W kompie wykryto 4 obiekty "cloaked Malware"!

Dla specjalistów Bezpieczeństwo
#1

witam, prosze o pomoc, poniewaz program wykrył w systemie obiekty Malware i byc moze cos wiecej. Prosze o poradę jak sie ich pozbyc i jak wyczyscic pendrive (poniewaz podejrzewam ze tez jest zainfekowany). Poniżej wklejam całego loga z HijacThis. Prosze o instrukcje postępowania w miarę przejrzystym językiem, ponieważ nie jestem zbyt wielką specjalistą w tej tematyce. Mam nadzieje ze kompa da sie jeszcze uratowac?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:33:51, on 2008-07-09

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Program Files\PrevxCSI\prevxcsi.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\System32\s3trayp.exe

C:\Windows\System32\oodtray.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe

C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe

C:\Program Files\MarBit\ALLPassword Manager\ALLPasswordManager.exe

C:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: ALLPassword Manager - {4C7FFB7A-EEA6-43A5-8D02-6DBD648FFB05} - C:\PROGRA~1\MarBit\ALLPAS~1\ALLPAS~1.DLL

O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Windows\system32\ieso0.dll

O4 - HKLM…\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM…\Run: [s3Trayp] S3trayp.exe -chkautorun

O4 - HKLM…\Run: [iSUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start

O4 - HKLM…\Run: [OODefragTray] C:\Windows\system32\oodtray.exe

O4 - HKLM…\Run: [iSTray] “C:\Program Files\Spyware Doctor\pctsTray.exe”

O4 - HKLM…\Run: [00PCTFW] “C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe” -s

O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”

O4 - HKLM…\Run: [RRT-Auto] C:\Users\Administrator\Desktop\roboczy\RRT.exe auto

O4 - HKCU…\Run: [uIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe

O4 - HKCU…\Run: [kxva] C:\Windows\system32\kxvo.exe

O4 - HKCU…\Run: [ALLPasswordManager] C:\Program Files\MarBit\ALLPassword Manager\ALLPasswordManager.exe

O4 - HKUS\S-1-5-19…\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-19…\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘USŁUGA SIECIOWA’)

O4 - Global Startup: Ashampoo AntiVirus Service.lnk = C:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe

O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra ‘Tools’ menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: avGuard Service (avGuard) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe

O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\Windows\system32\oodag.exe

O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

End of file - 5436 bytes

Z góry dziękuję , Aga

#2

Witam

pendrive’a wyczyscisz

http://www.techsupportforum.com/sectool … fector.exe

uruchamiasz kompa w trybie awaryjnym, wciskasz F8 przy starcie i te wpisy dajesz na fix

O4 - HKCU\..\Run: [kxva] C:\Windows\system32\kxvo.exe

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'USŁUGA LOKALNA')

Zastosuj SDFix . Po pobraniu uruchom go a rozpakuje się do C:\SDFix. Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w awaryjnym uruchom plik RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zresetuje

Potem wejdz do folderu C:\SDFix wrzuc zawartość pliku Report.txt

wrzuc tez log z combofix’a, co i jak masz napisane tu

viewtopic.php?f=16&t=36654

#3

fix w hijackthis

Podaj log z Combofix

#4

witam

" uruchamiasz kompa w trybie awaryjnym, wciskasz F8 przy starcie i te wpisy dajesz na fix" - nie bardzo wiem co oznacza “na fix”?

A moze mieszkasz w Wawie lub okolicach i mógłbys mi pomóc osobiście, bo nie wiem czy sobie z tym poradze?

Aga

#5

Podaj log z Combofix

#6

podaje log z Combo:

ComboFix 08-07-08.5 - Administrator 2008-07-09 7:49:18.1 - NTFSx86

Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1250.1.1045.18.1095 [GMT 2:00]

Running from: C:\Users\Administrator\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

C:\Windows\gpefaowr.exe

C:\Windows\system32\fool0.dll

C:\Windows\system32\fool1.dll

C:\Windows\system32\iconv.dll

C:\Windows\system32\ieso0.dll

C:\Windows\system32\kxvo.exe

D:\Autorun.inf

E:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))

.

2008-07-09 00:33 . 2008-07-09 00:33

2008-07-09 00:06 . 2008-07-09 00:06

2008-07-08 23:04 . 2008-07-08 23:04 17,408 --a------ C:\Windows\System32\drivers\pxark.sys

2008-07-08 23:03 . 2008-07-09 06:54

2008-07-08 23:03 . 2008-07-09 06:54

2008-07-08 23:03 . 2008-07-08 23:03

2008-07-08 22:57 . 2008-07-08 22:57 16,244 --a------ C:\Windows\System32\rrt_is.wav

2008-07-08 22:57 . 2008-07-08 22:57 7,302 --a------ C:\Windows\System32\rrt_vf.wav

2008-07-08 22:57 . 2008-07-08 22:57 7,148 --a------ C:\Windows\System32\rrt_tv.wav

2008-07-08 22:57 . 2008-07-08 22:57 6,282 --a------ C:\Windows\System32\rrt_tn.wav

2008-07-08 21:27 . 2008-07-08 21:27 1,282 --a------ C:\Windows\System32\libFLAC.dll

2008-07-08 21:27 . 2008-07-08 21:27 1,281 --a------ C:\Windows\System32\madFlac.ax

2008-07-08 21:26 . 2008-07-08 21:26 1,283 --a------ C:\Windows\System32\DivXMedia.ax

2008-07-08 21:26 . 2008-07-08 21:26 1,281 --a------ C:\Windows\System32\DivXsm.exe

2008-07-08 21:26 . 2008-07-08 21:26 1,281 --a------ C:\Windows\System32\divxdec.ax

