PhoeeeniX Napisano 11 Czerwca 2007 Zgłoś Napisano 11 Czerwca 2007 Witam, pare dni temu scigalem sobie cracka do gry i jakiegos shita sciagnolem. Od teog czasu mialem jakiegos syfa w kompie mianowicie czerwona tarcza z krzyzem w trayu, potem jakies konie trojanskie w tym !update.exe Wszytsko juz usunolem, przeczyscilem kompa wiec jestem czysty ale nie jestem pewny co do Loga. Dzwiek mi zjadlo tez wiec sciagnolem stery do mojej mobo ale to nie pomoglo bo jak wlaczalem winampa to plul sie ze zle stery. Nie chcemi sie instalowac drugi raz windy i chce to tak zalatwic. Wkrotce i tak na auroxa chyba sie przesiade 8O Bylbym wdzieczny gdyyby ktos tego loga przejrzal i cos poradzil co z tym dzwiekiem zrobic 8O Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe F:\Logitech\iTouch\iTouch.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe F:\FinePixViewer\QuickDCF2.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\bgsvcgen.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe C:\WINDOWS\system32\svchost.exe f:\pinnacle\shared files\programs\mediaserver\pmshost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe F:\Konnekt\konnekt.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Documents and Settings\PhoeniX\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {B7593C1D-F58C-AB2D-8A06-F8ADD89529E5} - C:\WINDOWS\system32\wpm.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [zBrowser Launcher] F:\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [NBJ] "F:\Ahead\Nero BackItUp\NBJ.exe" O4 - HKCU\..\Run: [Ortd] "C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" -vt yazb O4 - HKCU\..\Run: [Hilg] C:\WINDOWS\?icrosoft\n?tdde.exe O4 - HKCU\..\Run: [Ofn] C:\WINDOWS\??mbols\??anregw.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Exif Launcher 2.lnk = ? O4 - Global Startup: Image Transfer.lnk = ? O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - F:\PACIFI~1\pacificpoker.exe O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{5EE64A38-F284-44A1-AD61-EB19F1E1A595}: NameServer = 194.204.159.1,194.204.152.34 O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing) O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: MSSQL$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing) O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - f:\pinnacle\shared files\programs\mediaserver\pmshost.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing) Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach More sharing options...
CatchMe Napisano 12 Czerwca 2007 Zgłoś Napisano 12 Czerwca 2007 O2 - BHO: (no name) - {B7593C1D-F58C-AB2D-8A06-F8ADD89529E5} - C:\WINDOWS\system32\wpm.dll O4 - HKCU\..\Run: [Hilg] C:\WINDOWS\?icrosoft\n?tdde.exe O4 - HKCU\..\Run: [Ofn] C:\WINDOWS\??mbols\??anregw.exe O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing) O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing) Zacznij usuwać w-g tych 2 instrukcji: http://cybertrash.pl/images/tata/PurityScan.html + Użyj: SmitFraudFix z opcji 2 w trybie awaryjnym. - Log z pracy programu znajduje się tutaj: C:\raport.txt - wklej go na forum. Po zabiegach wklej logi z HijackThis, Silent Runners i ComboFix. Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach More sharing options...
PhoeeeniX Napisano 13 Czerwca 2007 Zgłoś Napisano 13 Czerwca 2007 OK zrobilem co sie dalo lecz OIuinstaller nie chce mi sie zainstalowac z teog linka co dales i z innych raczej tez. Uruchomiłem SmitfraudFix w safemode: znalazł pliki ale przy usuwaniu nie mógł znalesc odpowiedniej sciezki, nie wiem dlaczego. Reszte zrobilem. Aha chciałem dodac ze I jak się 3yma ? Oto logi: Logfile of HijackThis v1.99.1 Scan saved at 16:25:47, on 2007-06-13 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe F:\Logitech\iTouch\iTouch.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe F:\FinePixViewer\QuickDCF2.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\bgsvcgen.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe C:\WINDOWS\system32\svchost.exe f:\pinnacle\shared files\programs\mediaserver\pmshost.exe C:\WINDOWS\system32\wscntfy.exe C:\Documents and Settings\PhoeniX\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {B7593C1D-F58C-AB2D-8A06-F8ADD89529E5} - C:\WINDOWS\system32\wpm.dll (file missing) O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [zBrowser Launcher] F:\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [spyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [NBJ] "F:\Ahead\Nero BackItUp\NBJ.exe" O4 - HKCU\..\Run: [Ortd] "C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" -vt ndrv O4 - HKCU\..\Run: [Hilg] C:\WINDOWS\?icrosoft\n?tdde.exe O4 - HKCU\..\Run: [Ofn] C:\WINDOWS\??mbols\??anregw.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Exif Launcher 2.lnk = ? O4 - Global Startup: Image Transfer.lnk = ? O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - F:\PACIFI~1\pacificpoker.exe O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{5EE64A38-F284-44A1-AD61-EB19F1E1A595}: NameServer = 194.204.159.1,194.204.152.34 O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing) O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: MSSQL$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing) O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - f:\pinnacle\shared files\programs\mediaserver\pmshost.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing) "Silent Runners.vbs", revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ "wlnlogon" = "C:\WINDOWS\System.exe" [file not found] HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" [file not found] "NBJ" = ""F:\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"] "Ortd" = ""C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" -vt ndrv" [file not found] "Hilg" = "C:\WINDOWS\*icrosoft\n*tdde.exe" (unwritable string) [file not found] "Ofn" = "C:\WINDOWS\**mbols\**anregw.exe" (unwritable string) [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."] "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."] "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "zBrowser Launcher" = "F:\Logitech\iTouch\iTouch.exe" ["Logitech Inc."] "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."] "!