marios24
(Marios24)
23 October 2007 12:20
#1
Hello.
Fresh after reinstalling Windows, I have my upload blocked right from the start. Strange things are also happening with the system itself: freezes and no response to the mouse. Please check the logs.
Thanks in advance.
Logfile of HijackThis v1.99.1
Scan saved at 14:10:48, on 2007-10-23
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllcache\ivchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\System32\algs.exe
C:\WINDOWS\System32\mmdmm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\nvsvc86.exe
F:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM…\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM…\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM…\Run: [skrót do strony właściwości High Definition Audio] HDAShCut.exe
O4 - HKLM…\Run: [sMSERIAL] sm56hlpr.exe
O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM…\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM…\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM…\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM…\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM…\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM…\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM…\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
O4 - HKLM…\Run: [mmsass] mmdmm.exe
O4 - HKLM…\Run: [Network Security XP] C:\WINDOWS\System32\nvsvc86.exe
O4 - HKLM…\RunServices: [mmsass] mmdmm.exe
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip…{636EF263-1D90-4AD3-BA1E-5DE6C5C413DE}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"HControl" = "C:\WINDOWS\ATK0100\HControl.exe" [empty string]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"Skrót do strony właściwości High Definition Audio" = "HDAShCut.exe" ["Windows ® Server 2003 DDK provider"]
"SMSERIAL" = "sm56hlpr.exe" ["Motorola Inc."]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"Wireless Console 2" = "C:\Program Files\Wireless Console 2\wcourier.exe" [null data]
"IntelZeroConfig" = ""C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"" ["Intel Corporation"]
"IntelWireless" = ""C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless" ["Intel Corporation"]
"EOUApp" = ""C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"" ["Intel Corporation"]
"Power_Gear" = "C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1" ["ASUSTeK Computer Inc."]
"Application Layer Gateway Service" = "C:\WINDOWS\System32\algs.exe" [null data]
"mmsass" = "mmdmm.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM…CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM…CLSID} = "HyperTerminal Icon Ext"
\InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM…CLSID} = "SimpleShlExt Class"
\InProcServer32(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Marios" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"ASUS ChkMail" -> shortcut to: "C:\Program Files\Asus\Asus ChkMail\ChkMail.exe" ["asus"]
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe" [empty string]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

<> The running services cannot be counted. Presence of a spyware service is suspected. The script has been forced to exit.

---------- (launch time: 2007-10-23 14:09:56)

<>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.

---------- (total run time: 42 seconds, including 2 seconds for message boxes)
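The helpers in this thread pick the malicious autostart entries out of the HijackThis log by eye: a service with "Unknown owner" running from the dllcache folder, a Run value that also sits in the Win9x-era RunServices key, bare filenames and value names that imitate Windows components. The following Python script is an added example, not part of the thread or of HijackThis; it applies those same triage rules, as a simple score per executable, to O4/O23 lines. The sample lines are copied from the two HijackThis logs posted in this thread (one entry per line, the way HijackThis itself prints them); the rule weights and the list of "lookalike" words are my own assumptions, and a score of 1 is deliberately left below the reporting threshold because legitimate OEM entries (a bare `sm56hlpr.exe`, `ctfmon.exe` in System32) trip single rules too.

```python
"""Score autostart entries from a HijackThis log (O4 Run keys and O23 services)."""
import re
from collections import defaultdict

# Constructed sample: O4/O23 lines taken from the first HijackThis log in this
# thread, one entry per line as HijackThis itself prints them.
SAMPLE_LOG_1 = r"""
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
O4 - HKLM\..\Run: [mmsass] mmdmm.exe
O4 - HKLM\..\Run: [Network Security XP] C:\WINDOWS\System32\nvsvc86.exe
O4 - HKLM\..\RunServices: [mmsass] mmdmm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe
"""

# Constructed sample: entries from the second HijackThis log in this thread.
SAMPLE_LOG_2 = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Windows Service Agccnt] jobxpoz.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Services Agant] regs32.exe
O4 - HKLM\..\RunServices: [Windows Service Agccnt] jobxpoz.exe
O4 - HKLM\..\RunServices: [Windows Services Agant] regs32.exe
O4 - HKCU\..\Run: [Windows Service Agccnt] jobxpoz.exe
O4 - HKCU\..\Run: [Windows Services Agant] regs32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# Assumed list: words malware likes to put in a Run value name to look like Windows.
LOOKALIKE_WORDS = ("windows", "microsoft", "security", "service", "gateway")


def executable(cmd):
    """Return the program path from a Run value or service command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Return {basename: (score, [reasons])} for every entry that triggered a rule."""
    score, reasons, keys = defaultdict(int), defaultdict(list), defaultdict(set)

    def hit(exe, points, why):
        score[exe] += points
        reasons[exe].append(why)

    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            path = executable(m["cmd"])
            exe = path.rsplit("\\", 1)[-1].lower()
            if not exe:
                continue
            keys[exe].add(m["key"])
            if "runservices" in m["key"].lower():
                hit(exe, 2, "uses the Win9x-era RunServices key")
            if "\\" not in path:
                hit(exe, 1, "bare filename, located through the search path")
            if "\\system32\\" in path.lower():
                hit(exe, 1, "Run entry pointing into System32")
            if any(w in m["name"].lower() for w in LOOKALIKE_WORDS):
                hit(exe, 1, "value name '%s' reads like a Windows component" % m["name"])
            continue
        m = O23_RE.match(line.strip())
        if m:
            exe = executable(m["cmd"]).rsplit("\\", 1)[-1].lower()
            if m["owner"].strip().lower() == "unknown owner":
                hit(exe, 2, "service without vendor information")
            if "\\dllcache\\" in m["cmd"].lower():
                hit(exe, 3, "binary lives in the file-protection cache (dllcache)")
    # The same binary registered under several autostart keys is redundancy
    # that legitimate software rarely needs.
    for exe, locations in keys.items():
        if len(locations) > 1:
            hit(exe, 2, "registered in %d autostart locations" % len(locations))
    return {exe: (score[exe], reasons[exe]) for exe in score}


def flagged(log_text, threshold=2):
    """Basenames whose score reaches the threshold, sorted."""
    return sorted(exe for exe, (s, _) in triage(log_text).items() if s >= threshold)


if __name__ == "__main__":
    for label, log in (("first log", SAMPLE_LOG_1), ("second log", SAMPLE_LOG_2)):
        print(label)
        for exe, (s, why) in sorted(triage(log).items(), key=lambda kv: -kv[1][0]):
            print("  %-14s %d  %s" % (exe, s, "; ".join(why)))
```

On the first sample the script reports exactly the four files the helper later put into the ComboFix FILE:: list (algs.exe, ivchost.exe, mmdmm.exe, nvsvc86.exe); on the second it reports jobxpoz.exe and regs32.exe and leaves the NOD32 and Nero entries alone. Such a score is only a starting point for a manual look at each file, never a deletion list on its own.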
adam9870
(adam9870)
23 October 2007 13:43
#2
Use Windows Worms Doors Cleaner and switch the markers from Disable to Enable (all markers should be green; if one of them is yellow, leave it). A restart is required after using the tool.
Download ComboFix and save it directly to the desktop.
Open Notepad and paste this into it:
From Notepad's menu choose File >>> Save As >>> save the file under the name CFScript in the place where you saved ComboFix, i.e. directly on the Desktop.
Drag and drop the CFScript.txt file onto ComboFix.exe (that is, the CFScript.txt icon onto the ComboFix.exe icon), as shown in the picture below:
If, after dragging CFScript.txt onto the ComboFix icon, you see a message "1 or 2", answer it by pressing the 1 key.
After the restart delete the folder C:\Qoobox.
Remove the HJT entries shown above, if they are still present.
When done, paste the ComboFix log.
marios24
(Marios24)
23 October 2007 16:03
#3
ComboFix 07-10-23.2 - Marios 2007-10-23 17:51:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.692 [GMT 2:00]
Running from: C:\Documents and Settings\Marios\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marios\Pulpit\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\System32\algs.exe
C:\WINDOWS\system32\dllcache\ivchost.exe
C:\WINDOWS\System32\mmdmm.exe
C:\WINDOWS\System32\nvsvc86.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\bck7.dat
C:\WINDOWS\System32\algs.exe
C:\WINDOWS\system32\dllcache\ivchost.exe
C:\WINDOWS\System32\mmdmm.exe
C:\WINDOWS\System32\nvsvc86.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_ASC3550F
-------\LEGACY_MSHEXDEFX
-------\mshexdefx

((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
.

2007-10-23 17:50 51,200 --a------ C:\WINDOWS\NirCmd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 10:33 23 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2007-10-23 10:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 10:33 --------- d-----w C:\Program Files\SAGEM
2007-10-23 10:30 --------- d-----w C:\Program Files\Asus
2007-10-23 10:28 --------- d-----w C:\Documents and Settings\Marios\Dane aplikacji\Intel
2007-10-23 10:27 21,275 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-10-23 10:27 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Dane aplikacji\Intel
2007-10-23 10:26 --------- d-----w C:\Program Files\Intel
2007-10-23 10:23 --------- d-----w C:\Program Files\Wireless Console 2
2007-10-23 10:21 --------- d-----w C:\Program Files\Synaptics
2007-10-23 10:19 --------- d-----w C:\Program Files\Realtek
2007-10-23 10:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-23 10:17 --------- d-----w C:\Documents and Settings\Marios\Dane aplikacji\ATI
2007-10-23 10:14 --------- d-----w C:\Program Files\ATI Technologies
2007-10-23 10:06 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-23 10:02 --------- d-----w C:\Program Files\Usługi online

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2005-11-10 13:47]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"Skrót do strony właściwości High Definition Audio"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"SMSERIAL"="sm56hlpr.exe" [2005-05-27 01:12 C:\WINDOWS\sm56hlpr.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-06 14:39 C:\WINDOWS\RTHDCPL.EXE]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-21 08:26]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-12-28 12:00]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2005-10-05 17:50]
"Network Security XP"="C:\WINDOWS\System32\nvsvc86.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-20 18:05]
"Network Security XP"="C:\WINDOWS\System32\nvsvc86.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"mmsass"=mmdmm.exe

[HKEY_USERS.default\software\microsoft\windows\currentversion\run]
"Network Security XP"=C:\WINDOWS\System32\nvsvc86.exe

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 17:52:47
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-23 17:53:06 - machine was rebooted
.
--- E O F ---
One more question. In the future, to check which files are infected, can I save the whole log file (e.g. from HijackThis) and check it in ComboFix??
adam9870
(adam9870)
23 October 2007 16:06
#4
No malicious files are visible any more. All that is left for you is a small registry correction. So open Notepad and paste this into it:
File >>> Save As >>> change the extension from TXT to All Files >>> save under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.
When done, paste a new ComboFix log.
jessica
(jessica)
23 October 2007 16:33
#6
It's OK!
I don't understand your reasoning.
If you save all the files from HijackThis as Script.txt, ComboFix will delete all of them, regardless of whether they are good or bad.
jessi
marios24
(Marios24)
23 October 2007 18:17
#7
Indeed, a silly question... Apples and oranges??? Oh well, a newbie...
New infections have appeared. My ports are closed; something probably got in while I was installing programs. NOD detects some trojans but doesn't remove them.
Thanks in advance.
ComboFix 07-10-23.2 - Marios 2007-10-23 20:11:07.4 - NTFSx86
Running from: F:\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
.

2007-10-23 19:51
2007-10-23 19:48 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2007-10-23 19:48 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2007-10-23 19:48 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2007-10-23 19:48 89,184 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-10-23 19:48 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2007-10-23 19:47
2007-10-23 19:46
2007-10-23 19:43 3,176 --a------ C:\WINDOWS\mozver.dat
2007-10-23 19:41
2007-10-23 19:41
2007-10-23 19:41 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-10-23 19:41 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-10-23 19:41 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-10-23 19:41 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-10-23 19:41 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-10-23 19:41 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-10-23 19:23
2007-10-23 19:20
2007-10-23 19:19
2007-10-23 19:19
2007-10-23 19:19 41,068 --------- C:\WINDOWS\system32\ActPanel.dll
2007-10-23 19:06
2007-10-23 18:41 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-10-23 18:41 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-10-23 18:41 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-10-23 17:50 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 14:06 568,712 --a------ C:\WINDOWS\WMIDiag.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 17:20 23 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2007-10-23 17:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 17:17 --------- d-----w C:\Program Files\Asus
2007-10-23 10:28 --------- d-----w C:\Documents and Settings\Marios\Dane aplikacji\Intel
2007-10-23 10:27 21,275 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-10-23 10:27 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Dane aplikacji\Intel
2007-10-23 10:26 --------- d-----w C:\Program Files\Intel
2007-10-23 10:23 --------- d-----w C:\Program Files\Wireless Console 2
2007-10-23 10:21 --------- d-----w C:\Program Files\Synaptics
2007-10-23 10:19 --------- d-----w C:\Program Files\Realtek
2007-10-23 10:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-23 10:17 --------- d-----w C:\Documents and Settings\Marios\Dane aplikacji\ATI
2007-10-23 10:14 --------- d-----w C:\Program Files\ATI Technologies
2007-10-23 10:06 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-23 10:02 --------- d-----w C:\Program Files\Usługi online
2002-09-20 16:05:24 523,264 --sh--r C:\WINDOWS\system32\jobxpoz.exe
2002-09-20 16:05:24 516,608 --sh--r C:\WINDOWS\system32\regs32.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2005-11-10 13:47]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"Skrót do strony właściwości High Definition Audio"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"SMSERIAL"="sm56hlpr.exe" [2005-05-27 01:12 C:\WINDOWS\sm56hlpr.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-06 14:39 C:\WINDOWS\RTHDCPL.EXE]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-21 08:26]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-12-28 12:00]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2005-10-05 17:50]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-23 18:40]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2005-11-02 19:33]
"RegistryMechanic"="" []
"Windows Service Agccnt"="jobxpoz.exe" [2002-09-20 18:05 C:\WINDOWS\system32\jobxpoz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Windows Services Agant"="regs32.exe" [2002-09-20 18:05 C:\WINDOWS\system32\regs32.exe]
"WinampAgent"="C:\Programy\Winamp\winampa.exe" [2006-05-25 19:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Service Agccnt"="jobxpoz.exe" [2002-09-20 18:05 C:\WINDOWS\system32\jobxpoz.exe]
"AutoConnect"="C:\Programy\AutoConnect\AutoConnect.exe" [2004-08-28 20:27]
"Windows Services Agant"="regs32.exe" [2002-09-20 18:05 C:\WINDOWS\system32\regs32.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Windows Service Agccnt"=jobxpoz.exe
"Windows Services Agant"=regs32.exe

[HKEY_USERS.default\software\microsoft\windows\currentversion\run]
"Windows Service Agccnt"=jobxpoz.exe

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 20:11:47
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-23 20:12:04
.
--- E O F ---
Post merged: 23.10.2007 (Tue) 20:19
HijackThis.
Logfile of HijackThis v1.99.1
Scan saved at 20:17:40, on 2007-10-23
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\System32\jobxpoz.exe
C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programy\AutoConnect\AutoConnect.exe
C:\WINDOWS\System32\regs32.exe
C:\Programy\Winamp\winampa.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
F:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM…\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM…\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM…\Run: [skrót do strony właściwości High Definition Audio] HDAShCut.exe
O4 - HKLM…\Run: [sMSERIAL] sm56hlpr.exe
O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM…\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM…\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM…\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM…\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM…\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM…\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM…\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM…\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM…\Run: [Windows Service Agccnt] jobxpoz.exe
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [Windows Services Agant] regs32.exe
O4 - HKLM…\Run: [WinampAgent] C:\Programy\Winamp\winampa.exe
O4 - HKLM…\RunServices: [Windows Service Agccnt] jobxpoz.exe
O4 - HKLM…\RunServices: [Windows Services Agant] regs32.exe
O4 - HKCU…\Run: [Windows Service Agccnt] jobxpoz.exe
O4 - HKCU…\Run: [AutoConnect] C:\Programy\AutoConnect\AutoConnect.exe
O4 - HKCU…\Run: [Windows Services Agant] regs32.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O17 - HKLM\System\CCS\Services\Tcpip…{636EF263-1D90-4AD3-BA1E-5DE6C5C413DE}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
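The ComboFix log in the post above is where the two new files stand out: in the Find3M report they are the only entries carrying both the hidden and system attributes (`--sh--r`) inside the Windows directory, and both share one timestamp to the second. The Python script below is an added example, not part of the thread or of ComboFix; it parses ComboFix's file-listing lines (date, time with optional seconds, size or dashes for a directory, attribute letters, path with spaces) into records and returns the hidden+system regular files under the Windows directory. The sample lines are copied from the Find3M report above; the reading of the attribute letters as the usual DOS flags (d, h, s, a, r, w) is my assumption about ComboFix's format.

```python
"""Parse the file listings of a ComboFix log and pick out hidden+system files."""
import re
from datetime import datetime

# Constructed sample in the layout of the "Find3M Report" of the ComboFix log
# posted above (one entry per line, as ComboFix prints it).
SAMPLE_LISTING = r"""
2007-10-23 17:20 23 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2007-10-23 17:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 10:27 21,275 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-10-23 10:26 --------- d-----w C:\Program Files\Intel
2002-09-20 16:05:24 523,264 --sh--r C:\WINDOWS\system32\jobxpoz.exe
2002-09-20 16:05:24 516,608 --sh--r C:\WINDOWS\system32\regs32.exe
"""

# date, time (with or without seconds), size or a run of dashes for a
# directory, attribute letters, then the path (which may contain spaces).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}(?::\d{2})?) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>[-a-z]+) (?P<path>.+)$"
)


def parse_listing(text):
    """Turn ComboFix listing lines into dicts; lines that do not fit are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp = m["date"] + " " + m["time"]
        fmt = "%Y-%m-%d %H:%M:%S" if stamp.count(":") == 2 else "%Y-%m-%d %H:%M"
        size = None if m["size"].startswith("-") else int(m["size"].replace(",", ""))
        # Assumption: the attribute letters carry the usual DOS meaning
        # (d=directory, h=hidden, s=system, a=archive, r=read-only, w=writable).
        attrs = set(m["attrs"].replace("-", ""))
        entries.append({"when": datetime.strptime(stamp, fmt), "size": size,
                        "attrs": attrs, "path": m["path"], "is_dir": "d" in attrs})
    return entries


def hidden_system_files(entries):
    """Paths of regular files under the Windows directory carrying both h and s."""
    out = []
    for e in entries:
        if e["is_dir"] or not {"h", "s"} <= e["attrs"]:
            continue
        if "\\windows\\" in e["path"].lower():
            out.append(e["path"])
    return out


def shared_timestamps(entries):
    """Timestamps (with seconds) that two or more regular files share, as ISO strings;
    several files stamped to the same second are worth a second look together."""
    by_stamp = {}
    for e in entries:
        if not e["is_dir"]:
            by_stamp.setdefault(e["when"].isoformat(), []).append(e["path"])
    return {stamp: paths for stamp, paths in by_stamp.items()
            if len(paths) > 1 and stamp.count(":") == 2}


if __name__ == "__main__":
    records = parse_listing(SAMPLE_LISTING)
    print("%d entries parsed" % len(records))
    for path in hidden_system_files(records):
        print("hidden+system:", path)
    for stamp, paths in shared_timestamps(records).items():
        print("same second %s: %s" % (stamp, ", ".join(paths)))
```

Directories with the hidden bit (like the InstallShield folder in the sample) are skipped on purpose; they are common and carry no system bit. ComboFix prints seconds only for some entries, so the shared-timestamp check is restricted to lines that have them.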
Gutek
(Gutek)
23 October 2007 22:14
#8
Use Pocket Killbox. Tick the option Delete on Reboot and in the field Full Path of File to Delete paste the path
C:\WINDOWS\system32\jobxpoz.exe
C:\WINDOWS\system32\regs32.exe
and press the red X. The program will ask to restart the computer... so restart.
Open Notepad and paste this into it:
File >>> Save As >>> change the extension from TXT to All Files >>> save under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.
marios24
(Marios24)
24 October 2007 11:25
#9
After doing that, I'm pasting the logs. What can cause the XP firewall to be impossible to enable?
jessica
(jessica)
25 October 2007 06:57
#12
SDFix removed one Trojan.
Nothing else suspicious is visible.
Have the symptoms gone away?
jessi
marios24
(Marios24)
25 October 2007 15:33
#13
I still can't enable the firewall. I scanned the whole system with NOD, tried the methods given here http://forum.dobreprogramy.pl/viewtopic.php?t=91047
Unfortunately they don't help. While cleaning the registry with JvPowerTools the program suddenly stops (always at the same spot) and hangs. I thought it was a problem with the application, but it's the same with other versions.
Maybe I still have some worm... I'm sending the logs. Thanks in advance.
ComboFix 07-10-23.2 - Marios 2007-10-25 12:07:00.6 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.594 [GMT 2:00] Running from: C:\Documents and Settings\Marios\Pulpit\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 ))))))))))))))))))))))))))))))) . 2007-10-25 00:26 23 --ahs---- C:\WINDOWS\system32\ecdcdde_r.dll 2007-10-25 00:13 2007-10-24 22:54 436,560 --a------ C:\WINDOWS\system32\prfh0415.dat 2007-10-24 22:54 67,496 --a------ C:\WINDOWS\system32\prfc0415.dat 2007-10-24 22:52 2007-10-24 22:50 2007-10-24 22:49 2007-10-24 22:49 2007-10-24 22:49 2007-10-24 22:49 2007-10-24 22:49 2007-10-24 22:49 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll 2007-10-24 21:48 2007-10-24 20:26 2007-10-24 20:26 332,288 -----c— C:\WINDOWS\system32\dllcache\netapi32.dll 2007-10-24 19:53 24,816 --a------ C:\WINDOWS\system32\mdimon.dll 2007-10-24 19:52 2007-10-24 19:52 2007-10-24 00:37 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll 2007-10-24 00:37 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll 2007-10-24 00:36 2007-10-24 00:34 2007-10-24 00:34 1,089,536 --a------ C:\WINDOWS\system32\ROBOEX32.DLL 2007-10-24 00:34 663,552 --a------ C:\WINDOWS\system32\mgxoschk.dll 2007-10-24 00:34 85,504 --a------ C:\WINDOWS\system32\HtmlWH.dll 2007-10-24 00:34 49,152 --a------ C:\WINDOWS\system32\INETWH32.dll 2007-10-23 23:29 2007-10-23 22:47 2007-10-23 22:45 2007-10-23 22:23 2007-10-23 22:06 221,184 --a------ C:\WINDOWS\system32\wmpns.dll 2007-10-23 22:03 516,096 --------- C:\WINDOWS\system32\ati2sgag.exe 2007-10-23 22:01 2007-10-23 22:00 451,072 --a------ C:\WINDOWS\Radeon Omega Drivers v3.8.360 Uninstall.exe 2007-10-23 21:59 2007-10-23 21:49 2007-10-23 21:42 5 --ahs---- C:\WINDOWS\system32\fcbab2_s.dll 2007-10-23 20:46 2007-10-23 20:46 2007-10-23 20:13 0 --a------ C:\WINDOWS\nsreg.dat 2007-10-23 19:51 2007-10-23 19:48 569,344 --a------ C:\WINDOWS\system32\imagr5.dll 2007-10-23 19:48 544,768 --a------ C:\WINDOWS\system32\imagx5.dll 
2007-10-23 19:48 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll 2007-10-23 19:48 89,184 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys 2007-10-23 19:48 38,912 --a------ C:\WINDOWS\system32\picn20.dll 2007-10-23 19:47 2007-10-23 19:46 2007-10-23 19:43 3,788 --a------ C:\WINDOWS\mozver.dat 2007-10-23 19:41 2007-10-23 19:41 2007-10-23 19:41 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll 2007-10-23 19:41 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll 2007-10-23 19:41 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll 2007-10-23 19:41 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll 2007-10-23 19:41 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe 2007-10-23 19:41 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll 2007-10-23 19:23 2007-10-23 19:20 2007-10-23 19:19 2007-10-23 19:19 2007-10-23 19:19 41,068 --------- C:\WINDOWS\system32\ActPanel.dll 2007-10-23 19:06 2007-10-23 18:41 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-10-23 18:41 298,104 --a------ C:\WINDOWS\system32\imon.dll 2007-10-23 18:41 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-10-23 17:50 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-10-23 14:06 568,712 --a------ C:\WINDOWS\WMIDiag.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2007-10-24 20:53 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-10-23 17:20 23 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg 2007-10-23 17:17 --------- d-----w C:\Program Files\Asus 2007-10-23 10:28 --------- d-----w C:\Documents and Settings\Marios\Dane aplikacji\Intel 2007-10-23 10:27 21,275 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys 2007-10-23 10:27 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Dane aplikacji\Intel 2007-10-23 10:26 --------- d-----w C:\Program Files\Intel 2007-10-23 10:23 --------- d-----w C:\Program Files\Wireless Console 2 2007-10-23 10:21 --------- d-----w C:\Program Files\Synaptics 2007-10-23 10:19 --------- d-----w C:\Program Files\Realtek 2007-10-23 10:19 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-10-23 10:17 --------- d-----w C:\Documents and Settings\Marios\Dane aplikacji\ATI 2007-10-23 10:14 --------- d-----w C:\Program Files\ATI Technologies 2007-10-23 10:06 --------- d-----w C:\Program Files\microsoft frontpage 2007-10-23 10:02 --------- d-----w C:\Program Files\Usługi online 2007-07-30 17:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll 2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll 2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe 2007-07-30 17:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll 2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll 2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll 2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll 2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-12-28 12:00]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2005-10-05 17:50]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-23 18:40]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2005-11-02 19:33]
"RegistryMechanic"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"WinampAgent"="C:\Programy\Winamp\winampa.exe" [2006-05-25 19:35]
"AtiPTA"="atiptaxx.exe" [2006-02-22 02:05 C:\WINDOWS\system32\atiptaxx.exe]
"TrayServer"="C:\Programy\TrayServer.exe" [2006-10-04 15:41]
"PCSuiteTrayApplication"="D:\Rozne\Nokia Pc Suite\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-28 14:12]
"SMSERIAL"="sm56hlpr.exe" [2005-05-27 01:12 C:\WINDOWS\sm56hlpr.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-06 14:39 C:\WINDOWS\RTHDCPL.EXE]
"RemoteControl"="C:\Programy\PDVDServ.exe" [2004-11-02 20:24]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2005-11-10 13:47]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Windows Service Agccnt"=jobxpoz.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=D:\Rozne\Nokia Pc Suite\Nokia PC Suite 6\PcSync2.exe /NoDialog
"Windows Service Agccnt"=jobxpoz.exe

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Common\Database\bin\fbserver.exe
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 12:08:06
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-25 12:08:27
.
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 12:06:05, on 2007-10-25
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Programy\Winamp\winampa.exe
D:\Rozne\Nokia Pc Suite\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programy\PDVDServ.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Programy\AutoConnect\AutoConnect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Marios\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programy\Winamp\winampa.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TrayServer] C:\Programy\TrayServer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Rozne\Nokia Pc Suite\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programy\PDVDServ.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\RunServices: [Windows Service Agccnt] jobxpoz.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programy\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{636EF263-1D90-4AD3-BA1E-5DE6C5C413DE}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Wireless Console 2" = "C:\Program Files\Wireless Console 2\wcourier.exe" [null data]
"IntelZeroConfig" = ""C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"" ["Intel Corporation"]
"IntelWireless" = ""C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless" ["Intel Corporation"]
"EOUApp" = ""C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"" ["Intel Corporation"]
"Power_Gear" = "C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1" ["ASUSTeK Computer Inc."]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"ASUS Live Update" = "C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [empty string]
"RegistryMechanic" = "(empty string)" [file not found]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"WinampAgent" = "C:\Programy\Winamp\winampa.exe" [null data]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"TrayServer" = "C:\Programy\TrayServer.exe" ["MAGIX AG"]
"PCSuiteTrayApplication" = "D:\Rozne\Nokia Pc Suite\Nokia PC Suite 6\LaunchApplication.exe -startup" ["Nokia"]
"SMSERIAL" = "sm56hlpr.exe" ["Motorola Inc."]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"RemoteControl" = "C:\Programy\PDVDServ.exe" ["Cyberlink Corp."]
"HControl" = "C:\WINDOWS\ATK0100\HControl.exe" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programy\rarext.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Programy\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"
  -> {HKLM...CLSID} = "Nokia Phone Browser"
     \InProcServer32\(Default) = "D:\Rozne\Nokia Pc Suite\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programy\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programy\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
FineReader8\(Default) = "{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}"
  -> {HKLM...CLSID} = "FineReader8ExplorerContextMenuHandler"
     \InProcServer32\(Default) = "C:\Programy\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programy\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Marios\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Marios" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"ASUS ChkMail" -> shortcut to: "C:\Program Files\Asus\Asus ChkMail\ChkMail.exe" ["asus"]
"Bluetooth Manager" -> shortcut to: "C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe" ["TOSHIBA CORPORATION."]
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 22 - 23


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Programy\MICROS~1\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Intel® PROSet/Wireless Event Log, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
Intel® PROSet/Wireless Registry Service, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Intel® PROSet/Wireless Service, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
ServiceLayer, ServiceLayer, ""C:\Program Files\PC Connectivity Solution\ServiceLayer.exe"" ["Nokia."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Toshiba Bluetooth Monitor\Driver = "tbtmon.dll" ["Toshiba America Business Solutions, Inc."]


---------- (launch time: 2007-10-25 12:06:11)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at
  the first message box and "Yes" at the second message box.
---------- (total run time: 28 seconds,
            including 6 seconds for message boxes)
jessica
(jessica)
26 October 2007 10:16
#14
Paste into Notepad:
File::
C:\WINDOWS\system32\jobxpoz.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Windows Service Agccnt"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Windows Service Agccnt"=-
>> File >> Save As... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto ComboFix.exe (that is, the CFScript.txt icon onto the ComboFix.exe icon)
- like in this picture ->
(If the question "1 or 2" appears, type 1 and press ENTER.) The removal should start (and a log will be produced).
After the restart, manually delete the folder C:\Qoobox.
Post that log.
I don't see anything else suspicious.
As for your firewall problem, have a look at this: http://www.searchengines.pl/index.php?s=a056b113c8db6ccfe8d6dd368da9faafshowtopic=79791 .
jessi
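Added example, not code from the posts, from ComboFix or from HijackThis: a small Python triage that reads the autostart entries from the ComboFix "Reg Loading Points" block above, scores each one on the signals a reviewer uses by eye (a Win9x-era RunServices key on an NT system, a bare file name with no directory, a value name imitating a Windows component, the same image registered under several keys), and then emits the CFScript that the reply above writes by hand. The heuristic weights and threshold are mine; the assumption that a bare file name resolves to C:\WINDOWS\system32 is mine too and matches the path the reply uses, since jobxpoz.exe never appears with a path in the posted logs. The sample input is a constructed subset of the posted log lines.

```python
"""Triage autostart entries from a ComboFix "Reg Loading Points" dump and build
the CFScript that removes the flagged ones.

Added example for this thread; not code from the posts, ComboFix or HijackThis.
The scoring heuristics and the System32 assumption are the example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the "Reg Loading Points" lines posted above.
SAMPLE_REG_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-23 18:40]
"AtiPTA"="atiptaxx.exe" [2006-02-22 02:05 C:\WINDOWS\system32\atiptaxx.exe]
"SMSERIAL"="sm56hlpr.exe" [2005-05-27 01:12 C:\WINDOWS\sm56hlpr.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Windows Service Agccnt"=jobxpoz.exe
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=D:\Rozne\Nokia Pc Suite\Nokia PC Suite 6\PcSync2.exe /NoDialog
"Windows Service Agccnt"=jobxpoz.exe
"""

# Assumption (matches the removal script in the thread): a bare file name in an
# autostart value is resolved against System32.
ASSUMED_DIR = r"C:\WINDOWS\system32"

# RunServices/RunServicesOnce were only processed by Windows 9x/Me. On XP no
# legitimate installer uses them, but droppers written for 9x compatibility
# still do, so an entry there on an NT-based system weighs heavily.
LEGACY_KEYS = {"runservices", "runservicesonce"}
LOOKALIKE_NAME = re.compile(r"\b(windows|microsoft|system)\b", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
# ComboFix appends "[date]" or "[date resolved-path]" to entries it could resolve.
COMBOFIX_ANNOTATION = re.compile(r"\s+\[\d{4}-\d{2}-\d{2} [^\]]*\]$")


@dataclass(frozen=True)
class AutostartEntry:
    key: str
    name: str
    command: str

    @property
    def image(self) -> str:
        """The executable: the quoted path if quoted, else the first token
        (unquoted paths with spaces get truncated, but keep their separator)."""
        cmd = self.command.strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return cmd[1:end] if end > 0 else cmd[1:]
        return cmd.split(" ", 1)[0]

    @property
    def is_bare_filename(self) -> bool:
        return "\\" not in self.image


def parse_reg_dump(text: str) -> list[AutostartEntry]:
    """Parse '[KEY]' headers followed by '"name"=value' lines."""
    entries: list[AutostartEntry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = VALUE_LINE.match(line)
        if key and match:
            value = COMBOFIX_ANNOTATION.sub("", match.group("value"))
            entries.append(AutostartEntry(key, match.group("name"), value))
    return entries


def score(entry: AutostartEntry, image_counts: Counter) -> tuple[int, list[str]]:
    """Additive heuristics; each reason explains one point source."""
    points, reasons = 0, []
    if entry.key.lower().rsplit("\\", 1)[-1] in LEGACY_KEYS:
        points += 2
        reasons.append("Win9x-era RunServices key on an NT-based system")
    if entry.is_bare_filename:
        points += 1
        reasons.append("bare file name without a directory")
    if LOOKALIKE_NAME.search(entry.name):
        points += 1
        reasons.append("value name imitates a Windows component")
    if image_counts[entry.image.lower()] > 1:
        points += 1
        reasons.append("same image registered under several autostart keys")
    return points, reasons


def triage(entries: list[AutostartEntry], threshold: int = 2):
    """Return (entry, points, reasons) for entries at or above threshold."""
    counts = Counter(e.image.lower() for e in entries)
    flagged = []
    for entry in entries:
        points, reasons = score(entry, counts)
        if points >= threshold:
            flagged.append((entry, points, reasons))
    return flagged


def resolve_path(entry: AutostartEntry) -> str:
    image = entry.image
    return image if "\\" in image else f"{ASSUMED_DIR}\\{image}"


def build_cfscript(flagged) -> str:
    """CFScript syntax: File:: lists files to delete; Registry:: is .reg
    syntax, where "name"=- deletes a value."""
    files: list[str] = []
    registry: list[str] = []
    for entry, _, _ in flagged:
        path = resolve_path(entry)
        if path not in files:
            files.append(path)
        registry.append(f"[{entry.key}]")
        registry.append(f'"{entry.name}"=-')
    return "\n".join(["File::", *files, "Registry::", *registry]) + "\n"


if __name__ == "__main__":
    found = triage(parse_reg_dump(SAMPLE_REG_DUMP))
    for entry, points, reasons in found:
        print(f"{points} [{entry.key}] {entry.name} -> {entry.command}: {'; '.join(reasons)}")
    print(build_cfscript(found))
```

A single signal is not enough on its own: AtiPTA, SMSERIAL and RTHDCPL in the same log are also bare file names and are legitimate, which is why the threshold sits at two points and why the legacy key counts double. The script only generates the CFScript text; verifying that the file is really the one ComboFix should delete (hash, signer, presence in the running-process list) is still the reviewer's job before dropping it onto ComboFix.exe.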