2008-07-08 19:42 . 162,515 C:\3hmhv2k.com

2008-07-06 20:18 . 2008-07-06 20:34

2008-07-06 16:25 . 2008-07-08 16:30

2008-07-06 16:24 . 2008-07-08 18:12

2008-07-06 11:33 . 2008-07-06 11:33

2008-07-06 11:33 . 2008-07-06 11:33 56 --ah----- C:\Windows\System32\ezsidmv.dat

2008-07-06 11:32 . 2008-07-06 12:46

2008-07-06 11:28 . 2008-07-06 11:28

2008-07-06 11:28 . 2008-07-06 11:28

2008-07-06 11:28 . 2008-07-06 11:28

2008-07-06 11:28 . 2008-07-06 11:28

2008-07-05 21:28 . 2008-07-09 00:01 0 -rahs---- C:\d8hii.cmd

2008-07-05 20:33 . 2008-07-05 20:33

2008-07-05 20:31 . 2008-07-05 20:31

2008-07-05 20:27 . 2008-07-05 20:27

2008-06-30 19:55 . 2008-06-30 19:55

2008-06-30 19:54 . 1997-11-19 15:49 303,616 --a------ C:\Windows\IsUninst.exe

2008-06-28 16:12 . 2007-08-24 19:44 101,504 -ra------ C:\Windows\System32\drivers\ewusbmdm.sys

2008-06-28 16:12 . 2007-08-24 19:44 23,424 -ra------ C:\Windows\System32\drivers\ewdcsc.sys

2008-06-28 16:10 . 2008-06-28 16:13

2008-06-19 20:30 . 2008-06-19 20:31 38 --a------ C:\Windows\avisplitter.INI

2008-06-18 15:20 . 2008-06-18 15:20

2008-06-17 15:00 . 2007-04-16 16:25 7,168 --a------ C:\Windows\System32\drivers\AshAvScan.sys

2008-06-16 18:52 . 2008-07-08 21:26 1,284 --a------ C:\Windows\System32\FLVSplitter.ax

2008-06-16 18:52 . 2008-07-08 21:26 1,284 --a------ C:\Windows\System32\cpuinf32.dll

2008-06-16 18:52 . 2008-07-08 21:26 1,283 --a------ C:\Windows\System32\splitter.ax

2008-06-16 18:52 . 2008-07-08 21:26 1,283 --a------ C:\Windows\System32\i263_32.drv

2008-06-16 18:52 . 2008-07-08 21:26 1,283 --a------ C:\Windows\System32\DVDVideo.ax

2008-06-16 18:52 . 2008-07-08 21:26 1,282 --a------ C:\Windows\System32\mplvpx.dll

2008-06-16 18:52 . 2008-07-08 21:26 1,282 --a------ C:\Windows\System32\lmpgspl.ax

2008-06-16 18:52 . 2008-07-08 21:26 1,281 --a------ C:\Windows\System32\WMV9VCM.dll

2008-06-16 18:52 . 2008-07-08 21:26 1,281 --a------ C:\Windows\System32\lmpgvd.ax

2008-06-16 18:45 . 2008-07-08 21:26 1,283 --a------ C:\Windows\System32\mmfinfo.dll

2008-06-16 18:45 . 2008-07-08 21:26 1,279 --a------ C:\Windows\System32\ogm.dll

2008-06-16 18:45 . 2008-07-08 21:26 1,279 --a------ C:\Windows\System32\mp4.dll

2008-06-16 18:45 . 2008-07-08 21:26 1,279 --a------ C:\Windows\System32\mkx.dll

2008-06-16 18:45 . 2008-07-08 21:26 1,279 --a------ C:\Windows\System32\avi.dll

2008-06-16 18:44 . 2008-07-08 21:26 1,288 --a------ C:\Windows\System32\CoreAVCDecoder.ax

2008-06-16 18:44 . 2008-07-08 21:26 1,285 --a------ C:\Windows\System32\mkunicode.dll

2008-06-16 18:44 . 2008-07-08 21:26 1,282 --a------ C:\Windows\System32\mkzlib.dll

2008-06-16 18:44 . 2008-07-08 21:26 1,278 --a------ C:\Windows\System32\ts.dll

2008-06-15 17:00 . 2008-06-15 17:10

2008-06-14 19:58 . 2008-04-23 06:42 428,544 --a------ C:\Windows\System32\EncDec.dll

2008-06-14 19:58 . 2008-04-23 06:42 293,376 --a------ C:\Windows\System32\psisdecd.dll

2008-06-14 19:58 . 2008-04-23 06:41 218,624 --a------ C:\Windows\System32\psisrndr.ax

2008-06-14 19:58 . 2008-04-23 06:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax

2008-06-13 20:21 . 2008-06-13 20:34

2008-06-13 19:44 . 2008-06-13 19:44

2008-06-13 19:33 . 2008-06-13 19:33 717,296 --a------ C:\Windows\System32\drivers\sptd.sys

2008-06-13 19:32 . 2008-06-13 19:32

2008-06-12 21:59 . 2008-06-12 21:59

2008-06-12 21:58 . 2008-06-12 22:52

2008-06-11 21:55 . 2008-06-11 21:55

2008-06-11 14:17 . 2008-04-25 04:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb

2008-06-11 14:17 . 2008-04-26 10:08 1,314,816 --a------ C:\Windows\System32\quartz.dll

2008-06-11 14:17 . 2008-04-25 06:35 826,880 --a------ C:\Windows\System32\wininet.dll

2008-06-11 14:17 . 2008-05-10 03:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys

2008-06-10 14:54 . 2008-06-18 15:04

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-09 05:08 --------- d—a-w C:\ProgramData\TEMP

2008-07-08 20:24 --------- d-----w C:\Users\Agnieszka\AppData\Roaming\uTorrent

2008-07-08 19:59 --------- d-----w C:\Program Files\MarBit

2008-07-05 19:46 --------- d-----w C:\Users\Agnieszka\AppData\Roaming\Thinstall

2008-06-20 20:49 --------- d-----w C:\Users\Administrator\AppData\Roaming\Any Video Converter

