Posts: 4
Threads: 1
Joined: 16.07.2008
Reputation: 0
Code: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:11:06, on 2008-07-16
Platform: Windows XP(WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilescFosSpeedspd.exe
C:WINDOWSSystem32nvsvc32.exe
C:Program FilesPC Tools AntiVirusPCTAVSvc.exe
C:Program FilesAnalog DevicesSoundMAXSMAgent.exe
C:WINDOWSExplorer.EXE
C:Program FilesPC Tools AntiVirusPCTAV.exe
C:Program FilesJavajre1.5.0_07binjusched.exe
C:Program FilescFosSpeedcFosSpeed.exe
C:WINDOWSSystem32RUNDLL32.EXE
C:WINDOWSSystem32ctfmon.exe
C:Program FilesMessengermsmsgs.exe
C:Program FilesVIARAIDraid_tool.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.5.0_07binssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:PROGRA~1FlashFXPIEFlash.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:Program FilesAskSBarbar1.binASKSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSystem32msdxm.ocx
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:Program FilesAskSBarbar1.binASKSBAR.DLL
O4 - HKLM..Run: [PCTAVApp] "C:Program FilesPC Tools AntiVirusPCTAV.exe" /MONITORSCAN
O4 - HKLM..Run: [SunJavaUpdateSched] C:Program FilesJavajre1.5.0_07binjusched.exe
O4 - HKLM..Run: [cFosSpeed] C:Program FilescFosSpeedcFosSpeed.exe
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSSystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [nwiz] nwiz.exe /install
O4 - HKLM..Run: [NvMediaCenter] RUNDLL32.EXE C:WINDOWSSystem32NvMcTray.dll,NvTaskbarInit
O4 - HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 -k
O4 - HKLM..Run: [Windows] C:WINDOWSservices.exe
O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [Gadu-Gadu] "C:Program FilesGadu-Gadugg.exe" /tray
O4 - HKCU..Run: [Skype] "C:Program FilesSkypePhoneSkype.exe" /nosplash /minimized
O4 - HKUSS-1-5-18..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background (User ''SYSTEM'')
O4 - HKUS.DEFAULT..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background (User ''Default user'')
O4 - Startup: hamachi.lnk = C:Program FilesHamachihamachi.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:Program FilesVIARAIDraid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.5.0_07binssv.dll
O9 - Extra ''Tools'' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.5.0_07binssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSwebrelated.htm (file missing)
O9 - Extra ''Tools'' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSwebrelated.htm (file missing)
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:Program FilescFosSpeedspd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINDOWSSystem32nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:Program FilesPC Tools AntiVirusPCTAVSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:Program FilesAnalog DevicesSoundMAXSMAgent.exe
--
End of file - 3989 bytes
Code: "Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCUSoftwareMicrosoftWindowsCurrentVersionRun {++}
"CTFMON.EXE" = "C:WINDOWSSystem32ctfmon.exe" [MS]
"MSMSGS" = ""C:Program FilesMessengermsmsgs.exe" /background" [MS]
"Gadu-Gadu" = ""C:Program FilesGadu-Gadugg.exe" /tray" ["Gadu-Gadu S.A."]
"Skype" = ""C:Program FilesSkypePhoneSkype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun {++}
"PCTAVApp" = ""C:Program FilesPC Tools AntiVirusPCTAV.exe" /MONITORSCAN" ["PC Tools Research Pty Ltd"]
"SunJavaUpdateSched" = "C:Program FilesJavajre1.5.0_07binjusched.exe" ["Sun Microsystems, Inc."]
"cFosSpeed" = "C:Program FilescFosSpeedcFosSpeed.exe" ["cFos Software GmbH"]
"NvCplDaemon" = "RUNDLL32.EXE C:WINDOWSSystem32NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:WINDOWSSystem32NvMcTray.dll,NvTaskbarInit" [MS]
"KernelFaultCheck" = "C:WINDOWSsystem32dumprep 0 -k"
"Windows" = "C:WINDOWSservices.exe" [file not found]
HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
InProcServer32(Default) = "C:Program FilesJavajre1.5.0_07binssv.dll" ["Sun Microsystems, Inc."]
{E5A1691B-D188-4419-AD02-90002030B8EE}(Default) = (no title provided)
-> {HKLM...CLSID} = "FlashFXP Helper for Internet Explorer"
InProcServer32(Default) = "C:PROGRA~1FlashFXPIEFlash.dll" ["IniCom Networks, Inc."]
{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}(Default) = "Ask Toolbar BHO"
-> {HKLM...CLSID} = "Ask Toolbar BHO"
InProcServer32(Default) = "C:Program FilesAskSBarbar1.binASKSBAR.DLL" ["Ask.com"]
HKLMSOFTWAREMicrosoftWindowsCurrentVersionShell ExtensionsApproved
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
InProcServer32(Default) = "C:WINDOWSSystem32hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "C:Program FilesWinRARrarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
InProcServer32(Default) = "C:WINDOWSSystem32nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
InProcServer32(Default) = "C:WINDOWSSystem32nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
InProcServer32(Default) = "C:WINDOWSSystem32nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:WINDOWSSystem32nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
InProcServer32(Default) = "C:WINDOWSSystem32nvshell.dll" ["NVIDIA Corporation"]
HKLMSOFTWAREClasses*shellexContextMenuHandlers
PCTAVShellExtension(Default) = "{AEEAEC2D-7EE9-4C66-937C-80BF8B03FD54}"
-> {HKLM...CLSID} = "PCTAVShlExt Class"
InProcServer32(Default) = "C:Program FilesPC Tools AntiVirusPCTAVShellExtension.dll" ["PC Tools Research Pty Ltd"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "C:Program FilesWinRARrarext.dll" [null data]
HKLMSOFTWAREClassesDirectoryshellexContextMenuHandlers
PCTAVShellExtension(Default) = "{AEEAEC2D-7EE9-4C66-937C-80BF8B03FD54}"
-> {HKLM...CLSID} = "PCTAVShlExt Class"
InProcServer32(Default) = "C:Program FilesPC Tools AntiVirusPCTAVShellExtension.dll" ["PC Tools Research Pty Ltd"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "C:Program FilesWinRARrarext.dll" [null data]
HKLMSOFTWAREClassesFoldershellexContextMenuHandlers
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "C:Program FilesWinRARrarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCUSoftwareMicrosoftInternet ExplorerDesktopGeneral
"Wallpaper" = "C:WINDOWSWebWallpaperIdylla.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCUControl PanelDesktop
"Wallpaper" = "C:WINDOWSWebWallpaperIdylla.bmp"
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerAutoplayHandlersHandlers
ASHAshampoo_Burning_Studio_7BURNONARRIVAL
"Provider" = "Ashampoo Burning Studio 7"
"InvokeProgID" = "Ashampoo.BurningStudio7"
"InvokeVerb" = "autoplay-burn"
HKLMSOFTWAREClassesAshampoo.BurningStudio7shellautoplay-burnCommand(Default) = ""C:Program FilesAshampooAshampoo Burning Studio 7burningstudio.exe" -autoplay -selectdrive "%l"" ["ashampoo Technology GmbH & Co. KG"]
ASHAshampoo_Burning_Studio_7COPYONARRIVAL
"Provider" = "Ashampoo Burning Studio 7"
"InvokeProgID" = "Ashampoo.BurningStudio7"
"InvokeVerb" = "autoplay-copy"
HKLMSOFTWAREClassesAshampoo.BurningStudio7shellautoplay-copyCommand(Default) = "C:Program FilesAshampooAshampoo Burning Studio 7burningstudio.exe" -autoplay -selectdrive "%l" -copy" [file not found]
ASHAshampoo_Burning_Studio_7RIPONARRIVAL
"Provider" = "Ashampoo Burning Studio 7"
"InvokeProgID" = "Ashampoo.BurningStudio7"
"InvokeVerb" = "autoplay-rip"
HKLMSOFTWAREClassesAshampoo.BurningStudio7shellautoplay-ripCommand(Default) = ""C:Program FilesAshampooAshampoo Burning Studio 7burningstudio.exe" -autoplay -selectdrive "%l" -rip" ["ashampoo Technology GmbH & Co. KG"]
MSPlayMusicFilesOnArrival
"Provider" = "@wmploc.dll,-6502"
"ProgID" = "WMPShell.HWEventHandler.1"
HKLMSOFTWAREClassesWMPShell.HWEventHandler.1CLSID(Default) = "{9B186A8F-F520-4eeb-B553-118304AC46C5}"
-> {HKLM...CLSID} = "WMP HWEventHandler"
LocalServer32(Default) = "C:WINDOWSSystem32wmpstub.exe" [MS]
MSPlayVideoFilesOnArrival
"Provider" = "@wmploc.dll,-6502"
"ProgID" = "WMPShell.HWEventHandler.1"
HKLMSOFTWAREClassesWMPShell.HWEventHandler.1CLSID(Default) = "{9B186A8F-F520-4eeb-B553-118304AC46C5}"
-> {HKLM...CLSID} = "WMP HWEventHandler"
LocalServer32(Default) = "C:WINDOWSSystem32wmpstub.exe" [MS]
WinampMTPHandler
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:Program FilesWinampwinamp.exe"
HKLMSOFTWAREClassesShell.HWEventHandlerShellExecuteCLSID(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
LocalServer32(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]
WinampPlayMediaOnArrival
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLMSOFTWAREClassesWinamp.FileshellPlaycommand(Default) = ""C:Program FilesWinampwinamp.exe" "%1"" ["Nullsoft"]
HKLMSOFTWAREClassesWinamp.FileshellPlayDropTargetCLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
LocalServer32(Default) = ""C:Program FilesWinampwinamp.exe"" ["Nullsoft"]
Startup items in "Arti" & "All Users" startup folders:
------------------------------------------------------
C:Documents and SettingsAll UsersMenu StartProgramyAutostart
"VIA RAID TOOL" -> shortcut to: "C:Program FilesVIARAIDraid_tool.exe" ["VIA Technologies"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLMSYSTEMCurrentControlSetServicesWinsock2ParametersNameSpace_Catalog5Catalog_Entries {++}
000000000001LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]
000000000002LibraryPath = "%SystemRoot%System32winrnr.dll" [MS]
000000000003LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]
Transport Service Providers
HKLMSYSTEMCurrentControlSetServicesWinsock2ParametersProtocol_Catalog9Catalog_Entries {++}
0000000000##PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:Program FilesCommon FilesPC ToolsLspPCTLsp.dll ["PC Tools Research Pty Ltd."], 01 - 03, 09
%SystemRoot%system32mswsock.dll [MS], 04 - 06, 10 - 19
%SystemRoot%system32rsvpsp.dll [MS], 07 - 08
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKLMSOFTWAREMicrosoftInternet ExplorerToolbar
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}" = (no title provided)
-> {HKLM...CLSID} = "Ask Toolbar"
InProcServer32(Default) = "C:Program FilesAskSBarbar1.binASKSBAR.DLL" ["Ask.com"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLMSOFTWAREMicrosoftInternet ExplorerExtensions
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
InProcServer32(Default) = "C:Program FilesJavajre1.5.0_07binssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_07"
InProcServer32(Default) = "C:Program FilesJavajre1.5.0_07binnpjpi150_07.dll" ["Sun Microsystems, Inc."]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
cFosSpeed System Service, cFosSpeedS, ""C:Program FilescFosSpeedspd.exe" -service" ["cFos Software GmbH"]
NVIDIA Display Driver Service, NVSvc, "C:WINDOWSSystem32nvsvc32.exe" ["NVIDIA Corporation"]
PC Tools AntiVirus Engine, PCTAVSvc, ""C:Program FilesPC Tools AntiVirusPCTAVSvc.exe"" ["PC Tools Research Pty Ltd"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:Program FilesAnalog DevicesSoundMAXSMAgent.exe" ["Analog Devices, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:WINDOWSSystem32wdfmgr.exe" [MS]
---------- (launch time: 2008-07-16 16:05:05)
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 501 seconds.
---------- (total run time: 3490 seconds)
Here are my logs from HijackThis and Silent Runners. I'm posting them because I'm afraid that, despite my attempts to remove a keylogger from the computer, it is probably still there. (I reinstalled the system, but I don't know whether the format did anything, because when I tried to install the system it said it was already there.) I would ask you to check the results and let me know whether there is anything suspicious among the processes.
@edit
I think everything is OK now. If there are any shortcomings, please let me know.
Posts: 850
Threads: 12
Joined: 15.07.2006
Reputation: 0
Logs go inside tags. First you post the HijackThis and Silent Runners logs. Read [To see links, register here] and fix your post.
Quote: O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - Crogram Files AskSBar bar1.binASKSBAR.DLL
O4 - HKLM..Run: [KernelFaultCheck]%systemroot%system32dumprep 0 -k
O4 - HKLM..Run: [Windows]C:WINDOWS services.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSwebrelated.htm (file missing)
O9 - Extra ''Tools'' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSwebrelated.htm (file missing)
Delete the bolded files manually from the disk in Safe Mode with System Restore turned off. Delete the entries in HijackThis.
After those steps, post a new HijackThis log and a log from [To see links, register here]
"I am not a consumer who fits the standard
I am not a species condemned to extinction
I am not the object of media noise
I am an illegal killer of time"
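A triage script for the two kinds of entry the helper singles out above: a core Windows binary name launched from outside System32 (the `[Windows] C:\WINDOWS\services.exe` Run value) and registrations HijackThis marks as `(file missing)`. This is an added example, not part of the original thread; the set of core binary names is an assumption, and the sample lines are copied from the first HijackThis log with the backslashes the forum stripped restored.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Core Windows processes that should only ever be launched from the system
# directory. A same-named file in another folder (C:\WINDOWS\services.exe in
# this thread) is a classic masquerade. The set is an assumption for the example.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM_DIRS = {r"c:\windows\system32"}

# HijackThis O4 line: "O4 - HKLM\..\Run: [Name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Any line HijackThis annotates with "(file missing)" is a dangling registration.
MISSING_RE = re.compile(r"\(file missing\)\s*$")
# First executable-looking token of a command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|dll|ocx|com|scr))(?="|\s|,|$)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def executable_of(cmd: str) -> str:
    """Return the program a Run command line launches, with %systemroot% expanded."""
    cmd = re.sub(r"%systemroot%", lambda _: r"C:\WINDOWS", cmd.strip(), flags=re.IGNORECASE)
    m = EXE_RE.match(cmd)
    if m:
        return m.group("exe")
    # No recognisable extension (e.g. "...\dumprep 0 -k"): take the first token.
    return cmd.strip('"').split(" ")[0]


def triage_hjt(log_text: str) -> List[Finding]:
    """Flag O4 Run entries that masquerade as core Windows binaries and any
    entry whose target file HijackThis reports as missing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if MISSING_RE.search(line):
            findings.append(Finding(line, "target file missing; dangling entry"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        directory, base = ntpath.split(executable_of(m.group("cmd")))
        if base.lower() in CORE_SYSTEM_BINARIES and directory.lower() not in SYSTEM_DIRS:
            where = directory or "<no path>"
            findings.append(Finding(line, f"{base} launched from '{where}' instead of System32"))
    return findings


# Constructed sample: lines from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\services.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

The script only points at entries worth a closer look; as in the thread, the dangling O9 entries are removed in HijackThis, while the misplaced binary is handled on disk.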
Posts: 4
Threads: 1
Joined: 16.07.2008
Reputation: 0
Well, I deleted that AskSBar, but I can't deal with the services.exe file.
I looked for it in C:\WINDOWS but it wasn't there; it was in C:\WINDOWS\system32 instead, but I can't delete it even in Safe Mode. I would ask for advice on what to do next.
@edit
Also, nobody has checked the Silent Runners log yet. If someone could look at it and pick out the malicious processes, I would be grateful.
Posts: 850
Threads: 12
Joined: 15.07.2006
Reputation: 0
The Silent Runners log showed me the same thing as the HijackThis log, only in more detail. I would like to see a ComboFix log.
Posts: 4
Threads: 1
Joined: 16.07.2008
Reputation: 0
Of course, here it is:
Code: ComboFix 08-07-15.4 - Arti 2008-07-16 20:20:56.1 - NTFSx86
Microsoft Windows XP Professional5.1.2600.0.1250.1.1045.18.734 [GMT 2:00]
Running from: C:Documents and SettingsArtiPulpitComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:WINDOWSsystem32msssc.dll
.
((((((((((((((((((((((((( Files Created from 2008-06-16 to 2008-07-16)))))))))))))))))))))))))))))))
.
2008-07-16 17:16 . 2008-07-16 20:23 <DIR> d--h----- C:Documents and SettingsAdministratorUstawienia lokalne
2008-07-16 17:16 . 2008-06-06 17:54 <DIR> d-------- C:Documents and SettingsAdministratorUlubione
2008-07-16 17:16 . 2008-06-06 17:01 <DIR> d--h----- C:Documents and SettingsAdministratorSzablony
2008-07-16 17:16 . 2008-06-06 17:54 <DIR> d-------- C:Documents and SettingsAdministratorPulpit
2008-07-16 17:16 . 2008-07-16 17:16 <DIR> d-------- C:Documents and SettingsAdministratorMoje dokumenty
2008-07-16 17:16 . 2008-06-06 17:54 <DIR> dr------- C:Documents and SettingsAdministratorMenu Start
2008-07-16 17:16 . 2008-06-06 17:54 <DIR> dr-h----- C:Documents and SettingsAdministratorDane aplikacji
2008-07-16 17:16 . 2008-07-16 17:16 <DIR> d-------- C:Documents and SettingsAdministrator
2008-07-15 15:37 . 2008-07-15 15:37 <DIR> d-------- C:Program FilesHamachi
2008-07-15 15:37 . 2008-07-16 11:41 <DIR> d-------- C:Documents and SettingsArtiDane aplikacjiHamachi
2008-07-15 15:37 . 2008-07-15 15:37 25,544 --a------ C:WINDOWSsystem32drivershamachi.sys
2008-07-14 15:09 . 2008-07-14 15:09 <DIR> d-------- C:Documents and SettingsArti.thumbnails
2008-07-14 15:09 . 2008-07-14 15:10 <DIR> d-------- C:Documents and SettingsArti.gimp-2.4
2008-07-08 22:48 . 2008-07-08 22:46 220 --a------ C:index.html
2008-07-07 23:40 . 2008-07-07 23:40 <DIR> d-------- C:WINDOWSSun
2008-07-06 13:51 . 2008-07-06 13:51 <DIR> d-------- C:Program FilesFlashFXP
2008-07-06 13:51 . 2008-07-06 13:51 <DIR> d-------- C:Documents and SettingsAll UsersDane aplikacjiFlashFXP
2008-07-06 13:45 . 2008-07-06 13:45 <DIR> d-------- C:Documents and SettingsArtiDane aplikacjiSmartFTP
2008-07-05 22:21 . 2008-07-05 22:21 <DIR> d-------- C:Program FilesHLTooLz
2008-07-05 22:19 . 2008-07-05 22:20 249,856 --------- C:WINDOWSSetup1.exe
2008-07-05 22:19 . 2008-07-05 22:20 73,216 --a------ C:WINDOWSST6UNST.EXE
2008-07-04 18:57 . 2008-07-04 19:35 <DIR> d-------- C:Program FilesTibia 7.6
2008-07-04 01:56 . 2008-07-10 14:45 <DIR> d-------- C:Program FilesSteam
2008-07-03 19:41 . 2008-07-03 19:41 <DIR> d-------- C:Program FilesAshampoo
2008-07-03 19:41 . 2008-07-03 19:41 <DIR> d-------- C:Documents and SettingsArtiDane aplikacjiAshampoo
2008-07-03 19:41 . 2008-07-03 19:41 <DIR> d-------- C:Documents and SettingsAll UsersDane aplikacjiashampoo
2008-07-03 19:16 . 2008-07-03 19:16 <DIR> d--hs---- C:WINDOWSftpcache
2008-07-03 00:53 . 2008-07-03 00:53 <DIR> d-------- C:Program FilesTibia 8.11
2008-07-02 18:23 . 2008-07-02 18:23 <DIR> d-------- C:Automap
2008-07-02 15:44 . 2008-07-02 15:44 <DIR> d--h----- C:WINDOWSPIF
2008-06-30 03:17 . 2008-06-30 03:19 <DIR> d----c--- C:WINDOWSsystem32DRVSTORE
2008-06-30 03:17 . 2006-09-28 14:10 11,648 --a------ C:WINDOWSsystem32driversgggen.sys
2008-06-30 02:58 . 2008-06-30 02:58 <DIR> d-------- C:SterySE
2008-06-28 01:02 . 2008-06-28 01:02 11 -ra------ C:WINDOWSamunres.lsl
2008-06-25 11:37 . 2008-06-25 11:37 <DIR> d-------- C:Program FilesuTorrent
2008-06-25 11:37 . 2008-06-25 11:58 <DIR> d-------- C:Documents and SettingsArtiDane aplikacjiuTorrent
2008-06-25 02:03 . 2008-06-25 11:32 <DIR> d-------- C:Documents and SettingsArtiDane aplikacjiAzureus
2008-06-25 02:03 . 2008-06-25 02:03 <DIR> d-------- C:Documents and SettingsAll UsersDane aplikacjiAzureus
2008-06-25 02:02 . 2008-06-25 11:33 <DIR> d-------- C:Program FilesVuze
2008-06-22 22:57 . 2008-06-30 03:19 <DIR> d-------- C:Program FilesSony Ericsson
2008-06-22 21:26 . 2008-06-22 23:11 <DIR> d-------- C:Documents and SettingsSpidiDane aplikacjigtk-2.0
2008-06-22 21:26 . 2008-06-22 21:26 <DIR> d-------- C:Documents and SettingsSpidi.thumbnails
2008-06-22 21:25 . 2008-06-23 00:36 <DIR> d-------- C:Documents and SettingsSpidi.gimp-2.4
2008-06-22 21:24 . 2008-06-22 21:24 <DIR> d-------- C:Program FilesGIMP-2.0
2008-06-20 13:51 . 2008-06-20 13:52 <DIR> d-------- C:Documents and SettingsSpidiDane aplikacjiSkype
2008-06-19 14:51 . 2008-06-19 14:51 <DIR> d-------- C:Program FilesOrtalion Entertainment
2008-06-19 14:29 . 2008-06-19 16:17 <DIR> d-------- C:Program FilesSpring
2008-06-19 12:26 . 2008-06-19 12:26 <DIR> d-------- C:Program FilesLittleFighter2
2008-06-18 16:31 . 2008-06-18 16:31 10,752 --ahs---- C:WINDOWSThumbs.db
2008-06-18 16:31 . 2008-06-18 16:31 9,728 --ahs---- C:Thumbs.db
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-16 18:22 --------- d-----w C:Program FilesStepMania
2008-07-16 18:20 --------- d-----w C:Program FilescFosSpeed
2008-07-16 18:19 --------- d---a-w C:Documents and SettingsAll UsersDane aplikacjiTEMP
2008-07-16 18:16 --------- d-----w C:Program FilesPC Tools AntiVirus
2008-07-16 18:16 --------- d-----w C:Documents and SettingsArtiDane aplikacjiSkype
2008-07-09 18:49 --------- d-----w C:Program FilesGarena
2008-07-09 16:58 --------- d-----w C:Program FilesTibia
2008-07-07 20:53 --------- d-----w C:Documents and SettingsSpidiDane aplikacjiTibia
2008-07-05 07:53 --------- d-----w C:Documents and SettingsArtiDane aplikacjiTibia
2008-07-04 16:52 --------- d-----w C:Program FilesValve
2008-07-02 22:44 --------- d-----w C:Program FilesTibia 8.10
2008-06-18 11:46 --------- d-----w C:Program FilesworldTVRT
2008-06-16 13:52 --------- d-----w C:Program FilesCamStudio
2008-06-15 20:20 --------- d-----w C:Program FilesFraps
2008-06-14 09:45 --------- d-----w C:Documents and SettingsSpidiDane aplikacjiWinamp
2008-06-13 16:12 --------- d-----w C:WINDOWSsystem32configsystemprofileDane aplikacjiPC Tools
2008-06-09 16:57 --------- d-----w C:Program FilesTibiaBot NG
2008-06-09 13:58 --------- d-----w C:Program FilesUltraStar
2008-06-08 19:16 --------- d-----w C:Program FilesSopCast
2008-06-07 23:41 --------- d-----w C:Program FilesAsprate
2008-06-07 23:26 --------- d-----w C:Program FilesTibia 7.92
2008-06-07 23:21 --------- d-----w C:Documents and SettingsSpidiDane aplikacjiVentrilo
2008-06-07 13:18 --------- d-----w C:Program FilesVentrilo
2008-06-07 13:17 --------- d-----w C:Program FilesCommon FilesWise Installation Wizard
2008-06-07 11:57 --------- d-----w C:Documents and SettingsArtiDane aplikacjiVentrilo
2008-06-07 09:18 --------- d-----w C:Documents and SettingsArtiDane aplikacjiGadu-Gadu
2008-06-07 07:57 --------- d-----w C:Documents and SettingsAll UsersDane aplikacjiSpybot - Search & Destroy
2008-06-07 07:42 --------- d-----w C:Documents and SettingsArtiDane aplikacjiWinamp
2008-06-06 23:13 --------- d--h--w C:Program FilesInstallShield Installation Information
2008-06-06 21:44 --------- d-----w C:Documents and SettingsSpidiDane aplikacjiGadu-Gadu
2008-06-06 21:38 --------- d-----w C:Documents and SettingsSpidiDane aplikacjiPC Tools
2008-06-06 16:12 --------- d-----w C:Program FilesVIA
2008-06-06 16:12 --------- d-----w C:Program FilesCommon FilesInstallShield
2008-06-06 16:10 --------- d-----w C:Program FilesAnalog Devices
2008-06-06 15:31 --------- d-----w C:Program FilesSpybot - Search & Destroy
2008-06-06 15:31 --------- d-----w C:Program FilesK-Lite CodecPack
2008-06-06 15:30 --------- d-----w C:Program FilesSubEdit-Player
2008-06-06 15:30 --------- d-----w C:Program FilesK-Lite Codec Pack
2008-06-06 15:28 --------- d-----w C:Program FilesWinamp
2008-06-06 15:28 --------- d-----w C:Program FilesSkype
2008-06-06 15:28 --------- d-----w C:Documents and SettingsArtiDane aplikacjiPC Tools
2008-06-06 15:28 --------- d-----w C:Documents and SettingsAll UsersDane aplikacjiPC Tools
2008-06-06 15:18 --------- d-----w C:Program FilesGadu-Gadu
2008-06-06 15:17 --------- d-----w C:Program FilesJava
2008-06-06 15:16 --------- d-----w C:Program FilesCommon FilesJava
2008-06-06 15:15 --------- d-----w C:Program FilesCommon FilesPC Tools
2008-06-06 15:15 --------- d-----w C:Documents and SettingsArtiDane aplikacjiInstallShield
2008-06-06 15:14 --------- d-----w C:Program FilesTrend Micro
2008-06-06 15:14 --------- d-----w C:Program FilesStepMania CVS
2008-06-06 15:06 --------- d-----w C:Program Filesmicrosoft frontpage
2008-06-06 15:01 --------- d-----w C:Program FilesUsługi online
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"CTFMON.EXE"="C:WINDOWSSystem32ctfmon.exe" [2001-10-26 19:29 13312]
"MSMSGS"="C:Program FilesMessengermsmsgs.exe" [2001-08-02 07:14 1077277]
"Gadu-Gadu"="C:Program FilesGadu-Gadugg.exe" [2007-05-10 16:36 2111176]
"Skype"="C:Program FilesSkypePhoneSkype.exe" [2006-09-11 15:07 21840936]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"PCTAVApp"="C:Program FilesPC Tools AntiVirusPCTAV.exe" [2008-03-05 09:37 1238928]
"SunJavaUpdateSched"="C:Program FilesJavajre1.5.0_07binjusched.exe" [2006-05-03 02:56 36975]
"cFosSpeed"="C:Program FilescFosSpeedcFosSpeed.exe" [2007-10-29 18:02 850896]
"NvCplDaemon"="C:WINDOWSSystem32NvCpl.dll" [2005-05-12 00:34 6729728]
"NvMediaCenter"="C:WINDOWSSystem32NvMcTray.dll" [2005-05-12 00:34 86016]
"nwiz"="nwiz.exe" [2005-05-12 00:34 1519616 C:WINDOWSsystem32nwiz.exe]
[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
"MSMSGS"="C:Program FilesMessengermsmsgs.exe" [2001-08-02 07:14 1077277]
[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
"vidc.XVID"= xvid.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
"C:\Program Files\FlashFXP\FlashFXP.exe"=
R0 tffsport;M-Systems DiskOnChip 2000;C:WINDOWSSystem32DRIVERStffsport.sys [2001-08-17 21:52]
R0 viasraid;viasraid;C:WINDOWSSystem32DRIVERSviasraid.sys [2003-10-31 05:22]
S3 gggen;Generic USB Flash Driver;C:WINDOWSSystem32DRIVERSgggen.sys [2006-09-28 14:10]
S3 vhack;vhack;C:Documents and SettingsSpidiPulpitvHack v4vhack.sys []
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 20:24:17
Windows 5.1.2600NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-07-16 20:26:58
ComboFix-quarantined-files.txt2008-07-16 18:25:56
Pre-Run: 12,940,828,672 bajtów wolnych
Post-Run: 13,090,230,272 bajtów wolnych
165
@edit
I think I've dealt with that services.exe file by reading other forums. It is a trojan horse, more precisely a backdoor. I'm also posting a HijackThis log and would ask you to check it (the ComboFix log above is from before services.exe was deleted).
Code: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:54:51, on 2008-07-17
Platform: Windows XP(WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSExplorer.EXE
C:Program FilesPC Tools AntiVirusPCTAV.exe
C:Program FilesJavajre1.5.0_07binjusched.exe
C:Program FilescFosSpeedcFosSpeed.exe
C:WINDOWSSystem32RUNDLL32.EXE
C:WINDOWSSystem32ctfmon.exe
C:Program FilesMessengermsmsgs.exe
C:Program FilesGadu-Gadugg.exe
C:Program FilesSkypePhoneSkype.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe
C:Program FilescFosSpeedspd.exe
C:WINDOWSSystem32nvsvc32.exe
C:Program FilesPC Tools AntiVirusPCTAVSvc.exe
C:Program FilesAnalog DevicesSoundMAXSMAgent.exe
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.5.0_07binssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:PROGRA~1FlashFXPIEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSystem32msdxm.ocx
O4 - HKLM..Run: [PCTAVApp] "C:Program FilesPC Tools AntiVirusPCTAV.exe" /MONITORSCAN
O4 - HKLM..Run: [SunJavaUpdateSched] C:Program FilesJavajre1.5.0_07binjusched.exe
O4 - HKLM..Run: [cFosSpeed] C:Program FilescFosSpeedcFosSpeed.exe
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSSystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [nwiz] nwiz.exe /install
O4 - HKLM..Run: [NvMediaCenter] RUNDLL32.EXE C:WINDOWSSystem32NvMcTray.dll,NvTaskbarInit
O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [Gadu-Gadu] "C:Program FilesGadu-Gadugg.exe" /tray
O4 - HKCU..Run: [Skype] "C:Program FilesSkypePhoneSkype.exe" /nosplash /minimized
O4 - HKUSS-1-5-18..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background (User ''SYSTEM'')
O4 - HKUS.DEFAULT..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background (User ''Default user'')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.5.0_07binssv.dll
O9 - Extra ''Tools'' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.5.0_07binssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSwebrelated.htm (file missing)
O9 - Extra ''Tools'' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSwebrelated.htm (file missing)
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:Program FilescFosSpeedspd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINDOWSSystem32nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:Program FilesPC Tools AntiVirusPCTAVSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:Program FilesAnalog DevicesSoundMAXSMAgent.exe
--
End of file - 3817 bytes
Posts: 850
Threads: 12
Joined: 15.07.2006
Reputation: 0
Quote: O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSwebrelated.htm (file missing)
O9 - Extra ''Tools'' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSwebrelated.htm (file missing)
Delete those entries in HijackThis. Apart from that, nothing is visible.
Posts: 4
Threads: 1
Joined: 16.07.2008
Reputation: 0
I also hope that's everything. Thanks for the help.