe"="C:\PROGRA~1\WapSter\AQQ\AQQ.exe:*:Enabled:P2P AQQ"
"C:\Program Files\FlashGet\flashget.exe"="C:\Program Files\FlashGet\flashget.exe:*:Enabled:Flashget"
"C:\Program Files\PPStream\PPStream.exe"="C:\Program Files\PPStream\PPStream.exe:*:Enabled:PPStream"
"C:\Program Files\TVAnts\Tvants.exe"="C:\Program Files\TVAnts\Tvants.exe:*:Enabled:TVAnts"
"C:\Program Files\Konnekt\konnekt.exe"="C:\Program Files\Konnekt\konnekt.exe:*:Enabled:Konnekt - Core"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll ,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 12 Oct 2007 0 A…H. --- "C:\Documents and Settings\Asia\Ustawienia lokalne\Temp\BITCA0.tmp"
Fri 12 Oct 2007 20,992 A…H. --- "C:\Documents and Settings\Asia\Ustawienia lokalne\Temp\BITBF7.tmp"
Fri 12 Oct 2007 0 A…H. --- "C:\Documents and Settings\Asia\Ustawienia lokalne\Temp\BIT5481.tmp"

Finished!
and from ComboFix
ComboFix 07-10-12.4 - Asia 2007-10-13 15:18:15.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.46 [GMT 2:00]
Running from: D:\Download\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:.protected
C:\Documents and Settings\Asia\Menu Start\Programy\Autostart.protected
C:\Documents and Settings\Asia\Menu Start\Programy\Autostart.protected
C:\Documents and Settings\Asia\Pulpit\Error Cleaner.url
C:\Documents and Settings\Asia\Pulpit\Error Cleaner.url
C:\Documents and Settings\Asia\Pulpit\Error Cleaner.url
C:\Documents and Settings\Asia\Pulpit\Privacy Protector.url
C:\Documents and Settings\Asia\Pulpit\Privacy Protector.url
C:\Documents and Settings\Asia\Pulpit\Privacy Protector.url
C:\Documents and Settings\Asia\Pulpit\Spyware&Malware Protection.url
C:\Documents and Settings\Asia\Pulpit\Spyware&Malware Protection.url
C:\Documents and Settings\Asia\Pulpit\Spyware&Malware Protection.url
C:\Documents and Settings\Asia\Ulubione\Error Cleaner.url
C:\Documents and Settings\Asia\Ulubione\Error Cleaner.url
C:\Documents and Settings\Asia\Ulubione\Error Cleaner.url
C:\Documents and Settings\Asia\Ulubione\Privacy Protector.url
C:\Documents and Settings\Asia\Ulubione\Privacy Protector.url
C:\Documents and Settings\Asia\Ulubione\Privacy Protector.url
C:\Documents and Settings\Asia\Ulubione\Spyware&Malware Protection.url
C:\Documents and Settings\Asia\Ulubione\Spyware&Malware Protection.url
C:\Documents and Settings\Asia\Ulubione\Spyware&Malware Protection.url
C:\WINDOWS\system32\drivers\etc.protected
.
((((((((((((((((((((((((( Files Created from 2007-09-13 to 2007-10-13 )))))))))))))))))))))))))))))))
.
2007-10-13 15:17 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-13 15:02
2007-10-13 14:48 1,712 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-12 22:25
2007-10-12 22:25
2007-10-12 22:25
2007-10-12 22:25
2007-10-12 22:25
2007-10-12 22:25
2007-10-12 22:25
2007-10-12 22:05
2007-10-12 16:02 245,760 --a------ C:\Program Files\Uninstall Ask Toolbar.dll
2007-10-08 14:14
2007-10-06 14:41
2007-09-30 16:08
2007-09-28 21:18 921,600 --a------ C:\WINDOWS\system32\vorbisenc.dll
2007-09-28 21:18 237,568 --a------ C:\WINDOWS\system32\OggDS.dll
2007-09-28 21:17 188,416 --a------ C:\WINDOWS\system32\vorbis.dll
2007-09-28 21:17 45,056 --a------ C:\WINDOWS\system32\ogg.dll
2007-09-28 21:16 1,415,680 --a------ C:\WINDOWS\system32\WMV9VCM.dll
2007-09-28 21:15 755,200 --a------ C:\WINDOWS\system32\ir50_32.dll
2007-09-28 21:15 245,760 --a------ C:\WINDOWS\system32\mplvpx.dll
2007-09-28 21:11 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-09-28 21:10 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-09-28 21:09 167,936 --a------ C:\WINDOWS\system32\ts.dll
2007-09-28 21:09 142,848 --a------ C:\WINDOWS\system32\mp4.dll
2007-09-28 21:08 151,040 --a------ C:\WINDOWS\system32\mkx.dll
2007-09-28 21:08 79,360 --a------ C:\WINDOWS\system32\mkzlib.dll
2007-09-28 21:08 23,552 --a------ C:\WINDOWS\system32\mkunicode.dll
2007-09-28 21:07
2007-09-28 21:02
2007-09-28 18:47
2007-09-26 16:15
2007-09-26 16:08
2007-09-26 15:50
2007-09-23 13:46
2007-09-19 09:42
2007-09-18 20:45
2007-09-18 09:40
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 19:15 9,216 ----a-w C:\WINDOWS\system32\cpuinf32.dll
2007-09-10 19:40 --------- d-----w C:\Program Files\StormII
2007-09-10 19:40 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Storm
2007-09-10 19:32 --------- d-----w C:\Program Files\PPStream
2007-09-10 19:32 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\ppstream
2007-09-10 19:32 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\ppstream