2008-06-18 13:16 --------- d-----w C:\Program Files\DivX

2008-06-17 13:00 --------- d-----w C:\Program Files\Ashampoo

2008-06-12 18:39 --------- d-----w C:\Users\Administrator\AppData\Roaming\dvdcss

2008-06-12 01:08 --------- d-----w C:\Program Files\Windows Mail

2008-06-11 15:26 --------- d-----w C:\Program Files\NAPI-PROJEKT

2008-06-10 15:24 --------- d-----w C:\Users\Agnieszka\AppData\Roaming\DivX

2008-06-03 06:05 --------- d-----w C:\Program Files\Spyware Doctor

2008-06-01 21:26 --------- d-----w C:\Program Files\Any Video Converter

2008-05-28 06:08 --------- d-----w C:\Program Files\PC Tools Firewall Plus

2008-05-26 10:07 --------- d-----w C:\Program Files\Batch Watermark Creator

2008-05-26 10:01 --------- d-----w C:\Program Files\BT Engine

2008-05-22 22:19 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe

2008-05-21 16:37 --------- d-----w C:\Program Files\IEPro

2008-05-11 17:01 --------- d-----w C:\Users\Administrator\AppData\Roaming\Ashampoo

2008-05-11 16:58 --------- d-----w C:\Program Files\Xilisoft

2008-05-07 21:24 452,668 ----a-w C:\Windows\Snowflakes (plug-in) Uninstaller.exe

2008-05-07 21:22 456,244 ----a-w C:\Windows\Natura Sound Therapy Uninstaller.exe

2008-05-02 19:53 174 --sha-w C:\Program Files\desktop.ini

2008-04-22 22:47 295,936 ----a-w C:\Windows\System32\gdi32.dll

2008-04-22 22:44 2,032,128 ----a-w C:\Windows\System32\win32k.sys

2008-04-22 22:41 988,216 ----a-w C:\Windows\System32\winload.exe

2008-04-22 22:41 927,288 ----a-w C:\Windows\System32\winresume.exe

2008-04-22 22:41 615,992 ----a-w C:\Windows\System32\ci.dll

2008-04-22 22:41 6,656 ----a-w C:\Windows\System32\kbd106n.dll

2008-04-22 22:41 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll

2008-04-22 22:41 40,960 ----a-w C:\Windows\System32\srclient.dll

2008-04-22 22:41 378,368 ----a-w C:\Windows\System32\srcore.dll

2008-04-22 22:41 318,464 ----a-w C:\Windows\System32\rstrui.exe

2008-04-22 22:41 19,000 ----a-w C:\Windows\System32\kd1394.dll

2008-04-22 22:41 14,848 ----a-w C:\Windows\System32\srdelayed.exe

2008-04-22 21:55 101,888 ----a-w C:\Windows\System32\ifxcardm.dll

2008-04-22 21:54 82,432 ----a-w C:\Windows\System32\axaltocm.dll

2008-04-22 21:45 996,352 ----a-w C:\Windows\System32\WMNetMgr.dll

2008-04-22 21:44 99,840 ----a-w C:\Windows\System32\ulib.dll

2008-04-22 21:43 94,208 ----a-w C:\Windows\System32\diantz.exe

2008-04-22 21:42 98,304 ----a-w C:\Windows\System32\TapiMigPlugin.dll

2008-04-22 21:41 98,304 ----a-w C:\Windows\System32\makecab.exe

2008-04-22 21:40 95,744 ----a-w C:\Windows\System32\xwtpw32.dll

2008-04-22 21:39 97,280 ----a-w C:\Windows\System32\OptionalFeatures.exe

2008-04-22 21:38 98,816 ----a-w C:\Windows\System32\sdshext.dll

2008-04-22 21:36 22,632 ----a-w C:\Windows\System32\streamci.dll

2008-04-22 21:36 177,208 ----a-w C:\Windows\System32\halmacpi.dll

2008-04-22 21:36 15,872 ----a-w C:\Windows\System32\hcrstco.dll

2008-04-22 21:36 141,880 ----a-w C:\Windows\System32\halacpi.dll

2008-04-22 21:36 14,848 ----a-w C:\Windows\System32\iscsilog.dll

2008-04-22 21:16 44,032 ----a-w C:\Windows\System32\cbsra.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“UIWatcher”=“C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe” [2007-07-09 14:13 1741168]

“ALLPasswordManager”=“C:\Program Files\MarBit\ALLPassword Manager\ALLPasswordManager.exe” [2008-05-09 20:48 958464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ISUSScheduler”=“C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” [2004-04-13 06:07 69632]

“OODefragTray”=“C:\Windows\system32\oodtray.exe” [2007-05-11 02:08 2512392]

“ISTray”=“C:\Program Files\Spyware Doctor\pctsTray.exe” [2008-06-03 03:12 1107848]

“00PCTFW”=“C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe” [2008-03-28 14:37 2598808]

“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-01-11 22:16 39792]

“S3Trayp”=“S3trayp.exe” [2007-08-13 14:45 200704 C:\Windows\System32\s3trayp.exe]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\

Ashampoo AntiVirus Service.lnk - C:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe [2008-06-17 15:00:07 669008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

“EnableLUA”= 0 (0x0)

“EnableUIADesktopToggle”= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

“vidc.i420”= i263_32.drv

“VIDC.YV12”= yv12vfw.dll

[HKLM~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

“TCP Query User{9C63625E-E3D3-4D1B-8E2A-B87BD49698C8}C:\program files\wapster\aqq\aqq.exe”= UDP:C:\program files\wapster\aqq\aqq.exe:AQQ

“UDP Query User{78DE89C0-C815-45B5-9AEE-469488A4CF8E}C:\program files\wapster\aqq\aqq.exe”= TCP:C:\program files\wapster\aqq\aqq.exe:AQQ

“{2A4BCD4C-20C1-4746-BD86-B1C45DFE1883}”= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

“{4C23AC47-3D90-49CB-8168-90BBA863E5A5}”= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

“TCP Query User{DDC7BE39-03E5-4DDE-A0F2-C4B9AC61950D}C:\program files\gadu-gadu\gg.exe”= UDP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny

“UDP Query User{3FA83537-511E-49F3-A8C1-AC1FCC06E686}C:\program files\gadu-gadu\gg.exe”= TCP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny

“{4BCB8336-73AC-48FC-926F-D693D2CFC1A5}”= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

“{328F93B1-86FC-4AE3-8BD0-7A1EDF8537B7}”= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

“{F80995CF-A89A-4D17-B76F-5F84C338C998}”= C:\Program Files\Skype\Phone\Skype.exe:Skype

“{E38706FA-7EEE-4183-91DF-F3E6D55FB9BB}”= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail

“{2C17729C-5F53-40E2-A314-2AD6BFC387D6}”= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail

“{6CB4B2ED-9067-49DE-B819-7B36A2C312C3}”= Disabled:UDP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail

“{5E79A9F3-DBF8-4C0B-AD43-481AC4968DBE}”= Disabled:TCP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail

“{EE59440D-4A88-4E97-9FC9-2AA7B53858A1}”= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail

“{6F494C83-E7AD-44A5-B767-5248A7AF2B09}”= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail

“{5D250031-1E26-45A3-B782-A100C87784AF}”= Disabled:UDP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail

“{DF6CADBA-AB2A-49C6-872B-45B746E85D23}”= Disabled:TCP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail

“{E5EC2A2C-8EF5-463E-AAFE-C73FC35FFFD6}”= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail

“{E199E6F4-4865-44FB-95CA-4904B061D617}”= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail

[HKLM~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]

“C:\Program Files\IEPro\MiniDM.exe”= C:\Program Files\IEPro\MiniDM.exe:*:Enabled:MiniDM

“C:\Program Files\WapSter\AQQ\AQQ.exe”= C:\Program Files\WapSter\AQQ\AQQ.exe:*:Enabled:P2P AQQ

R0 pxark;pxark;C:\Windows\system32\drivers\pxark.sys [2008-07-08 23:04]

R0 ViBus;ViBus;C:\Windows\system32\DRIVERS\ViBus.sys [2007-10-19 19:02]

R0 ViPrt;VIA SATA IDE Device Driver;C:\Windows\system32\DRIVERS\ViPrt.sys [2007-10-19 19:03]

R1 pctfw2;pctfw2;C:\Windows\System32\drivers\pctfw2.sys [2008-03-12 09:30]

R1 pctmp;PC Tools Firewall Memory Protection Driver;C:\Windows\system32\drivers\pctmp.sys [2008-02-21 08:56]

R1 pctssipc;PC Tools Security Suite IPC Driver;C:\Windows\system32\drivers\pctssipc.sys [2008-02-21 08:56]

R2 avGuard;avGuard Service;C:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe [2008-02-07 10:36]

R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-07-08 23:03]

R3 AshAvScan;AshAvScan;C:\Windows\system32\DRIVERS\AshAvScan.sys [2007-04-16 16:25]

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\Windows\system32\DRIVERS\fetnd5bv.sys [2007-09-21 20:24]

R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;C:\Windows\system32\DRIVERS\netr73.sys [2006-09-28 22:41]

R3 S3GIGP;S3GIGP;C:\Windows\system32\DRIVERS\VTGKModeDX32.sys [2007-09-12 14:17]

S4 ErrDev;Błąd sprzętowy — sterownik urządzenia (Microsoft);C:\Windows\system32\drivers\errdev.sys [2008-04-22 23:36]

S4 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-04-22 23:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{3453a195-451b-11dd-a2cd-0040d0d30a0f}]

\shell\AutoRun\command - J:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{afb2f0de-451b-11dd-9b38-0040d0d30a0f}]

\shell\AutoRun\command - J:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{c1b75fcf-396f-11dd-9a88-0040d0d30a0f}]

\shell\AutoRun\command - G:\start.exe

*Newly Created Service* - CATCHME

.

        • ORPHANS REMOVED - - - -

HKLM-Run-RRT-Auto - C:\Users\Administrator\Desktop\roboczy\RRT.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-09 08:13:05

Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-07-09 8:17:20

ComboFix-quarantined-files.txt 2008-07-09 06:15:53

Pre-Run: 11,929,964,544 bajtów wolnych

Post-Run: 11,689,836,544 bajtów wolnych

238 — E O F — 2008-07-07 17:44:47

PS. Dalej nie rozumiem tego fragmentu: "fix w hijackthis

O4 - HKCU…\Run: [kxva] C:\Windows\system32\kxvo.exe" ? co to znaczy i co mam zrobic? A

#7

Usuń te wpisy w HJT

włącz HijackThis - Do a system scan only >> w oknie programu pokaże się log >> zaznacz kratki przy podanych wpisach >> klikasz Fix checked

Pobierz Combofix ale nie uruchamiaj wklej do notatnika:

Zapisz plik jako CFScript.txt najlepiej aby ikonka tego pliku znajdowała się obok ikonki ComboFix.exe

Przeciągnij i upuść plik CFScript.txt na ikonkę ComboFix.exe powinno rozpocząć się usuwanie po tym daj log na forum

Usuń ręcznie folder C: \Qoobox , usuń instalkę Combofix z dysku.

#8

ok, czyli ten fragment mam zaznaczyc i usunąc w HijJacks?

