W32/EmailWorm.VF

_LoToS · 27 Październik 2007 14:10

File: sysnces.exe

Status: 	

INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5: ab8c449f2c0e7958fe161aace7827a13

Packers detected: 	

PE_PATCH

Bit9 reports: File not found

Scanner results

Scan taken on 27 Oct 2007 14:05:03 (GMT)

A-Squared 	

Found nothing

AntiVir 	

Found nothing

ArcaVir 	

Found nothing

Avast 	

Found nothing

AVG Antivirus 	

Found nothing

BitDefender 	

Found nothing

ClamAV 	

Found nothing

CPsecure 	

Found nothing

Dr.Web 	

Found nothing

F-Prot Antivirus 	

Found nothing

F-Secure Anti-Virus 	

Found nothing

Fortinet 	

Found nothing

Kaspersky Anti-Virus 	

Found nothing

NOD32 	

Found nothing

Norman Virus Control 	

Found W32/EMailWorm.VF

Panda Antivirus 	

Found nothing

Rising Antivirus 	

Found nothing

Sophos Antivirus 	

Found nothing

VirusBuster 	

Found nothing

VBA32 	

Found nothing

HijackThis

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:06:23, on 2007-10-27 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\System32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe D:\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\system32\bgsvcgen.exe C:\Spyware Doctor\svcntaux.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-19…\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O16 - DPF: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper) - O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne … nicode.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: B’s Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Spyware Doctor\svcntaux.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Spyware Doctor\swdsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe – End of file - 4589 bytes

Combofix

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:06:23, on 2007-10-27 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\System32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe D:\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\system32\bgsvcgen.exe C:\Spyware Doctor\svcntaux.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-19…\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O16 - DPF: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper) - O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne … nicode.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: B’s Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Spyware Doctor\svcntaux.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Spyware Doctor\swdsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe – End of file - 4589 bytes

PS Porty pozamykane programem WWDC , na dodatek spybot tea timer co sekundę pokazuje że coś chce zmienić rejestr "2007-10-27 16:46:02 Odmówiono value “BootExecute” (new data: “”) usunięte in Session manager!

2007-10-27 16:46:02 Odmówiono value “ExcludeFromKnownDlls” (new data: “”) usunięte in Session manager!" Zaznaczyłem żeby to blokował.

jessica · 27 Październik 2007 14:51

Nie wiem, o co Ci chodzi:

dajesz wyniki skanu nieistniejącego pliku
piszesz: log z ComboFixa, a zamiast niego jest drugi log z Hijacka?

Log jest czysty.

jessi

_LoToS · 27 Październik 2007 15:01

Chodzi mi o to że dzisiaj przeglądałem sobie dysk C i znalazłem dziwny plik , przeskanowałem go na stronie virusscanjotti.org i antywirus NORMAN znalazł W32/Emailworm.VF

