Wirus albo nie?

Alfonso · 30 Wrzesień 2007 13:07

Witam

Jak co dzień włączyłem komputer ale dziś podczas włączania avast wykrył mi wirusa “D:\WINDOWS\system32\update.exe”. Nazwa jego to Win32:Trojan-gen. {Other}. Plik dałem do kwarantanny jak jest zalecane przez program.

Ponad to przeskanowałem po tym system adware i powykrywał mi kilka złych wpisów w rejestrze lub wartości:

Nie wiem co o tym myśleć. Czy należy się tym przejmować? Zapewne jeśli usunę update.exe to system będzie krzyczał, że nie może go znaleźć i czy w tym przypadku wystarczy, że go zgram oryginalnego z cd?

Niżej daje logi:

HijackThis:

Logfile of HijackThis v1.99.1 Scan saved at 14:48:05, on 2007-09-30 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\System32\svchost.exe D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe D:\Program Files\Alwil Software\Avast4\ashServ.exe D:\WINDOWS\Explorer.EXE D:\WINDOWS\system32\RUNDLL32.EXE D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe D:\WINDOWS\SOUNDMAN.EXE C:\Program Files\DAEMON Tools\daemon.exe D:\WINDOWS\system32\ctfmon.exe D:\WINDOWS\system32\spoolsv.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\MD40323\ICON.EXE D:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe D:\WINDOWS\system32\svchost.exe D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe D:\Program Files\Alwil Software\Avast4\ashWebSv.exe D:\WINDOWS\System32\svchost.exe D:\Program Files\Mozilla Firefox\firefox.exe E:\PROGRAMY\Programy - logi systemu\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 O4 - HKCU…\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [startkey] D:\WINDOWS\system32\update.exe O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: 2Mega Camera Manager Monitor.lnk = ? O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Pobierz z BitSpirit - C:\Program Files\BitSpirit\bsurl.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

Silent Runner:

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “D:\WINDOWS\system32\ctfmon.exe” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] “startkey” = “D:\WINDOWS\system32\update.exe” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “NvCplDaemon” = “RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “NvMediaCenter” = “RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [MS] “avast!” = “D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [“ALWIL Software”] “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “DAEMON Tools” = ““C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033” [“DT Soft Ltd.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) - {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided) - {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” ["MEGAUPLOAD "] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” - {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” - {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “D:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” - {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “D:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” - {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “D:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” - {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “D:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” - {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “D:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” - {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “D:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” - {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “D:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “D:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “D:\WINDOWS\System32\logon.scr” [MS] Startup items in “Łukasz” “All Users” startup folders: -------------------------------------------------------- D:\Documents and Settings\Łukasz\Menu Start\Programy\Autostart “Adobe Gamma” - shortcut to: “D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”] D:\Documents and Settings\All Users\Menu Start\Programy\Autostart “2Mega Camera Manager Monitor” - shortcut to: “C:\Program Files\MD40323\ICON.EXE” [empty string] “Adobe Reader Speed Launch” - shortcut to: “C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] “Adobe Reader Synchronizer” - shortcut to: “C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe” [null data] “Microsoft Office” - shortcut to: “D:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” - {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” ["MEGAUPLOAD "] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” = (no title provided) - {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” ["MEGAUPLOAD "] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “D:\Program Files\Messenger\msmsgs.exe” [MS] Miscellaneous IE Hijack Points ------------------------------ HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ “Tabs” = “D:\Documents and Settings\Łukasz\Dane aplikacji\MegauploadToolbar\tabwelcome.html” [null data] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! Antivirus, avast! Antivirus, ““D:\Program Files\Alwil Software\Avast4\ashServ.exe”” [“ALWIL Software”] avast! iAVS4 Control Service, aswUpdSv, ““D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [“ALWIL Software”] avast! Mail Scanner, avast! Mail Scanner, ““D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““D:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] NVIDIA Display Driver Service, NVSvc, “D:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] StarWind AE Service, StarWindServiceAE, “C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe” [“Rocket Division Software”] ---------- : Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 43 seconds, including 10 seconds for message boxes)