#9

W HijackThis robisz tak

włącz HijackThis - Do a system scan only - w oknie programu pokaże się log - zaznacz kratki przy podanych wpisach - klikasz Fix checked

Reszta jest do Combofix

#10

witam, podaje jeszcze raz scan z HijackT, ponieważ wydaje mi sie ze ten wpis >> O4 - HKCU…\Run: [kxva] C:\Windows\system32\kxvo.exe<< zniknął?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:44:16, on 2008-07-09

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\PrevxCSI\prevxcsi.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\s3trayp.exe

C:\Windows\System32\oodtray.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe

C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe

C:\Program Files\MarBit\ALLPassword Manager\ALLPasswordManager.exe

C:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: ALLPassword Manager - {4C7FFB7A-EEA6-43A5-8D02-6DBD648FFB05} - C:\PROGRA~1\MarBit\ALLPAS~1\ALLPAS~1.DLL

O4 - HKLM…\Run: [s3Trayp] S3trayp.exe -chkautorun

O4 - HKLM…\Run: [iSUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start

O4 - HKLM…\Run: [OODefragTray] C:\Windows\system32\oodtray.exe

O4 - HKLM…\Run: [iSTray] “C:\Program Files\Spyware Doctor\pctsTray.exe”

O4 - HKLM…\Run: [00PCTFW] “C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe” -s

O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”

O4 - HKCU…\Run: [uIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe

O4 - HKCU…\Run: [ALLPasswordManager] C:\Program Files\MarBit\ALLPassword Manager\ALLPasswordManager.exe

O4 - HKUS\S-1-5-19…\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-19…\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘USŁUGA SIECIOWA’)

O4 - Global Startup: Ashampoo AntiVirus Service.lnk = C:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe

O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra ‘Tools’ menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: avGuard Service (avGuard) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe

O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\Windows\system32\oodag.exe

O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

End of file - 4762 bytes

Czy to możliwe? :wink:

#11

Tak ponieważ wcześniej o to prosił Cię huber2t może już usunąłeś. W logu z Combofix widać że plik został usunięty teraz zauważyłem.

Wykonaj moją prośbę z Combofix i daj log z usuwania na forum.

#12

witam, przepraszam, ale pilnie musialam podjechac do pracy. Już jestem on line :slight_smile: Zaraz spróbuje to zrobic to z Combo, a czy loga po usuwaniu mam dac z Combo czy z Hijacka? Troche mi sie to wszystko myli , sory . Aga

#13

Daj loga z Combofix

#14

Jeszcze sie tylko upewnie że ten fragment poniżej zapisuje jako CFscript.txt a potem mam to przeciagnac na Combo?

File::

C:\Windows\system32\kxvo.exe

C:\3hmhv2k.com

D:\3hmhv2k.com

E:\3hmhv2k.com

C:\d8hii.cmd

D:\d8hii.cmd

E:\d8hii.cmd

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{3453a195-451b-11dd-a2cd-0040d0d30a0f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{afb2f0de-451b-11dd-9b38-0040d0d30a0f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{c1b75fcf-396f-11dd-9a88-0040d0d30a0f}]

#15

Tak zrób tak jak napisałaś

#16

wyskoczył komunikat, że System Windows nie może odnaleźć pliku 327882R2FWJFW\mircmd.com ???

#17

Usuń instalke Combofix z dysku. Usuń folder C: \Qoobox jeśli jest. Usuń folder C:\327882R2FWJFW

Pobierz jeszcze raz Combofix a potem przeciągnij ikonkę CFscript.txt na ikonkę Combofix

#18

poszło, a to jest log z Combofix

ComboFix 08-07-08.9 - Administrator 2008-07-09 17:55:10.1 - NTFSx86

Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1250.1.1045.18.985 [GMT 2:00]

Running from: C:\Users\Administrator\Desktop\ComboFix.exe

Command switches used :: C:\Users\Administrator\Desktop\CFScript.txt

* Created a new restore point

FILE ::

C:\3hmhv2k.com

C:\d8hii.cmd

C:\Windows\system32\kxvo.exe

D:\3hmhv2k.com

D:\d8hii.cmd

E:\3hmhv2k.com

E:\d8hii.cmd

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\3hmhv2k.com

C:\d8hii.cmd

D:\3hmhv2k.com

D:\d8hii.cmd

E:\3hmhv2k.com

E:\d8hii.cmd

.

((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))

.

2008-07-09 08:54 . 2008-04-26 10:25 3,600,952 --a------ C:\Windows\System32\ntkrnlpa.exe

2008-07-09 08:54 . 2008-04-26 10:25 3,549,240 --a------ C:\Windows\System32\ntoskrnl.exe

2008-07-09 08:54 . 2008-04-26 10:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.sys

2008-07-09 08:54 . 2008-04-12 05:32 784,896 --a------ C:\Windows\System32\rpcrt4.dll

2008-07-09 08:54 . 2008-05-10 05:35 564,736 --a------ C:\Windows\System32\emdmgmt.dll

2008-07-09 08:54 . 2008-04-05 03:21 72,192 --a------ C:\Windows\System32\drivers\pacer.sys

2008-07-09 08:54 . 2008-04-05 05:34 15,360 --a------ C:\Windows\System32\pacerprf.dll

2008-07-09 08:52 . 2008-05-08 23:59 430,080 --a------ C:\Windows\System32\vbscript.dll

2008-07-09 08:52 . 2008-05-08 23:59 180,224 --a------ C:\Windows\System32\scrobj.dll

2008-07-09 08:52 . 2008-05-08 23:59 172,032 --a------ C:\Windows\System32\scrrun.dll

2008-07-09 08:52 . 2008-05-08 23:59 155,648 --a------ C:\Windows\System32\wscript.exe

2008-07-09 08:52 . 2008-05-08 23:58 135,168 --a------ C:\Windows\System32\wshom.ocx

2008-07-09 08:52 . 2008-05-08 23:58 135,168 --a------ C:\Windows\System32\cscript.exe

2008-07-09 08:52 . 2008-05-08 23:59 90,112 --a------ C:\Windows\System32\wshext.dll

2008-07-09 00:33 . 2008-07-09 00:33

2008-07-09 00:06 . 2008-07-09 00:06

2008-07-08 23:04 . 2008-07-08 23:04 17,408 --a------ C:\Windows\System32\drivers\pxark.sys

2008-07-08 23:03 . 2008-07-09 14:44

2008-07-08 23:03 . 2008-07-09 14:44

2008-07-08 23:03 . 2008-07-08 23:03

2008-07-08 22:57 . 2008-07-08 22:57 16,244 --a------ C:\Windows\System32\rrt_is.wav

2008-07-08 22:57 . 2008-07-08 22:57 7,302 --a------ C:\Windows\System32\rrt_vf.wav