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."] "SpyHunter" = "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" ["Enigma Software Group Inc."] "MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."] {B7593C1D-F58C-AB2D-8A06-F8ADD89529E5}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\wpm.dll" [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "F:\WinRAR\rarext.dll" [null data] "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {HKLM...CLSID} = "Microsoft Office Outlook" \InProcServer32\(Default) = "F:\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook" \InProcServer32\(Default) = "F:\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "F:\Microsoft Office\OFFICE11\msohev.dll" [MS] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Program Files\Real Player\rpshell.dll" ["RealNetworks, Inc."] "{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell" -> {HKLM...CLSID} = "Studio.Project" \InProcServer32\(Default) = "F:\Pinnacle\Studio 10\programs\BlueShellExt.dll" [null data] ComboFix 07-06-11.3 - C:\Documents and Settings\PhoeniX\Pulpit\ComboFix.exe "PhoeniX" - 2007-06-13 16:26:16 - Dodatek Service Pack 2 NTFS ((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 ))))))))))))))))))))))))))))))) 2007-06-13 16:20 53,248 --a------ C:\WINDOWS\system32\Process.exe 2007-06-13 16:20 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-06-13 16:20 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-06-13 16:20 2,138 --a------ C:\WINDOWS\system32\tmp.reg 2007-06-12 17:50 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-12 17:46 <DIR> d-------- C:\Program Files\Enigma Software Group 2007-06-11 20:30 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-06-11 20:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DANEAP~1\Talkback 2007-06-11 20:22 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji 2007-06-11 20:22 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start 2007-06-11 20:22 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony 2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione 2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit 2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty 2007-06-11 20:21 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT 2007-06-11 20:21 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne 2007-06-11 19:05 <DIR> d-------- C:\WINDOWS\system32\Lang 2007-06-10 15:21 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe 2007-06-10 15:21 <DIR> d-------- C:\Program Files\Realtek Sound Manager 2007-06-10 15:21 <DIR> d-------- C:\Program Files\AvRack 2007-06-10 15:20 577,536 --a------ C:\WINDOWS\soundman.exe 2007-06-10 15:20 4,019,072 --a------ C:\WINDOWS\system32\drivers\alcxwdm.sys 2007-06-10 15:20 315,392 --a------ C:\WINDOWS\alcupd.exe 2007-06-10 15:20 217,088 --a------ C:\WINDOWS\Alcrmv.exe 2007-06-10 15:20 143,360 --a------ C:\WINDOWS\system32\RtlCPAPI.dll 2007-06-10 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe 2007-06-10 15:20 <DIR> d-------- C:\Program Files\Realtek AC97 2007-06-09 17:52 12,800 -ra------ C:\WINDOWS\system32\WING32.DLL 2007-06-08 12:57 75,264 --a------ C:\WINDOWS\system32\unacev2.dll 2007-06-08 12:57 3,440 --a------ C:\WINDOWS\undo.reg 2007-06-08 12:57 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll 2007-06-07 14:58 81,920 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\ezpinst.exe 2007-06-07 14:58 <DIR> d-------- C:\Program Files\vso 2007-06-07 14:07 92,208 -ra------ C:\WINDOWS\system32\WING.DLL 2007-06-07 13:53 87,608 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\inst.exe 2007-06-07 13:53 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys 2007-06-07 13:53 47,360 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\pcouffin.sys 2007-06-07 13:53 <DIR> d-------- C:\DOCUME~1\PhoeniX\DANEAP~1\Vso 2007-06-07 12:07 <DIR> d-------- C:\WINDOWS\system32\NtmsData 2007-06-03 20:51 71,680 --a------ C:\WINDOWS\g21546875.exe 2007-06-03 20:29 71,680 --a------ C:\WINDOWS\g20218875.exe 2007-06-03 20:07 71,680 --a------ C:\WINDOWS\g18907718.exe 2007-06-03 19:45 71,680 --a------ C:\WINDOWS\g17579984.exe 2007-06-03 19:23 71,680 --a------ C:\WINDOWS\g16257156.exe 2007-06-03 19:03 71,680 --a------ C:\WINDOWS\g15056671.exe 2007-06-03 15:25 71,680 --a------ C:\WINDOWS\g1972609.exe 2007-06-03 14:55 71,680 --a------ C:\WINDOWS\g172625.exe 2007-06-03 10:41 71,680 --a------ C:\WINDOWS\g293906.exe 2007-06-02 21:20 71,680 --a------ C:\WINDOWS\g22524062.exe 2007-06-02 19:50 71,680 --a------ C:\WINDOWS\g17112234.exe 2007-06-02 19:28 71,680 --a------ C:\WINDOWS\g15791984.exe 2007-06-02 19:08 71,680 --a------ C:\WINDOWS\g14591968.exe 2007-06-02 18:46 71,680 --a------ C:\WINDOWS\g13268812.exe 2007-06-02 18:24 71,680 --a------ C:\WINDOWS\g11947546.exe 2007-06-02 18:02 71,680 --a------ C:\WINDOWS\g10625703.exe 2007-06-02 17:40 71,680 --a------ C:\WINDOWS\g9307359.exe 2007-06-02 17:18 206 --a------ C:\WINDOWS\g7982234.exe 2007-06-02 14:12 206 --a------ C:\WINDOWS\g5490046.exe 2007-06-02 13:50 206 --a------ C:\WINDOWS\g4169718.exe 2007-06-02 13:28 206 --a------ C:\WINDOWS\g2849437.exe 2007-06-02 13:06 206 --a------ C:\WINDOWS\g1529093.exe 2007-06-02 12:44 206 --a------ C:\WINDOWS\g208734.exe 2007-06-01 19:43 206 --a------ C:\WINDOWS\g14707406.exe 2007-06-01 15:41 206 --a------ C:\WINDOWS\g175125.exe 2007-06-01 12:07 206 --a------ C:\WINDOWS\g1973812.exe 2007-06-01 11:37 206 --a------ C:\WINDOWS\g174015.exe 2007-05-31 20:51 206 --a------ C:\WINDOWS\g174828.exe 2007-05-31 15:25 206 --a------ C:\WINDOWS\g296171.exe 2007-05-30 17:45 206 --a------ C:\WINDOWS\g7084203.exe 2007-05-30 13:43 206 --a------ C:\WINDOWS\g1853062.exe 2007-05-30 13:15 206 --a------ C:\WINDOWS\g173000.exe 2007-05-29 22:22 206 --a------ C:\WINDOWS\g6915515.exe 2007-05-29 18:03 206 --a------ C:\WINDOWS\g1735765.exe 2007-05-29 13:43 206 --a------ C:\WINDOWS\g1853140.exe 2007-05-29 13:15 206 --a------ C:\WINDOWS\g172828.exe 2007-05-28 20:13 206 --a------ C:\WINDOWS\g297312.exe 2007-05-28 14:37 206 --a------ C:\WINDOWS\g294265.exe 2007-05-27 23:00 206 --a------ C:\WINDOWS\g1861140.exe 2007-05-27 14:10 206 --a------ C:\WINDOWS\g14720468.exe 2007-05-27 11:02 <DIR> d-------- C:\Program Files\WinPcap 2007-05-27 10:38 206 --a------ C:\WINDOWS\g1972546.exe 2007-05-27 10:08 206 --a------ C:\WINDOWS\g172593.exe 2007-05-26 20:45 206 --a------ C:\WINDOWS\g2709296.exe 2007-05-26 20:25 206 --a------ C:\WINDOWS\g1498359.exe 2007-05-26 20:05 206 --a------ C:\WINDOWS\g292562.exe 2007-05-26 16:11 206 --a------ C:\WINDOWS\g2431906.exe 2007-05-26 15:43 206 --a------ C:\WINDOWS\g751359.exe 2007-05-26 15:22 206 --a------ C:\WINDOWS\g153156.exe 2007-05-26 15:08 206 --a------ C:\WINDOWS\g3656906.exe (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-13 14:26:44 74,694 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-06-13 14:26:44 453,808 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-06-13 13:54:26 -------- d-----w C:\Program Files\Mozilla Thunderbird 2007-06-12 15:40:20 -------- d-----w C:\Program Files\Yahoo! 