TR/Crypt.XPACK.Gen - annoying pest/trojan
#1
I have a problem with the virus/trojan named in the subject. Right after the computer starts, once AntiVir has loaded and the network connection is up, the windows shown in the screenshot appear.

One is in C:, as you can see in the screenshot, and the other is in C:\Doc&sett\profile\temp internet\ie.5\some other folder.

What is more interesting, the HijackThis log is clean :/.

I have already clicked practically everything except Ignore and it is still the same.

I will add that besides that third file, a file from the second partition was added to quarantine straight away: D:\System Volume Information\_restore{some string}\RP91\A0034393.exe
#2
Turn System Restore off and back on. See if that helps.
#3
Luckily, turning System Restore off helped; after turning it back on everything runs like a charm :)

Thanks a lot, and just for the sake of accuracy I would like to ask: was I right to suspect the file in System Volume Information?

edit.
It did not help after all. Right after sending this post the message about this/these trojan(s) popped up again.

edit2.
Interestingly, if I run a full system scan it does not detect any virus; the problem appears after the system boots, the two windows I attached in the screenshot pop up, and then it is quiet.
#4
Hmm... skoro wykrywa Ci go tylko przy starcie systemu to musi mieć do tego
klucz w rejestrze.

Wrzuć tu log hijacka i log z

[Aby zobaczyć linki, zarejestruj się tutaj]

"Nie jestem konsumentem mieszczącym się w standardzie
Nie jestem gatunkiem skazanym na wymarcie
Nie jestem obiektem medialnego hałasu
Jestem nielegalnym zabójcą czasu"
Odpowiedz
#5
Here you go, here is the log:

Quote: "Silent Runners.vbs", revision R50

Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Konnekt" = ""C:\Program Files\Konnekt\konnekt.exe" /autostart" ["Stamina"]
"Steam" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]
"ZoneAlarm Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"WheelMouse" = "C:\Program Files\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co.,Ltd."]
"LogitechCommunicationsManager" = ""C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"" ["Labtec Inc,"]
"(Default)" = "(empty string)" [file not found]
"LogitechQuickCamRibbon" = ""C:\Program Files\Labtec\WebCam10\WebCam10.exe" /hide" ["Labtec Inc."]
"lxcgmon.exe" = ""C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"" ["Lexmark International, Inc."]
"EzPrint" = ""C:\Program Files\Lexmark 2300 Series\ezprint.exe"" ["Lexmark International Inc."]
"FaxCenterServer" = ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s" [null data]
"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"LXCGCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16" [MS]
"avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"Microsoft" = "soundvol32.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
     \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{2F5AC606-70CF-461C-BFE1-734234536262}" = "WindowBlinds CPL Extension"
  -> {HKLM...CLSID} = "DisplayCplExt Class"
     \InProcServer32\(Default) = "C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbui.dll" ["Stardock.Net, Inc"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{8903F6C9-25E3-40AC-A98F-E6D35CD0469C}" = "PSPad"
  -> {HKLM...CLSID} = "PSPad"
     \InProcServer32\(Default) = "C:\PROGRA~1\PSPADE~1\PSPADS~1.DLL" [null data]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "wbsys.dll" ["Stardock.Net, Inc"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> WBSrv\DLLName = "C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll" ["Stardock"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
PSPad\(Default) = "{8903F6C9-25E3-40AC-A98F-E6D35CD0469C}"
  -> {HKLM...CLSID} = "PSPad"
     \InProcServer32\(Default) = "C:\PROGRA~1\PSPADE~1\PSPADS~1.DLL" [null data]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
     \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
     \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"EnableLUA" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Filip\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Startup items in "Filip" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Color Calibration" -> shortcut to: "C:\Program Files\SEC\MagicTune3.5_Client\GammaTray.exe" [empty string]
"MagicTune 3.5" -> shortcut to: "C:\Program Files\SEC\MagicTune3.5_Client\MagicTuneTray.exe" [empty string]
"NaturalColorLoad" -> shortcut to: "C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Guard, AntiVirService, ""C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, ""C:\Program Files\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
lxcg_device, lxcg_device, "C:\WINDOWS\system32\lxcgcoms.exe -service" [empty string]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Odbiornik RIP, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Usługa Pomocnik IPv6, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
Usługi Simple TCP/IP, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
2300 Series Port\Driver = "lxcglmpm.DLL" [empty string]
Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 70 seconds.
---------- (total run time: 149 seconds)

#6
Clean the registry with jv16 PowerTools.

Quote:
C:\WINDOWS\system32\soundvol32.exe


Scan the file marked in red at Virustotal.com and post the results on the forum.

Show a ComboFix log.
#7
jv16...: I removed the entries I was 100% sure should not be there.

Scan of soundvol32.exe: probably its fault:
Quote: Complete scanning result of "soundvol32.exe", received in VirusTotal at 05.31.2007, 20:48:37 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 05.31.2007 no virus found
AntiVir 7.4.0.29 05.31.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.30.2007 Win32:Rbot-CSN
AVG 7.5.0.467 05.31.2007 IRC/BackDoor.SdBot3.BCY
BitDefender 7.2 05.31.2007 Backdoor.Spybot.DLN
CAT-QuickHeal 9.00 05.31.2007 no virus found
ClamAV devel-20070416 05.31.2007 Trojan.SdBot-5925
DrWeb 4.33 05.31.2007 no virus found
eSafe 7.0.15.0 05.31.2007 Win32.Spybot
eTrust-Vet 30.7.3679 05.31.2007 no virus found
Ewido 4.0 05.31.2007 Backdoor.Rbot.cij
FileAdvisor 1 05.31.2007 High threat detected
Fortinet 2.85.0.0 05.31.2007 PossibleThreat
F-Prot 4.3.2.48 05.30.2007 W32/Backdoor.AQWD
F-Secure 6.70.13030.0 05.31.2007 Backdoor.Win32.Rbot.cij
Ikarus T3.1.1.8 05.31.2007 Backdoor.Win32.Rbot.cij
Kaspersky 4.0.2.24 05.31.2007 Backdoor.Win32.Rbot.cij
McAfee 5043 05.31.2007 no virus found
Microsoft 1.2503 05.31.2007 Trojan:Win32/Ircbrute!DC17
NOD32v2 2301 05.31.2007 no virus found
Norman 5.80.02 05.31.2007 no virus found
Panda 9.0.0.4 05.31.2007 W32/IRCbot.ATZ.worm
Prevx1 V2 05.31.2007 Covert.Sys.Exec
Sophos 4.18.0 05.31.2007 no virus found
Sunbelt 2.2.907.0 05.30.2007 no virus found
Symantec 10 05.31.2007 W32.Spybot.Worm
TheHacker 6.1.6.128 05.31.2007 no virus found
VBA32 3.12.0 05.30.2007 Backdoor.Win32.Rbot.qf
VirusBuster 4.3.23:9 05.31.2007 no virus found
Webwasher-Gateway 6.0.1 05.31.2007 Virus.Win32.FileInfector.gen!94 (suspicious)

Additional Information
File size: 1347584 bytes
MD5: 17dc1fc62c1735beec82310bd7d1276d
SHA1: e8bceb901a2d7f4c3d9f76d4f76042f061dcddff
packers: Armadillo



ComboFix log
Quote: "Filip" - 2007-05-31 20:52:13  Dodatek Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Filip"


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_IPRIP
-------\Iprip


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-31))))))))))))))))))))))))))))))))))


2007-05-31 20:43 <DIR> d-------- C:\Program Files\jv16 PowerTools
2007-05-31 17:20 <DIR> d-------- C:\Program Files\IObit
2007-05-31 12:06 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-31 12:06 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji
2007-05-31 12:06 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start
2007-05-31 12:06 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne
2007-05-31 12:06 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony
2007-05-31 12:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione
2007-05-31 12:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit
2007-05-31 12:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty
2007-05-30 23:24 <DIR> d-------- C:\DOCUME~1\Filip\DANEAP~1\gtk-2.0
2007-05-30 23:22 <DIR> d-------- C:\DOCUME~1\Filip\DANEAP~1\.purple
2007-05-30 23:20 <DIR> d-------- C:\Program Files\Pidgin
2007-05-30 23:20 <DIR> d-------- C:\Program Files\Aspell
2007-05-30 23:19 <DIR> d-------- C:\Program Files\Common Files\GTK
2007-05-29 22:26 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-05-29 22:00 153,925 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-05-25 21:33 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-05-25 21:31 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-05-25 21:31 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-05-25 21:31 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-05-25 21:31 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-05-25 21:31 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-05-24 16:48 51,200 --a------ C:\WINDOWS\system32\camcodec.dll
2007-05-23 22:27 <DIR> d-------- C:\WINDOWS\pss
2007-05-21 15:56 <DIR> d-------- C:\Program Files\RADVideo
2007-05-20 14:31 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll
2007-05-20 14:31 <DIR> d-------- C:\Program Files\Acala 3GP Movies Free
2007-05-19 12:04 <DIR> d-------- C:\Program Files\Joost
2007-05-19 12:04 <DIR> d-------- C:\DOCUME~1\Filip\DANEAP~1\Joost
2007-05-18 22:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\AntiVir PersonalEdition Classic
2007-05-13 20:29 <DIR> d-------- C:\DOCUME~1\Magda\DANEAP~1\MusicIP
2007-05-11 21:51 0 -ra------ C:\logwmemory.bin
2007-05-09 20:02 <DIR> d-------- C:\Program Files\Skype
2007-05-09 20:02 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-05-09 13:58 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-04-27 15:24 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2007-04-27 15:23 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-04-27 15:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\MAGIX
2007-04-27 15:21 94,208 --a------ C:\WINDOWS\system32\DLLCPY32.dll
2007-04-27 15:21 65,536 --a------ C:\WINDOWS\system32\DLLPTL32.dll
2007-04-27 15:21 61,440 --a------ C:\WINDOWS\system32\DLLCDF32.dll
2007-04-27 15:21 57,344 --a------ C:\WINDOWS\system32\DLLTPO32.dll
2007-04-27 15:21 53,248 --a------ C:\WINDOWS\system32\DLLPRJ32.dll
2007-04-27 15:21 49,152 --a------ C:\WINDOWS\system32\mgxasio2.dll
2007-04-27 15:21 49,152 --a------ C:\WINDOWS\system32\DLLPRF32.dll
2007-04-27 15:21 49,152 --a------ C:\WINDOWS\system32\DLLIO32.dll
2007-04-27 15:21 462,848 --a------ C:\WINDOWS\system32\DLLAV32.dll
2007-04-27 15:21 45,056 --a------ C:\WINDOWS\system32\DLLIMG32.dll
2007-04-27 15:21 430,080 --a------ C:\WINDOWS\system32\MXRestore.exe
2007-04-27 15:21 40,960 --a------ C:\WINDOWS\system32\DLLRD32.dll
2007-04-27 15:21 36,864 --a------ C:\WINDOWS\system32\DLLPNT32.dll
2007-04-27 15:21 32,768 --a------ C:\WINDOWS\system32\STRING32.dll
2007-04-27 15:21 32,768 --a------ C:\WINDOWS\system32\DLLMSC32.dll
2007-04-27 15:21 32,768 --a------ C:\WINDOWS\system32\DLLISO32.dll
2007-04-27 15:21 32,768 --a------ C:\WINDOWS\system32\DLLDIR32.dll
2007-04-27 15:21 24,576 --a------ C:\WINDOWS\system32\TTIC32.dll
2007-04-27 15:21 24,576 --a------ C:\WINDOWS\system32\TTI32.dll
2007-04-27 15:21 24,576 --a------ C:\WINDOWS\system32\DLLIX.dll
2007-04-27 15:21 188,416 --a------ C:\WINDOWS\system32\DLLRES32.dll
2007-04-27 15:21 163,840 --a------ C:\WINDOWS\system32\DLLDEV32.dll
2007-04-27 15:21 151,552 --a------ C:\WINDOWS\system32\DLLDRV32.dll
2007-04-27 15:21 114,688 --a------ C:\WINDOWS\system32\DLLCDA32.dll
2007-04-27 15:21 <DIR> d-------- C:\Program Files\Common Files\MAGIX Shared
2007-04-27 15:20 85,504 --a------ C:\WINDOWS\system32\HtmlWH.dll
2007-04-27 15:20 643,072 --a------ C:\WINDOWS\system32\mgxoschk.dll
2007-04-27 15:20 49,152 --a------ C:\WINDOWS\system32\INETWH32.dll
2007-04-27 15:20 1,089,536 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
2007-04-27 15:20 <DIR> d-------- C:\WINDOWS\system32\MAGIX
2007-04-27 15:20 <DIR> d-------- C:\MAGIX
2007-04-25 21:44 <DIR> d-------- C:\Program Files\SkanerOnline
2007-04-25 21:36 69,632 --a------ C:\WINDOWS\Alcmtr.exe
2007-04-25 21:34 147,456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
2007-04-25 21:34 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe
2007-04-25 21:34 <DIR> d-------- C:\Program Files\Realtek AC97
2007-04-24 17:21 <DIR> d-------- C:\DOCUME~1\Filip\DANEAP~1\MusicIP
2007-04-21 12:05 280 --a------ C:\WINDOWS\xxxx.bat
2007-04-20 21:05 <DIR> d-------- C:\DOCUME~1\Magda\DANEAP~1\DivX
2007-04-19 16:53 <DIR> d-------- C:\Documents and Settings\Filip\.mysqlcc
2007-04-19 16:53 <DIR> d-------- C:\DOCUME~1\Filip\.mysqlcc
2007-04-17 19:09 <DIR> d-------- C:\DOCUME~1\Magda\DANEAP~1\Ahead
2007-04-17 13:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Spybot - Search & Destroy
2007-04-17 12:52 <DIR> d-------- C:\Program Files\NeoKwinto
2007-04-13 15:34 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-04-13 15:34 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-04-13 15:34 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-04-13 15:34 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-04-13 15:34 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-04-13 15:34 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-04-13 15:34 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-04-13 15:34 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-04-13 15:33 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-04-13 13:59 <DIR> d-------- C:\Program Files\DC++
2007-04-08 17:57 <DIR> d-------- C:\DOCUME~1\Magda\DANEAP~1\OpenOffice.org2
2007-04-07 15:24 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-04-05 19:19 <DIR> d-------- C:\DOCUME~1\Magda\Gadu-Gadu
2007-04-05 12:03 <DIR> d-------- C:\DOCUME~1\Filip\DANEAP~1\Xfire
2007-04-04 23:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Adobe Systems
2007-04-04 23:32 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-04-04 21:41 <DIR> d-------- C:\Program Files\PSPad editor
2007-04-04 21:41 <DIR> d-------- C:\DOCUME~1\Filip\DANEAP~1\PSpad
2007-04-04 16:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Test Drive Unlimited
2007-04-04 16:14 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-04-04 16:14 <DIR> dr-h----- C:\DOCUME~1\Filip\DANEAP~1\SecuROM
2007-04-01 15:57 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-04-01 15:55 646,392 --a------ C:\WINDOWS\system32\drivers\sptd.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-31 18:31:51 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-05-31 14:36:16 -------- d-----w C:\DOCUME~1\Filip\DANEAP~1\.purple
2007-05-31 08:40:20 -------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-05-30 17:06:13 -------- d-----w C:\DOCUME~1\Filip\DANEAP~1\Skype
2007-05-30 07:16:49 -------- d-----w C:\Program Files\Lx_cats
2007-05-29 20:17:54 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-29 12:02:20 -------- d-----w C:\Program Files\PeerGuardian2
2007-05-29 12:02:09 -------- d-----w C:\DOCUME~1\Filip\DANEAP~1\uTorrent
2007-05-28 15:18:50 -------- d-----w C:\DOCUME~1\Filip\DANEAP~1\OpenOffice.org2
2007-05-24 20:38:05 -------- d-----w C:\Program Files\Konnekt
2007-05-21 18:19:52 -------- d-----w C:\Program Files\Opera
2007-05-16 14:44:37 -------- d-----w C:\Program Files\Winamp
2007-04-25 19:35:18 -------- d-----w C:\Program Files\Realtek
2007-04-18 16:14:32 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-10 17:04:40 4,397,568 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2007-04-10 13:28:44 16,126,464 ----a-w C:\WINDOWS\RTHDCPL.exe
2007-04-08 11:47:49 74,450 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-04-08 11:47:49 448,348 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-04-06 20:08:57 -------- d-----w C:\Program Files\Gadu-Gadu
2007-04-04 15:22:46 1,822,720 ----a-w C:\WINDOWS\SkyTel.exe
2007-04-01 14:00:35 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-01 10:14:03 -------- d-----w C:\DOCUME~1\Filip\DANEAP~1\Ahead
2007-03-31 19:46:22 -------- d-----w C:\Program Files\Common Files\Ahead
2007-03-31 19:42:34 -------- d-----w C:\Program Files\Nero
2007-03-31 19:18:58 -------- d-----w C:\Program Files\SlySoft
2007-03-31 14:10:11 -------- d-----w C:\DOCUME~1\Filip\DANEAP~1\Media Player Classic
2007-03-31 14:08:29 -------- d-----w C:\Program Files\K-Lite Codec Pack
2007-03-31 14:08:24 -------- d-----w C:\DOCUME~1\Filip\DANEAP~1\Real
2007-03-31 11:31:54 -------- d-----w C:\Program Files\uTorrent
2007-03-30 18:45:26 -------- d-----w C:\DOCUME~1\Filip\DANEAP~1\FaxCtr
2007-03-30 13:09:24 -------- d-----w C:\Program Files\Lexmark Fax Solutions
2007-03-30 13:08:31 -------- d-----w C:\Program Files\Lexmark 2300 Series
2007-03-30 12:54:29 -------- d-----w C:\Program Files\Windows NT
2007-03-30 12:39:57 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-03-30 12:25:59 -------- d-----w C:\Program Files\Common Files\Labtec
2007-03-30 12:25:31 -------- d-----w C:\Program Files\Common Files\LogiShrd
2007-03-30 12:25:26 -------- d-----w C:\Program Files\Labtec
2007-03-30 12:09:25 -------- d-----w C:\Program Files\Common Files\Logitech
2007-03-30 12:00:01 -------- d-----w C:\Program Files\MSXML 4.0
2007-03-30 11:37:07 -------- d-----w C:\Program Files\AvRack
2007-03-30 10:52:54 -------- d-----w C:\Program Files\Messenger
2007-03-30 10:15:46 -------- d-----w C:\Program Files\Movie Maker
2007-03-29 20:59:33 -------- d-----w C:\Program Files\OpenOffice.org 2.2
2007-03-29 20:45:17 -------- d-----w C:\Program Files\Stardock
2007-03-29 20:37:46 -------- d-----w C:\DOCUME~1\Filip\DANEAP~1\Winamp
2007-03-29 20:26:16 -------- d-----w C:\Program Files\SubEdit-Player
2007-03-29 19:35:10 -------- d-----w C:\Program Files\A4Tech
2007-03-29 12:03:52 -------- d--h--w C:\Program Files\WindowsUpdate
2007-03-29 11:23:28 -------- d-----w C:\DOCUME~1\Filip\DANEAP~1\Opera
2007-03-29 11:19:57 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-03-29 11:15:37 -------- d-----w C:\Program Files\Alwil Software
2007-03-29 11:06:45 -------- d-----w C:\Program Files\SEC
2007-03-29 10:55:33 -------- d-----w C:\Program Files\Realtek Sound Manager
2007-03-29 10:55:12 -------- d-----w C:\Program Files\Gigabyte
2007-03-29 10:52:05 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-03-28 22:56:46 -------- d-----w C:\Program Files\microsoft frontpage
2007-03-28 22:56:24 0 --sha-r C:\MSDOS.SYS
2007-03-28 22:56:24 0 --sha-r C:\IO.SYS
2007-03-28 22:56:24 0 ----a-w C:\CONFIG.SYS
2007-03-28 22:56:24 0 ----a-w C:\AUTOEXEC.BAT
2007-03-28 22:55:14 -------- d-----w C:\Program Files\Usługi online
2007-03-28 22:54:16 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-03-28 22:53:45 21,856 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-28 22:53:14 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-03-23 17:19:10 9,715,200 ----a-w C:\WINDOWS\RTLCPL.exe
2007-03-17 13:45:36 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll
2007-03-08 22:02:00 75,512 ----a-w C:\WINDOWS\zllsputility.exe
2007-03-08 22:01:42 1,087,216 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-03-08 15:38:47 579,072 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:38:47 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:38:47 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:37:33 1,843,840 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 23:51:00 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-03-06 14:05:52 323,624 ----a-w C:\WINDOWS\system32\wiaaut.dll
2004-08-03 22:44:20 1,347,584 --sh--r C:\WINDOWS\system32\soundvol32.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 C:\WINDOWS\system32\nvmctray.dll]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"WheelMouse"="C:\Program Files\A4Tech\Mouse\Amoumain.exe" [2007-02-10 23:33]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-03-06 17:48]
"@"="" []
"LogitechQuickCamRibbon"="C:\Program Files\Labtec\WebCam10\WebCam10.exe" [2007-03-06 17:58]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-05-05 01:25]
"EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [2005-06-08 18:19]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-05-03 20:20]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"SoundMan"="SOUNDMAN.EXE" []
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
"Microsoft"="soundvol32.exe" [2004-08-04 00:44 C:\WINDOWS\system32\soundvol32.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"Konnekt"="C:\Program Files\Konnekt\konnekt.exe" [2005-05-24 23:41]
"Steam"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft"=soundvol32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer

Rootkit scan 2007-05-31 20:56:57
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-31 20:59:36 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-31 20:59

--- E O F ---

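Post #4's reasoning (a detection only at boot points to an autostart key) is exactly what the two logs above bear out: a Run value named "Microsoft", a bare file name soundvol32.exe with no publisher data, and hidden+system attributes in ComboFix's Find3M list. As an added example, not a tool from the thread, the following Python triages those two log formats for those traits; the camouflage-name list and the scoring are my assumptions, and the sample lines are copied from the logs above with the path separators restored.

```python
"""Triage helpers for the Silent Runners 'Run' block and the ComboFix Find3M
listing posted above (added example, not the thread's own tool output)."""
import re
from dataclasses import dataclass, field

# Constructed sample: HKLM Run entries copied from the Silent Runners log above.
SAMPLE_RUN_KEY = r'''HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"ZoneAlarm Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"FaxCenterServer" = ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s" [null data]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"(Default)" = "(empty string)" [file not found]
"Microsoft" = "soundvol32.exe" [null data]
'''

# Constructed sample: three lines copied from the ComboFix Find3M section above.
SAMPLE_FIND3M = r'''2007-05-31 18:31:51 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-03-28 22:56:24 0 --sha-r C:\MSDOS.SYS
2004-08-03 22:44:20 1,347,584 --sh--r C:\WINDOWS\system32\soundvol32.exe
'''

# "name" = "command" [publisher], the way Silent Runners prints each Run value.
RUN_LINE = re.compile(r'^"(?P<name>[^"]*)" = "(?P<cmd>.*)" \[(?P<sig>[^\]]*)\]$')
# date time size attributes path, the way ComboFix prints each Find3M line.
FIND3M_LINE = re.compile(r'^(\S+ \S+)\s+(\S+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>.+)$')

# Assumed list of value names that malware borrows to pass as a system component.
CAMOUFLAGE_NAMES = {"microsoft", "windows", "system"}


@dataclass
class Finding:
    name: str
    image: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def _image(cmd: str) -> str:
    """Return the executable part of a Run command line ('' if there is none)."""
    cmd = cmd.strip()
    if cmd in ("", "(empty string)"):
        return ""
    if cmd.startswith('"'):            # quoted path, possibly followed by arguments
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]              # unquoted: the first token is the image


def triage_run_key(text: str) -> list:
    """Score each Run value in a Silent Runners block; higher score = more suspect."""
    findings = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        name, sig = m.group("name"), m.group("sig").strip('"')
        image = _image(m.group("cmd"))
        if not image:
            continue
        reasons = []
        if name.lower() in CAMOUFLAGE_NAMES:
            reasons.append("value name impersonates a vendor or system component")
        if "\\" not in image and not image.lower().startswith("rundll32"):
            reasons.append("bare file name, resolved through the search path")
        if sig == "null data":
            reasons.append("file carries no version/publisher information")
        elif sig == "file not found":
            reasons.append("target file is missing")
        if reasons:
            findings.append(Finding(name, image, reasons))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def hidden_system_executables(text: str) -> list:
    """Paths in a Find3M listing that are executables with hidden+system attributes."""
    hits = []
    for line in text.splitlines():
        m = FIND3M_LINE.match(line.strip())
        if m and {"s", "h"} <= set(m.group("attrs")) and m.group("path").lower().endswith(".exe"):
            hits.append(m.group("path"))
    return hits


if __name__ == "__main__":
    for f in triage_run_key(SAMPLE_RUN_KEY):
        print(f"[{f.score}] {f.name!r} -> {f.image}: " + "; ".join(f.reasons))
    print("hidden+system executables:", hidden_system_executables(SAMPLE_FIND3M))
```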
#8
Use Windows Worms Doors Cleaner. Switch all the indicators so that they show green. After using it, restart the computer!

Download the tool The Avenger.

Run the program in Safe Mode and tick the option Input script manually. Then click the "magnifying glass" on the right side of the program window, and paste the following text into the window that opens:

Code:
Files to delete:

C:\WINDOWS\system32\soundvol32.exe

Registry values to delete:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" | "Microsoft"
"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices" | "Microsoft"


Click the Done button, then the "green light". Answer OK to the message that appears.

When it is done, post a new log.