2008-07-08 22:57 . 2008-07-08 22:57 7,148 --a------ C:\Windows\System32\rrt_tv.wav

2008-07-08 22:57 . 2008-07-08 22:57 6,282 --a------ C:\Windows\System32\rrt_tn.wav

2008-07-08 21:27 . 2008-07-08 21:27 1,282 --a------ C:\Windows\System32\libFLAC.dll

2008-07-08 21:27 . 2008-07-08 21:27 1,281 --a------ C:\Windows\System32\madFlac.ax

2008-07-08 21:26 . 2008-07-08 21:26 1,283 --a------ C:\Windows\System32\DivXMedia.ax

2008-07-08 21:26 . 2008-07-08 21:26 1,281 --a------ C:\Windows\System32\DivXsm.exe

2008-07-08 21:26 . 2008-07-08 21:26 1,281 --a------ C:\Windows\System32\divxdec.ax

2008-07-06 20:18 . 2008-07-06 20:34

2008-07-06 16:25 . 2008-07-08 16:30

2008-07-06 16:24 . 2008-07-08 18:12

2008-07-06 11:33 . 2008-07-06 11:33

2008-07-06 11:33 . 2008-07-06 11:33 56 --ah----- C:\Windows\System32\ezsidmv.dat

2008-07-06 11:32 . 2008-07-06 12:46

2008-07-06 11:28 . 2008-07-06 11:28

2008-07-06 11:28 . 2008-07-06 11:28

2008-07-06 11:28 . 2008-07-06 11:28

2008-07-06 11:28 . 2008-07-06 11:28

2008-07-05 20:33 . 2008-07-05 20:33

2008-07-05 20:31 . 2008-07-05 20:31

2008-07-05 20:27 . 2008-07-05 20:27

2008-06-30 19:55 . 2008-06-30 19:55

2008-06-30 19:54 . 1997-11-19 15:49 303,616 --a------ C:\Windows\IsUninst.exe

2008-06-28 16:12 . 2007-08-24 19:44 101,504 -ra------ C:\Windows\System32\drivers\ewusbmdm.sys

2008-06-28 16:12 . 2007-08-24 19:44 23,424 -ra------ C:\Windows\System32\drivers\ewdcsc.sys

2008-06-28 16:10 . 2008-06-28 16:13

2008-06-19 20:30 . 2008-06-19 20:31 38 --a------ C:\Windows\avisplitter.INI

2008-06-18 15:20 . 2008-06-18 15:20

2008-06-17 15:00 . 2007-04-16 16:25 7,168 --a------ C:\Windows\System32\drivers\AshAvScan.sys

2008-06-16 18:52 . 2008-07-08 21:26 1,284 --a------ C:\Windows\System32\FLVSplitter.ax

2008-06-16 18:52 . 2008-07-08 21:26 1,284 --a------ C:\Windows\System32\cpuinf32.dll

2008-06-16 18:52 . 2008-07-08 21:26 1,283 --a------ C:\Windows\System32\splitter.ax

2008-06-16 18:52 . 2008-07-08 21:26 1,283 --a------ C:\Windows\System32\i263_32.drv

2008-06-16 18:52 . 2008-07-08 21:26 1,283 --a------ C:\Windows\System32\DVDVideo.ax

2008-06-16 18:52 . 2008-07-08 21:26 1,282 --a------ C:\Windows\System32\mplvpx.dll

2008-06-16 18:52 . 2008-07-08 21:26 1,282 --a------ C:\Windows\System32\lmpgspl.ax

2008-06-16 18:52 . 2008-07-08 21:26 1,281 --a------ C:\Windows\System32\WMV9VCM.dll

2008-06-16 18:52 . 2008-07-08 21:26 1,281 --a------ C:\Windows\System32\lmpgvd.ax

2008-06-16 18:45 . 2008-07-08 21:26 1,283 --a------ C:\Windows\System32\mmfinfo.dll

2008-06-16 18:45 . 2008-07-08 21:26 1,279 --a------ C:\Windows\System32\ogm.dll

2008-06-16 18:45 . 2008-07-08 21:26 1,279 --a------ C:\Windows\System32\mp4.dll

2008-06-16 18:45 . 2008-07-08 21:26 1,279 --a------ C:\Windows\System32\mkx.dll

2008-06-16 18:45 . 2008-07-08 21:26 1,279 --a------ C:\Windows\System32\avi.dll

2008-06-16 18:44 . 2008-07-08 21:26 1,288 --a------ C:\Windows\System32\CoreAVCDecoder.ax

2008-06-16 18:44 . 2008-07-08 21:26 1,285 --a------ C:\Windows\System32\mkunicode.dll

2008-06-16 18:44 . 2008-07-08 21:26 1,282 --a------ C:\Windows\System32\mkzlib.dll

2008-06-16 18:44 . 2008-07-08 21:26 1,278 --a------ C:\Windows\System32\ts.dll

2008-06-15 17:00 . 2008-06-15 17:10

2008-06-14 19:58 . 2008-04-23 06:42 428,544 --a------ C:\Windows\System32\EncDec.dll

2008-06-14 19:58 . 2008-04-23 06:42 293,376 --a------ C:\Windows\System32\psisdecd.dll

2008-06-14 19:58 . 2008-04-23 06:41 218,624 --a------ C:\Windows\System32\psisrndr.ax

2008-06-14 19:58 . 2008-04-23 06:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax

2008-06-13 20:21 . 2008-06-13 20:34

2008-06-13 19:44 . 2008-06-13 19:44

2008-06-13 19:33 . 2008-06-13 19:33 717,296 --a------ C:\Windows\System32\drivers\sptd.sys

2008-06-13 19:32 . 2008-06-13 19:32

2008-06-12 21:59 . 2008-06-12 21:59

2008-06-12 21:58 . 2008-06-12 22:52

2008-06-11 21:55 . 2008-06-11 21:55

2008-06-11 14:17 . 2008-04-25 04:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb

2008-06-11 14:17 . 2008-04-26 10:08 1,314,816 --a------ C:\Windows\System32\quartz.dll

2008-06-11 14:17 . 2008-04-25 06:35 826,880 --a------ C:\Windows\System32\wininet.dll

2008-06-11 14:17 . 2008-05-10 03:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys

2008-06-10 14:54 . 2008-06-18 15:04

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-09 15:23 --------- d—a-w C:\ProgramData\TEMP

2008-07-08 20:24 --------- d-----w C:\Users\Agnieszka\AppData\Roaming\uTorrent

2008-07-08 19:59 --------- d-----w C:\Program Files\MarBit

2008-07-05 19:46 --------- d-----w C:\Users\Agnieszka\AppData\Roaming\Thinstall

2008-06-20 20:49 --------- d-----w C:\Users\Administrator\AppData\Roaming\Any Video Converter

2008-06-18 13:16 --------- d-----w C:\Program Files\DivX

2008-06-17 13:00 --------- d-----w C:\Program Files\Ashampoo

2008-06-12 18:39 --------- d-----w C:\Users\Administrator\AppData\Roaming\dvdcss

2008-06-12 01:08 --------- d-----w C:\Program Files\Windows Mail

2008-06-11 15:26 --------- d-----w C:\Program Files\NAPI-PROJEKT

2008-06-10 15:24 --------- d-----w C:\Users\Agnieszka\AppData\Roaming\DivX

2008-06-03 06:05 --------- d-----w C:\Program Files\Spyware Doctor

2008-06-01 21:26 --------- d-----w C:\Program Files\Any Video Converter

2008-05-28 06:08 --------- d-----w C:\Program Files\PC Tools Firewall Plus

2008-05-26 10:07 --------- d-----w C:\Program Files\Batch Watermark Creator

2008-05-26 10:01 --------- d-----w C:\Program Files\BT Engine

2008-05-22 22:19 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe

2008-05-21 16:37 --------- d-----w C:\Program Files\IEPro

2008-05-11 17:01 --------- d-----w C:\Users\Administrator\AppData\Roaming\Ashampoo

2008-05-11 16:58 --------- d-----w C:\Program Files\Xilisoft

2008-05-07 21:24 452,668 ----a-w C:\Windows\Snowflakes (plug-in) Uninstaller.exe

2008-05-07 21:22 456,244 ----a-w C:\Windows\Natura Sound Therapy Uninstaller.exe

2008-05-02 19:53 174 --sha-w C:\Program Files\desktop.ini

2008-04-22 22:47 295,936 ----a-w C:\Windows\System32\gdi32.dll

2008-04-22 22:44 2,032,128 ----a-w C:\Windows\System32\win32k.sys

2008-04-22 22:41 988,216 ----a-w C:\Windows\System32\winload.exe

2008-04-22 22:41 927,288 ----a-w C:\Windows\System32\winresume.exe

2008-04-22 22:41 615,992 ----a-w C:\Windows\System32\ci.dll

2008-04-22 22:41 6,656 ----a-w C:\Windows\System32\kbd106n.dll

2008-04-22 22:41 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll

2008-04-22 22:41 40,960 ----a-w C:\Windows\System32\srclient.dll

2008-04-22 22:41 378,368 ----a-w C:\Windows\System32\srcore.dll

2008-04-22 22:41 318,464 ----a-w C:\Windows\System32\rstrui.exe

2008-04-22 22:41 19,000 ----a-w C:\Windows\System32\kd1394.dll

2008-04-22 22:41 14,848 ----a-w C:\Windows\System32\srdelayed.exe

2008-04-22 21:55 101,888 ----a-w C:\Windows\System32\ifxcardm.dll

2008-04-22 21:54 82,432 ----a-w C:\Windows\System32\axaltocm.dll

2008-04-22 21:45 996,352 ----a-w C:\Windows\System32\WMNetMgr.dll

2008-04-22 21:44 99,840 ----a-w C:\Windows\System32\ulib.dll

2008-04-22 21:43 94,208 ----a-w C:\Windows\System32\diantz.exe

2008-04-22 21:42 98,304 ----a-w C:\Windows\System32\TapiMigPlugin.dll

2008-04-22 21:41 98,304 ----a-w C:\Windows\System32\makecab.exe

2008-04-22 21:40 95,744 ----a-w C:\Windows\System32\xwtpw32.dll

2008-04-22 21:39 97,280 ----a-w C:\Windows\System32\OptionalFeatures.exe

2008-04-22 21:38 98,816 ----a-w C:\Windows\System32\sdshext.dll

2008-04-22 21:36 22,632 ----a-w C:\Windows\System32\streamci.dll

2008-04-22 21:36 177,208 ----a-w C:\Windows\System32\halmacpi.dll

2008-04-22 21:36 15,872 ----a-w C:\Windows\System32\hcrstco.dll

2008-04-22 21:36 141,880 ----a-w C:\Windows\System32\halacpi.dll

2008-04-22 21:36 14,848 ----a-w C:\Windows\System32\iscsilog.dll

2008-04-22 21:16 44,032 ----a-w C:\Windows\System32\cbsra.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“UIWatcher”=“C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe” [2007-07-09 14:13 1741168]

“ALLPasswordManager”=“C:\Program Files\MarBit\ALLPassword Manager\ALLPasswordManager.exe” [2008-05-09 20:48 958464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ISUSScheduler”=“C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” [2004-04-13 06:07 69632]

“OODefragTray”=“C:\Windows\system32\oodtray.exe” [2007-05-11 02:08 2512392]

“ISTray”=“C:\Program Files\Spyware Doctor\pctsTray.exe” [2008-06-03 03:12 1107848]

“00PCTFW”=“C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe” [2008-03-28 14:37 2598808]

“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-01-11 22:16 39792]

“S3Trayp”=“S3trayp.exe” [2007-08-13 14:45 200704 C:\Windows\System32\s3trayp.exe]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\