Combofix

ComboFix 07-08-09.3 - “Michaˆ” 2007-10-27 15:50:46.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.201 [GMT 2:00] ((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 ))))))))))))))))))))))))))))))) 2007-10-27 15:40 2007-10-27 15:40 2007-10-27 15:40 2007-10-22 09:23 67,123 --a------ C:\sysnces.exe 2007-10-01 07:02 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-10-27 15:47 --------- d-------- C:\DOCUME~1\MICHA~1\DANEAP~1\SiteAdvisor 2007-10-27 15:32 --------- d-------- C:\Program Files\SkanerOnline 2007-10-23 20:16 --------- d-------- C:\Program Files\SwiftSwitch 2007-09-28 18:44 --------- d-------- C:\Program Files\Gadu-Gadu 2007-09-23 13:58 206 --a------ C:\WINDOWS\system32\aefcb6_r.dll 2007-09-23 13:35 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat 2007-09-22 14:13 --------- d-------- C:\Program Files\eMule 2007-09-22 14:11 --------- d–h----- C:\Program Files\InstallShield Installation Information 2007-09-14 15:15 4212 —h----- C:\WINDOWS\system32\zllictbl.dat 2007-09-06 12:09 801144 --a------ C:\WINDOWS\system32\aswBoot.exe 2007-09-06 12:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2007-09-06 12:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2007-09-06 12:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2007-09-06 12:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2007-09-06 12:00 95608 --a------ C:\WINDOWS\system32\AvastSS.scr 2007-09-06 12:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2007-08-31 13:39 11409 --a------ C:\WINDOWS\mozver.dat 2007-08-16 12:47 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat 2007-08-14 10:48 164 --a------ C:\install.dat 2007-08-10 23:09 49712 --a------ C:\WINDOWS\system32\perfc015.dat 2007-08-10 23:09 355830 --a------ C:\WINDOWS\system32\perfh015.dat 2007-08-10 17:12 396288 --a------ C:\HijackThis.exe 2007-02-11 00:56 548 --a------ C:\Program Files\Total Commander.lnk ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-09-06 12:06] “ZoneAlarm Client”=“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [2007-03-09 01:02] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-01-30 16:58] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] “NoDevMgrPage”=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “LinkResolveIgnoreLinkInfo”=0 (0x0) “NoResolveSearch”=1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoRecentDocsMenu”=0 (0x0) “NoFavoritesMenu”=1 (0x1) “NoViewContextMenu”=0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programy^Autostart^Exif Launcher 2.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\Exif Launcher 2.lnk backup=C:\WINDOWS\pss\Exif Launcher 2.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programy^Autostart^Microsoft Office.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg!AVG Anti-Spyware] “D:\AVG Anti-Spyware 7.5\avgas.exe” /minimized [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti Trojan Elite] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CookiePatrol] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Elite Antikeylogger] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] %systemroot%\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Odkurzacz-MCD] D:\Odkurzacz\odk_mcd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrol Control Center] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPMemCheck] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray] C:\Spyware Doctor\SDTrayApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD] “D:\Spybot - Search & Destroy\SpybotSD.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] R0 hpt3xx;hpt3xx;C:\WINDOWS\System32\DRIVERS\hpt3xx.sys R1 IkSysFlt;System Filter Driver;C:\WINDOWS\System32\drivers\iksysflt.sys R1 IKSysSec;System Security Driver;C:\WINDOWS\System32\drivers\iksyssec.sys R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\System32\Drivers\sskbfd.sys S0 IKFileSec;File Security Driver;C:\WINDOWS\System32\drivers\ikfilesec.sys ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-10-27 15:53:20 Windows 5.1.2600 NTFS scanning hidden processes … scanning hidden registry entries … [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c] “Order”=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,… scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-10-27 15:55:10 — E O F —

dajesz wyniki skanu nieistniejącego pliku tzn.?

PS A oprócz tego co opisałem na górze TeaTimer cały czas sie pyta czy dopuścić do zmiany rejestru

jessica · 27 Październik 2007 15:07

No tak - teraz go widzę i uważam, że powinien zostać usunięty.

Jeśli masz czym usuwać, to go usuń.

Jeśli nie masz, to zrób to:

Wklej do Notatnika :

File::

