The message mentioned in the subject appeared yesterday together with a red icon in the tray. After running SmitfraudFix (option 2) and SDFix in safe mode, the icon disappeared and the message stopped appearing. I suspect something may have been left behind, so please take a look at today's logs:
HJT
Logfile of HijackThis v1.99.1 Scan saved at 18:15:44, on 2007-12-27 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\spoolsv.exe c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe C:\Program Files\Internet Explorer\iexplore.exe D:\Użytki\HJT\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program 
Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O4 - HKLM…\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM…\Run: [LogitechCommunicationsManager] “C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe” O4 - HKLM…\Run: [LogitechQuickCamRibbon] “D:\Program Files\Logitech\QuickCam10.exe” /hide O4 - HKLM…\Run: [LVCOMSX] “C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe” O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Ściągnij przy pomocy FlashGet’a - D:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet’a - D:\Program Files\FlashGet\jc_all.htm O9 - Extra button: Kolekcja wycinków HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: Zaznaczanie HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe O15 - Trusted Zone: http://www.ise.edu.pl O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/Shar … vSniff.cab O16 - DPF: 
{644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/Shar … /cabsa.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
SR
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “AVG7_CC” = “C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP” [“GRISOFT, s.r.o.”] “LogitechCommunicationsManager” = ““C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe”” [“Logitech Inc.”] “LogitechQuickCamRibbon” = ““D:\Program Files\Logitech\QuickCam10.exe” /hide” [“Logitech Inc.”] “LVCOMSX” = ““C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe”” [“Logitech Inc.”] “HP Software Update” = “C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Co.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {0347C33E-8762-4905-BF09-768834316C61}(Default) = “HP Print Enhancer” -> {HKLM…CLSID} = “HP Print Enhancer” \InProcServer32(Default) = “C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll” [“Hewlett-Packard Co.”] {053F9267-DC04-4294-A72C-58F732D338C0}(Default) = (no title provided) -> {HKLM…CLSID} = “HP Print Clips” \InProcServer32(Default) = “C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll” [“Hewlett-Packard Co.”] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = “Skype add-on (mastermind)” -> {HKLM…CLSID} = “Skype add-on (mastermind)” \InProcServer32(Default) = “C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll” [“Skype Technologies S.A.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania 
wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “d:\Program Files\WinRAR\rarext.dll” [null data] “{950FF917-7A57-46BC-8017-59D9BF474000}” = “Shell Extension for CDRW” -> {HKLM…CLSID} = “Shell Extension for CDRW” \InProcServer32(Default) = “C:\Program Files\Ahead\InCD\incdshx.dll” [“Ahead Software AG”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{A5110426-177D-4e08-AB3F-785F10B4439C}” = “Sony Ericsson File Manager” -> {HKLM…CLSID} = “Sony Ericsson File Manager” \InProcServer32(Default) = “D:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll” [“Sony Ericsson Mobile Communications AB”] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” -> {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “d:\PROGRA~1\ALCOHO~1\ALCOHO~1\AxShlex.dll” [“Alcohol Soft Development Team”] “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” = “AVG7 Shell Extension” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG7\avgse.dll” [“GRISOFT, s.r.o.”] “{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}” = “AVG7 Find Extension” -> {HKLM…CLSID} = “AVG7 Find Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG7\avgse.dll” [“GRISOFT, s.r.o.”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ 
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ AVG7 Shell Extension(Default) = “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG7\avgse.dll” [“GRISOFT, s.r.o.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “d:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “d:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ AVG7 Shell Extension(Default) = “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG7\avgse.dll” [“GRISOFT, s.r.o.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “d:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “Admin” & “All Users” startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “HP Digital Imaging Monitor” -> shortcut to: “C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe” [“Hewlett-Packard Co.”] “Microsoft Office” -> shortcut to: “D:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS] Enabled Scheduled Tasks: ------------------------ “At10” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At11” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At12” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At13” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At14” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At15” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At16” -> launches: 
“C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At17” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At18” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At19” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At20” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At21” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At22” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At23” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At24” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At3” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At4” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At5” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At6” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At7” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At8” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] “At9” -> launches: “C:\WINDOWS\system32\mA8ouQ0a.exe” [file not found] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet 
Explorer\Extensions\ {58ECB495-38F0-49CB-A538-10282ABF65E7}\ “ButtonText” = “Kolekcja wycinków HP” “CLSIDExtension” = “{E763472E-A716-4CD9-89BD-DBDA6122F741}” -> {HKLM…CLSID} = “ClipBookBtn Class” \InProcServer32(Default) = “C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll” [“Hewlett-Packard Co.”] {700259D7-1666-479A-93B1-3250410481E8}\ “ButtonText” = “Zaznaczanie HP Smart” “CLSIDExtension” = “{A93C41D8-01F8-4F8B-B14C-DE20B117E636}” -> {HKLM…CLSID} = “EnhSelectionBtn Class” \InProcServer32(Default) = “C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll” [“Hewlett-Packard Co.”] {77BF5300-1474-4EC7-9980-D32B190E9B07}\ “ButtonText” = “Skype” “CLSIDExtension” = “{77BF5300-1474-4EC7-9980-D32B190E9B07}” -> {HKLM…CLSID} = “Skype add-on (button)” \InProcServer32(Default) = “C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll” [“Skype Technologies S.A.”] {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ “ButtonText” = “FlashGet” “MenuText” = “&FlashGet” “Exec” = “D:\PROGRA~1\FlashGet\flashget.exe” [“Amaze Soft”] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVG E-mail Scanner, AVGEMS, “C:\PROGRA~1\Grisoft\AVG7\avgemc.exe” [“GRISOFT, s.r.o.”] AVG7 Alert Manager Server, Avg7Alrt, “C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe” [“GRISOFT, s.r.o.”] AVG7 Update Service, Avg7UpdSvc, “C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe” [“GRISOFT, s.r.o.”] hpqcxs08, hpqcxs08, “C:\WINDOWS\system32\svchost.exe -k hpdevmgmt” {“C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll” [“Hewlett-Packard Co.”]} HTTP SSL, HTTPFilter, “C:\WINDOWS\System32\svchost.exe -k HTTPFilter” {“C:\WINDOWS\System32\w3ssl.dll” [MS]} InCD Helper, InCDsrv, “C:\Program Files\Ahead\InCD\InCDsrv.exe” [“Ahead Software AG”] Logitech Process Monitor, LVPrcSrv, “c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe” [“Logitech Inc.”] StarWind iSCSI Service, StarWindService, “d:\Program Files\Alcohol Soft\Alcohol 
120\StarWind\StarWindService.exe” [“Rocket Division Software”] Usługa HP CUE DeviceDiscovery, hpqddsvc, “C:\WINDOWS\system32\svchost.exe -k hpdevmgmt” {“C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll” [“Hewlett-Packard Co.”]} Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Keyboard Driver Filters: ------------------------ HKLM\System\CurrentControlSet\Control\Class{4D36E96B-E325-11CE-BFC1-08002BE10318}\ “UpperFilters” = <> “klengine” [null data] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Canon BJ Language Monitor i250\Driver = “CNMLM50.DLL” [“CANON INC.”] LIDIL hpzll5ha\Driver = “hpzll5ha.dll” [“Hewlett-Packard Company”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 68 seconds, including 5 seconds for message boxes)
ComboFix
http://wklej.org/id/ed6f023588
Gutek
28 December 2007 19:03
#2
Start >>> All Programs >>> Accessories >>> System Tools >>> Scheduled Tasks
"At10" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At11" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At12" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At13" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At14" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At15" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At16" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At17" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At18" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At19" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At20" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At21" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At22" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At23" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At24" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At3" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At4" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At5" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At6" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At7" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At8" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
"At9" -> launches: "C:\WINDOWS\system32\mA8ouQ0a.exe" [file not found]
Delete all of the At tasks listed above.
Post a ComboFix log.
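The task lines Gutek quotes above come from the "Enabled Scheduled Tasks" section of a Silent Runners log. The following is an added example, not code from Silent Runners, ComboFix or anyone in this thread: it parses lines of that shape and groups them by launch target, so a family of At-jobs that all point at one missing binary stands out from an ordinary vendor task. The sample log lines are constructed after the ones quoted in the thread.

```python
"""Triage of the 'Enabled Scheduled Tasks' section of a Silent Runners log."""
import re
from collections import defaultdict

# One task line: quoted task name, the literal '-> launches:', a quoted
# target path, then an optional bracketed annotation, e.g. [file not found]
# or a bracketed company name for a signed, existing file.
TASK_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*->\s*launches:\s*"(?P<target>[^"]+)"\s*'
    r'(?:\[(?P<note>[^\]]*)\])?'
)

# Constructed sample: a burst of At-jobs aimed at a missing file in system32,
# plus one ordinary task whose target exists, as a control.
SAMPLE_LOG = '''
Enabled Scheduled Tasks:
------------------------
"At10" -> launches: "C:\\WINDOWS\\system32\\mA8ouQ0a.exe" [file not found]
"At11" -> launches: "C:\\WINDOWS\\system32\\mA8ouQ0a.exe" [file not found]
"At3" -> launches: "C:\\WINDOWS\\system32\\mA8ouQ0a.exe" [file not found]
"HP Update" -> launches: "C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe" ["Hewlett-Packard Co."]
'''


def parse_tasks(log_text):
    """Return (name, target, note) for every task line found in the log."""
    tasks = []
    for line in log_text.splitlines():
        m = TASK_RE.match(line.strip())
        if m:
            tasks.append((m.group("name"), m.group("target"), m.group("note") or ""))
    return tasks


def is_at_job(name):
    """Names of the form 'At<n>' are jobs created through the AT service.

    Such jobs are normal on an administrator-managed machine but unusual on a
    home PC, and a long run of them is worth a look on its own.
    """
    return re.fullmatch(r"At\d+", name) is not None


def triage(log_text):
    """Group tasks by target and report the suspicious families.

    A target is reported when Silent Runners marks its file as missing
    ('[file not found]': a task that fires but has nothing left to run is a
    leftover of an incomplete cleanup) or when two or more At-jobs share the
    same target, which is the pattern visible in the thread above.
    """
    by_target = defaultdict(list)
    for name, target, note in parse_tasks(log_text):
        by_target[target].append((name, note))

    findings = []
    for target, entries in by_target.items():
        names = [n for n, _ in entries]
        missing = any("file not found" in note for _, note in entries)
        at_jobs = sum(1 for n in names if is_at_job(n))
        reasons = []
        if missing:
            reasons.append("target file missing")
        if at_jobs >= 2:
            reasons.append(f"{at_jobs} At-jobs share one target")
        if reasons:
            findings.append({"target": target, "tasks": sorted(names), "reasons": reasons})
    return findings


def removal_plan(findings):
    """Flatten the findings into the list of task names to remove by hand
    (Start > All Programs > Accessories > System Tools > Scheduled Tasks)."""
    return [task for f in findings for task in f["tasks"]]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["target"], "->", ", ".join(f["reasons"]))
        print("  tasks:", ", ".join(f["tasks"]))
    print("remove:", removal_plan(triage(SAMPLE_LOG)))
```

The control line is not reported: its file exists and it is a single, non-At task, so only the mA8ouQ0a.exe family reaches the removal plan.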
Thanks, I thought the thread had already dropped too far down and nobody would reply. I deleted the At tasks and here is a new ComboFix log:
ComboFix 07-12-21.4 - Admin 2007-12-28 22:11:33.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.230 [GMT 1:00] Running from: D:\Użytki\HJT\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 ))))))))))))))))))))))))))))))) . 2007-12-28 21:55 . 2007-12-28 21:59 356 --a------ C:\drmHeader.bin 2007-12-26 22:33 . 2007-12-26 22:33 16 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe 2007-12-26 22:32 . 2007-12-27 17:15 36,169 --a------ C:\WINDOWS\system32\clean.config 2007-12-26 22:32 . 2007-12-26 22:32 16,896 --a–c— C:\Documents and Settings\Admin\nax.exe 2007-12-20 22:35 . 2007-12-20 22:35 2007-12-20 22:17 . 2007-12-20 22:17 2007-12-20 22:16 . 2007-12-20 22:16 2007-12-20 22:15 . 2007-12-20 22:15 2007-12-20 22:15 . 2007-12-20 22:15 2007-12-20 22:14 . 2007-12-20 22:14 2007-12-20 22:12 . 2007-12-20 22:16 2007-12-20 22:04 . 2007-12-20 22:04 2007-12-20 22:04 . 2007-03-30 16:11 267,864 -ra------ C:\WINDOWS\system32\hpzids01.dll 2007-12-20 22:04 . 2007-12-20 22:17 149,435 --a------ C:\WINDOWS\HPHins15.dat 2007-12-20 22:04 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll 2007-12-20 22:04 . 2007-06-07 09:56 2,828 --------- C:\WINDOWS\hphmdl15.dat 2007-12-16 14:23 . 2007-12-16 14:23 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2007-12-28 21:07 --------- d-----w C:\Documents and Settings\Admin\Dane aplikacji\uTorrent 2007-12-28 17:52 --------- d-----w C:\Documents and Settings\Admin\Dane aplikacji\Skype 2007-12-28 12:48 --------- d-----w C:\Documents and Settings\Admin\Dane aplikacji\AVG7 2007-12-26 23:14 1,327 -c–a-w C:\Documents and Settings\Admin\clean.reg 2007-11-07 09:24 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-11-02 18:30 --------- d-----w C:\Program Files\uTorrent 2006-08-11 12:11 19,584 -c–a-w C:\Documents and Settings\Admin\Dane aplikacji\GDIPFONTCACHEV1.DAT 2006-01-01 20:59 36 -c–a-w C:\Documents and Settings\Admin\klextlock.dat 2005-02-02 16:21 560 -c–a-w C:\Documents and Settings\Admin\Dane aplikacji\ViewerApp.dat 2004-03-11 11:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2006-09-29 15:28 56 --sh–r C:\WINDOWS\system32\97AB06C4F7.sys 2007-09-21 18:54 11,480 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE~\Browser Helper Objects{0347C33E-8762-4905-BF09-768834316C61}] 2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll [HKEY_LOCAL_MACHINE~\Browser Helper Objects{053F9267-DC04-4294-A72C-58F732D338C0}] 2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “AVG7_CC”=“C:\PROGRA~1\Grisoft\AVG7\avgcc.exe” [2007-12-21 12:24] “LogitechCommunicationsManager”=“C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe” [2006-06-26 08:46] “LogitechQuickCamRibbon”=“D:\Program Files\Logitech\QuickCam10.exe” [2006-06-26 09:34] “LVCOMSX”=“C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe” [2006-06-26 09:33] “HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2007-03-11 21:34] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2004-08-04 08:44] “AVG7_Run”=“C:\PROGRA~1\Grisoft\AVG7\avgw.exe” [2007-10-22 16:23] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24] Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Action Manager 32.lnk] backup=C:\WINDOWS\pss\Action Manager 32.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dgatjdg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD] 2004-09-07 14:25 1400944 --------- C:\Program Files\Ahead\InCD\InCD.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager] 2006-06-26 08:46 497200 --a------ C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX] 2006-06-26 09:33 243248 --a------ C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pkjbbc] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qdemikr] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite] D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\watch] R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys [2003-12-03 17:44] R1 KlEngine;KlEngine;C:\WINDOWS\system32\drivers\KlEngine.sys [2003-04-15 08:44] S2 BulkUsb;USB Scanner Driver;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 05:58] S2 clean4bee-2c5b;clean4bee-2c5b;C:\WINDOWS\system32\clean4bee-2c5b.sys [] S3 SER120;OTI Serial port driver;C:\WINDOWS\system32\DRIVERS\SER120.sys [2005-03-22 10:03] S3 sonypvs1;Sony Digital 
Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . ************************************************************************** catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-28 22:14:29 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-12-28 22:15:41
Gutek
28 December 2007 21:50
#4
Paste into Notepad:
File::
C:\WINDOWS\system32\dllgh8jkd1q8.exe
Driver::
clean4bee-2c5b
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dgatjdg]
>>File>>Save as… >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
as in this picture ->
(if the question " 1 or 2 " appears, type 1 and press ENTER). The removal should start (and a log will be produced).
After the restart, manually delete the folder C:\Qoobox.
Download the SDFix program.
Logs after following the instructions:
ComboFix
ComboFix 07-12-21.4 - Admin 2007-12-29 10:33:06.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.230 [GMT 1:00] Running from: D:\Użytki\HJT\ComboFix.exe Command switches used :: D:\Użytki\HJT\CFscript.txt * Created a new restore point FILE C:\WINDOWS\system32\dllgh8jkd1q8.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\dllgh8jkd1q8.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_CLEAN4BEE-2C5B -------\clean4bee-2c5b ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 ))))))))))))))))))))))))))))))) . 2007-12-28 21:55 . 2007-12-28 22:40 356 --a------ C:\drmHeader.bin 2007-12-26 22:32 . 2007-12-27 17:15 36,169 --a------ C:\WINDOWS\system32\clean.config 2007-12-26 22:32 . 2007-12-26 22:32 16,896 --a–c— C:\Documents and Settings\Admin\nax.exe 2007-12-20 22:35 . 2007-12-20 22:35 2007-12-20 22:17 . 2007-12-20 22:17 2007-12-20 22:16 . 2007-12-20 22:16 2007-12-20 22:15 . 2007-12-20 22:15 2007-12-20 22:15 . 2007-12-20 22:15 2007-12-20 22:14 . 2007-12-20 22:14 2007-12-20 22:12 . 2007-12-20 22:16 2007-12-20 22:04 . 2007-12-20 22:04 2007-12-20 22:04 . 2007-03-30 16:11 267,864 -ra------ C:\WINDOWS\system32\hpzids01.dll 2007-12-20 22:04 . 2007-12-20 22:17 149,435 --a------ C:\WINDOWS\HPHins15.dat 2007-12-20 22:04 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll 2007-12-20 22:04 . 2007-06-07 09:56 2,828 --------- C:\WINDOWS\hphmdl15.dat 2007-12-16 14:23 . 2007-12-16 14:23 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2007-12-29 09:19 --------- d-----w C:\Documents and Settings\Admin\Dane aplikacji\AVG7 2007-12-28 21:07 --------- d-----w C:\Documents and Settings\Admin\Dane aplikacji\uTorrent 2007-12-28 17:52 --------- d-----w C:\Documents and Settings\Admin\Dane aplikacji\Skype 2007-12-26 23:14 1,327 -c–a-w C:\Documents and Settings\Admin\clean.reg 2007-11-07 09:24 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-11-02 18:30 --------- d-----w C:\Program Files\uTorrent 2006-08-11 12:11 19,584 -c–a-w C:\Documents and Settings\Admin\Dane aplikacji\GDIPFONTCACHEV1.DAT 2006-01-01 20:59 36 -c–a-w C:\Documents and Settings\Admin\klextlock.dat 2005-02-02 16:21 560 -c–a-w C:\Documents and Settings\Admin\Dane aplikacji\ViewerApp.dat 2004-03-11 11:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2006-09-29 15:28 56 --sh–r C:\WINDOWS\system32\97AB06C4F7.sys 2007-09-21 18:54 11,480 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 12:24]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 08:46]
"LogitechQuickCamRibbon"="D:\Program Files\Logitech\QuickCam10.exe" [2006-06-26 09:34]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 09:33]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:44]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 16:23]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Action Manager 32.lnk]
backup=C:\WINDOWS\pss\Action Manager 32.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-09-07 14:25 1400944 --------- C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2006-06-26 08:46 497200 --a------ C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2006-06-26 09:33 243248 --a------ C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pkjbbc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qdemikr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\watch]

R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys [2003-12-03 17:44]
R1 KlEngine;KlEngine;C:\WINDOWS\system32\drivers\KlEngine.sys [2003-04-15 08:44]
S2 BulkUsb;USB Scanner Driver;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 05:58]
S3 SER120;OTI Serial port driver;C:\WINDOWS\system32\DRIVERS\SER120.sys [2005-03-22 10:03]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 10:39:16
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\DOCUME~1\Admin\USTAWI~1\Temp\ajexqfjx.dll
.
Completion time: 2007-12-29 10:41:36 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-28 22:15
SDFix
Gutek
(Gutek)
29 December 2007 15:51
#6
Paste into Notepad:
File::
C:\DOCUME~1\Admin\USTAWI~1\Temp\ajexqfjx.dll
>> File >> Save As... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
– just like in this picture –>
(if the question " 1 or 2 " appears, type 1 and press ENTER) The removal should start. (and a log will be produced)
After the restart, manually delete the folder C:\Qoobox.
After that, a new log from Combo.
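The check behind the File:: entry above, as an added example that is not Gutek's or ComboFix's own code: it parses a constructed excerpt in the shape of ComboFix's "DLLs Loaded Under Running Processes" section, flags any module a process has loaded from a Temp directory (the indicator acted on in this thread), and renders those paths as a CFScript File:: block. All paths in the sample are constructed except the one quoted from the log above.

```python
import re
from typing import List, Tuple

# Constructed excerpt shaped like the ComboFix section quoted above (not a real log)
SAMPLE_LOG = """\
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\\WINDOWS\\Explorer.EXE [6.00.2900.2180]
-> C:\\DOCUME~1\\Admin\\USTAWI~1\\Temp\\ajexqfjx.dll
-> C:\\WINDOWS\\system32\\shell32.dll

PROCESS: C:\\Program Files\\Internet Explorer\\iexplore.exe [6.00.2900.2180]
-> C:\\Program Files\\HP\\Smart Web Printing\\hpswp_framework.dll
.
Completion time: 2007-12-29 10:41:36 - machine was rebooted
"""

SECTION = "DLLs Loaded Under Running Processes"
# ComboFix prints 8.3 short names, so match the directory name case-insensitively
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


def loaded_dlls(log: str) -> List[Tuple[str, str]]:
    """Return (process, dll) pairs from the section; a lone '.' line ends it."""
    pairs: List[Tuple[str, str]] = []
    proc, inside = None, False
    for line in log.splitlines():
        if SECTION in line:
            inside = True
        elif not inside:
            continue
        elif line.strip() == ".":
            break
        elif line.startswith("PROCESS:"):
            # drop the trailing "[version]" that ComboFix appends to the image path
            proc = line[len("PROCESS:"):].split(" [")[0].strip()
        elif line.startswith("->") and proc:
            pairs.append((proc, line[2:].strip()))
    return pairs


def suspicious_dlls(log: str) -> List[str]:
    """Modules a process loaded from a Temp directory, where no legitimate DLL belongs."""
    return [dll for _, dll in loaded_dlls(log) if TEMP_DIR.search(dll)]


def cfscript(dlls: List[str]) -> str:
    """Render the File:: block in the form used in the post above."""
    return "File::\n" + "\n".join(dlls) + "\n"


if __name__ == "__main__":
    print(cfscript(suspicious_dlls(SAMPLE_LOG)), end="")
```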
Gutek
(Gutek)
29 December 2007 18:35
#8
I don't see anything more; I suggest - XP optimization: viewtopic.php?t=76580