Ashampoo AntiVirus Service.lnk - C:\Program Files\Ashampoo\Ashampoo AntiVirus\GuardGui.exe [2008-06-17 15:00:07 669008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

“EnableLUA”= 0 (0x0)

“EnableUIADesktopToggle”= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

“vidc.i420”= i263_32.drv

“VIDC.YV12”= yv12vfw.dll

[HKLM~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

“TCP Query User{9C63625E-E3D3-4D1B-8E2A-B87BD49698C8}C:\program files\wapster\aqq\aqq.exe”= UDP:C:\program files\wapster\aqq\aqq.exe:AQQ

“UDP Query User{78DE89C0-C815-45B5-9AEE-469488A4CF8E}C:\program files\wapster\aqq\aqq.exe”= TCP:C:\program files\wapster\aqq\aqq.exe:AQQ

“{2A4BCD4C-20C1-4746-BD86-B1C45DFE1883}”= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

“{4C23AC47-3D90-49CB-8168-90BBA863E5A5}”= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

“TCP Query User{DDC7BE39-03E5-4DDE-A0F2-C4B9AC61950D}C:\program files\gadu-gadu\gg.exe”= UDP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny

“UDP Query User{3FA83537-511E-49F3-A8C1-AC1FCC06E686}C:\program files\gadu-gadu\gg.exe”= TCP:C:\program files\gadu-gadu\gg.exe:Gadu-Gadu - program główny

“{4BCB8336-73AC-48FC-926F-D693D2CFC1A5}”= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

“{328F93B1-86FC-4AE3-8BD0-7A1EDF8537B7}”= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

“{F80995CF-A89A-4D17-B76F-5F84C338C998}”= C:\Program Files\Skype\Phone\Skype.exe:Skype

“{E38706FA-7EEE-4183-91DF-F3E6D55FB9BB}”= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail

“{2C17729C-5F53-40E2-A314-2AD6BFC387D6}”= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail

“{6CB4B2ED-9067-49DE-B819-7B36A2C312C3}”= Disabled:UDP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail

“{5E79A9F3-DBF8-4C0B-AD43-481AC4968DBE}”= Disabled:TCP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail

“{EE59440D-4A88-4E97-9FC9-2AA7B53858A1}”= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail

“{6F494C83-E7AD-44A5-B767-5248A7AF2B09}”= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail

“{5D250031-1E26-45A3-B782-A100C87784AF}”= Disabled:UDP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail

“{DF6CADBA-AB2A-49C6-872B-45B746E85D23}”= Disabled:TCP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail

“{E5EC2A2C-8EF5-463E-AAFE-C73FC35FFFD6}”= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail

“{E199E6F4-4865-44FB-95CA-4904B061D617}”= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail

[HKLM~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]

“C:\Program Files\IEPro\MiniDM.exe”= C:\Program Files\IEPro\MiniDM.exe:*:Enabled:MiniDM

“C:\Program Files\WapSter\AQQ\AQQ.exe”= C:\Program Files\WapSter\AQQ\AQQ.exe:*:Enabled:P2P AQQ

R0 pxark;pxark;C:\Windows\system32\drivers\pxark.sys [2008-07-08 23:04]

R0 ViBus;ViBus;C:\Windows\system32\DRIVERS\ViBus.sys [2007-10-19 19:02]

R0 ViPrt;VIA SATA IDE Device Driver;C:\Windows\system32\DRIVERS\ViPrt.sys [2007-10-19 19:03]

R1 pctfw2;pctfw2;C:\Windows\System32\drivers\pctfw2.sys [2008-03-12 09:30]

R1 pctmp;PC Tools Firewall Memory Protection Driver;C:\Windows\system32\drivers\pctmp.sys [2008-02-21 08:56]

R1 pctssipc;PC Tools Security Suite IPC Driver;C:\Windows\system32\drivers\pctssipc.sys [2008-02-21 08:56]

R2 avGuard;avGuard Service;C:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe [2008-02-07 10:36]

R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-07-08 23:03]

R3 AshAvScan;AshAvScan;C:\Windows\system32\DRIVERS\AshAvScan.sys [2007-04-16 16:25]

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\Windows\system32\DRIVERS\fetnd5bv.sys [2007-09-21 20:24]

R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;C:\Windows\system32\DRIVERS\netr73.sys [2006-09-28 22:41]

R3 S3GIGP;S3GIGP;C:\Windows\system32\DRIVERS\VTGKModeDX32.sys [2007-09-12 14:17]

S4 ErrDev;Błąd sprzętowy — sterownik urządzenia (Microsoft);C:\Windows\system32\drivers\errdev.sys [2008-04-22 23:36]

S4 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-04-22 23:38]

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-09 18:02:54

Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-07-09 18:05:32

ComboFix-quarantined-files.txt 2008-07-09 16:05:21

ComboFix2.txt 2008-07-09 06:17:22

Pre-Run: 9,925,349,376 bajtów wolnych

Post-Run: 9,789,194,240 bajtów wolnych

249 — E O F — 2008-07-09 07:04:00

I jaka diagnoza??

#19

Log wygląda na czysty

zrób optymalizacje uruchamiania

http://cybertrash.netarteria.pl/cyber/i … 378.0.html

usuń ręcznie folder C: \Qoobox usuń instalkę Combofix z dysku.

Wyłącz I włącz przywracanie systemu na wszystkich dyskach.http://support.microsoft.com/kb/310405/pl

przeskanuj obszar Mój komputer http://www.kaspersky.pl/virusscanner.html pokaż raport stronę uruchomić przez IE

:slight_smile:

#20

witam, to pierwsze polecenie nie do przejścia (za trudne) ;>

drugie: wywaliłam folder i Combo

trzecie: to jest opis XP a ja mam Vistę (czy to ma znaczenie?)

czwarte: przeskanuje kompa

Mam pytanie najważniejsze: jak czegoś takiego uniknąć w przyszłości??? Czego mam unikać, jakie programy zainstalowac żeby było jak najbezpieczniej?

Aga