SafeGroup

Full version: please analyze the LOG from HiJackThis
Quote: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:53, on 2007-08-23
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Wapster\AQQ\AQQ.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\crawler\notes\cnotes.exe
C:\Program Files\Launch Manager\LManager.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\dumprep.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [link]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [link]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [link]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [link]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [link]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O4 - HKLM\..\RunServices: [Intel Driver] csrs.exe
O4 - HKCU\..\Run: [AQQ] C:\PROGRA~1\Wapster\AQQ\AQQ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CrawlerNotes] c:\progra~1\crawler\notes\cnotes.exe /notesshow
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Skrót do LManager.lnk = C:\Program Files\Launch Manager\LManager.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - [link]
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - [link]
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - [link]
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - [link]
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - [link]
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D167C70-4369-4CCB-975F-9F195016B5DA}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{A129A8F1-B658-4F26-9BFB-03144735B66E}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB06B819-DAF8-4D12-B2D0-84DD4D871E64}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFDD7D83-8F32-4E84-809E-95C2A12565F3}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.18 85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.18 85.255.112.185
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7617 bytes
Quote: R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O4 - HKLM\..\RunServices: [Intel Driver] csrs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D167C70-4369-4CCB-975F-9F195016B5DA}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{A129A8F1-B658-4F26-9BFB-03144735B66E}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB06B819-DAF8-4D12-B2D0-84DD4D871E64}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFDD7D83-8F32-4E84-809E-95C2A12565F3}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.18 85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.18 85.255.112.185


Delete the files in bold in Safe Mode with System Restore disabled, and remove the entries in HijackThis.
Apply [link]

After these steps, post the logs from HijackThis, [link], [link],
and the report from Fixwareout
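The lines quoted in the reply are exactly what a log-triage pass should surface: every interface plus the global Tcpip\Parameters key pointing at the same two public resolvers, an autostart that is a bare file name one character away from csrss.exe, and an executable launched from the Windows root. Below is an added Python example (not from this thread, from HijackThis or from Fixwareout) that scores such O4/O17/R3 lines; the expected-resolver allowlist, the core-process set and the Windows-root allowlist are assumptions to fill in for the machine under review.

```python
"""Triage pass over HijackThis O4/O17/R3 lines for the indicators quoted above."""
import ipaddress
import re

# Constructed sample: the lines the reply quoted, plus two benign lines for
# contrast (paths written with their backslashes restored).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O4 - HKLM\..\RunServices: [Intel Driver] csrs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D167C70-4369-4CCB-975F-9F195016B5DA}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.18 85.255.112.185
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

# Core Windows XP process names: an autostart whose file name is one character
# off one of these (csrs vs csrss) is disguised, not misspelled.
CORE_PROCESSES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
                  "explorer", "spoolsv", "ctfmon"}
# Assumed, deliberately short allowlist of executables that legitimately sit
# directly in %SystemRoot%; extend it for the machine under review.
WINDOWS_ROOT_EXES = {"explorer", "notepad", "regedit", "hh", "winhlp32"}

O4_RE = re.compile(r"^O4 - .+?\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)


def within_one_edit(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def is_public(addr):
    """Public address, or something that does not even parse (surface that too)."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return True


def check_o4(line):
    """Autostart heuristics: bare file name, legacy key, lookalike name, Windows-root path."""
    m = O4_RE.match(line)
    exe_m = EXE_RE.match(m["cmd"].strip()) if m else None
    if not exe_m:
        return []
    exe, name = exe_m["exe"], m["name"]
    folder, _, file_name = exe.rpartition("\\")
    stem = file_name.lower()[:-4]  # EXE_RE guarantees the .exe suffix
    findings = []
    if not folder:
        findings.append(("O4", "high", f"[{name}] runs bare file name {exe!r}, located via the search path"))
    if m["key"].lower() == "runservices":
        findings.append(("O4", "medium", f"[{name}] uses the legacy RunServices key"))
    if any(within_one_edit(stem, core) for core in CORE_PROCESSES):
        findings.append(("O4", "high", f"[{name}] file name {stem!r} mimics a core Windows process"))
    if folder.lower().endswith("\\windows") and stem not in WINDOWS_ROOT_EXES:
        findings.append(("O4", "medium", f"[{name}] starts {exe!r} from the Windows root directory"))
    return findings


def check_o17(line, expected_resolvers):
    """Flag public resolvers outside the allowlist on any interface or the global key."""
    m = O17_RE.match(line)
    if not m:
        return []
    servers = [s for s in re.split(r"[,\s]+", m["servers"]) if s]
    rogue = [s for s in servers if s not in expected_resolvers and is_public(s)]
    if not rogue:
        return []
    return [("O17", "high", f"{m['key']} resolves through unexpected public DNS servers: {', '.join(rogue)}")]


def check_orphan(line):
    """R3/O2/O3 entries whose file is gone: harmless on their own, but worth cleaning."""
    if line.startswith(("R3 ", "O2 ", "O3 ")) and line.endswith("(no file)"):
        return [(line[:2], "low", "entry points at a file that no longer exists")]
    return []


def triage(log_text, expected_resolvers=frozenset()):
    """Return (section, severity, message) tuples for every suspicious line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        findings += check_o4(line) + check_o17(line, expected_resolvers) + check_orphan(line)
    return findings


if __name__ == "__main__":
    for section, severity, message in triage(SAMPLE_LOG):
        print(f"{section} [{severity}] {message}")
```

Run against the sample it reports seven findings: the two O17 lines as high, the csrs.exe entry three times (bare name, RunServices, csrss lookalike), RavMonE.exe for living in the Windows root, and the dead Yahoo! Toolbar hook as low.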
Quote: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:35:59, on 2007-08-23
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\Wapster\AQQ\AQQ.exe
c:\progra~1\crawler\notes\cnotes.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Launch Manager\LManager.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [link]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [link]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [link]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [link]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [link]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [AQQ] C:\PROGRA~1\Wapster\AQQ\AQQ.exe
O4 - HKCU\..\Run: [CrawlerNotes] c:\progra~1\crawler\notes\cnotes.exe /notesshow
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Skrót do LManager.lnk = C:\Program Files\Launch Manager\LManager.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - [link]
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - [link]
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - [link]
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - [link]
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - [link]
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D167C70-4369-4CCB-975F-9F195016B5DA}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{A129A8F1-B658-4F26-9BFB-03144735B66E}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB06B819-DAF8-4D12-B2D0-84DD4D871E64}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFDD7D83-8F32-4E84-809E-95C2A12565F3}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.18 85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.18 85.255.112.185
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7393 bytes


Quote: "Silent Runners.vbs", revision 52, [link]

Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AQQ" = "C:\PROGRA~1\Wapster\AQQ\AQQ.exe" ["AQQ Sp. z o.o."]
"CrawlerNotes" = "c:\progra~1\crawler\notes\cnotes.exe /notesshow" ["Crawler.com"]
"AutoConnect" = "C:\Program Files\AutoConnect\AutoConnect.exe" [file not found]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ePower_DMC" = "C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" ["Acer Incorporated"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00011268-E188-40DF-A514-835FCD78B1BF}\(Default) = "IE7Pro"
-> {HKLM...CLSID} = "IE7Pro BHO"
\InProcServer32\(Default) = "C:\Program Files\IE7Pro\IE7Pro.dll" ["IE7Pro.com"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Megaupload Toolbar"
\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}" = "EPM-PO Shell Extension"
-> {HKLM...CLSID} = "EPM-PO Shell Extensions"
\InProcServer32\(Default) = "epm-po.dll" ["Acer Labs USA"]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
-> {HKLM...CLSID} = "ACTHUMBNAIL"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Uchwyt nakładania ikony podpisu cyfrowego"
-> {HKLM...CLSID} = "AcSignIcon"
\InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]
"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"
-> {HKLM...CLSID} = "ACDWFTHMBPRXY"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}" = "AQQ File Transfer Shell Extension"
-> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\Wapster\AQQ\System\AQQSHE~1.DLL" [null data]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "System" = "kdfem.exe" [file not found]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
AQQFileTransfer\(Default) = "{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}"
-> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\Wapster\AQQ\System\AQQSHE~1.DLL" [null data]
Autodesk.DWF.ContextMenu\(Default) = "{6C18531F-CA85-45F7-8278-FF33CF0A5964}"
-> {HKLM...CLSID} = "DWFShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\dwf Common\DWFShellExtension.dll" ["Autodesk, Inc."]
EDSshellExt\(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}"
-> {HKLM...CLSID} = "eDSshlExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\eDSshellExt.dll" ["HiTRUST"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
EDSshellExt\(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}"
-> {HKLM...CLSID} = "eDSshlExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\eDSshellExt.dll" ["HiTRUST"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
InventorMenu\(Default) = "{6FDE7A70-351B-11d6-988B-0010B57A8BB7}"
-> {HKLM...CLSID} = "Autodesk Inventor® Part Document"
\InProcServer32\(Default) = "C:\Program Files\Autodesk\Inventor 11\Bin\DT.dll" ["Autodesk, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Default executables:
--------------------

HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
<<!>> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\system32\notepad.exe" "%1"" [MS]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\dom\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Startup items in "dom" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\dom\Menu Start\Programy\Autostart
"Skrót do LManager" -> shortcut to: "C:\Program Files\Launch Manager\LManager.exe" ["Dritek System Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 05, 08 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"
-> {HKLM...CLSID} = "Megaupload Toolbar"
\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}" = (no title provided)
-> {HKLM...CLSID} = "Acer eDataSecurity Management"
\InProcServer32\(Default) = "C:\WINDOWS\system32\eDStoolbar.dll" ["HiTRUST"]
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)
-> {HKLM...CLSID} = "Megaupload Toolbar"
\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{0026439F-A980-4F18-8C95-4F1CBBF9C1D8}\
"ButtonText" = "IE7Pro Preferences"
"MenuText" = "IE7Pro Preferences"
"CLSIDExtension" = "{B119EB0C-C021-46CF-85B0-34A760E0D5FE}"
-> {HKLM...CLSID} = "IE7Pro ToolsExt"
\InProcServer32\(Default) = "C:\Program Files\IE7Pro\IE7Pro.dll" ["IE7Pro.com"]

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
<<H>> "Tabs" = "C:\Documents and Settings\dom\Dane aplikacji\MEGAUPLOADTOOLBAR\tab\welcome.html" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft AB"]
AdminWorks Agent X6, AWService, ""C:\Acer\Empowering Technology\admServ.exe"" ["Avocent Inc."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
CyberLink Background Capture Service (CBCS), CLCapSvc, ""C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe"" [empty string]
CyberLink Media Library Service, CyberLink Media Library Service, ""C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe"" ["Cyberlink"]
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\CyberLink\Shared Files\RichVideo.exe"" [empty string]
CyberLink Task Scheduler (CTS), CLSched, ""C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe"" [empty string]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
MSSQL$AUTODESKVAULT, MSSQL$AUTODESKVAULT, ""C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe" -sAUTODESKVAULT" [MS]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2007-08-23 16:38:14)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 58 seconds.
---------- (total run time: 110 seconds)


Quote: Username "dom" - 2007-08-23 16:41:55 [Fixwareout edited 2007/07/05]

»»»»» Prerun check
HKLM\SOFTWARE\~\Winlogon "System"="kdfem.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.18 85.255.112.185" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{2D167C70-4369-4CCB-975F-9F195016B5DA}
"nameserver"="85.255.116.18,85.255.112.185" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A129A8F1-B658-4F26-9BFB-03144735B66E}
"nameserver"="85.255.116.18,85.255.112.185" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{BB06B819-DAF8-4D12-B2D0-84DD4D871E64}
"nameserver"="85.255.116.18,85.255.112.185" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{CFDD7D83-8F32-4E84-809E-95C2A12565F3}
"nameserver"="85.255.116.18,85.255.112.185" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{18647E97-125C-4B1D-A4F9-B8B7751E72BD}
"DhcpNameServer"="85.255.116.18,85.255.112.185" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A129A8F1-B658-4F26-9BFB-03144735B66E}
"DhcpNameServer"="85.255.116.18,85.255.112.185" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{CFDD7D83-8F32-4E84-809E-95C2A12565F3}
"DhcpNameServer"="85.255.116.18,85.255.112.185" <Value cleared.

Pomyślnie opróżniono pamięć podręczną programu rozpoznawania nazw DNS.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe"
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe"
"Adobe Reader Speed Launcher"=""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AQQ"="C:\PROGRA~1\Wapster\AQQ\AQQ.exe"
"CrawlerNotes"="c:\progra~1\crawler\notes\cnotes.exe /notesshow"
"AutoConnect"="C:\Program Files\AutoConnect\AutoConnect.exe"
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


Cytat: ComboFix 07-08-17.2 - "dom" 2007-08-23 16:45:10.2 - FAT32 x86
Microsoft Windows XP Home Edition5.1.2600.2.1250.1.1045.18.118 [GMT 2:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


CGrinOCUME~1domDANEAP~1..ravmonlog
f:autorun.inf


((((((((((((((((((((((((( Files Created from 2007-07-23 to 2007-08-23)))))))))))))))))))))))))))))))


2007-08-23 16:41 8,810 --a------ C:\dnsbak.reg
2007-08-23 16:40 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-23 12:56 <DIR> d-------- C:\WINDOWS\pss
2007-08-23 12:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-23 11:17 <DIR> d-------- C:\Program Files\AutoConnect
2007-08-23 10:47 <DIR> d-------- C:\Program Files\MegauploadToolbar
2007-08-23 10:47 <DIR> d-------- C:\DOCUME~1\dom\DANEAP~1\MegauploadToolbar
2007-08-22 15:06 <DIR> d-------- C:\Program Files\Real Alternative
2007-08-22 15:06 <DIR> d-------- C:\DOCUME~1\dom\DANEAP~1\Real
2007-08-22 15:06 <DIR> d-------- C:\DOCUME~1\dom\DANEAP~1\Media Player Classic
2007-08-22 15:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Real
2007-08-21 20:27 <DIR> d-------- C:\Program Files\IE7Pro
2007-08-21 20:27 <DIR> d-------- C:\DOCUME~1\dom\DANEAP~1\IE7Pro
2007-08-21 18:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Spybot - Search & Destroy
2007-08-20 18:01 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-07 20:42 <DIR> d-------- C:\Program Files\7-Zip
2007-08-07 09:36 <DIR> d-------- C:\DOCUME~1\dom\DANEAP~1\vlc
2007-07-23 20:57 <DIR> d-------- C:\Program Files\Axis Communications


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-20 21:14 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-20 21:14 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-07-22 16:20 --------- d-------- C:\Program Files\Audacity
2007-07-19 08:58 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-13 01:32 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-07 17:54 --------- d-------- C:\Program Files\Lavasoft
2007-07-07 17:53 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-03 12:42 --------- d-------- C:\Program Files\Map24
2007-07-03 12:42 --------- d-------- C:\DOCUME~1\dom\DANEAP~1\Map24
2007-06-29 12:38 --------- d-------- C:\Program Files\mp3DirectCut
2007-06-27 16:09 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 16:09 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 16:09 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 16:09 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 16:09 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 16:09 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 16:09 44544 --a------ C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 16:09 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 16:09 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 16:09 232960 --a------ C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 16:09 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 16:09 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 16:09 105984 --a------ C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 16:09 102400 --a------ C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 16:08 384512 --a------ C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 16:08 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 16:08 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 16:08 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 16:08 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 16:08 124928 --a------ C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 10:30 625152 --a------ C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 10:27 63488 --a------ C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 10:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 09:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 15:32 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 15:32 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 15:23 1034752 --a------ C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 15:23 1034752 --a------ C:\WINDOWS\explorer.exe
2007-06-11 23:51 10834944 --a------ C:\WINDOWS\system32\dllcache\wmp.dll
2007-03-08 19:17:40 56 --sh--r C:\WINDOWS\system32\48A1109D8D.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 19:29]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AQQ"="C:\PROGRA~1\Wapster\AQQ\AQQ.exe" [2007-02-28 13:18]
"CrawlerNotes"="c:\progra~1\crawler\notes\cnotes.exe" [2007-04-11 07:25]
"AutoConnect"="C:\Program Files\AutoConnect\AutoConnect.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]

C:\Documents and Settings\dom\Menu Start\Programy\Autostart
Skrót do LManager.lnk - C:\Program Files\Launch Manager\LManager.exe [2007-01-08 09:06:10]

R1 OsaFsLoc;OsaFsLoc;\??\C:\WINDOWS\system32\drivers\OsaFsLoc.sys
R2 MSSQL$AUTODESKVAULT;MSSQL$AUTODESKVAULT;"C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe" -sAUTODESKVAULT
R2 osaio;osaio;\??\C:\WINDOWS\system32\drivers\osaio.sys
R2 osanbm;osanbm;\??\C:\WINDOWS\system32\drivers\osanbm.sys
R3 Cam5603D;Acer OrbiCam;C:\WINDOWS\system32\Drivers\BisonCam.sys
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
R3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
R3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys
S3 SQLAgent$AUTODESKVAULT;SQLAgent$AUTODESKVAULT;"C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlagent.EXE" -i AUTODESKVAULT


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,


Rootkit scan 2007-08-23 16:47:23
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-23 16:47:57
C:\ComboFix-quarantined-files.txt ... 2007-08-23 16:47

--- E O F ---
Quote: R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D167C70-4369-4CCB-975F-9F195016B5DA}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{A129A8F1-B658-4F26-9BFB-03144735B66E}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB06B819-DAF8-4D12-B2D0-84DD4D871E64}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFDD7D83-8F32-4E84-809E-95C2A12565F3}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.18 85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.18 85.255.112.185


Delete them in HijackThis. Have the "problems" gone away?
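Added example, not from this thread or from HijackThis: a small Python checker for O17 lines like the ones quoted in the post above. It parses the NameServer lists (comma-separated on the per-interface keys, space-separated on the Parameters keys, exactly as HijackThis prints them here), classifies each resolver against an allowlist of resolvers the machine is supposed to use, and reports in how many keys and in which control sets every unexpected public resolver turns up. The allowlist, the sample log text and the GUID on the benign line are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in HijackThis O17 format, modelled on the lines quoted
# in the thread (the same 85.255.x.x pair on several interface GUIDs and in
# the CS1 control set) plus one line pointing at a LAN resolver.
SAMPLE_HJT = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{2D167C70-4369-4CCB-975F-9F195016B5DA}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A129A8F1-B658-4F26-9BFB-03144735B66E}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 85.255.116.18 85.255.112.185
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}: NameServer = 192.168.1.1
"""

# Resolvers this machine is supposed to use (assumption: substitute the ISP
# or LAN resolvers you actually expect).
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Key path, control set (CCS, CS1, ...) and the raw server list.
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\(?P<cs>\w+)\\Services\\Tcpip\\[^:]+): NameServer = (?P<servers>.+)$"
)


def parse_o17(log: str):
    """Yield (registry key, control set, [server, ...]) for every O17 line."""
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # Per-interface keys are comma-separated, the Parameters keys are
        # space-separated; accept both.
        servers = [s for s in re.split(r"[,\s]+", m["servers"].strip()) if s]
        yield m["key"], m["cs"], servers


def classify(server: str, expected: set) -> str:
    """Return expected / private-unlisted / public-unexpected / invalid."""
    if server in expected:
        return "expected"
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    return "private-unlisted" if ip.is_private else "public-unexpected"


def audit(log: str, expected: set) -> dict:
    """Group every nameserver by the keys and control sets it appears in."""
    report = defaultdict(lambda: {"verdict": None, "keys": [], "control_sets": set()})
    for key, cs, servers in parse_o17(log):
        for s in servers:
            entry = report[s]
            entry["verdict"] = classify(s, expected)
            entry["keys"].append(key)
            entry["control_sets"].add(cs)
    return dict(report)


def suspicious_servers(report: dict) -> list:
    """Public resolvers the operator did not configure, sorted for stable output."""
    return sorted(s for s, e in report.items() if e["verdict"] == "public-unexpected")


if __name__ == "__main__":
    rep = audit(SAMPLE_HJT, EXPECTED_RESOLVERS)
    for s in suspicious_servers(rep):
        e = rep[s]
        print(f"{s}: {e['verdict']} in {len(e['keys'])} key(s), control sets {sorted(e['control_sets'])}")
```

Feed it a saved HijackThis log instead of SAMPLE_HJT. The control-set column is worth reading: CCS is an alias for whichever ControlSet00N is current, so whether a fix applied to CCS also clears CS1 depends on which set is current at the time; rescan after the fix rather than assume.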
Thank you very much for the help, the problems have gone away.
Just a moment...

Into Notepad:

Code:
Windows Registry Editor Version 5.00

; Clear the Winlogon "System" value (its default is an empty string)
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

; Delete the WRNotifier Winlogon notification package (a leading "-" deletes the key;
; regedit needs the full hive name here, "HKLM" is not accepted in a .reg file)
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]

; Restore BootExecute to the default REG_MULTI_SZ "autocheck autochk *"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00


File => Save As => change the file type from .txt to All Files => then save it under the name FIX.REG

Run the FIX.REG file you created, then confirm adding it to the Registry and restart the computer.

Then post a new log from Silent Runners.
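Added example, not part of the thread: a Python check to run over a FIX.REG before importing it. It verifies the header, rejects keys whose root is an abbreviation (regedit only accepts the full hive names such as HKEY_LOCAL_MACHINE in a .reg file, so a [-HKLM\...] deletion line is simply not applied), and decodes the hex(7) BootExecute value, continuation lines included, to confirm it really says "autocheck autochk *". encode_hex7 does the reverse and produces a regedit-style value with "\" line continuations. FIX_REG is a constructed copy of the fix above with full hive names; BAD_REG is the same text with the deletion key's root abbreviated.

```python
import re

# Root hive names regedit accepts in a .reg file.
ROOT_KEYS = {
    "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
    "HKEY_USERS", "HKEY_CURRENT_CONFIG",
}

# Default BootExecute content on Windows XP.
DEFAULT_BOOT_EXECUTE = ["autocheck autochk *"]

# Constructed fix file modelled on the one posted in the thread.
FIX_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00
"""

# Same file with the abbreviated root (constructed) that regedit would not import.
BAD_REG = FIX_REG.replace("[-HKEY_LOCAL_MACHINE\\", "[-HKLM\\")


def decode_hex7(value: str) -> list:
    """Decode a regedit hex(7) (REG_MULTI_SZ) value into its strings."""
    body = value.split(":", 1)[1] if value.lstrip().startswith("hex(7):") else value
    # Remove regedit's "\"-newline continuations and any whitespace.
    cleaned = re.sub(r"\\\s*\n\s*", "", body)
    cleaned = re.sub(r"\s+", "", cleaned)
    raw = bytes(int(b, 16) for b in cleaned.strip(",").split(",") if b)
    text = raw.decode("utf-16-le")
    # REG_MULTI_SZ: NUL-separated strings, terminated by an extra NUL.
    return [s for s in text.split("\x00") if s]


def encode_hex7(name: str, strings: list, width: int = 80) -> str:
    """Build a '"name"=hex(7):...' line, wrapped with "\" continuations like regedit."""
    raw = "".join(s + "\x00" for s in strings) + "\x00"
    pairs = [f"{b:02x}" for b in raw.encode("utf-16-le")]
    lines, cur = [], f'"{name}"=hex(7):'
    for i, p in enumerate(pairs):
        piece = p + ("," if i < len(pairs) - 1 else "")
        if len(cur) + len(piece) + 1 > width:  # +1 for the trailing "\"
            lines.append(cur + "\\")
            cur = "  "
        cur += piece
    lines.append(cur)
    return "\n".join(lines)


def check_reg_file(text: str) -> list:
    """Return problems that would make regedit reject or skip parts of the file."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != "Windows Registry Editor Version 5.00":
        problems.append("line 1: missing 'Windows Registry Editor Version 5.00' header")
    i = 0
    while i < len(lines):
        s = lines[i].strip()
        if s.startswith("[") and s.endswith("]"):
            root = s[1:-1].lstrip("-").split("\\", 1)[0]
            if root not in ROOT_KEYS:
                problems.append(f"line {i + 1}: '{root}' is not a full hive name; regedit will not import this key")
        elif "=hex(7):" in s:
            start, value = i + 1, s.split("=", 1)[1]
            # Gather continuation lines before decoding.
            while value.rstrip().endswith("\\") and i + 1 < len(lines):
                i += 1
                value += "\n" + lines[i]
            try:
                decode_hex7(value)
            except (ValueError, UnicodeDecodeError):
                problems.append(f"line {start}: hex(7) value does not decode as REG_MULTI_SZ")
        i += 1
    return problems


if __name__ == "__main__":
    print("FIX_REG:", check_reg_file(FIX_REG) or "ok")
    print("BAD_REG:", check_reg_file(BAD_REG))
    print(encode_hex7("BootExecute", DEFAULT_BOOT_EXECUTE))
```

Decoding the value before importing is the point: a hex(7) blob is unreadable in the forum post, and this is what tells you whether it restores the default or something else.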