Wolna praca komputera

Sokol121 · 24 Wrzesień 2007 19:18

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:16:56, on 2007-09-24 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\dllcache\qsch0st.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe C:\WINDOWS\System32\system32.com C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [ElbyCheckElbyCDFL] “C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe” /L ElbyCDFL O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe O4 - HKLM…\Run: [Associates System32] c:\windows\system32\reg32.exe O4 - HKLM…\Run: [rn4d] C:\WINDOWS\System32\kolder.exe C:\WINDOWS\System32\dirote.exe O4 - HKLM…\Run: [sub7] C:\WINDOWS\System32\Sub7.exe O4 - HKLM…\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM…\RunServices: [Associates System32] c:\windows\system32\reg32.exe O4 - HKLM…\RunServices: [Microsoft RN] system32.com O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Associates System32] c:\windows\system32\reg32.exe O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘?’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘?’) O4 - HKUS\S-1-5-21-299502267-839522115-842925246-1003…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User ‘?’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘?’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O20 - Winlogon Notify: bnreg - C:\Documents and Settings\All Users\Dokumenty\Settings\bn.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\qsch0st.exe – End of file - 3303 bytes

arekmalek · 24 Wrzesień 2007 19:34

wpisy zafixuj (hijack, do a system scan only, zaznaczasz, fix checked), a w trybie awaryjnym z wylaczonym przywracaniem systemu usuwasz pliki pogrubione. Daj log z Combofix, HijackThis (temat przyklejony)

Gutek · 24 Wrzesień 2007 20:30

daruj sobie :x

Daj log z ComboFix

Zastosuj się do tego Tematu i zmień tytuł tematu na konkretny inaczej KOSZ

Pozdrawiam Gutek2222

Sokol121 · 27 Wrzesień 2007 14:11

ComboFix 07-09-21.2 - “Admin” 2007-09-27 16:06:16.1 - FAT32x86 . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\system34.exe . ((((((((((((((((((((((((( Files Created from 2007-08-27 to 2007-09-27 ))))))))))))))))))))))))))))))) . 2007-09-27 16:03 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-25 20:53 2007-09-25 20:53 2007-09-24 21:16 2007-09-24 21:10 2007-09-19 21:04 204,288 --a------ C:\WINDOWS\system32\ingdp.exe 2007-09-18 21:31 924,454 --a------ C:\dkdoep.exe 2007-09-18 21:31 668,694 --a------ C:\Web.bat 2007-09-18 21:31 656,979 --a------ C:\tow.com 2007-09-18 21:31 496 --a------ C:\WINDOWS\system32\xtreg.reg 2007-09-18 21:31 115 --a------ C:\WINDOWS\system32\xt0.exe 2007-09-18 21:31 2007-09-18 21:31 2007-09-18 20:23 322 --a------ C:\WINDOWS\system32\dremnx.dll 2007-09-18 14:44 2007-09-17 20:39 174 --a------ C:\WINDOWS\system32\Sub7.dll 2007-09-17 20:34 1,064,101 --a------ C:\hunterwkfs.exe 2007-09-17 20:34 2007-09-17 20:34 2007-09-17 20:34 2007-09-17 20:34 2007-09-17 20:32 1,064,101 --a------ C:\WINDOWS\system32\hunterwkfs.exe 2007-09-13 20:26 224,256 --a------ C:\WINDOWS\system32\inscegdp.exe 2007-09-12 21:20 204,288 --a------ C:\WINDOWS\system32\insedp.exe 2007-08-30 14:19 254,570 --a------ C:\WINDOWS\system32\sxchst.exe 2007-08-30 13:39 175,722 --a------ C:\WINDOWS\system32\sxchost.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-08-12 12:17 --------- d-------- C:\Program Files\Kalendarz XP 2007-07-12 21:02 970653 --a------ C:\WINDOWS\fdf.exe 2007-07-09 09:42 8173 --a------ C:\WINDOWS\system32\ortecnx.dll 2007-07-09 09:38 24351 --a------ C:\WINDOWS\system32\brecnx.dll 2007-07-03 19:53 147456 -r-hs---- C:\WINDOWS\system32\dllcache\qsch0st.exe 2007-06-27 06:32 24494 --a------ C:\WINDOWS\system32\erecnx.dll 2007-04-11 13:41:08 184,320 --sh–r C:\WINDOWS\system32\lnternat.exe 2002-09-20 14:05:24 113,664 --sh–r C:\WINDOWS\system32\system32.com . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2005-02-22 21:05] “ElbyCheckElbyCDFL”=“C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe” [2001-12-06 13:09] “PrinTray”=“C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe” [2001-11-14 04:33] “Associates System32”=“c:\windows\system32\reg32.exe” [] “rn4d”=“C:\WINDOWS\System32\kolder.exe” [2003-08-08 10:56] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” [2002-09-20 16:05] “Associates System32”=“c:\windows\system32\reg32.exe” [] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices] “Associates System32”=c:\windows\system32\reg32.exe “Microsoft RN”=system32.com [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “Associates System32”=c:\windows\system32\reg32.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bnreg] C:\Documents and Settings\All Users\Dokumenty\Settings\bn.dll 2007-05-03 18:50 14048 C:\Documents and Settings\All Users\Dokumenty\Settings\bn.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] “DNSQueryTimeouts”= 1 2 2 4 8 0 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray] C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\meshal] C:\WINDOWS\System32\xcoSys.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft RN] system32.com [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msennger] C:\Program Files\cominc\cominc.com [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSmsg] down.com *Newly Created Service* - CATCHME . ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-27 16:07:44 Windows 5.1.2600 Dodatek Service Pack. 1 FAT NTAPI scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-27 16:08:36 C:\ComboFix-quarantined-files.txt … 2007-09-27 16:08 . — E O F —

jessica · 27 Wrzesień 2007 14:54

Wklej do Notatnika :

File::

C:\WINDOWS\system32\ingdp.exe 

C:\dkdoep.exe 

C:\Web.bat 

C:\tow.com 

C:\WINDOWS\system32\xtreg.reg 

C:\WINDOWS\system32\xt0.exe 

C:\WINDOWS\system32\dremnx.dll 

 C:\WINDOWS\system32\Sub7.dll 

C:\hunterwkfs.exe

C:\WINDOWS\system32\hunterwkfs.exe 

C:\WINDOWS\system32\inscegdp.exe 

C:\WINDOWS\system32\insedp.exe 

C:\WINDOWS\system32\sxchst.exe 

C:\WINDOWS\system32\sxchost.exe

C:\WINDOWS\fdf.exe 

C:\WINDOWS\system32\ortecnx.dll 

C:\WINDOWS\system32\brecnx.dll 

C:\WINDOWS\system32\dllcache\qsch0st.exe 

C:\WINDOWS\system32\erecnx.dll 

C:\WINDOWS\system32\lnternat.exe 

C:\WINDOWS\system32\system32.com

C:\Documents and Settings\All Users\Dokumenty\Settings\bn.dll


Folder::

C:\FOUND.010


Driver::

Microsoft Agent


Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Associates System32"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"rn4d"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Associates System32"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"Associates System32"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"Microsoft RN"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Associates System32"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bnreg]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\meshal]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft RN]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSmsg]

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe ) - podobnie jak na tym obrazku –> Klik

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Daj nowy log z ComboFixa.

Czy znasz te powyższe ?

jessi