[split] TR/Crypt.XPACK.Gen - problem
#1
Hello
I have a similar problem to the colleague earlier with this virus. I assume I have to attach the same logs, so here they are:

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:36:50, on 2008-07-07
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [link hidden: register to see links]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [link hidden: register to see links]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [link hidden: register to see links]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [link hidden: register to see links]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O4 - HKCU\..\Run: [Mailbox Digger] C:\Program Files\Digger\digger.exe -startup
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - [link hidden: register to see links]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe

--
End of file - 6943 bytes

Quote:
ComboFix 08-07-05.1 - Administrator 2008-07-07 1:22:32.1 - FAT32 x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.507 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator.ALPISZON\Pulpit\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.JAR
C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.MANIFEST
C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.JAR
C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.MANIFEST
C:\Program Files\myglobalsearch\bar\1.bin\M9PLUGIN.DLL
C:\Program Files\myglobalsearch\bar\1.bin\NPMYGLSH.DLL
C:\Program Files\myglobalsearch\bar\Cache\000177FA
C:\Program Files\myglobalsearch\bar\Cache\000186A0
C:\Program Files\myglobalsearch\bar\Cache\00018836.bin
C:\Program Files\myglobalsearch\bar\Cache\000B94A9.bin
C:\Program Files\myglobalsearch\bar\Cache\000B9C69.bin
C:\Program Files\myglobalsearch\bar\Cache\files.ini
C:\Program Files\myglobalsearch\bar\History\search
C:\Program Files\myglobalsearch\bar\Settings\prevcfg.htm
C:\WINDOWS\g32.txt
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-06 to 2008-07-06)))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-06 23:24 262,144 ---ha-w C:\Documents and Settings\NetworkService.ZARZĄDZANIE NT\NTUSER.DAT
2008-07-06 23:24 262,144 ---ha-w C:\Documents and Settings\NetworkService.ZARZĄDZANIE NT\NTUSER.DAT
2008-07-06 23:24 262,144 ---ha-w C:\Documents and Settings\LocalService.ZARZĄDZANIE NT\NTUSER.DAT
2008-07-06 23:24 262,144 ---ha-w C:\Documents and Settings\LocalService.ZARZĄDZANIE NT\NTUSER.DAT
2008-06-21 07:03 110,179 --sh--r C:\udr.com
2008-06-06 07:24 8,064 ----a-w C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-05-30 12:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 12:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 12:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 12:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 12:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 12:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 12:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-07 05:39 1,419,232 ----a-w C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-05-07 05:38 90,624 ----a-w C:\WINDOWS\system32\nmwcdcls.dll
2008-05-07 05:38 8,064 ----a-w C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
2008-05-07 05:38 659,968 ----a-w C:\WINDOWS\system32\nmwcdcocls.dll
2008-05-07 05:38 20,864 ----a-w C:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-05-07 05:38 17,536 ----a-w C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-04-28 14:53 805,400 ----a-r C:\WINDOWS\system32\tmp161.tmp
2008-04-28 14:53 805,400 ----a-r C:\WINDOWS\system32\tmp160.tmp
2007-06-02 16:55 1,352 ----a-w C:\Program Files\ustawienia TurMaestro.txt
2007-03-28 20:11 555 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WhatPulse"="C:\Program Files\WhatPulse\WhatPulse.exe" [2006-08-21 18:48 665600]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe" [2007-04-04 14:41 970752]
"Mailbox Digger"="C:\Program Files\Digger\digger.exe" [2007-05-02 21:25 3793920]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 16:00 1249280]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-06-18 14:31 1122816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-18 21:55 262401]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 02:32 7204864]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 02:32 86016]
"nwiz"="nwiz.exe" [2005-09-18 02:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-10-04 14:12 90112 C:\WINDOWS\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:44 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-09-18 02:32 7204864 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-09-18 02:32 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-09-18 02:32 1519616 C:\WINDOWS\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Gadu-Gadu\gg.exe"=
"C:\Program Files\Java\jre1.5.0_06\bin\javaw.exe"=
"E:\Dokumenty\wincmd 4.51\WINCMD32.EXE"=
"C:\Program Files\BearShare\BearShare.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPortsList]
"55235:TCP"= 55235:TCP:Azureus
"27468:TCP"= 27468:TCP:BitComet 27468 TCP
"27468:UDP"= 27468:UDP:BitComet 27468 UDP

R1 vbev5mp;vbev5mp;C:\WINDOWS\system32\Drivers\vbev5mp.sys [2003-09-09 14:25]
S2 msupdsvc;Microsoft Update Service Helper;C:\WINDOWS\system32\msupdsvc32.exe []
S3 w200bus;Sony Ericsson W200 driver (WDM);C:\WINDOWS\system32\DRIVERS\w200bus.sys [2006-11-07 09:42]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w200mdfl.sys [2006-11-07 09:42]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w200mdm.sys [2006-11-07 09:42]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w200mgmt.sys [2006-11-07 09:42]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w200obex.sys [2006-11-07 09:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74958f90-d180-11dc-a190-001485e2305a}]
\Shell\AutoRun\command - I:\udr.com
\Shell\explore\Command - I:\udr.com
\Shell\open\Command - I:\udr.com

.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-WhenUSave - C:\Program Files\Save\Save.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [link hidden: register to see links]
Rootkit scan 2008-07-07 01:24:52
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
.
**************************************************************************
.
Completion time: 2008-07-07 1:26:26 - machine was rebooted
ComboFix-quarantined-files.txt  2008-07-06 23:26:24

Pre-Run: 887,029,760 bytes free
Post-Run: 1,712,889,856 bytes free

152
Reply
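What a responder checks by eye in the two logs above can be scripted. The following Python is an added example, not part of the original post and not code from HijackThis or ComboFix; the rule names, the Finding class and the sample lines (a handful copied from the logs above with the path separators restored) are this example's own. It flags the items a practitioner looks at first: an O23 service whose image is reported missing, an auto-start (S2) service entry with no file behind it, MountPoints2 handlers that point into a removable drive, the firewall policy switched off, and a hidden+system file sitting in a drive root.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis and ComboFix
# logs in the post above, with the backslashes the forum stripped put back.
SAMPLE_LOG = r"""
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S2 msupdsvc;Microsoft Update Service Helper;C:\WINDOWS\system32\msupdsvc32.exe []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74958f90-d180-11dc-a190-001485e2305a}]
\Shell\AutoRun\command - I:\udr.com
\Shell\open\Command - I:\udr.com
2008-06-21 07:03 110,179 --sh--r C:\udr.com
2008-05-30 12:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # name of the triage rule that fired (this example's own names)
    detail: str  # what the rule matched


# HijackThis O23 line; "(file missing)" is appended when the image path does not exist.
O23_MISSING = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?) \(file missing\)$")
# ComboFix service summary "<start> <name>;<display>;<path> [<stamp>]"; an empty [] means no file.
SVC_EMPTY = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^ ]+) \[\]$")
# ComboFix MountPoints2 dump: "\Shell\<verb>\command - <drive>:\<file>"
MOUNTPOINT_CMD = re.compile(
    r"^\\Shell\\(?P<verb>\w+)\\command - (?P<target>[A-Z]:\\.+)$", re.IGNORECASE)
# Find3M entry "<date> <time> <size> <attrs> <path>"; attrs hold 's' and 'h' for system+hidden.
FIND3M = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} [\d,]+ (?P<attrs>[-a-z]{7}) (?P<path>[A-Z]:\\.+)$")
ROOT_FILE = re.compile(r"^[A-Z]:\\[^\\]+$")


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches a rule worth a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O23_MISSING.match(line):
            findings.append(Finding("service-image-missing", f"{m['name']} -> {m['path']}"))
        elif m := SVC_EMPTY.match(line):
            # Auto-start (S2) with nothing on disk: the service entry outlived its binary.
            if m["start"] == "S2":
                findings.append(Finding("autostart-service-no-file", f"{m['name']} -> {m['path']}"))
        elif m := MOUNTPOINT_CMD.match(line):
            findings.append(Finding("mountpoints2-handler", f"{m['verb']} -> {m['target']}"))
        elif line.startswith('"EnableFirewall"=') and line.split("=", 1)[1].strip().startswith("0"):
            findings.append(Finding("firewall-disabled", line))
        elif m := FIND3M.match(line):
            attrs, path = m["attrs"], m["path"]
            if "s" in attrs and "h" in attrs and ROOT_FILE.match(path):
                findings.append(Finding("hidden-system-file-in-root", path))
    return findings


def rules_hit(log_text: str) -> set[str]:
    """Set of rule names that fired at least once; handy for a quick verdict."""
    return {f.rule for f in triage(log_text)}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.rule}] {finding.detail}")
```

Run stand-alone it prints one line per finding: the msupdsvc entry fires under both the HijackThis and the ComboFix rule, the UPS service fires once, the two MountPoints2 handlers and the hidden+system C:\udr.com line up with each other, and the disabled firewall policy is reported from the single "EnableFirewall" value. The NVIDIA service and the DirectX DLL are left alone, which is the point: the rules key on structural signals (missing image, empty timestamp, removable-drive handler, attribute bits), not on file names.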
#2
I carried out the further steps that were suggested to the first colleague and here are the new logs:
Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:53:09, on 2008-07-07
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [link hidden: register to see links]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [link hidden: register to see links]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [link hidden: register to see links]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [link hidden: register to see links]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O4 - HKCU\..\Run: [Mailbox Digger] C:\Program Files\Digger\digger.exe -startup
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - [link hidden: register to see links]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe

--
End of file - 7097 bytes

Quote:
ComboFix 08-07-05.1 - Administrator 2008-07-07 1:54:02.2 - FAT32 x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.540 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator.ALPISZON\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-06 to 2008-07-06)))))))))))))))))))))))))))))))
.

2008-07-07 01:45 . 2008-07-07 01:45 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-07 01:43 . 2008-07-06 15:20 <DIR> d-------- C:\SDFix
2008-07-07 01:36 . 2008-07-07 01:36 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-21 07:03 110,179 --sh--r C:\udr.com
2008-06-06 07:24 8,064 ----a-w C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-05-30 12:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 12:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 12:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 12:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 12:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 12:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 12:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-07 05:39 1,419,232 ----a-w C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-05-07 05:38 90,624 ----a-w C:\WINDOWS\system32\nmwcdcls.dll
2008-05-07 05:38 8,064 ----a-w C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
2008-05-07 05:38 659,968 ----a-w C:\WINDOWS\system32\nmwcdcocls.dll
2008-05-07 05:38 20,864 ----a-w C:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-05-07 05:38 17,536 ----a-w C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-04-28 14:53 805,400 ----a-r C:\WINDOWS\system32\tmp161.tmp
2008-04-28 14:53 805,400 ----a-r C:\WINDOWS\system32\tmp160.tmp
2007-06-02 16:55 1,352 ----a-w C:\Program Files\ustawienia TurMaestro.txt
2007-03-28 20:11 555 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-07_ 1.26.05.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-06 23:24:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-06 23:49:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-06 13:18:14 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-07-06 23:46:06 8,593,408 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-07-06 23:46:06 245,760 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-06 13:18:14 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-07-06 23:45:56 8,593,408 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-07-06 23:45:56 245,760 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WhatPulse"="C:\Program Files\WhatPulse\WhatPulse.exe" [2006-08-21 18:48 665600]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39 2119104]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe" [2007-04-04 14:41 970752]
"Mailbox Digger"="C:\Program Files\Digger\digger.exe" [2007-05-02 21:25 3793920]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 16:00 1249280]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-06-18 14:31 1122816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-18 21:55 262401]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 02:32 7204864]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 02:32 86016]
"nwiz"="nwiz.exe" [2005-09-18 02:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-10-04 14:12 90112 C:\WINDOWS\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:44 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-09-18 02:32 7204864 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-09-18 02:32 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-09-18 02:32 1519616 C:\WINDOWS\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Gadu-Gadu\gg.exe"=
"C:\Program Files\Java\jre1.5.0_06\bin\javaw.exe"=
"E:\Dokumenty\wincmd 4.51\WINCMD32.EXE"=
"C:\Program Files\BearShare\BearShare.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPortsList]
"55235:TCP"= 55235:TCP:Azureus
"27468:TCP"= 27468:TCP:BitComet 27468 TCP
"27468:UDP"= 27468:UDP:BitComet 27468 UDP

R1 vbev5mp;vbev5mp;C:\WINDOWS\system32\Drivers\vbev5mp.sys [2003-09-09 14:25]
S2 msupdsvc;Microsoft Update Service Helper;C:\WINDOWS\system32\msupdsvc32.exe []
S3 w200bus;Sony Ericsson W200 driver (WDM);C:\WINDOWS\system32\DRIVERS\w200bus.sys [2006-11-07 09:42]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w200mdfl.sys [2006-11-07 09:42]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w200mdm.sys [2006-11-07 09:42]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w200mgmt.sys [2006-11-07 09:42]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w200obex.sys [2006-11-07 09:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74958f90-d180-11dc-a190-001485e2305a}]
\Shell\AutoRun\command - I:\udr.com
\Shell\explore\Command - I:\udr.com
\Shell\open\Command - I:\udr.com

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [link hidden: register to see links]
Rootkit scan 2008-07-07 01:54:47
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-07 1:55:06
ComboFix-quarantined-files.txt  2008-07-06 23:55:06
ComboFix2.txt  2008-07-06 23:26:30

Pre-Run: 1,753,915,392 bytes free
Post-Run: 1,745,338,368 bytes free

122

Quote:
SDFix: Version 1.202
Run by Administrator on 2008-07-07 at 01:47

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found


Removing Temp Files

ADS Check :


Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [link hidden: register to see links]
Rootkit scan 2008-07-07 01:50:39
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplicationslist]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Gadu-Gadu\gg.exe"="C:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program glowny"
"C:\Program Files\Java\jre1.5.0_06\bin\javaw.exe"="C:\Program Files\Java\jre1.5.0_06\bin\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"E:\Dokumenty\wincmd 4.51\WINCMD32.EXE"="E:\Dokumenty\wincmd 4.51\WINCMD32.EXE:*:Enabled:Windows Commander 32 bit international version, file manager replacement for Windows"
"C:\Program Files\BearShare\BearShare.exe"="C:\Program Files\BearShare\BearShare.exe:*:Enabled:BearShare"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplicationslist]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


Files with Hidden Attributes :

Sat 21 Jun 2008 110,179 ..SHR --- "C:\udr.com"
Wed 28 Mar 2007 555 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Tue 5 Dec 2006 401 ..SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\DRMv14.bak"
Sat 22 Apr 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\DRMv1.bak"
Sat 21 Jun 2003 377,344 A..H. --- "C:\Program Files\Smart Projects\IsoBuster\Help\AHlp.exe"
Fri 15 Feb 2008 323,072 ...H. --- "C:\Documents and Settings\Administrator.ALPISZON\Dane aplikacji\Microsoft\Word\~WRL1188.tmp"
Fri 15 Feb 2008 323,072 ...H. --- "C:\Documents and Settings\Administrator.ALPISZON\Dane aplikacji\Microsoft\Word\~WRL0014.tmp"
Fri 15 Feb 2008 323,072 ...H. --- "C:\Documents and Settings\Administrator.ALPISZON\Dane aplikacji\Microsoft\Word\~WRL1028.tmp"
Fri 15 Feb 2008 323,072 ...H. --- "C:\Documents and Settings\Administrator.ALPISZON\Dane aplikacji\Microsoft\Word\~WRL3634.tmp"

Finished!


I hope that I too will get advice on what to do next.
Reply
#3
To be carried out in Safe Mode, with System Restore switched off:

Open Notepad and paste this into it:

Code:
File::

C:\udr.com
C:\WINDOWS\system32\tmp161.tmp
C:\WINDOWS\system32\tmp160.tmp

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74958f90-d180-11dc-a190-001485e2305a}]


File >>> Save as... CFScript.
Drag the CFScript file onto the ComboFix icon and the removal process will start; the computer may reboot during it.

Code:
C:\WINDOWS\system32\msupdsvc32.exe


Scan this file at

[link hidden: register to see links]

or

[link hidden: register to see links]

"I am not a consumer who fits the standard
I am not a species doomed to extinction
I am not the object of media noise
I am an illegal killer of time"
Reply
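The MountPoints2 keys the script above deletes are Explorer's cache of the autorun.inf it parsed from the removable volume, which is why the same I:\udr.com shows up under the AutoRun, open and explore verbs (the first ComboFix run in post #1 also deleted a C:\autorun.inf). As an added example, not part of the original reply and not ComboFix's own code, the Python below parses an autorun.inf of the shape such a worm drops and lists the verb handlers Explorer would record, rendered the way ComboFix prints MountPoints2 entries. The sample autorun.inf is constructed for illustration (the real file is not on the page), and the mapping of open/shellexecute to the AutoRun verb, with open taking precedence when both are present, is this example's assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of an autorun.inf dropped by a removable-drive
# worm (assumption for illustration; the file ComboFix deleted is not on the page).
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
open=udr.com
shell\open=Open
shell\open\Command=udr.com
shell\explore=Explore
shell\explore\Command=udr.com
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


@dataclass(frozen=True)
class AutorunHandler:
    verb: str     # Explorer verb: AutoRun, open, explore, ...
    command: str  # command line Explorer would launch for that verb


def parse_autorun_inf(text: str) -> dict[str, str]:
    """Return the key/value pairs of the [autorun] section with keys lower-cased.

    Windows treats the section name and keys case-insensitively; lines outside
    the [autorun] section and ';' comment lines are ignored.
    """
    entries: dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def handlers(entries: dict[str, str], drive: str) -> list[AutorunHandler]:
    """Map autorun.inf keys to the verb handlers Explorer caches under MountPoints2.

    'open' (or 'shellexecute' when 'open' is absent; that precedence is an
    assumption of this example) becomes the AutoRun verb, and every
    'shell\\<verb>\\command' key becomes that verb's handler. Relative commands
    are resolved against the volume root, which is how the cached entries end
    up reading like 'I:\\udr.com'.
    """
    def resolve(command: str) -> str:
        return command if re.match(r"^[A-Za-z]:\\", command) else f"{drive}:\\{command}"

    found: list[AutorunHandler] = []
    for key in ("open", "shellexecute"):
        if key in entries:
            found.append(AutorunHandler("AutoRun", resolve(entries[key])))
            break
    for key, value in entries.items():
        if m := re.match(r"^shell\\([^\\]+)\\command$", key):
            found.append(AutorunHandler(m.group(1), resolve(value)))
    return found


def mountpoints2_lines(entries: dict[str, str], drive: str) -> list[str]:
    """Render the handlers in the form ComboFix prints MountPoints2 entries."""
    return [f"\\Shell\\{h.verb}\\command - {h.command}" for h in handlers(entries, drive)]


if __name__ == "__main__":
    for line in mountpoints2_lines(parse_autorun_inf(SAMPLE_AUTORUN_INF), "I"):
        print(line)
```

Run stand-alone it prints the three handler lines for drive I:, matching the shape of the entries under the {74958f90-...} key in the ComboFix logs. Deleting the cached key, as the script above does, removes the stale handlers for that volume; it does not stop Explorer from caching a new set the next time a volume with an autorun.inf is plugged in, so the removable drive itself still has to be cleaned.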