2007-06-10 21:08:58 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\Skype 2007-06-10 13:20:47 -------- d--h--w C:\Program Files\InstallShield Installation Information 2007-05-05 09:16:35 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2007-04-27 16:35:05 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\AdobeUM 2007-04-21 12:25:34 -------- d-----w C:\Program Files\SkanerOnline 2007-04-21 11:57:02 6,144 ----a-w C:\WINDOWS\vbstub.exe 2007-04-21 11:57:01 9,728 ----a-w C:\WINDOWS\libHide.dll 2007-04-14 11:08:17 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\FUJIFILM 2007-04-14 10:54:11 -------- d-----w C:\Program Files\REGSHAVE 2007-03-19 18:13:10 6,422,611 ----a-w C:\Program Files\frostwire-4.13.1.6.windows.exe 2007-03-15 10:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll 2007-03-15 10:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll 2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll 2006-10-27 12:00:34 24,576 --sha-r C:\WINDOWS\system32\inetsrv.exe~ ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] {B7593C1D-F58C-AB2D-8A06-F8ADD89529E5}=C:\WINDOWS\system32\wpm.dll [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AtiPTA"="atiptaxx.exe" [2005-11-23 02:05 C:\WINDOWS\system32\atiptaxx.exe] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-06 11:31] "zBrowser Launcher"="F:\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33] "SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 C:\WINDOWS\soundman.exe] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-05-30 14:30] "SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 19:03] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [] "NBJ"="F:\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25] "Ortd"="C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" [] "Hilg"="C:\WINDOWS\?icrosoft\n?tdde.exe" [] "Ofn"="C:\WINDOWS\??mbols\??anregw.exe" [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run] "wlnlogon"=C:\WINDOWS\System.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 14:29] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingdm32] wingdm32.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wudb] C:\WINDOWS\system32\wudb.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^PhoeniX^Menu Start^Programy^Autostart^Adobe Gamma.lnk] path=C:\Documents and Settings\PhoeniX\Menu Start\Programy\Autostart\Adobe Gamma.lnk backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] "F:\D-Tools\daemon.exe" -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav] "F:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner] F:\Trojan Remover\Trjscan.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4aace37e-0e15-11dc-b7c0-000e2e8c2dde}] AutoRun\command- K:\.\Recycled\Driveinfo.exe Open\Command- K:\.\Recycled\Driveinfo.exe ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-13 16:27:36 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-13 16:28:06 C:\ComboFix-quarantined-files.txt ... 2007-06-13 16:28 C:\ComboFix2.txt ... 2007-06-12 17:57 --- E O F --- Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach More sharing options...
CatchMe Napisano 13 Czerwca 2007 Zgłoś Napisano 13 Czerwca 2007 1. Ściągnij: WWDC - Zmień wszystkie opcje z disable na enable i uruchom ponownie komputer. - Prawidłowy układ portów przedstawia zdjęcie: http://www.firewallleaktester.com/images_site/wwdc.jpg * NetBIOS może być żółty. Pobierz i uruchom narzędzie : The Avenger Zaznacz opcję Input script manually i kliknij na Lupkę z prawej strony. W okienku, które się otworzy wklejasz: Files to delete: C:\WINDOWS\System.exe C:\WINDOWS\**mbols\**anregw.exe C:\WINDOWS\*icrosoft\n*tdde.exe C:\WINDOWS\system32\wpm.dll C:\WINDOWS\system32\Process.exe C:\WINDOWS\system32\dumphive.exe C:\WINDOWS\system32\SrchSTS.exe C:\WINDOWS\system32\tmp.reg C:\WINDOWS\nircmd.exe C:\WINDOWS\g21546875.exe C:\WINDOWS\g20218875.exe C:\WINDOWS\g18907718.exe C:\WINDOWS\g17579984.exe C:\WINDOWS\g16257156.exe C:\WINDOWS\g15056671.exe C:\WINDOWS\g1972609.exe C:\WINDOWS\g172625.exe C:\WINDOWS\g293906.exe C:\WINDOWS\g22524062.exe C:\WINDOWS\g17112234.exe C:\WINDOWS\g15791984.exe C:\WINDOWS\g14591968.exe C:\WINDOWS\g13268812.exe C:\WINDOWS\g11947546.exe C:\WINDOWS\g10625703.exe C:\WINDOWS\g9307359.exe C:\WINDOWS\g7982234.exe C:\WINDOWS\g5490046.exe C:\WINDOWS\g4169718.exe C:\WINDOWS\g2849437.exe C:\WINDOWS\g1529093.exe C:\WINDOWS\g208734.exe C:\WINDOWS\g14707406.exe C:\WINDOWS\g175125.exe C:\WINDOWS\g1973812.exe C:\WINDOWS\g174015.exe C:\WINDOWS\g174828.exe C:\WINDOWS\g296171.exe C:\WINDOWS\g7084203.exe C:\WINDOWS\g1853062.exe C:\WINDOWS\g173000.exe C:\WINDOWS\g6915515.exe C:\WINDOWS\g1735765.exe C:\WINDOWS\g1853140.exe C:\WINDOWS\g172828.exe C:\WINDOWS\g297312.exe C:\WINDOWS\g294265.exe C:\WINDOWS\g1861140.exe C:\WINDOWS\g14720468.exe C:\WINDOWS\g1972546.exe C:\WINDOWS\g172593.exe C:\WINDOWS\g2709296.exe C:\WINDOWS\g1498359.exe C:\WINDOWS\g292562.exe C:\WINDOWS\g2431906.exe C:\WINDOWS\g751359.exe C:\WINDOWS\g153156.exe C:\WINDOWS\g3656906.exe C:\WINDOWS\vbstub.exe C:\WINDOWS\libHide.dll C:\Program Files\frostwire-4.13.1.6.windows.exe C:\WINDOWS\system32\inetsrv.exe~ Folders to delete: C:\WINDOWS\?icrosoft C:\WINDOWS\??mbols Klikasz Done, a następnie zielone światełko i zgadzasz się na restart klikając OK. Po restarcie w HijackThis usuwasz wpis/wpisy: O2 - BHO: (no name) - {B7593C1D-F58C-AB2D-8A06-F8ADD89529E5} - C:\WINDOWS\system32\wpm.dll (file missing) O4 - HKCU\..\Run: [Hilg] C:\WINDOWS\?icrosoft\n?tdde.exe O4 - HKCU\..\Run: [Ofn] C:\WINDOWS\??mbols\??anregw.exe O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing) O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing) Kasujesz ręcznie z dysku plik: C:\Avenger\backup.zip i wklejasz na forum raport: C:\avenger.txt + log z HijackThis + log z Silent Runners + log z ComboFix. Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach More sharing options...
