franko
#1 Posted: 23 October 2007 14:18:57 (UTC)
Rank: User
Joined: 2004-09-10 (UTC)
Posts: 3
Location: Trzcianka – near Piła

I have a problem: after an attempted break-in on my computer I cannot open any of my drives. When I double-click one, the "Open with" window appears and Windows wants me to specify the program it should use to open the drive folder. After choosing Explorer the folder opens, but I cannot make that the default action for opening the drive. Clicking Start -> Run: "c:\" works too. But how do I set it so that by default it opens the drive with Explorer? The problem seems trivial to me, but I cannot find any options in Win XP that would solve it. So I ask the more experienced users for help, and greetings.
Seeker
#2 Posted: 23 October 2007 15:56:06 (UTC)
Rank: Moderator
Joined: 2003-10-16 (UTC)
Posts: 4,133
Location: Wielkopolska

My Computer > Tools tab > Folder Options > File Types.
Name "Drive" - Set Default.
You can also try the command:
Start > Run > regsvr32 /i shell32

It is quite possible that you caught a rootkit or a trojan.

Edited by user 23 October 2007 15:58:31 (UTC) | Reason: Not specified

"Generally, the point is not to be an idiot"
odi profanum vulgus et arceo
Leon$
#3 Posted: 23 October 2007 18:51:44 (UTC)
Rank: User
Joined: 2006-03-15 (UTC)
Posts: 217

You probably have an "AutoPlay" option in the right-click menu.

Download ComboFix (installer with instructions),
scan the system with it, make a log and post it on the forum.

Also post a HijackThis log (installer with instructions).
franko
#4 Posted: 24 October 2007 16:50:30 (UTC)
Rank: User
Joined: 2004-09-10 (UTC)
Posts: 3
Location: Trzcianka – near Piła

OK, I am posting the logs from those programs; if anyone can read anything out of them, please reply.

ComboFix:
Code:

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\Kamila\Dane aplikacji\macromedia\Flash Player\#SharedObjects\5VLK6V6X\iforex.com
C:\Documents and Settings\Kamila\Dane aplikacji\macromedia\Flash Player\#SharedObjects\5VLK6V6X\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Kamila\Dane aplikacji\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Kamila\Dane aplikacji\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Program Files\internet explorer\iekey.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.

2007-10-24 15:39    51,200    --a------    C:\WINDOWS\NirCmd.exe
2007-10-23 11:55    <DIR>    d--------    C:\WINDOWS\system32\NtmsData
2007-10-17 20:03    180,224    --a------    C:\WINDOWS\system32\Ijl11.dll
2007-10-17 20:03    24,626    --a------    C:\WINDOWS\system32\scrrntr.dll
2007-10-17 20:03    19,456    --a------    C:\WINDOWS\system32\KTKBDHK3.DLL
2007-10-17 20:03    52    --a------    C:\WINDOWS\system\ACD2.CMD
2007-10-17 20:03    52    --a------    C:\WINDOWS\system\ACD.CMD
2007-10-10 09:44    584,192    ---------    C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 16:45    <DIR>    d--------    C:\Documents and Settings\NetworkService\Dane aplikacji
2007-10-09 13:51    <DIR>    d--------    C:\Documents and Settings\LocalService\Dane aplikacji
2007-10-05 13:38    <DIR>    d--------    C:\Program Files\WeatherCast
2007-10-05 13:38    <DIR>    d--------    C:\Program Files\Save
2007-10-04 16:40    2,560    --a------    C:\WINDOWS\system32\bitcometres.dll
2007-10-02 17:29    <DIR>    d--------    C:\Documents and Settings\Kamila\Dane aplikacji\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-22 13:19    96,768    ------w    C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:19    661,504    ------w    C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:19    616,448    ------w    C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:19    55,808    ------w    C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:19    532,480    ------w    C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:19    474,112    ------w    C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:19    449,024    ------w    C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:19    39,424    ------w    C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:19    357,888    ------w    C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:19    3,079,168    ------w    C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:19    251,392    ------w    C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:19    205,312    ------w    C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:19    16,384    ------w    C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:19    151,552    ------w    C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:19    146,432    ------w    C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:19    1,494,528    ------w    C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:19    1,055,744    ------w    C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:19    1,022,976    ------w    C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30    18,432    ------w    C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:18    683,520    ----a-w    C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:18    683,520    ------w    C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-07-30 17:19    92,504    ----a-w    C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 17:19    92,504    ----a-w    C:\WINDOWS\system32\cdm.dll
2007-07-30 17:19    549,720    ----a-w    C:\WINDOWS\system32\wuapi.dll
2007-07-30 17:19    549,720    ----a-w    C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 17:19    53,080    ----a-w    C:\WINDOWS\system32\wuauclt.exe
2007-07-30 17:19    53,080    ----a-w    C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 17:19    43,352    ----a-w    C:\WINDOWS\system32\wups2.dll
2007-07-30 17:19    325,976    ----a-w    C:\WINDOWS\system32\wucltui.dll
2007-07-30 17:19    325,976    ----a-w    C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 17:19    271,224    ----a-w    C:\WINDOWS\system32\mucltui.dll
2007-07-30 17:19    207,736    ----a-w    C:\WINDOWS\system32\muweb.dll
2007-07-30 17:19    203,096    ----a-w    C:\WINDOWS\system32\wuweb.dll
2007-07-30 17:19    203,096    ----a-w    C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 17:19    1,712,984    ----a-w    C:\WINDOWS\system32\wuaueng.dll
2007-07-30 17:19    1,712,984    ----a-w    C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 17:18    33,624    ----a-w    C:\WINDOWS\system32\wups.dll
2007-07-30 17:18    33,624    ----a-w    C:\WINDOWS\system32\dllcache\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe" [2005-01-12 03:01]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 02:27]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 17:13]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-02-28 14:25]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" []
"Komunikator"="C:\Program Files\Tlen.pl\tlen.exe" [2006-12-29 12:49]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" []
"WeatherCast"="C:\Program Files\WeatherCast\Weather.exe" [2003-01-08 11:47]
"WhenUSave"="C:\Program Files\Save\Save.exe" [2006-08-25 14:45]
"avpa"="C:\WINDOWS\system32\avpo.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kamila^Menu Start^Programy^Autostart^OpenOffice.ux.pl 2.0.lnk]
path=C:\Documents and Settings\Kamila\Menu Start\Programy\Autostart\OpenOffice.ux.pl 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.ux.pl 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABLKSR]
C:\WINDOWS\ABLKSR\ABLKSR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Live Update]
C:\Program Files\ASUS\ASUS Live Update\ALU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EOUApp]
"C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HControl]
C:\WINDOWS\ATK0100\HControl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
"C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wireless Console 2]
C:\Program Files\Wireless Console 2\wcourier.exe

R3 SynMini;USB2.0 1.3M Web Cam;C:\WINDOWS\system32\Drivers\SynMini.sys
R3 SynScan;USB2.0 1.3M Web Cam Still Image;C:\WINDOWS\system32\Drivers\SynScan.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23844ed7-9417-11db-8fde-0018de309ab5}]
AutoRun\command - G:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27a354be-ac66-11db-9026-0018f3af4c19}]
AutoRun\command - ie.exe
explore\Command - ie.exe
open\Command - ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e2ba688-d7e4-11db-908a-0018f3af4c19}]
Auto\command - F:\RavMonE.exe e
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a7d3fbc-d0e3-11db-9079-0018f3af4c19}]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command - F:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71550b01-1298-11dc-90fa-0018f3af4c19}]
Auto\command - F:\RavMonE.exe e
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71a83f80-ed06-11db-90b9-0018f3af4c19}]
Auto\command - RavMonE.exe e
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d33f53a-1ced-11dc-9109-0018f3af4c19}]
AutoRun\command - F:\ie.exe
explore\Command - F:\ie.exe
open\Command - F:\ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d33f53b-1ced-11dc-9109-0018f3af4c19}]
AutoRun\command - F:\ie.exe
explore\Command - F:\ie.exe
open\Command - F:\ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d33f53c-1ced-11dc-9109-0018f3af4c19}]
AutoRun\command - F:\ie.exe
explore\Command - F:\ie.exe
open\Command - F:\ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4ea3e04-e80e-11db-90ae-0018f3af4c19}]
AutoRun\command - ie.exe
explore\Command - ie.exe
open\Command - ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5e0457c-2350-11dc-9110-0018f3af4c19}]
1\Command - .\recycled\info.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5e0457d-2350-11dc-9110-0018f3af4c19}]
AutoRun\command - G:\USBNB.exe
AutoRun\command - F:\ie.exe
explore\Command - F:\ie.exe
open\Command - F:\ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbbebc61-23e0-11dc-9112-0018f3af4c19}]
Auto\command - F:\activexdebugger32.exe f
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
explore\Command - F:\activexdebugger32.exe f
open\Command - F:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd768edc-a4b7-11db-9011-0018f3af4c19}]
AutoRun\command - ntde1ect.com
explore\Command - ntde1ect.com
open\Command - ntde1ect.com

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-08-17 19:45:18 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Kamila.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
"2007-10-19 06:48:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-24 15:43:07
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-24 15:43:33 - machine was rebooted
.
    --- E O F ---




HiJackThis:
Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:45:14, on 2007-10-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Tlen.pl\tlen.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WeatherCast\Weather.exe
C:\Program Files\Save\Save.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\Kamila\Pulpit\Nowy folder\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166553332678
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166553306570
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_43.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11DB2466-68E2-4D4C-A4BB-FD287870AC6E}: NameServer = 150.254.5.4,150.254.5.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{73D6A6D7-1CFA-4B4E-B36E-FA844FA6A01C}: NameServer = 150.254.5.4,150.254.5.110
O17 - HKLM\System\CS1\Services\Tcpip\..\{11DB2466-68E2-4D4C-A4BB-FD287870AC6E}: NameServer = 150.254.5.4,150.254.5.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9581 bytes

Leon$
#5 Posted: 24 October 2007 17:28:16 (UTC)
Rank: User
Joined: 2006-03-15 (UTC)
Posts: 217

The entries
Quote:
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll (file missing)
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll (file missing)
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_43.cab

delete with HijackThis >> Fix checked

Open Notepad and paste
Quote:
File::
C:\Program Files\Save\Save.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WhenUSave"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23844ed7-9417-11db-8fde-0018de309ab5}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27a354be-ac66-11db-9026-0018f3af4c19}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e2ba688-d7e4-11db-908a-0018f3af4c19}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a7d3fbc-d0e3-11db-9079-0018f3af4c19}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71550b01-1298-11dc-90fa-0018f3af4c19}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71a83f80-ed06-11db-90b9-0018f3af4c19}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d33f53a-1ced-11dc-9109-0018f3af4c19}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d33f53b-1ced-11dc-9109-0018f3af4c19}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d33f53c-1ced-11dc-9109-0018f3af4c19}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4ea3e04-e80e-11db-90ae-0018f3af4c19}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5e0457c-2350-11dc-9110-0018f3af4c19}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5e0457d-2350-11dc-9110-0018f3af4c19}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbbebc61-23e0-11dc-9112-0018f3af4c19}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd768edc-a4b7-11db-9011-0018f3af4c19}]

save it as CFScript (save it so that the CFScript.txt icon sits next to the ComboFix.exe icon) >> drag and drop the CFScript.txt icon onto the ComboFix.exe icon
when asked "1 or 2", type 1 and press ENTER
Removal should begin
After the restart, manually delete the folder C:\Qoobox

When everything is done, new ComboFix and HijackThis logs
Żółty
#6 Posted: 24 October 2007 19:04:00 (UTC)
Rank: Moderator
Joined: 2005-03-21 (UTC)
Posts: 6,293

The O16 entry Leon$ pointed out is OK.
The key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23844ed7-9417-11db-8fde-0018de309ab5} is OK.
The files under the mountpoints entries still need to be deleted.
Quote:
RavMonE.exe
.\recycled\info.exe
F:\ie.exe
F:\Recycled\ctfmon.exe
ntde1ect.com
F:\activexdebugger32.exe


If you have any USB sticks, delete the autorun.inf files from them, and look for the files I listed above and delete them. Pay attention to the paths and to subtleties in the names (e.g. the system file ntdeTect.com vs. the junk to be removed, ntde1ect.com).

Additionally, the entry to fix:
Quote:
O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
and the file to delete.
This one may be tricky: also look for and delete the file C:\WINDOWS\system32\avpo0.dll

If you have trouble deleting the files, delete them with Killbox, or start the Recovery Console and delete them with the del command.

A full set of logs when done.
Thread is moving to Security.

Edited by user 24 October 2007 19:04:55 (UTC) | Reason: Not specified

Leon$
#7 Posted: 24 October 2007 19:47:38 (UTC)
Rank: User
Joined: 2006-03-15 (UTC)
Posts: 217

Deleting even the whole key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
has no side effects. After the computer restarts the key rebuilds itself and new mapping begins.
Żółty
#8 Posted: 24 October 2007 19:52:17 (UTC)
Rank: Moderator
Joined: 2005-03-21 (UTC)
Posts: 6,293

It rebuilds - at least it should. Are you sure it is after a restart and not after plugging in a USB stick?? But that one happens to be OK.
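A small triage script for the MountPoints2 entries discussed in posts #6 to #8, added here as an example; it is not code from the thread, from ComboFix or from HijackThis. It parses the mountpoints2 section of a ComboFix log, unwraps the `RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL` form to get at the file that is really launched, and flags payloads that sit on a removable or relative path, that reuse a genuine system file name outside the Windows directory (Recycled\ctfmon.exe), or that differ from a genuine name by a single character (ntde1ect.com vs. ntdetect.com). The sample log is constructed from entries quoted above; the list of imitated system names, the `C:\WINDOWS` system root and the one-character edit-distance threshold are my assumptions.

```python
import re

# Constructed sample: four MountPoints2 entries copied from the ComboFix log
# posted earlier in this thread (no other data is assumed).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23844ed7-9417-11db-8fde-0018de309ab5}]
AutoRun\command - G:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e2ba688-d7e4-11db-908a-0018f3af4c19}]
Auto\command - F:\RavMonE.exe e
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a7d3fbc-d0e3-11db-9079-0018f3af4c19}]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command - F:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd768edc-a4b7-11db-9011-0018f3af4c19}]
AutoRun\command - ntde1ect.com
explore\Command - ntde1ect.com
open\Command - ntde1ect.com
"""

# Assumption: genuine Windows binaries whose names autorun worms like to imitate.
LEGIT_NAMES = {"ntdetect.com", "ctfmon.exe", "svchost.exe", "explorer.exe", "rundll32.exe"}
SYSTEM_ROOT = r"c:\windows"  # assumption: default XP system root

KEY_RE = re.compile(r"^\[.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^(\S+)\\command - (.+)$", re.I)


def parse_mountpoints(log_text):
    """Return {guid: [(verb, command), ...]} for every mountpoints2 key in the log."""
    entries, guid = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            guid = m.group(1).lower()
            entries[guid] = []
            continue
        m = VERB_RE.match(line)
        if m and guid:
            entries[guid].append((m.group(1), m.group(2).strip()))
    return entries


def payload_of(command):
    """Strip the rundll32/ShellExec_RunDLL wrapper and trailing arguments,
    leaving the file that actually gets launched."""
    tokens = command.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower().endswith(",shellexec_rundll"):
            return tokens[i + 1]
    return tokens[0]


def edit_distance(a, b):
    """Levenshtein distance; one substitution turns ntdetect.com into ntde1ect.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the genuine file name this one imitates (exactly one character off), else None."""
    name = name.lower()
    for legit in LEGIT_NAMES:
        if name != legit and edit_distance(name, legit) == 1:
            return legit
    return None


def triage(log_text):
    """One finding per flagged command: (guid, verb, payload, reason)."""
    findings = []
    for guid, cmds in parse_mountpoints(log_text).items():
        for verb, command in cmds:
            payload = payload_of(command)
            base = payload.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            outside_windows = not payload.lower().startswith(SYSTEM_ROOT)
            fake = lookalike_of(base)
            if fake:
                reason = "look-alike of %s" % fake
            elif base in LEGIT_NAMES and outside_windows:
                reason = "genuine file name outside %SystemRoot%"
            elif outside_windows:
                reason = "autorun payload on removable/relative path"
            else:
                continue  # lives under the Windows directory; this heuristic does not flag it
            findings.append((guid, verb, payload, reason))
    return findings


if __name__ == "__main__":
    for guid, verb, payload, reason in triage(SAMPLE_LOG):
        print("%s  %-10s %-28s %s" % (guid[:9], verb, payload, reason))
```

Every entry in the sample is flagged, including G:\USBNB.exe, which Żółty judged OK: the script only narrows the list down to things worth a human look, and whether a given payload is the owner's own USB tool or a worm still has to be decided from the file itself. The same parsing works on the later log in this thread, since ComboFix prints the section in the same layout.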
massive
#9 Posted: 14 June 2008 11:53:47 (UTC)
Rank: User
Joined: 2008-06-14 (UTC)
Posts: 1

I have a request... could someone check these logs?

ComboFix 08-06-12.2 - Administrator 2008-06-14 10:35:31.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1861 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
D:\Autorun.inf
.
---- Previous Run -------
.
C:\autorun.inf
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-06 15:17 . 2007-12-20 11:48 95,744 --a------ C:\WINDOWS\system32\drivers\Gt51Ip.sys
2008-06-06 15:17 . 2007-12-20 11:48 51,968 --a------ C:\WINDOWS\system32\drivers\gt72ubus.sys
2008-06-06 15:17 . 2007-12-20 11:48 8,064 --a------ C:\WINDOWS\system32\drivers\gtptser.sys
2008-06-06 11:45 . 2008-06-14 10:13 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-06-06 11:45 . 2008-06-06 12:38 <DIR> d-------- C:\Documents and Settings\TXP.89E42FF660424B9\Dane aplikacji\iPlus
2008-05-29 16:28 . 2008-06-06 12:03 147 --a------ C:\WINDOWS\NView16.dat
2008-05-29 16:25 . 2008-05-29 16:25 <DIR> d-------- C:\Program Files\DVR
2008-05-29 16:25 . 2008-05-29 16:25 <DIR> d-------- C:\Documents and Settings\TXP~1~89E\USTAWI~1
2008-05-29 16:25 . 2008-05-29 16:25 <DIR> d-------- C:\Documents and Settings\TXP~1~89E
2008-05-29 16:25 . 2006-01-20 18:53 512,000 --a------ C:\WINDOWS\system32\ndmpeg4v.dll
2008-05-29 16:25 . 2005-06-24 18:34 487,084 --a------ C:\WINDOWS\setup.bmp
2008-05-29 16:25 . 2006-04-01 12:47 61,440 --a------ C:\WINDOWS\system32\ndmpeg4v.ax
2008-05-29 16:24 . 2008-05-29 16:24 <DIR> d-------- C:\instalka
2008-05-22 15:20 . 2008-05-22 15:20 <DIR> d-------- C:\Documents and Settings\TXP.89E42FF660424B9\Dane aplikacji\LGSync
2008-05-22 15:19 . 2008-05-22 15:19 <DIR> d-------- C:\Program Files\LG Electronics
2008-05-22 15:18 . 2004-09-16 11:31 1,703,936 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-05-22 15:18 . 2005-09-26 22:55 419,240 --a------ C:\WINDOWS\system32\Vsflex7L.ocx
2008-05-22 15:18 . 2000-05-22 00:00 244,416 --a------ C:\WINDOWS\system32\MsflxgrAd.ocx
2008-05-22 15:18 . 2005-06-28 22:12 36,864 --a------ C:\WINDOWS\system32\CSDLGE1LIB.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 08:29 98,304 ----a-w C:\WINDOWS\DUMP60dc.tmp
2008-06-14 08:26 98,304 ----a-w C:\WINDOWS\DUMP88e6.tmp
2008-06-14 08:26 33,068 --sh--r C:\WINDOWS\system32\avpo0.dll
2008-06-14 08:23 98,304 ----a-w C:\WINDOWS\DUMP8702.tmp
2008-06-14 08:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-14 08:09 98,304 ----a-w C:\WINDOWS\DUMPd09e.tmp
2008-06-13 13:13 98,304 ----a-w C:\WINDOWS\DUMP7a31.tmp
2008-06-08 09:15 98,304 ----a-w C:\WINDOWS\DUMP8ee2.tmp
2008-06-07 09:59 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-06-07 09:59 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-06-07 09:57 98,304 ----a-w C:\WINDOWS\DUMP8f20.tmp
2008-06-07 09:34 98,304 ----a-w C:\WINDOWS\DUMP96a2.tmp
2008-06-07 09:26 98,304 ----a-w C:\WINDOWS\DUMP8fad.tmp
2008-06-07 09:23 98,304 ----a-w C:\WINDOWS\DUMPb267.tmp
2008-06-07 09:19 98,304 ----a-w C:\WINDOWS\DUMP8de8.tmp
2008-06-07 09:12 98,304 ----a-w C:\WINDOWS\DUMP8feb.tmp
2008-06-07 09:09 98,304 ----a-w C:\WINDOWS\DUMP8df7.tmp
2008-06-07 09:05 98,304 ----a-w C:\WINDOWS\DUMP8cbf.tmp
2008-06-07 09:02 98,304 ----a-w C:\WINDOWS\DUMP9039.tmp
2008-06-07 08:59 98,304 ----a-w C:\WINDOWS\DUMP8f4f.tmp
2008-06-07 08:55 98,304 ----a-w C:\WINDOWS\DUMP90a7.tmp
2008-06-07 08:52 98,304 ----a-w C:\WINDOWS\DUMP93c4.tmp
2008-06-07 08:49 98,304 ----a-w C:\WINDOWS\DUMP91c0.tmp
2008-06-07 08:46 98,304 ----a-w C:\WINDOWS\DUMP9402.tmp
2008-06-07 08:43 98,304 ----a-w C:\WINDOWS\DUMP92f9.tmp
2008-05-16 15:41 --------- d-----w C:\Program Files\eMule
2008-04-26 18:42 --------- d-----w C:\Program Files\NAPI-PROJEKT
2008-04-24 18:26 --------- d-----w C:\Program Files\Kaspersky Lab
2008-04-24 18:26 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\Kaspersky Lab
2008-04-04 16:37 98,304 ----a-w C:\WINDOWS\DUMP9b36.tmp
2008-03-17 13:27 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-03-17 13:22 22,328 ----a-w C:\Documents and Settings\TXP.89E42FF660424B9\Dane aplikacji\PnkBstrK.sys
2007-01-03 16:29 1,179 ----a-w C:\Documents and Settings\TXP\Licence.reg
2007-01-03 16:29 1,179 ----a-w C:\Documents and Settings\Administrator\Licence.reg
2007-01-03 15:29 1,179 ----a-w C:\Documents and Settings\TXP.89E42FF660424B9\Licence.reg
2007-10-17 14:57 94,945 --sh--r C:\WINDOWS\system32\avpo.exe
.

------- Sigcheck -------

2007-02-17 12:03 578560 6a93565be9b8422eb7538c66ac732d76 C:\WINDOWS\system32\user32.dll

2007-02-17 12:03 667648 b9cd00815effa790279a1d2f0d07323f C:\WINDOWS\ie7\wininet.dll
2007-01-12 10:27 822784 be43d00d802c92f01c8cc952c6f483f8 C:\WINDOWS\system32\wininet.dll

2007-02-17 12:33 360576 bd8686216e34e22c4ed45a2320b2bea1 C:\WINDOWS\system32\drivers\tcpip.sys

2007-02-17 12:02 2018816 54df9001110934c98ecff5691b332f5f C:\WINDOWS\system32\ntkrnlpa.exe

2007-02-17 12:02 2139136 22b96841df0b4186fce1498d8f695bdf C:\WINDOWS\system32\ntoskrnl.exe

2007-01-15 16:12 1549312 e5241037518f63e806dcf75f78dc84a8 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-13_16.12.39,67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-13 14:05:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-14 08:29:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-12-13 18:49 1185120 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-12-13 18:49 1185120]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-10-14 14:37 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 15:51 774233]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 13:03 94208 C:\WINDOWS\KHALMNPR.Exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 12:12 16062464 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2006-05-16 19:04 2879488 C:\WINDOWS\SkyTel.exe]
"Vistadrv"="C:\Program Files\VistaDrives\vsdrv.exe" [2006-07-30 04:37 121089]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 12:29 49152]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 23:57 30208]
"Licence"="Licence.exe" [2007-01-08 20:49 101651 C:\WINDOWS\system32\Licence.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 07:24 286720]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-18 08:55 8523776]
"nwiz"="nwiz.exe" [2007-12-18 08:55 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-18 08:55 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-01-08 20:00 124928 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\TXP.89E42FF660424B9\Menu Start\Programy\Autostart\
Budzik.lnk - C:\Program Files\Budzik\budzik.exe [2008-01-23 04:15:30 24084]
Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMBalloonTip"= 0 (0x0)
"NoUserNameInStartMenu"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoExpandedNewMenu"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)
"NoTaskGrouping"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMBalloonTip"= 0 (0x0)
"StartMenuLogoff"= 0 (0x0)
"NoUserNameInStartMenu"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoExpandedNewMenu"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)
"NoTaskGrouping"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"VIDC.WMV3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"D:\\Soldat\\Soldat.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"D:\\dc\\moh_Breakthrough.exe"=
"D:\\KONAMI\\Winning Eleven 2007\\we2007.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"D:\\cod4\\rzr-cod4\\Setup\\Data\\iw3mp.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"D:\\Stronghold Crusader\\Stronghold Crusader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 dsnpfd;DeskSoft Service;C:\WINDOWS\system32\DRIVERS\dsnpfd.sys [2007-11-22 20:21]
S1 PStrip;PStrip;C:\WINDOWS\system32\drivers\pstrip.sys [2006-09-30 12:35]
S3 GT72NDISIPXP;GT 72 IP NDIS;C:\WINDOWS\system32\DRIVERS\Gt51Ip.sys [2007-12-20 11:48]
S3 GT72UBUS;GT 72 U BUS;C:\WINDOWS\system32\DRIVERS\gt72ubus.sys [2007-12-20 11:48]
S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-12-20 11:48]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

*Newly Created Service* - PXHELP20
*Newly Created Service* - RICHVIDEO
*Newly Created Service* - SPEEDFAN
.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 05:01:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 10:37:16
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-14 10:37:45
ComboFix-quarantined-files.txt 2008-06-14 08:37:40
ComboFix2.txt 2008-06-13 14:12:57

Pre-Run: 11,100,897,280 bytes free
Post-Run: 11,094,106,112 bytes free

210

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:15, on 2008-06-14
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ulubione
O2 - BHO: IE7pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Vistadrv] C:\Program Files\VistaDrives\vsdrv.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Licence] Licence.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O13 - DefaultPrefix: http://click.vnn.bz/?hide=1&url=
O13 - WWW Prefix: http://click.vnn.bz/?hide=1&url=
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} -
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.33/g_bin/pl/poker_2_0_0_49.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macro.../cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7222A512-FABD-4A4B-9E40-DD05C831320E}: NameServer = 192.168.100.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: AST Service (astcc) - Advanced Software Technologies - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 6523 bytes
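Added example (editor's code, not posted by anyone in this thread): a first-pass triage pass over ComboFix and HijackThis log lines of the kind posted above. The rule names and the choice of what counts as suspicious are my own, not ComboFix or HijackThis terminology; the sample lines are copied from the logs in this thread (the hidden+system avpo.exe/avpo0.dll pair in system32, the disabled firewall with 3389/TCP open, the O13 URL-prefix hijack, the unknown Winsock LSP, the missing avast! service binaries and the autorun commands cached under MountPoints2), mixed with benign lines from the same logs to show what is left alone.

```python
import re

# Rule names below are this example's own labels, not ComboFix/HijackThis terms.
# ComboFix file line, in either of the two layouts it uses:
#   2008-06-14 08:26 33,068 --sh--r C:\WINDOWS\system32\avpo0.dll
#   2008-06-06 15:17 . 2007-12-20 11:48 95,744 --a------ C:\WINDOWS\...\Gt51Ip.sys
_CF_FILE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"(?:\s+\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r"\s+(?:[\d,]+|-+)\s+(?P<attr>[-a-z]+)\s+(?P<path>.+)$",
    re.I,
)


def _hidden_system_file(line: str) -> bool:
    """A file (not a directory) under system32 carrying both the SYSTEM ('s')
    and HIDDEN ('h') attribute letters in ComboFix's attribute column.
    Legitimate binaries in system32 almost never hide themselves."""
    m = _CF_FILE.match(line)
    if not m:
        return False
    attr = m.group("attr").lower()
    return (not attr.startswith("d")
            and "s" in attr and "h" in attr
            and "system32" in m.group("path").lower())


def _regex_rule(pattern: str):
    """Build a line predicate from a case-insensitive regex."""
    rx = re.compile(pattern, re.I)
    return lambda line: rx.search(line) is not None


RULES = [
    ("hidden-system-file", _hidden_system_file),
    # Windows Firewall standard profile switched off
    ("firewall-off", _regex_rule(r'^"EnableFirewall"=\s*0\b')),
    # a port opened to every network; 3389/TCP means RDP reachable from outside
    ("open-port", _regex_rule(r'^"\d+:(TCP|UDP)"=')),
    # Security Center told not to warn about missing AV / updates
    ("sc-notify-off", _regex_rule(r'^"(AntiVirus|Updates|Firewall)DisableNotify"=dword:0*1$')),
    # HijackThis O13: every bare hostname typed into IE is routed through this URL
    ("url-prefix-hijack", _regex_rule(r"^O13 - .*Prefix: \S+")),
    # HijackThis O10: a Winsock LSP it cannot attribute; that DLL sees all traffic
    ("winsock-lsp", _regex_rule(r"^O10 - Unknown file in Winsock LSP:")),
    # autorun command Explorer cached per volume under HKCU\...\Explorer\MountPoints2
    ("cached-autorun", _regex_rule(r"^\\Shell\\(AutoRun|open)\\command - \S+")),
    # a registered service whose executable is gone (AV killed off or half-uninstalled)
    ("missing-service-binary", _regex_rule(r"^O23 - Service: .*\(file missing\)$")),
]


def triage(lines):
    """Return [(rule_name, line)] for every line that trips a rule.
    One rule per line: the first matching rule wins."""
    findings = []
    for raw in lines:
        line = raw.strip()
        for name, check in RULES:
            if check(line):
                findings.append((name, line))
                break
    return findings


# Sample input: lines copied from the ComboFix / HijackThis logs in this thread,
# plus benign lines from the same logs that must NOT be flagged.
SAMPLE_LOG = r"""
2008-06-14 08:26 33,068 --sh--r C:\WINDOWS\system32\avpo0.dll
2008-06-14 08:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-17 14:57 94,945 --sh--r C:\WINDOWS\system32\avpo.exe
2008-06-06 15:17 . 2007-12-20 11:48 95,744 --a------ C:\WINDOWS\system32\drivers\Gt51Ip.sys
"EnableFirewall"= 0 (0x0)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O13 - DefaultPrefix: http://click.vnn.bz/?hide=1&url=
O13 - WWW Prefix: http://click.vnn.bz/?hide=1&url=
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
\Shell\AutoRun\command - g1ljsm.com
\Shell\open\Command - g1ljsm.com
"""


def sample_findings():
    """Run the rules over SAMPLE_LOG and return (findings, per-rule counts)."""
    findings = triage(SAMPLE_LOG.splitlines())
    counts = {}
    for name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return findings, counts


if __name__ == "__main__":
    for name, line in sample_findings()[0]:
        print(f"{name:22} {line}")
```

Feed it a whole saved log (`triage(open("ComboFix.txt", encoding="latin-1").read().splitlines())`) and read the flagged lines first; the rules are deliberately narrow, so an empty result means "nothing obvious", not "clean".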
Pshemko11 Offline
#10 Posted: 30 June 2008 21:40:01(UTC)
Pshemko11

Rank: User
Reputation:

Joined: 2008-06-30(UTC)
Posts: 1

ComboFix 08-06-20.4 - Pshemko 2008-06-30 20:32:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1113 [GMT 2:00]
Running from: C:\Documents and Settings\Pshemko\Pulpit\ComboFix.exe.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-30 20:11 . 2008-06-30 20:11 13,646 --a------ C:\WINDOWS\system32\wpa.bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 17:44 --------- d-----w C:\Program Files\Alwil Software
2008-06-30 17:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-30 17:36 --------- d-----w C:\Program Files\MultiRes
2008-06-30 17:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-30 17:35 451,072 ----a-w C:\WINDOWS\Radeon Omega Drivers v3.8.252 Uninstall.exe
2008-06-30 17:35 --------- d-----w C:\Program Files\Radeon Omega Drivers
2008-06-30 17:22 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-30 17:20 --------- d-----w C:\Program Files\Usługi online
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2006-02-22 02:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 20:33:23
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-30 20:33:40
ComboFix-quarantined-files.txt 2008-06-30 18:33:38

Pre-Run: 5,147,992,064 bytes free
Post-Run: 5,142,966,272 bytes free

57
Naruto09 Offline
#11 Posted: 4 January 2009 15:43:01(UTC)
Naruto09

Rank: User
Reputation:

Joined: 2009-01-03(UTC)
Posts: 12
Location: -

In my opinion there is an autorun.inf file in the root directory of the drive.
It needs to be deleted and everything should return to normal.
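Added example (editor's code, not something any poster in this thread wrote): a lenient parser for the kind of autorun.inf that ComboFix keeps deleting from C:\ and D:\ in the logs above, plus a scan over drive roots that reports which actions the file redirects. The mechanism it illustrates: Explorer on Windows XP reads <drive>:\autorun.inf, installs its shell\open\command as the drive's default double-click action, and caches that per volume under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2. Once the dropped executable is gone but the .inf or the cached key remains, double-clicking the drive points at a missing program and Explorer falls back to the "Open with" prompt described in the first post. The sample file content is constructed: only the command name g1ljsm.com is taken from the MountPoints2 entries ComboFix logged later in this thread; the padding bytes, mixed-case keys and decoy section are an assumption about how such droppers obfuscate the file.

```python
import os
import re
import tempfile

# Keys under [autorun] whose value Explorer runs directly on AutoPlay.
_EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=<program>: the verb's action; shell\open\command becomes
# the drive's default double-click action.
_VERB_CMD = re.compile(r"^shell\\[^\\]+\\command$")
# Control bytes (other than tab/CR/LF) that droppers sprinkle into the file
# so that naive scanners mis-parse it; Explorer's INI reader skips them.
_CTRL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")


def parse_autorun(text: str) -> dict:
    """Return {key_lowercased: value} for the [autorun] section only.
    Section and key names are matched case-insensitively, like Explorer does;
    comment lines and lines in other sections are ignored."""
    entries = {}
    in_autorun = False
    for raw in _CTRL.sub("", text).splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key:
            entries[key] = value.strip()
    return entries


def hijacked_actions(entries: dict) -> list:
    """Sorted (key, command) pairs that make Explorer execute something."""
    return sorted((k, v) for k, v in entries.items()
                  if k in _EXEC_KEYS or _VERB_CMD.match(k))


def scan_roots(roots) -> dict:
    """Map each root that holds an autorun.inf to its hijacked actions.
    The name match is case-insensitive (FAT/NTFS are) and the file is read
    as bytes, because droppers put NULs and non-UTF-8 junk into it."""
    findings = {}
    for root in roots:
        try:
            names = os.listdir(root)
        except OSError:  # unreadable or absent drive: skip, do not crash
            continue
        for name in names:
            if name.lower() != "autorun.inf":
                continue
            with open(os.path.join(root, name), "rb") as fh:
                text = fh.read().decode("latin-1")
            findings[root] = hijacked_actions(parse_autorun(text))
    return findings


# Constructed sample (assumption): only the command name g1ljsm.com comes from
# the MountPoints2 entries ComboFix logged in this thread.
SAMPLE_AUTORUN_INF = (
    "[AuToRuN]\r\n"
    ";\x00\x00padding\x01the dropper adds so scanners mis-parse the file\r\n"
    "OPEN=g1ljsm.com\r\n"
    "sHeLL\\OpEn\\CoMmAnD=g1ljsm.com\r\n"
    "shell\\explore\\command=g1ljsm.com\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "[garbage]\r\n"
    "open=not_in_autorun_section.exe\r\n"
)


def demo() -> dict:
    """Write the sample into a throw-away 'drive root', scan it next to a
    clean root, and return what was found for each."""
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as clean:
        with open(os.path.join(infected, "Autorun.inf"), "wb") as fh:
            fh.write(SAMPLE_AUTORUN_INF.encode("latin-1"))
        findings = scan_roots([infected, clean])
        return {"infected": findings.get(infected), "clean": findings.get(clean)}


if __name__ == "__main__":
    for label, actions in demo().items():
        print(label, actions)
```

On a live XP box you would call `scan_roots(["C:\\", "D:\\", "E:\\"])`; the script only reports. The clean-up is what this thread's helpers have the posters do: remove the .inf from every root (it is normally marked hidden+system+read-only, so `attrib -s -h -r X:\autorun.inf` first), and delete the stale per-volume subkeys under MountPoints2 so Explorer stops offering the cached command.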
mariusz12345 Offline
#12 Posted: 28 April 2009 09:00:12(UTC)
mariusz12345

Rank: User
Reputation:

Joined: 2005-10-05(UTC)
Posts: 70
Male
Location: Wrocław

Bumping this, since I have the same problem

ComboFix 09-04-27.03 - D620 2009-04-28 7:54.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.502.226 [GMT 2:00]
Running from: c:\documents and settings\D620\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090427-0] *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-20 15:02 . 2009-04-20 15:02 -------- d-----w c:\windows\system32\pl-pl
2009-04-20 15:02 . 2009-04-20 15:02 -------- d-----w c:\windows\l2schemas
2009-04-20 15:02 . 2009-04-20 15:02 -------- d-----w c:\windows\system32\pl
2009-04-20 15:02 . 2009-04-20 15:02 -------- d-----w c:\windows\system32\bits
2009-04-20 15:00 . 2009-04-20 15:00 -------- d-----w c:\windows\ServicePackFiles
2009-04-20 14:47 . 2009-04-20 14:47 -------- d-----w c:\windows\system32\NtmsData
2009-04-16 16:38 . 2008-04-21 21:16 218112 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-16 16:31 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 16:31 . 2009-02-09 11:26 2190336 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-16 16:31 . 2009-03-06 14:22 285696 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 16:31 . 2009-02-09 11:25 111104 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 16:31 . 2009-02-09 10:53 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 16:31 . 2009-02-09 10:53 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 16:31 . 2009-02-09 10:53 686592 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 16:31 . 2009-02-09 10:53 731136 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 16:31 . 2009-02-09 10:53 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 16:31 . 2009-02-09 10:53 722944 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 16:31 . 2009-02-09 11:26 2146816 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-16 16:31 . 2009-02-09 11:26 2025472 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-13 21:33 . 2008-06-14 17:36 273024 ------w c:\windows\system32\dllcache\bthport.sys
2009-04-13 21:27 . 2008-05-08 14:02 203136 ------w c:\windows\system32\dllcache\rmcast.sys
2009-04-13 21:27 . 2008-10-24 11:21 455296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-13 21:26 . 2008-12-11 10:57 333952 ------w c:\windows\system32\dllcache\srv.sys
2009-04-13 21:26 . 2008-04-11 19:06 691712 ------w c:\windows\system32\dllcache\inetcomm.dll
2009-04-13 21:25 . 2008-10-15 16:36 337408 ------w c:\windows\system32\dllcache\netapi32.dll
2009-04-13 21:24 . 2008-07-09 07:57 26488 ----a-w c:\windows\system32\spupdsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 20:22 . 2007-05-10 10:50 12 ----a-w c:\windows\bthservsdp.dat
2009-04-20 15:05 . 2007-05-10 09:52 87263 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-03 13:46 . 2004-08-04 08:00 49910 ----a-w c:\windows\system32\perfc015.dat
2009-04-03 13:46 . 2004-08-04 08:00 356068 ----a-w c:\windows\system32\perfh015.dat
2009-03-16 14:45 . 2007-05-10 10:02 17928 ----a-w c:\documents and settings\D620\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2004-08-04 08:00 285696 ----a-w c:\windows\system32\pdh.dll
2009-03-05 18:09 . 2008-04-22 13:59 892928 ----a-w c:\windows\system32\iconv.dll
2009-03-05 18:09 . 2008-04-22 13:58 795648 ----a-w c:\windows\system32\xvidcore.dll
2009-03-05 18:09 . 2009-03-05 18:09 130048 ----a-w c:\windows\system32\xvidvfw.dll
2009-03-02 21:04 . 2009-03-02 21:04 -------- d-----w c:\program files\Last.fm
2009-02-20 08:12 . 2006-03-04 01:35 668672 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:12 . 2004-08-04 08:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-12 16:17 . 2009-02-12 16:17 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-12 16:11 . 2009-02-12 16:11 0 ----a-w c:\windows\nsreg.dat
2009-02-09 14:07 . 2004-08-04 08:00 1847040 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:26 . 2005-03-30 15:37 2025472 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:26 . 2005-03-30 15:37 2146816 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:25 . 2004-08-04 08:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:53 . 2004-08-04 08:00 731136 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:53 . 2004-08-04 08:00 722944 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:53 . 2004-08-04 08:00 686592 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:53 . 2004-08-04 08:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-06 10:39 . 2004-08-04 08:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:58 . 2004-08-04 08:00 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-12 148888]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-05-25 35328]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 memcard;Sterownik karty pamięci PCMCIA;c:\windows\system32\DRIVERS\memcard.sys [2001-08-17 8320]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 KBDriverService;Knorr Bremse Driver Service;c:\16t\KnorrBremse\ST03A V2.4.07\Lib\KbDriverService.exe [2007-05-15 45056]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f7e8134-4f51-11dd-bc75-00188bd96251}]
\Shell\AutoRun\command - setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b3812dc-718b-11dc-bc2a-806d6172696f}]
\Shell\AutoRun\command - g1ljsm.com
\Shell\open\Command - g1ljsm.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e677af42-fee9-11db-b87a-806d6172696f}]
\Shell\AutoRun\command - g1ljsm.com
\Shell\open\Command - g1ljsm.com
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.pl/
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\D620\Dane aplikacji\Mozilla\Firefox\Profiles\buzv6fxa.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (pl)
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 07:56
Windows 5.1.2600 Dodatek Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-28 7:56
ComboFix-quarantined-files.txt 2009-04-28 05:56

Pre-Run: 6 531 244 032 bytes free
Post-Run: 6 526 156 800 bytes free

138 --- E O F --- 2009-04-21 22:21

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:58:36, on 2009-04-28
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\16T\KnorrBremse\ST03A V2.4.07\Lib\KbDriverService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
D:\hjt\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?linkid=3274
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Knorr Bremse Driver Service (KBDriverService) - Unknown owner - C:\16T\KnorrBremse\ST03A V2.4.07\Lib\KbDriverService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5659 bytes
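A small triage parser for the HijackThis log format shown above, added here as an example (it is not code from the thread or from HijackThis itself). The sample lines are copied from the log, and the review heuristics are the usual ones a responder applies by hand: Run entries that name a bare filename, unresolved Global Startup shortcuts, unrecognised Winsock LSP files, and services with no identified publisher.

```python
import re

# Constructed sample: a few lines in the HijackThis log format from the thread above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Knorr Bremse Driver Service (KBDriverService) - Unknown owner - C:\16T\KnorrBremse\ST03A V2.4.07\Lib\KbDriverService.exe
"""

# "O4 - HKLM\..\Run: [Name] command" -> section code + body; Run entries are split further.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK\S+?\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_hjt(text):
    """Return one {'code', 'body'} dict per HijackThis entry, in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body")})
    return entries

def first_token(cmd):
    """Executable part of a Run command: the quoted path, or text up to the first space."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]

def triage(entries):
    """Heuristic review list: (code, body, reason) for entries a responder checks by hand."""
    flagged = []
    for e in entries:
        code, body = e["code"], e["body"]
        if code == "O4":
            m = RUN_RE.match(body)
            if m and "\\" not in first_token(m.group("cmd")):
                flagged.append((code, body, "bare filename, resolved via search path; verify which file loads"))
            elif body.startswith("Global Startup:") and body.endswith("= ?"):
                flagged.append((code, body, "shortcut target unresolved; inspect the .lnk"))
        elif code == "O10" and body.startswith("Unknown file in Winsock LSP"):
            flagged.append((code, body, "LSP DLL not recognised; verify publisher and signature"))
        elif code == "O23" and "- Unknown owner -" in body:
            flagged.append((code, body, "service binary has no identified publisher; verify signature"))
    return flagged
```

Run `triage(parse_hjt(SAMPLE_LOG))` to get the four entries from the sample that merit a second look; a clean O4 entry with a full path and a service with a named vendor are left out.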
cloudwithabow Offline
#13 Posted : 16 February 2010 14:49:56(UTC)
cloudwithabow

Rank: User
Reputation:

Joined: 2010-02-16(UTC)
Posts: 1

Hi, I had the same problem with opening disk partitions. It was some junk that came from a flash drive. After treating it with ComboFix, the autorun.inf files were removed and the problem went away. I suspect, however, that something also needs to be cleaned up in the registry; could someone please take a look at my ComboFix log and tell me what to do in the registry, if it is necessary? I would be very grateful :) regards!

Edited by user 16 February 2010 23:39:00(UTC)  | Reason: Not specified

XanTyp Offline
#14 Posted : 16 February 2010 23:42:50(UTC)
XanTyp

Rank: Moderator
Reputation:

Joined: 2005-01-04(UTC)
Posts: 3,877
Male
Location: Pabianice

Please do not append to expired threads!
Please start a new one and, if needed, give a link referring to this or another existing thread.
Please paste all logs on wklejto.pl (or similar) and attach only links to the pastes here.

And if you don't know what to do with the registry, clean it with a suitable program that will know better what can and cannot be removed (RegCleaner, CCleaner, Odkurzacz, etc.). There is plenty to choose from.
Closing.

Edited by user 16 February 2010 23:44:24(UTC)  | Reason: Not specified

The precision of the answer depends on the precision of the question.
First go to the source. Only then call the plumber.

I don't read minds.