C:\sysnces.exe

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

jessi

_LoToS · 27 Październik 2007 15:35

ComboFix 07-08-09.3 - “Michaˆ” 2007-10-27 17:14:26.7 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.45 [GMT 2:00] Command switches used :: C:\Documents and Settings\Michaˆ\Pulpit\Log’i\CFScript.txt FILE:: C:\sysnces.exe ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\sysnces.exe ((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 ))))))))))))))))))))))))))))))) 2007-10-27 15:40 2007-10-27 15:40 2007-10-27 15:40 2007-10-01 07:02 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-10-27 17:09 --------- d-------- C:\DOCUME~1\MICHA~1\DANEAP~1\SiteAdvisor 2007-10-27 15:32 --------- d-------- C:\Program Files\SkanerOnline 2007-10-23 20:16 --------- d-------- C:\Program Files\SwiftSwitch 2007-09-28 18:44 --------- d-------- C:\Program Files\Gadu-Gadu 2007-09-23 13:58 206 --a------ C:\WINDOWS\system32\aefcb6_r.dll 2007-09-23 13:35 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat 2007-09-22 14:13 --------- d-------- C:\Program Files\eMule 2007-09-22 14:11 --------- d–h----- C:\Program Files\InstallShield Installation Information 2007-09-14 15:15 4212 —h----- C:\WINDOWS\system32\zllictbl.dat 2007-09-06 12:09 801144 --a------ C:\WINDOWS\system32\aswBoot.exe 2007-09-06 12:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2007-09-06 12:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2007-09-06 12:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2007-09-06 12:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2007-09-06 12:00 95608 --a------ C:\WINDOWS\system32\AvastSS.scr 2007-09-06 12:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2007-08-31 13:39 11409 --a------ C:\WINDOWS\mozver.dat 2007-08-16 12:47 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat 2007-08-14 10:48 164 --a------ C:\install.dat 2007-08-10 23:09 49712 --a------ C:\WINDOWS\system32\perfc015.dat 2007-08-10 23:09 355830 --a------ C:\WINDOWS\system32\perfh015.dat 2007-08-10 17:12 396288 --a------ C:\HijackThis.exe 2007-02-11 00:56 548 --a------ C:\Program Files\Total Commander.lnk ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-09-06 12:06] “ZoneAlarm Client”=“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [2007-03-09 01:02] “MSConfig”=“C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe” [2001-10-26 19:29] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-01-30 16:58] “SpybotSD TeaTimer”=“D:\Spybot - Search & Destroy\TeaTimer.exe” [2005-05-31 01:04] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] “NoDevMgrPage”=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “LinkResolveIgnoreLinkInfo”=0 (0x0) “NoResolveSearch”=1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoRecentDocsMenu”=0 (0x0) “NoFavoritesMenu”=1 (0x1) “NoViewContextMenu”=0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programy^Autostart^Exif Launcher 2.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\Exif Launcher 2.lnk backup=C:\WINDOWS\pss\Exif Launcher 2.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programy^Autostart^Microsoft Office.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg!AVG Anti-Spyware] “D:\AVG Anti-Spyware 7.5\avgas.exe” /minimized [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti Trojan Elite] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CookiePatrol] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Elite Antikeylogger] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] %systemroot%\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Odkurzacz-MCD] D:\Odkurzacz\odk_mcd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrol Control Center] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPMemCheck] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray] C:\Spyware Doctor\SDTrayApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD] “D:\Spybot - Search & Destroy\SpybotSD.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] R0 hpt3xx;hpt3xx;C:\WINDOWS\System32\DRIVERS\hpt3xx.sys R1 IkSysFlt;System Filter Driver;C:\WINDOWS\System32\drivers\iksysflt.sys R1 IKSysSec;System Security Driver;C:\WINDOWS\System32\drivers\iksyssec.sys R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\System32\Drivers\sskbfd.sys S0 IKFileSec;File Security Driver;C:\WINDOWS\System32\drivers\ikfilesec.sys ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-10-27 17:17:52 Windows 5.1.2600 NTFS scanning hidden processes … scanning hidden registry entries … [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c] “Order”=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,… scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-10-27 17:20:03 C:\ComboFix-quarantined-files.txt … 2007-10-27 17:19 C:\ComboFix2.txt … 2007-10-27 15:55 — E O F —

Jeszcze jedna rzecz , co to jest?

7-09-06 12:09 801144 --a------ C:\WINDOWS\system32\aswBoot.exe

jessica · 27 Październik 2007 18:42

Teraz jest czysto.

To od avasta.

jessi