2007-09-10 19:32 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\ppstream
2007-09-10 19:27 --------- d-----w C:\Program Files\FlashGet
2007-09-09 20:00 --------- d-----w C:\Program Files\WEBDEV
2007-09-08 07:50 --------- d-----w C:\Program Files\WapSter
2007-09-08 07:46 --------- d-----w C:\Program Files\Gadu-Gadu
2007-09-05 15:40 --------- d-----w C:\Program Files\Robster Productions
2007-09-04 21:00 --------- d-----w C:\Program Files\Common Files\Ahead
2007-09-04 21:00 --------- d-----w C:\Program Files\Ahead
2007-09-04 20:58 --------- d-----w C:\Program Files\AskTBar
2007-09-01 15:35 --------- d-----w C:\Program Files\Bonjour
2007-09-01 15:21 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-09-01 11:37 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\FLEXnet
2007-08-31 07:35 --------- d-----w C:\Program Files\CCleaner
2007-08-31 06:39 --------- d-----w C:\Program Files\Common Files\Skype
2007-08-30 18:45 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\Skype
2007-08-30 18:45 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\Skype
2007-08-30 18:45 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\Skype
2007-08-30 18:44 --------- d-----w C:\Program Files\Skype
2007-08-30 18:44 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype
2007-08-30 11:57 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-08-30 11:57 298,104 ----a-w C:\WINDOWS\system32\IMON.DLL
2007-08-30 11:57 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2007-08-30 11:37 61,440 ----a-w C:\WINDOWS\uninstal.exe
2007-08-30 11:37 --------- d-----w C:\Program Files\Ontrack
2007-08-30 10:39 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\Gadu-Gadu
2007-08-30 10:39 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\Gadu-Gadu
2007-08-30 10:39 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\Gadu-Gadu
2007-08-30 07:33 --------- d-----w C:\Program Files\MarBit
2007-08-30 07:14 --------- d-----w C:\Program Files\QuickTime
2007-08-30 07:14 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\QuickTime
2007-08-29 09:03 --------- d-----w C:\Program Files\WIDCOMM
2007-08-28 15:35 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\PLAux
2007-08-28 15:35 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\PLAux
2007-08-28 15:35 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\PLAux
2007-08-26 19:31 --------- d-----w C:\Program Files\Common Files\Adobe
2007-08-26 19:28 --------- d-----w C:\Program Files\Winamp
2007-08-26 19:28 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\MusicIP
2007-08-26 19:28 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\MusicIP
2007-08-26 19:28 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\MusicIP
2007-08-26 19:26 --------- d-----w C:\Program Files\ffdshow
2007-08-26 19:26 --------- d-----w C:\Program Files\AC3Filter
2007-08-26 19:25 --------- d-----w C:\Program Files\Alwil Software
2007-08-26 19:20 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\Microsoft Web Folders
2007-08-26 19:20 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\Microsoft Web Folders
2007-08-26 19:20 --------- d-----w C:\Documents and Settings\Asia\Dane aplikacji\Microsoft Web Folders
2007-08-26 19:16 --------- d-----w C:\Program Files\Wireless
2007-08-26 19:14 --------- d-----w C:\Program Files\Intel
2007-08-26 19:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-26 19:12 --------- d-----w C:\Program Files\Realtek Sound Manager
2007-08-26 19:12 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-08-26 19:12 --------- d-----w C:\Program Files\AvRack
2007-08-26 19:02 --------- d-----w C:\Program Files\microsoft frontpage
2007-08-26 18:59 --------- d-----w C:\Program Files\Usługi online
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-30 13:57]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
IEEE802.11b WLAN PCI Card Utility.lnk - C:\Program Files\Wireless\IEEE802.11b WLAN PCI Card v3.0\WLPCICfg.exe [2007-08-26 21:16:25]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

R3 WLPCIV27;IEEE802.11b WLAN PCI Card v3.0 Driver;C:\WINDOWS\system32\DRIVERS\WLPCIV27.sys
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-13 15:20:17
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-13 15:20:49
.
--- E O F ---
Thanks in advance.
P.S. I had the same trojan as the colleague in the first post; I carried out all the recommended steps and am posting the logs at the end with a request to check them.