PhoeeeniX Napisano 13 Czerwca 2007 Zgłoś Napisano 13 Czerwca 2007 ojj widze że pełno syfu miałem, dzięki za twój czas z góry 8O Wsyztsko zrobiłem, ale po usunięciu plików a Avenger, dałem to zielone swiatelko nad lupą lecz wystapil nastepujacy bład: Selected file does not appear to be a valid script. Co jest źle ? LOGI: Logfile of HijackThis v1.99.1 Scan saved at 22:10:12, on 2007-06-13 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe F:\Logitech\iTouch\iTouch.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\ctfmon.exe F:\FinePixViewer\QuickDCF2.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\bgsvcgen.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe C:\WINDOWS\system32\svchost.exe f:\pinnacle\shared files\programs\mediaserver\pmshost.exe F:\Konnekt\konnekt.exe C:\WINDOWS\system32\wscntfy.exe C:\Documents and Settings\PhoeniX\Pulpit\wwdc.exe C:\Documents and Settings\PhoeniX\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [zBrowser Launcher] F:\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [spyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [NBJ] "F:\Ahead\Nero BackItUp\NBJ.exe" O4 - HKCU\..\Run: [Ortd] "C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" -vt ndrv O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Exif Launcher 2.lnk = ? O4 - Global Startup: Image Transfer.lnk = ? O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - F:\PACIFI~1\pacificpoker.exe O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{5EE64A38-F284-44A1-AD61-EB19F1E1A595}: NameServer = 194.204.159.1,194.204.152.34 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: MSSQL$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing) O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - f:\pinnacle\shared files\programs\mediaserver\pmshost.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing) "Silent Runners.vbs", revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ "wlnlogon" = "C:\WINDOWS\System.exe" [file not found] HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" [file not found] "NBJ" = ""F:\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"] "Ortd" = ""C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" -vt ndrv" [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."] "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."] "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "zBrowser Launcher" = "F:\Logitech\iTouch\iTouch.exe" ["Logitech Inc."] "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."] "!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."] "SpyHunter" = "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" ["Enigma Software Group Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "F:\WinRAR\rarext.dll" [null data] "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {HKLM...CLSID} = "Microsoft Office Outlook" \InProcServer32\(Default) = "F:\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook" \InProcServer32\(Default) = "F:\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "F:\Microsoft Office\OFFICE11\msohev.dll" [MS] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Program Files\Real Player\rpshell.dll" ["RealNetworks, Inc."] "{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell" -> {HKLM...CLSID} = "Studio.Project" \InProcServer32\(Default) = "F:\Pinnacle\Studio 10\programs\BlueShellExt.dll" [null data] "{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager" -> {HKLM...CLSID} = "Sony Ericsson File Manager" \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"] "{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension" -> {HKLM...CLSID} = "Trojan Remover Shell Extension" \InProcServer32\(Default) = "F:\TROJAN~1\Trshlex.dll" ["Simply Super Software"] "{46E22146-59C0-4136-9233-FB7720E777B2}" = "EzCddax extension" -> {HKLM...CLSID} = "EzCddax Class" \InProcServer32\(Default) = "F:\Easy CD-DA Extractor 10\ezcddax10.dll" [null data] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5" -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] HKLM\Software\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."] EzCddax\(Default) = "{46E22146-59C0-4136-9233-FB7720E777B2}" -> {HKLM...CLSID} = "EzCddax Class" \InProcServer32\(Default) = "F:\Easy CD-DA Extractor 10\ezcddax10.dll" [null data] MyPhoneExplorer\(Default) = "{2D30AAA2-9084-4686-B8B9-B9B62EEFFD4E}" -> {HKLM...CLSID} = "MyPhoneExplorer_ShellEx.ShellExt" \InProcServer32\(Default) = "F:\MyPhoneExplorer\DLL\ShellMgr.dll" ["F.J. Wechselberger"] Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}" -> {HKLM...CLSID} = "Trojan Remover Shell Extension" \InProcServer32\(Default) = "F:\TROJAN~1\Trshlex.dll" ["Simply Super Software"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "F:\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "F:\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}" -> {HKLM...CLSID} = "Trojan Remover Shell Extension" \InProcServer32\(Default) = "F:\TROJAN~1\Trshlex.dll" ["Simply Super Software"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "F:\WinRAR\rarext.dll" [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "DisableRegistryTools" = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\PhoeniX\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp" Startup items in "PhoeniX" & "All Users" startup folders: --------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"] "Exif Launcher 2" -> shortcut to: "F:\FinePixViewer\QuickDCF2.exe" ["FUJI PHOTO FILM CO., LTD."] "Image Transfer" -> shortcut to: "F:\Sony Corporation\Image Transfer\SonyTray.exe" [file not found] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "F:\MICROS~1\OFFICE11\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in 1.6.0_01" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.6.0_01" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."] {94EDF7B4-4272-4AF3-8F8B-4E2F68E225B7}\ "ButtonText" = "PacificPoker" "Exec" = "F:\PACIFI~1\pacificpoker.exe" ["Cassava Ent."] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."] B's Recorder GOLD Library General Service, bgsvcgen, "C:\WINDOWS\system32\bgsvcgen.exe" ["B.H.A Corporation"] LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"] MSSQL$PINNACLESYS, MSSQL$PINNACLESYS, ""F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS" [MS] Pinnacle Systems Media Service, PinnacleSys.MediaServer, "f:\pinnacle\shared files\programs\mediaserver\pmshost.exe" [null data] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzlnt05\Driver = "hpzlnt05.dll" ["HP"] Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS] ---------- <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 47 seconds, including 4 seconds for message boxes) ComboFix 07-06-11.3 - C:\Documents and Settings\PhoeniX\Pulpit\ComboFix.exe "PhoeniX" - 2007-06-13 22:17:56 - Dodatek Service Pack 2 NTFS ((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 ))))))))))))))))))))))))))))))) 2007-06-13 16:20 53,248 --a------ C:\WINDOWS\system32\Process.exe 2007-06-13 16:20 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-06-13 16:20 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-06-13 16:20 2,138 --a------ C:\WINDOWS\system32\tmp.reg 2007-06-12 17:50 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-12 17:46 <DIR> d-------- C:\Program Files\Enigma Software Group 2007-06-11 20:30 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-06-11 20:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DANEAP~1\Talkback 2007-06-11 20:22 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji 2007-06-11 20:22 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start 2007-06-11 20:22 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony 2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione 2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit 2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty 2007-06-11 20:21 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT 2007-06-11 20:21 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne 2007-06-11 19:05 <DIR> d-------- C:\WINDOWS\system32\Lang 2007-06-10 15:21 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe 2007-06-10 15:21 <DIR> d-------- C:\Program Files\Realtek Sound Manager 2007-06-10 15:21 <DIR> d-------- C:\Program Files\AvRack 2007-06-10 15:20 577,536 --a------ C:\WINDOWS\soundman.exe 2007-06-10 15:20 4,019,072 --a------ C:\WINDOWS\system32\drivers\alcxwdm.sys 2007-06-10 15:20 315,392 --a------ C:\WINDOWS\alcupd.exe 2007-06-10 15:20 217,088 --a------ C:\WINDOWS\Alcrmv.exe 2007-06-10 15:20 143,360 --a------ C:\WINDOWS\system32\RtlCPAPI.dll 2007-06-10 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe 2007-06-10 15:20 <DIR> d-------- C:\Program Files\Realtek AC97 2007-06-09 17:52 12,800 -ra------ C:\WINDOWS\system32\WING32.DLL 2007-06-08 12:57 75,264 --a------ C:\WINDOWS\system32\unacev2.dll 2007-06-08 12:57 3,440 --a------ C:\WINDOWS\undo.reg 2007-06-08 12:57 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll 2007-06-07 14:58 81,920 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\ezpinst.exe 2007-06-07 14:58 <DIR> d-------- C:\Program Files\vso 2007-06-07 14:07 92,208 -ra------ C:\WINDOWS\system32\WING.DLL 2007-06-07 13:53 87,608 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\inst.exe 2007-06-07 13:53 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys 2007-06-07 13:53 47,360 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\pcouffin.sys 2007-06-07 13:53 <DIR> d-------- C:\DOCUME~1\PhoeniX\DANEAP~1\Vso 2007-06-07 12:07 <DIR> d-------- C:\WINDOWS\system32\NtmsData 2007-06-03 20:51 71,680 --a------ C:\WINDOWS\g21546875.exe 2007-06-03 20:29 71,680 --a------ C:\WINDOWS\g20218875.exe 2007-06-03 20:07 71,680 --a------ C:\WINDOWS\g18907718.exe 2007-06-03 19:45 71,680 --a------ C:\WINDOWS\g17579984.exe 2007-06-03 19:23 71,680 --a------ C:\WINDOWS\g16257156.exe 2007-06-03 19:03 71,680 --a------ C:\WINDOWS\g15056671.exe 2007-06-03 15:25 71,680 --a------ C:\WINDOWS\g1972609.exe 2007-06-03 14:55 71,680 --a------ C:\WINDOWS\g172625.exe 2007-06-03 10:41 71,680 --a------ C:\WINDOWS\g293906.exe 2007-06-02 21:20 71,680 --a------ C:\WINDOWS\g22524062.exe 2007-06-02 19:50 71,680 --a------ C:\WINDOWS\g17112234.exe 2007-06-02 19:28 71,680 --a------ C:\WINDOWS\g15791984.exe 2007-06-02 19:08 71,680 --a------ C:\WINDOWS\g14591968.exe 2007-06-02 18:46 71,680 --a------ C:\WINDOWS\g13268812.exe 2007-06-02 18:24 71,680 --a------ C:\WINDOWS\g11947546.exe 2007-06-02 18:02 71,680 --a------ C:\WINDOWS\g10625703.exe 2007-06-02 17:40 71,680 --a------ C:\WINDOWS\g9307359.exe 2007-06-02 17:18 206 --a------ C:\WINDOWS\g7982234.exe 2007-06-02 14:12 206 --a------ C:\WINDOWS\g5490046.exe 2007-06-02 13:50 206 --a------ C:\WINDOWS\g4169718.exe 2007-06-02 13:28 206 --a------ C:\WINDOWS\g2849437.exe 2007-06-02 13:06 206 --a------ C:\WINDOWS\g1529093.exe 2007-06-02 12:44 206 --a------ C:\WINDOWS\g208734.exe 2007-06-01 19:43 206 --a------ C:\WINDOWS\g14707406.exe 2007-06-01 15:41 206 --a------ C:\WINDOWS\g175125.exe 2007-06-01 12:07 206 --a------ C:\WINDOWS\g1973812.exe 2007-06-01 11:37 206 --a------ C:\WINDOWS\g174015.exe 2007-05-31 20:51 206 --a------ C:\WINDOWS\g174828.exe 2007-05-31 15:25 206 --a------ C:\WINDOWS\g296171.exe 2007-05-30 17:45 206 --a------ C:\WINDOWS\g7084203.exe 2007-05-30 13:43 206 --a------ C:\WINDOWS\g1853062.exe 2007-05-30 13:15 206 --a------ C:\WINDOWS\g173000.exe 2007-05-29 22:22 206 --a------ C:\WINDOWS\g6915515.exe 2007-05-29 18:03 206 --a------ C:\WINDOWS\g1735765.exe 2007-05-29 13:43 206 --a------ C:\WINDOWS\g1853140.exe 2007-05-29 13:15 206 --a------ C:\WINDOWS\g172828.exe 2007-05-28 20:13 206 --a------ C:\WINDOWS\g297312.exe 2007-05-28 14:37 206 --a------ C:\WINDOWS\g294265.exe 2007-05-27 23:00 206 --a------ C:\WINDOWS\g1861140.exe 2007-05-27 14:10 206 --a------ C:\WINDOWS\g14720468.exe 2007-05-27 11:02 <DIR> d-------- C:\Program Files\WinPcap 2007-05-27 10:38 206 --a------ C:\WINDOWS\g1972546.exe 2007-05-27 10:08 206 --a------ C:\WINDOWS\g172593.exe 2007-05-26 20:45 206 --a------ C:\WINDOWS\g2709296.exe 2007-05-26 20:25 206 --a------ C:\WINDOWS\g1498359.exe 2007-05-26 20:05 206 --a------ C:\WINDOWS\g292562.exe 2007-05-26 16:11 206 --a------ C:\WINDOWS\g2431906.exe 2007-05-26 15:43 206 --a------ C:\WINDOWS\g751359.exe 2007-05-26 15:22 206 --a------ C:\WINDOWS\g153156.exe 2007-05-26 15:08 206 --a------ C:\WINDOWS\g3656906.exe (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-13 20:07:01 74,694 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-06-13 20:07:01 453,808 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-06-13 19:42:29 -------- d-----w C:\Program Files\Mozilla Thunderbird 2007-06-12 15:40:20 -------- d-----w C:\Program Files\Yahoo! 2007-06-10 21:08:58 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\Skype 2007-06-10 13:20:47 -------- d--h--w C:\Program Files\InstallShield Installation Information 2007-05-05 09:16:35 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2007-04-27 16:35:05 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\AdobeUM 2007-04-21 12:25:34 -------- d-----w C:\Program Files\SkanerOnline 2007-04-21 11:57:02 6,144 ----a-w C:\WINDOWS\vbstub.exe 2007-04-21 11:57:01 9,728 ----a-w C:\WINDOWS\libHide.dll 2007-04-14 11:08:17 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\FUJIFILM 2007-04-14 10:54:11 -------- d-----w C:\Program Files\REGSHAVE 2007-03-19 18:13:10 6,422,611 ----a-w C:\Program Files\frostwire-4.13.1.6.windows.exe 2007-03-15 10:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll 2007-03-15 10:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll 2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll 2006-10-27 12:00:34 24,576 --sha-r C:\WINDOWS\system32\inetsrv.exe~ ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AtiPTA"="atiptaxx.exe" [2005-11-23 02:05 C:\WINDOWS\system32\atiptaxx.exe] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-06 11:31] "zBrowser Launcher"="F:\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33] "SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 C:\WINDOWS\soundman.exe] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-05-30 14:30] "SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 19:03] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [] "NBJ"="F:\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25] "Ortd"="C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run] "wlnlogon"=C:\WINDOWS\System.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 14:29] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^PhoeniX^Menu Start^Programy^Autostart^Adobe Gamma.lnk] path=C:\Documents and Settings\PhoeniX\Menu Start\Programy\Autostart\Adobe Gamma.lnk backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] "F:\D-Tools\daemon.exe" -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav] "F:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner] F:\Trojan Remover\Trjscan.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4aace37e-0e15-11dc-b7c0-000e2e8c2dde}] AutoRun\command- K:\.\Recycled\Driveinfo.exe Open\Command- K:\.\Recycled\Driveinfo.exe ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-13 22:18:48 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-13 22:19:09 C:\ComboFix-quarantined-files.txt ... 2007-06-13 22:19 --- E O F --- Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach More sharing options...
