Yaris2709
(Yaris2709)
15 April 2007 20:07
#1
I caught a nasty trojan, how do I remove it?
These are the logs from HijackThis. There is also an attempt to connect to some site, but NOD32 blocks it and drops the connection; it is Spy.VBStat.J.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:59:30, on 2007-04-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\usr\MYSQL\bin\mysqld.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
D:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Kalendarz XP\Kalendarz.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Download\HiJackThis_v2\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.piotrkow.net.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {287FF496-118D-4455-A33C-3E8C8BAF1477} - C:\WINDOWS\system32\rqronnk.dll
O2 - BHO: (no name) - {30814D14-F676-4AF3-8E1A-16444E710BB7} - C:\WINDOWS\system32\tkjbkgwp.dll
O2 - BHO: (no name) - {3B05702E-4DD8-4913-BB11-3C81C1D78A40} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: (no name) - {42E2538F-578B-45CA-ABD1-D08D1FDC9F7A} - C:\WINDOWS\system32\vturr.dll (file missing)
O2 - BHO: (no name) - {5848A170-DB4A-4D7D-AF6A-E755395CEA1B} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\ytusfpgb.dll (file missing)
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Pobierz przez Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Pobierz wszystko przez Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Program Files\Zend\ZendStudio-5.2.0\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Program Files\Zend\ZendStudio-5.2.0\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mks.com.pl
O16 - DPF: ING Bank Online - https://ssl.bsk.com.pl/bskonl/component/INGOnl.cab
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099666990515
O20 - Winlogon Notify: rqronnk - C:\WINDOWS\SYSTEM32\rqronnk.dll
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: MySql - Unknown owner - c:\usr/MYSQL/bin/mysqld.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 7595 bytes
Post merged: 15.04.2007 (Sun) 22:13
The server it is trying to connect to has the address http://82.98.235.61/ms_s_2.dll?uid=0B2341E6EB4F11DB9C62003048895BFC&guid=f4b5e4cf+A5A3A20360384759A1E7959D8C8C8FFD Win32/Spy.VBStat.J trojan Połączenie zostało przerwane (the last part means "the connection was terminated"); this is the entry from NOD32.
adam9870
(adam9870)
15 April 2007 20:32
#2
Download the KillBox program, tick Delete on reboot, and in the "full path of file" field paste these paths:
C:\WINDOWS\system32\rqronnk.dll
C:\WINDOWS\system32\tkjbkgwp.dll
After pasting each path separately, click the red X, but only agree to the restart after pasting the last one. If some error appears after pasting one of the paths, don't worry about it, just carry on with the remaining steps.
Remove the HJT entries.
Use VundoFix + FixVundo + VirtumundoBeGone. All tools must be run in Safe Mode.
When done, post a new HJT log, SilentRunners + log number 1 from L2Mfix.
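The triage adam9870 does by eye above (unnamed BHO DLLs dropped into system32, one of them also hooked in as a Winlogon Notify package, plus orphaned "(file missing)" CLSIDs) can be expressed as a small log parser. This is an added example written for this page, not part of HijackThis or any tool named in the thread; the `triage` helper and its output categories are my own naming, and the sample input is a handful of lines copied from the log posted above.

```python
import re

# Constructed sample: six lines copied from the HijackThis log posted in this
# thread. The helper itself is hypothetical and not part of HijackThis.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {287FF496-118D-4455-A33C-3E8C8BAF1477} - C:\WINDOWS\system32\rqronnk.dll
O2 - BHO: (no name) - {30814D14-F676-4AF3-8E1A-16444E710BB7} - C:\WINDOWS\system32\tkjbkgwp.dll
O2 - BHO: (no name) - {3B05702E-4DD8-4913-BB11-3C81C1D78A40} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O20 - Winlogon Notify: rqronnk - C:\WINDOWS\SYSTEM32\rqronnk.dll
"""

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
# A DLL dropped straight into system32 (lower-cased path) is where Vundo-style
# BHOs live; legitimate BHOs normally sit under their product's Program Files dir.
SYSTEM32_DLL = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$")


def parse_hjt(text):
    """Split a HijackThis log into its O2 (BHO) and O20 (Winlogon Notify) entries."""
    bhos, notifies = [], []
    for line in text.splitlines():
        m = BHO_RE.match(line)
        if m:
            bhos.append({"line": line, "name": m["name"], "clsid": m["clsid"].upper(),
                         "path": m["path"], "missing": m["missing"] is not None})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append({"line": line, "key": m["key"], "path": m["path"]})
    return bhos, notifies


def triage(text):
    """Sort entries the way the reply above does by eye.

    fix      - HJT lines to tick and 'Fix checked' (registry entries)
    delete   - DLL paths that also have to go from disk; they are loaded by
               explorer.exe/winlogon.exe, hence KillBox's 'Delete on reboot'
    winlogon - DLLs registered both as a BHO and as a Winlogon Notify package
    """
    bhos, notifies = parse_hjt(text)
    by_path = {n["path"].lower(): n for n in notifies}
    out = {"fix": [], "delete": [], "winlogon": []}
    for b in bhos:
        if b["missing"]:
            # Orphaned CLSID: the file is gone, only the registry key is left.
            out["fix"].append(b["line"])
            continue
        unnamed = b["name"].strip().lower() in ("(no name)", "nothing", "")
        if unnamed and SYSTEM32_DLL.match(b["path"].lower()):
            out["fix"].append(b["line"])
            out["delete"].append(b["path"])
            n = by_path.get(b["path"].lower())
            if n:  # same DLL hooked into winlogon: it reloads at every logon
                out["fix"].append(n["line"])
                out["winlogon"].append(b["path"])
    return out


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Run against the sample, `delete` comes out as exactly the two paths adam9870 sends to KillBox, and `winlogon` singles out rqronnk.dll as the one that cannot simply be deleted while Windows is running.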
Yaris2709
(Yaris2709)
15 April 2007 20:54
#3
Which ones are the HJT entries in my case?
Gutek
(Gutek)
15 April 2007 21:12
#4
Tick the indicated entries in HijackThis and click Fix checked. Then do what adam asked.
Yaris2709
(Yaris2709)
15 April 2007 21:30
#5
OK, yes, I did that too; VundoFix is running now.
Post merged: 16.04.2007 (Mon) 20:31
Could someone check the log now?
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20:28:45, on 2007-04-16
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\usr\MYSQL\bin\mysqld.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
D:\Program Files\QuickTime\qttask.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kalendarz XP\Kalendarz.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Download\HiJackThis_v2\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.piotrkow.net.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Pobierz przez Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Pobierz wszystko przez Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Program Files\Zend\ZendStudio-5.2.0\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Program Files\Zend\ZendStudio-5.2.0\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ING Bank Online - https://ssl.bsk.com.pl/bskonl/component/INGOnl.cab
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099666990515
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: MySql - Unknown owner - c:\usr/MYSQL/bin/mysqld.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
--
End of file - 6781 bytes
Yaris2709
(Yaris2709)
1 June 2007 17:20
#7
Here is the ComboFix log:
"AREK" - 2007-06-01 19:15:42 Dodatek Service Pack 2
ComboFix 07-05.27.BV - Running from: "D:\Download"
ADS removed - svchost.exe: deleted 0 bytes in 1 streams.
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
"C:\WINDOWS\system32\oledb32.dll"
"C:\WINDOWS\system32\taskmgr.com "
"C:\WINDOWS\regedit.com "
((((((((((((((((((((((((((((((( Files Created from 2007-05-01 to 2007-06-01 ))))))))))))))))))))))))))))))))))
2007-05-26 23:32
2007-05-26 23:28
2007-05-26 07:23 2,560 --a------ C:\WINDOWS_MSRSTRT.EXE
2007-05-24 19:06
2007-05-24 19:05
2007-05-22 21:36 1,048,576 --ah----- C:\DOCUME~1\Ania\NTUSER.DAT
2007-05-22 21:36
2007-05-22 21:36
2007-05-22 21:36
2007-05-22 21:36
2007-05-22 21:36
2007-05-22 21:36
2007-05-22 21:36
2007-05-17 21:46
2007-05-17 21:37
2007-05-17 21:28
2007-05-17 21:27
2007-05-17 21:17
2007-05-02 22:21
2007-05-02 22:15 36,624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-05-02 22:15 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-02 22:15 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-02 22:15 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-05-02 22:15 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-05-02 22:15 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-05-02 22:06
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-01 17:13:17 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-05-31 19:18:21 -------- d-----w C:\Program Files\Kalendarz XP
2007-05-30 10:26:45 -------- d-----w C:\DOCUME~1\AREK\DANEAP~1\Skype
2007-05-29 21:31:59 -------- d-----w C:\Program Files\FTP Commander
2007-05-29 18:58:32 -------- d-----w C:\DOCUME~1\AREK\DANEAP~1\HateML
2007-05-26 21:31:04 -------- d-----w C:\Program Files\GIMP-2.0
2007-05-26 05:23:03 2,560 ----a-w C:\WINDOWS_MSRSTRT.EXE
2007-05-26 05:21:16 -------- d-----w C:\Program Files\Common Files\Agnitum Shared
2007-05-24 19:35:23 -------- d-----w C:\DOCUME~1\AREK\DANEAP~1\Vso
2007-05-19 14:12:21 -------- d-----w C:\Program Files\Odkurzacz
2007-05-18 19:19:42 -------- d-----w C:\Program Files\The Bat!
2007-05-16 19:31:32 -------- d-----w C:\Program Files\DivX
2007-05-07 20:18:57 -------- d-----w C:\Program Files\KoolMoves Ekspert V3.60.2
2007-04-29 19:14:33 -------- d-----w C:\Program Files\Spyware Doctor
2007-04-29 10:10:35 -------- d-----w C:\Program Files\ffdshow
2007-04-29 07:31:51 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-26 21:58:19 83,536 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2007-04-26 21:57:59 59,984 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2007-04-26 21:55:39 26,064 ----a-w C:\WINDOWS\system32\drivers\kcom.sys
2007-04-26 21:55:23 52,304 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-04-26 21:55:20 39,248 ----a-w C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-04-26 21:52:57 -------- d-----w C:\DOCUME~1\AREK\DANEAP~1\PC Tools
2007-04-26 19:25:07 -------- d-----w C:\Program Files\SkanerOnline
2007-04-24 17:48:28 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-24 05:56:36 10,752 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-04-24 05:15:22 60,273 ----a-w C:\WINDOWS\system32\pthreadGC2.dll
2007-04-18 16:14:32 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-14 19:53:21 -------- d-----w C:\Program Files\PRO100
2007-04-12 21:38:04 -------- d-----w C:\DOCUME~1\AREK\DANEAP~1\MySQL
2007-04-11 13:23:36 1,011,712 ----a-w C:\WINDOWS\system32\VchReg.dll
2007-04-01 18:26:06 -------- d-----w C:\DOCUME~1\AREK\DANEAP~1\Ripit4me
2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll
2007-03-25 09:52:19 56,712 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-03-25 09:52:19 374,702 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-03-22 19:42:32 10,935 ----a-w C:\WINDOWS\mozver.dat
2007-03-17 13:45:36 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-16 22:04:59 13 ----a-w C:\DOCUME~1\AREK\DANEAP~1\tidy_cfg.dat
2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll
2007-03-08 15:38:47 579,072 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:38:47 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:38:47 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:37:33 1,843,840 ----a-w C:\WINDOWS\system32\win32k.sys
2006-11-24 21:03:16 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2005-10-23 19:02:51 56 --sh--r C:\WINDOWS\system32\1C838C96E8.sys
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-07-28 14:19 C:\WINDOWS\system32\nwiz.exe]
"CARPService"="carpserv.exe" [2002-11-19 13:17 C:\WINDOWS\system32\carpserv.exe]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2004-04-01 16:51]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-01-02 21:39]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2005-04-08 13:00]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-06-03 22:54]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 16:25]
"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2006-08-03 00:46]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit" []
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
Contents of the 'Scheduled Tasks' folder
2007-05-31 18:36:01 C:\WINDOWS\tasks\HP Usg Daily.job
********************************************************************
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-01 19:18:29
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
********************************************************************
Completion time: 2007-06-01 19:19:22
C:\ComboFix-quarantined-files.txt ... 2007-06-01 19:19
--- E O F ---
Post merged: 01.06.2007 (Fri) 19:22
And also this:
2000-06-08 17:00 483600 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\OLEDB32.DLL.vir
2004-08-04 01:44 139776 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\TASKMGR.COM.vir
2004-08-04 01:44 149504 --a------ C:\Qoobox\Quarantine\C\WINDOWS\REGEDIT.COM.vir
Zmienna PATH folderu dla woluminu Instalki
Numer seryjny woluminu: F4B5-E4CF
C:\QOOBOX
\---Quarantine
    +---C
    |   \---WINDOWS
    |       |   REGEDIT.COM.vir
    |       |
    |       \---system32
    |               OLEDB32.DLL.vir
    |               TASKMGR.COM.vir
    |
    \---Registry_backups