ComboFix: “ťukasz” - 2007-09-30 14:49:47 Dodatek Service Pack 2 NTFS ComboFix 07-06-3B - Running from: “E:\PROGRAMY\Programy - logi systemu” ((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-30 ))))))))))))))))))))))))))))))) 2007-09-30 12:51 2007-09-30 01:16 2007-09-30 01:16 2007-09-29 22:00 536 --a------ D:\WINDOWS\eReg.dat 2007-09-29 13:13 2007-09-29 13:12 2007-09-29 00:50 2007-09-28 19:13 2007-09-28 19:13 2007-09-28 18:42 2007-09-28 16:22 2007-09-28 16:18 3,145,728 --a------ D:\DOCUME~1\UKASZ~1\ntuser.dat 2007-09-26 21:58 442,368 -ra------ D:\WINDOWS\system32\vp6vfw.dll 2007-09-25 22:29 9,600 --a------ D:\WINDOWS\system32\drivers\hidusb.sys 2007-09-20 13:34 344,064 --a------ D:\WINDOWS\system32\msvcr70.dll 2007-09-15 22:22 108,144 --a------ D:\WINDOWS\system32\CmdLineExt.dll 2007-09-13 18:38 68,888 --a------ D:\WINDOWS\system32\xinput1_3.dll 2007-09-13 18:38 62,744 --a------ D:\WINDOWS\system32\xinput1_2.dll 2007-09-13 18:38 3,426,072 --a------ D:\WINDOWS\system32\d3dx9_32.dll 2007-09-13 18:38 251,672 --a------ D:\WINDOWS\system32\xactengine2_5.dll 2007-09-13 18:38 237,848 --a------ D:\WINDOWS\system32\xactengine2_4.dll 2007-09-13 18:38 236,824 --a------ D:\WINDOWS\system32\xactengine2_3.dll 2007-09-13 18:38 2,414,360 --a------ D:\WINDOWS\system32\d3dx9_31.dll 2007-09-13 18:38 15,128 --a------ D:\WINDOWS\system32\x3daudio1_1.dll 2007-09-12 23:14 2007-09-11 15:05 2007-09-11 15:04 2007-09-11 15:00 2007-09-11 15:00 2007-09-11 14:59 14,048 --------- D:\WINDOWS\system32\spmsg2.dll 2007-09-09 20:48 25,544 --a------ D:\WINDOWS\system32\drivers\hamachi.sys 2007-09-09 20:48 2007-09-08 21:50 85,376 --a------ D:\WINDOWS\system32\drivers\NABTSFEC.sys 2007-09-08 21:50 54,784 --a------ D:\WINDOWS\system32\vfwwdm32.dll 2007-09-08 21:50 5,504 --a------ D:\WINDOWS\system32\drivers\MSTEE.sys 2007-09-08 21:50 47,616 --a------ D:\WINDOWS\system\IYUV_32.DLL 2007-09-08 21:50 19,328 --a------ D:\WINDOWS\system32\drivers\WSTCODEC.SYS 2007-09-08 21:50 17,024 --a------ D:\WINDOWS\system32\drivers\CCDECODE.sys 2007-09-08 21:50 15,360 --a------ D:\WINDOWS\system32\drivers\StreamIP.sys 2007-09-08 21:50 11,136 --a------ D:\WINDOWS\system32\drivers\SLIP.sys 2007-09-08 21:50 10,880 --a------ D:\WINDOWS\system32\drivers\NdisIP.sys 2007-09-08 21:49 73,216 --a------ D:\WINDOWS\system32\RGBQUANT.DLL 2007-09-08 21:49 69,632 --a------ D:\WINDOWS\system32\vfw504.dll 2007-09-08 21:49 53,248 --a------ D:\WINDOWS\system32\VideoThumb.dll 2007-09-08 21:49 516,635 --a------ D:\WINDOWS\system32\drivers\Ca100v.sys 2007-09-08 21:49 28,672 --a------ D:\WINDOWS\system32\VWJPG.dll 2007-09-08 21:49 28,672 --a------ D:\WINDOWS\system32\VWBMP.dll 2007-09-08 21:49 28,672 --a------ D:\WINDOWS\system32\VMIO.dll 2007-09-08 21:49 278,528 --a------ D:\WINDOWS\system32\USB_CAM.dll 2007-09-08 21:49 192,512 --a------ D:\WINDOWS\system32\IPSK.dll 2007-09-08 21:49 184,320 --a------ D:\WINDOWS\system32\jpg32.dll 2007-09-08 21:49 159,744 --a------ D:\WINDOWS\system32\aip504.dll 2007-09-08 21:49 131,072 --a------ D:\WINDOWS\system32\SP5X_32.DLL 2007-09-08 21:49 131,072 --a------ D:\WINDOWS\system\SP5X_32.DLL 2007-09-08 21:49 10,986 --a------ D:\WINDOWS\system32\drivers\Bulk100.sys 2007-09-08 21:49 1,706,800 --a------ D:\WINDOWS\system32\GdiPlus.dll 2007-09-08 21:49 2007-09-08 21:41 2007-09-08 21:39 31,616 --a------ D:\WINDOWS\system32\drivers\usbccgp.sys 2007-09-04 20:35 2,297,552 --a------ D:\WINDOWS\system32\d3dx9_26.dll 2007-08-14 16:24 2007-08-14 01:00 2007-08-11 21:44 1,165 --a------ D:\WINDOWS\mozver.dat 2007-08-11 19:40 2007-08-11 15:17 223,128 --a------ D:\WINDOWS\system32\drivers\dtscsi.sys 2007-08-11 15:14 685,816 --a------ D:\WINDOWS\system32\drivers\sptd.sys 2007-08-11 14:58 3,072 --a------ D:\WINDOWS\system32\drivers\audstub.sys 2007-08-11 14:57 77,312 --a------ D:\WINDOWS\system32\usbui.dll 2007-08-11 14:57 58,624 --a------ D:\WINDOWS\system32\drivers\redbook.sys 2007-08-11 14:57 44,672 --a------ D:\WINDOWS\system32\drivers\UAGP35.SYS 2007-08-11 14:57 27,165 --a------ D:\WINDOWS\system32\drivers\fetnd5.sys 2007-08-11 14:57 20,992 --a------ D:\WINDOWS\system32\drivers\RTL8139.sys 2007-08-11 14:56 9,936 --a------ D:\WINDOWS\system\LZEXPAND.DLL 2007-08-11 14:56 9,168 --a------ D:\WINDOWS\system\VER.DLL 2007-08-11 14:56 85,532 --a------ D:\WINDOWS\system32\dgsetup.dll 2007-08-11 14:56 83,456 --a------ D:\WINDOWS\system\OLECLI.DLL 2007-08-11 14:56 8,704 --a------ D:\WINDOWS\system32\batt.dll 2007-08-11 14:56 8,192 -ra------ D:\WINDOWS\system32\kbdhept.dll 2007-08-11 14:56 75,776 --a------ D:\WINDOWS\system32\storprop.dll 2007-08-11 14:56 70,144 --a------ D:\WINDOWS\NOTEPAD.EXE 2007-08-11 14:56 70,096 --a------ D:\WINDOWS\system\AVICAP.DLL 2007-08-11 14:56 7,168 --a------ D:\WINDOWS\system32\kbdcz.dll 2007-08-11 14:56 69,552 --a------ D:\WINDOWS\system\MMSYSTEM.DLL 2007-08-11 14:56 6,656 -ra------ D:\WINDOWS\system32\kbdhela3.dll 2007-08-11 14:56 6,656 --a------ D:\WINDOWS\system32\kbdycl.dll 2007-08-11 14:56 6,656 --a------ D:\WINDOWS\system32\kbdsl1.dll 2007-08-11 14:56 6,656 --a------ D:\WINDOWS\system32\kbdsl.dll 2007-08-11 14:56 6,656 --a------ D:\WINDOWS\system32\kbdhu.dll 2007-08-11 14:56 6,656 --a------ D:\WINDOWS\system32\kbdcz2.dll 2007-08-11 14:56 6,656 --a------ D:\WINDOWS\system32\kbdcz1.dll 2007-08-11 14:56 6,656 --a------ D:\WINDOWS\system32\kbdcr.dll 2007-08-11 14:56 6,656 --a------ D:\WINDOWS\system32\KBDAL.DLL 2007-08-11 14:56 6,144 -ra------ D:\WINDOWS\system32\kbdtuq.dll 2007-08-11 14:56 6,144 -ra------ D:\WINDOWS\system32\kbdtuf.dll 2007-08-11 14:56 6,144 -ra------ D:\WINDOWS\system32\kbdlv1.dll 2007-08-11 14:56 6,144 -ra------ D:\WINDOWS\system32\kbdlv.dll 2007-08-11 14:56 6,144 -ra------ D:\WINDOWS\system32\kbdhela2.dll 2007-08-11 14:56 6,144 -ra------ D:\WINDOWS\system32\kbdgkl.dll 2007-08-11 14:56 6,144 -ra------ D:\WINDOWS\system32\kbdest.dll 2007-08-11 14:56 5,632 -ra------ D:\WINDOWS\system32\kbdmon.dll (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-09-12 21:17:15 82,010 ----a-w D:\WINDOWS\system32\perfc015.dat 2007-09-12 21:17:15 484,634 ----a-w D:\WINDOWS\system32\perfh015.dat 2007-09-04 18:43:10 163,644 ----a-w D:\WINDOWS\system32\drivers\secdrv.sys 2007-08-11 11:04:04 -------- d-----w D:\Program Files\Usługi online 2007-07-30 17:19:20 92,504 ----a-w D:\WINDOWS\system32\cdm.dll 2007-07-30 17:19:12 43,352 ----a-w D:\WINDOWS\system32\wups2.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}=D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL [2007-07-31 18:25] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “nwiz”=“nwiz.exe” [2006-10-22 12:22 D:\WINDOWS\system32\nwiz.exe] “avast!”=“D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-09-06 12:06] “SoundMan”=“SOUNDMAN.EXE” [2006-03-01 10:22 D:\WINDOWS\soundman.exe] “DAEMON Tools”=“C:\Program Files\DAEMON Tools\daemon.exe” [2005-12-10 16:57] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“D:\WINDOWS\system32\ctfmon.exe” [2004-08-04 01:44] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-06-18 19:04] “startkey”=“D:\WINDOWS\system32\update.exe” [] HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs* ************************************************************************** catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-30 14:50:36 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-09-30 14:51:05 — E O F —

jessica · 30 Wrzesień 2007 14:11

Z logu Sillent Runnera wynika, że to jest już bezplikowy wpis, więc wystarczy go sfiksować:

>>Hijack>>scan(Do a system scan only)>>zaznacz (V) >> Fix checked.

Tak, to na pewno był " Bifrose" i trzeba go było usunąć.

Plik “update.exe” w folderze “system32” nie jest plikiem Windowsa, tak więc spokojnie.

Nic więcej podejrzanego nie widzę.

jessi