CatchMe Napisano 14 Czerwca 2007 Zgłoś Napisano 14 Czerwca 2007 Wszystko siedzi nadal... źle wkleiłeś skrypt. Masz wkleić tylko to do okienka: Files to delete: C:\WINDOWS\System.exe C:\WINDOWS\**mbols\**anregw.exe C:\WINDOWS\*icrosoft\n*tdde.exe C:\WINDOWS\system32\wpm.dll C:\WINDOWS\system32\Process.exe C:\WINDOWS\system32\dumphive.exe C:\WINDOWS\system32\SrchSTS.exe C:\WINDOWS\system32\tmp.reg C:\WINDOWS\nircmd.exe C:\WINDOWS\g21546875.exe C:\WINDOWS\g20218875.exe C:\WINDOWS\g18907718.exe C:\WINDOWS\g17579984.exe C:\WINDOWS\g16257156.exe C:\WINDOWS\g15056671.exe C:\WINDOWS\g1972609.exe C:\WINDOWS\g172625.exe C:\WINDOWS\g293906.exe C:\WINDOWS\g22524062.exe C:\WINDOWS\g17112234.exe C:\WINDOWS\g15791984.exe C:\WINDOWS\g14591968.exe C:\WINDOWS\g13268812.exe C:\WINDOWS\g11947546.exe C:\WINDOWS\g10625703.exe C:\WINDOWS\g9307359.exe C:\WINDOWS\g7982234.exe C:\WINDOWS\g5490046.exe C:\WINDOWS\g4169718.exe C:\WINDOWS\g2849437.exe C:\WINDOWS\g1529093.exe C:\WINDOWS\g208734.exe C:\WINDOWS\g14707406.exe C:\WINDOWS\g175125.exe C:\WINDOWS\g1973812.exe C:\WINDOWS\g174015.exe C:\WINDOWS\g174828.exe C:\WINDOWS\g296171.exe C:\WINDOWS\g7084203.exe C:\WINDOWS\g1853062.exe C:\WINDOWS\g173000.exe C:\WINDOWS\g6915515.exe C:\WINDOWS\g1735765.exe C:\WINDOWS\g1853140.exe C:\WINDOWS\g172828.exe C:\WINDOWS\g297312.exe C:\WINDOWS\g294265.exe C:\WINDOWS\g1861140.exe C:\WINDOWS\g14720468.exe C:\WINDOWS\g1972546.exe C:\WINDOWS\g172593.exe C:\WINDOWS\g2709296.exe C:\WINDOWS\g1498359.exe C:\WINDOWS\g292562.exe C:\WINDOWS\g2431906.exe C:\WINDOWS\g751359.exe C:\WINDOWS\g153156.exe C:\WINDOWS\g3656906.exe C:\WINDOWS\vbstub.exe C:\WINDOWS\libHide.dll C:\Program Files\frostwire-4.13.1.6.windows.exe C:\WINDOWS\system32\inetsrv.exe~ Folders to delete: C:\WINDOWS\?icrosoft C:\WINDOWS\??mbols Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach More sharing options...
PhoeeeniX Napisano 15 Czerwca 2007 Zgłoś Napisano 15 Czerwca 2007 Avenger pliki usunął a folderów nie. ZMienil sie log bo potem dałem jescze raz zeby usunał tylko foldery. Jescze co z tymy folderami zrobic ? LOGI: Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\npvckdec ******************* Script file located at: \??\C:\lgjkjchp.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Could not open folder C:\WINDOWS\?icrosoft for deletion Deletion of folder C:\WINDOWS\?icrosoft failed! Could not process line: C:\WINDOWS\?icrosoft Status: 0xc0000033 Could not open folder C:\WINDOWS\??mbols for deletion Deletion of folder C:\WINDOWS\??mbols failed! Could not process line: C:\WINDOWS\??mbols Status: 0xc0000033 Completed script processing. ******************* Finished! Terminate. ComboFix 07-06-11.3 - C:\Documents and Settings\PhoeniX\Pulpit\ComboFix.exe "PhoeniX" - 2007-06-15 18:27:22 - Dodatek Service Pack 2 NTFS ((((((((((((((((((((((((( Files Created from 2007-05-15 to 2007-06-15 ))))))))))))))))))))))))))))))) 2007-06-15 18:27 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-12 17:46 <DIR> d-------- C:\Program Files\Enigma Software Group 2007-06-11 20:30 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-06-11 20:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DANEAP~1\Talkback 2007-06-11 20:22 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji 2007-06-11 20:22 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start 2007-06-11 20:22 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony 2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione 2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit 2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty 2007-06-11 20:21 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT 2007-06-11 20:21 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne 2007-06-11 19:05 <DIR> d-------- C:\WINDOWS\system32\Lang 2007-06-10 15:21 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe 2007-06-10 15:21 <DIR> d-------- C:\Program Files\Realtek Sound Manager 2007-06-10 15:21 <DIR> d-------- C:\Program Files\AvRack 2007-06-10 15:20 577,536 --a------ C:\WINDOWS\soundman.exe 2007-06-10 15:20 4,019,072 --a------ C:\WINDOWS\system32\drivers\alcxwdm.sys 2007-06-10 15:20 315,392 --a------ C:\WINDOWS\alcupd.exe 2007-06-10 15:20 217,088 --a------ C:\WINDOWS\Alcrmv.exe 2007-06-10 15:20 143,360 --a------ C:\WINDOWS\system32\RtlCPAPI.dll 2007-06-10 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe 2007-06-10 15:20 <DIR> d-------- C:\Program Files\Realtek AC97 2007-06-09 17:52 12,800 -ra------ C:\WINDOWS\system32\WING32.DLL 2007-06-08 12:57 75,264 --a------ C:\WINDOWS\system32\unacev2.dll 2007-06-08 12:57 3,440 --a------ C:\WINDOWS\undo.reg 2007-06-08 12:57 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll 2007-06-07 14:58 81,920 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\ezpinst.exe 2007-06-07 14:58 <DIR> d-------- C:\Program Files\vso 2007-06-07 14:07 92,208 -ra------ C:\WINDOWS\system32\WING.DLL 2007-06-07 13:53 87,608 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\inst.exe 2007-06-07 13:53 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys 2007-06-07 13:53 47,360 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\pcouffin.sys 2007-06-07 13:53 <DIR> d-------- C:\DOCUME~1\PhoeniX\DANEAP~1\Vso 2007-06-07 12:07 <DIR> d-------- C:\WINDOWS\system32\NtmsData 2007-05-27 11:02 <DIR> d-------- C:\Program Files\WinPcap (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-15 16:21:06 74,694 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-06-15 16:21:06 453,808 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-06-15 16:09:26 -------- d-----w C:\Program Files\Mozilla Thunderbird 2007-06-12 15:40:20 -------- d-----w C:\Program Files\Yahoo! 2007-06-10 21:08:58 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\Skype 2007-06-10 13:20:47 -------- d--h--w C:\Program Files\InstallShield Installation Information 2007-05-05 09:16:35 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2007-04-27 16:35:05 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\AdobeUM 2007-04-21 12:25:34 -------- d-----w C:\Program Files\SkanerOnline 2007-03-15 10:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll 2007-03-15 10:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll 2007-03-15 10:00:36 466,432 ----a-w C:\WINDOWS\system32\SkanerOnline.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AtiPTA"="atiptaxx.exe" [2005-11-23 02:05 C:\WINDOWS\system32\atiptaxx.exe] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-06 11:31] "zBrowser Launcher"="F:\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33] "SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 C:\WINDOWS\soundman.exe] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-15 18:18] "SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 19:03] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [] "NBJ"="F:\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25] "Ortd"="C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run] "wlnlogon"=C:\WINDOWS\System.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 14:29] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^PhoeniX^Menu Start^Programy^Autostart^Adobe Gamma.lnk] path=C:\Documents and Settings\PhoeniX\Menu Start\Programy\Autostart\Adobe Gamma.lnk backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] "F:\D-Tools\daemon.exe" -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav] "F:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner] F:\Trojan Remover\Trjscan.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4aace37e-0e15-11dc-b7c0-000e2e8c2dde}] AutoRun\command- K:\.\Recycled\Driveinfo.exe Open\Command- K:\.\Recycled\Driveinfo.exe ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-15 18:28:15 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-15 18:28:35 C:\ComboFix-quarantined-files.txt ... 2007-06-15 18:28 C:\ComboFix2.txt ... 2007-06-13 22:19 --- E O F --- "Silent Runners.vbs", revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ "wlnlogon" = "C:\WINDOWS\System.exe" [file not found] HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" [file not found] "NBJ" = ""F:\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"] "Ortd" = ""C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" -vt ndrv" [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."] "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."] "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "zBrowser Launcher" = "F:\Logitech\iTouch\iTouch.exe" ["Logitech Inc."] "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."] "!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."] "SpyHunter" = "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" ["Enigma Software Group Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "F:\WinRAR\rarext.dll" [null data] Logfile of HijackThis v1.99.1 Scan saved at 18:26:57, on 2007-06-15 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe F:\Logitech\iTouch\iTouch.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe F:\FinePixViewer\QuickDCF2.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\bgsvcgen.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe F:\Konnekt\konnekt.exe C:\WINDOWS\system32\svchost.exe f:\pinnacle\shared files\programs\mediaserver\pmshost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Documents and Settings\PhoeniX\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [zBrowser Launcher] F:\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [spyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [NBJ] "F:\Ahead\Nero BackItUp\NBJ.exe" O4 - HKCU\..\Run: [Ortd] "C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" -vt ndrv O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Exif Launcher 2.lnk = ? O4 - Global Startup: Image Transfer.lnk = ? O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - F:\PACIFI~1\pacificpoker.exe O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{5EE64A38-F284-44A1-AD61-EB19F1E1A595}: NameServer = 194.204.159.1,194.204.152.34 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: MSSQL$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing) O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - f:\pinnacle\shared files\programs\mediaserver\pmshost.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing) Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach More sharing options...
CatchMe Napisano 16 Czerwca 2007 Zgłoś Napisano 16 Czerwca 2007 Otwórz Notatnik i wklej w nim to: Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run] "wlnlogon"=- Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> Uruchom plik FIX.REG w trybie awaryjnym >>> Uruchom ponownie komputer. - Pokaż mi tylko log z ComboFix`a po tym zabiegu. Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach More sharing options...
PhoeeeniX Napisano 17 Czerwca 2007 Zgłoś Napisano 17 Czerwca 2007 I jak już jestem healthy ?? Chamskie te syfy trojany widze że trzeba aż tak usuwać. Jeszcze raz dzięki że pomagasz bo sam bym nic nie zrobił raczej 8O ComboFix 07-06-11.3 - C:\Documents and Settings\PhoeniX\Pulpit\ComboFix.exe "PhoeniX" - 2007-06-17 10:48:07 - Dodatek Service Pack 2 NTFS ((((((((((((((((((((((((( Files Created from 2007-05-17 to 2007-06-17 ))))))))))))))))))))))))))))))) 2007-06-15 18:27 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-12 17:46 <DIR> d-------- C:\Program Files\Enigma Software Group 2007-06-11 20:30 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-06-11 20:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DANEAP~1\Talkback 2007-06-11 20:22 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji 2007-06-11 20:22 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start 2007-06-11 20:22 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony 2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione 2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit 2007-06-11 20:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty 2007-06-11 20:21 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT 2007-06-11 20:21 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne 2007-06-11 19:05 <DIR> d-------- C:\WINDOWS\system32\Lang 2007-06-10 15:21 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe 2007-06-10 15:21 <DIR> d-------- C:\Program Files\Realtek Sound Manager 2007-06-10 15:21 <DIR> d-------- C:\Program Files\AvRack 2007-06-10 15:20 577,536 --a------ C:\WINDOWS\soundman.exe 2007-06-10 15:20 4,019,072 --a------ C:\WINDOWS\system32\drivers\alcxwdm.sys 2007-06-10 15:20 315,392 --a------ C:\WINDOWS\alcupd.exe 2007-06-10 15:20 217,088 --a------ C:\WINDOWS\Alcrmv.exe 2007-06-10 15:20 143,360 --a------ C:\WINDOWS\system32\RtlCPAPI.dll 2007-06-10 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe 2007-06-10 15:20 <DIR> d-------- C:\Program Files\Realtek AC97 2007-06-09 17:52 12,800 -ra------ C:\WINDOWS\system32\WING32.DLL 2007-06-08 12:57 75,264 --a------ C:\WINDOWS\system32\unacev2.dll 2007-06-08 12:57 3,440 --a------ C:\WINDOWS\undo.reg 2007-06-08 12:57 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll 2007-06-07 14:58 81,920 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\ezpinst.exe 2007-06-07 14:58 <DIR> d-------- C:\Program Files\vso 2007-06-07 14:07 92,208 -ra------ C:\WINDOWS\system32\WING.DLL 2007-06-07 13:53 87,608 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\inst.exe 2007-06-07 13:53 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys 2007-06-07 13:53 47,360 --a------ C:\DOCUME~1\PhoeniX\DANEAP~1\pcouffin.sys 2007-06-07 13:53 <DIR> d-------- C:\DOCUME~1\PhoeniX\DANEAP~1\Vso 2007-06-07 12:07 <DIR> d-------- C:\WINDOWS\system32\NtmsData 2007-05-27 11:02 <DIR> d-------- C:\Program Files\WinPcap (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-17 08:34:03 74,694 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-06-17 08:34:03 453,808 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-06-17 08:30:32 -------- d-----w C:\Program Files\Mozilla Thunderbird 2007-06-12 15:40:20 -------- d-----w C:\Program Files\Yahoo! 2007-06-10 21:08:58 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\Skype 2007-06-10 13:20:47 -------- d--h--w C:\Program Files\InstallShield Installation Information 2007-05-05 09:16:35 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2007-04-27 16:35:05 -------- d-----w C:\DOCUME~1\PhoeniX\DANEAP~1\AdobeUM 2007-04-21 12:25:34 -------- d-----w C:\Program Files\SkanerOnline ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AtiPTA"="atiptaxx.exe" [2005-11-23 02:05 C:\WINDOWS\system32\atiptaxx.exe] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-06 11:31] "zBrowser Launcher"="F:\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33] "SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 C:\WINDOWS\soundman.exe] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-15 18:18] "SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 19:03] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [] "NBJ"="F:\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25] "Ortd"="C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe" [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run] "wlnlogon"=C:\WINDOWS\System.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 14:29] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^PhoeniX^Menu Start^Programy^Autostart^Adobe Gamma.lnk] path=C:\Documents and Settings\PhoeniX\Menu Start\Programy\Autostart\Adobe Gamma.lnk backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] "F:\D-Tools\daemon.exe" -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav] "F:\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner] F:\Trojan Remover\Trjscan.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4aace37e-0e15-11dc-b7c0-000e2e8c2dde}] AutoRun\command- K:\.\Recycled\Driveinfo.exe Open\Command- K:\.\Recycled\Driveinfo.exe ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-17 10:49:04 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-17 10:49:31 C:\ComboFix-quarantined-files.txt ... 2007-06-17 10:49 C:\ComboFix2.txt ... 2007-06-15 18:28 C:\ComboFix3.txt ... 2007-06-13 22:19 --- E O F --- Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach More sharing options...
Maciej13 Napisano 17 Czerwca 2007 Zgłoś Napisano 17 Czerwca 2007 (edytowane) Czy posiadasz najnowszą wersję narzędzia ComboFix? Użyj: => http://www.outerinfo.com/OiUninstaller.exe => http://www.spywareremove.com/SpywareScanner1325p2s2.exe Pobierz narzędzie The Avenger. Uruchom program w Trybie Awaryjnym i zaznacz opcję Input script manually. Następnie kliknij w "lupkę" po prawej stronie okna programu, a w okienku które Ci się otworzy wklej taki tekst: Files to delete:C:\WINDOWS\System.exeRegistry values to delete: "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run" | "wlnlogon" Kliknij klawisz Done, a następnie 'zielone światełko'. Na komunikat który się wyświetli odpowiadasz OK. C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe Plik na czerwono przeskanuj na Virustotal.com i podaj wyniki na Forum. Czy w Folderze C:\Program Files\Common Files znajduje się jakiś Folder z pytajnikami ("?")? Najlepiej by było jakbyś pokazał screen`a z zawartości Folderu Common Files. Edytowane 17 Czerwca 2007 przez Maciej13 Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach More sharing options...
PhoeeeniX Napisano 18 Czerwca 2007 Zgłoś Napisano 18 Czerwca 2007 A więc tak. Nie wiem czy posiadam najnowszego Combofixa. Zastosowałem twoje instrukcje ale: Avenger przy usuwaniu wyrzucił taki bład ( to juz było w safemode, wczensiej zrobilem to w normlanym trybie i chyba usunął plik system.exe ) : Syntax error in line --- does not appear to be a valid registry path. Line will be ignored. Pliku C:\Windows\system.exe nie mam ale w rejestrze mam to co wskazałeś i moge usunąć ręcznie ale nie usuwałem. Nie rozumiem czemu mam to usuwać teraz jak wcześniej kolega mi zrobił wpis do rejestru właśnie z tym ? Pliku ati2evxx.exe w tym katalogu C:\PROGRA~1\COMMON~1\SSTEM3~1\ati2evxx.exe nie istnieje. Mam taki ale w katalogu sterowników Omega od karty więc to raczej w porządku jest plik. Aha szukałem tego pliku i znalazłem taki tylko że z rozszrzeniem VIR więc go usunołem. W common files nie mam żadnego folderu z ? ale dla pewności masz screena. CLICK ! Wszytsko OK ?No i co z tym dźwiękiem zrobić bo mnei powoli denerwuje słuchanie radiosatcji w kółko hehe 8O Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach More sharing options...
CatchMe Napisano 19 Czerwca 2007 Zgłoś Napisano 19 Czerwca 2007 (edytowane) Prosiłem o wklejanie logów na www.wklej.org 8O ps. http://forum.purepc.pl/index.php?showtopic=235690 Edytowane 22 Czerwca 2007 przez CatchMe Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach More sharing options...
PhoeeeniX Napisano 23 Czerwca 2007 Zgłoś Napisano 23 Czerwca 2007 OK dzięki, będe pamiętał na przyszłość. Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach More sharing options...
