zuy_zgred

Win32/adware.virtumonde I Win32/privacyremover.m64

Spoiler: "hijack this"
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:31:28, on 2008-08-25
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
E:\Program Files\Raxco\PerfectDisk\PDSched.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Instalki\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - E:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - E:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 3626 bytes

Spoiler: "silent runners"
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"SkyTel" = "SkyTel.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"avast!" = "E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{500BCA15-57A7-4eaf-8143-8C619470B13D}\(Default) = "XML module"
-> {HKLM...CLSID} = "XML Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\msxml71.dll" [null data]
{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}\(Default) = "Ask Toolbar BHO"
-> {HKLM...CLSID} = "Ask Toolbar BHO"
\InProcServer32\(Default) = "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" ["Ask.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"
-> {HKLM...CLSID} = "IE Microsoft AutoComplete"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "E:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "E:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "PDBoot.exe" ["Raxco Software, Inc."]|"autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "E:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "E:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "E:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "E:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"NoDispBackgroundPage" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Control Panel|Display|
Hide Desktop tab}

"NoDispScrSavPage" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\system32\phc9e9j0ec0l.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\blphc9e9j0ec0l.scr" [file not found]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MSPlayCDAudioOnArrival\
"Provider" = "ALLPlayer"
"InvokeProgID" = "AllPlayerFile"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\AllPlayerFile\shell\play\command\(Default) = ""E:\Program Files\MarBit\ALLPlayer\ALLPlayer.exe" "%1"" ["MarBit"]

SonyDVConnectvegas8\
"Provider" = "Sony Vegas Pro 8.0"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""E:\Program Files\Sony\Vegas Pro 8.0\vegas80.exe""
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "E:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""E:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = ""E:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"
-> {HKLM...CLSID} = "Ask Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" ["Ask.com"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}" = (no title provided)
-> {HKLM...CLSID} = "Ask Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" ["Ask.com"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""E:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Lavasoft Ad-Aware Service, aawservice, ""E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe"" ["Lavasoft"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PDScheduler, PDSched, ""E:\Program Files\Raxco\PerfectDisk\PDSched.exe"" ["Raxco Software, Inc."]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


---------- (launch time: 2008-08-25 09:34:22)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 45 seconds.
---------- (total run time: 107 seconds)

I think I managed to remove the virus, but I'm not sure. The virus left one more problem behind: the wallpaper can't be changed.
(attached image)

edit: combofix fixed my wallpaper.

Spoiler: "combofix log"
ComboFix 08-08-24.02 - Alstadi 2008-08-25 11:45:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.1695 [GMT 2:00]
Running from: E:\combofix\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-24 23:40 . 2003-03-18 22:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-08-24 23:31 . 2008-08-24 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-08-24 23:30 . 2008-08-24 23:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-24 23:29 . 2008-08-24 23:29 102,916 --a------ C:\WINDOWS\system32\msxml71.dll
2008-08-22 20:08 . 2008-08-22 20:08 <DIR> d-------- C:\Documents and Settings\Alstadi\Dane aplikacji\Command & Conquer 3 Tiberium Wars
2008-08-22 20:03 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-08-20 22:18 . 2008-08-20 22:18 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Last.fm
2008-08-17 17:47 . 2008-08-20 20:46 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-08-17 17:47 . 2008-08-17 17:51 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-08-17 17:47 . 2008-08-20 20:46 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-08-17 17:45 . 2008-08-17 17:45 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-08-17 17:45 . 2008-08-17 17:45 <DIR> dr-h----- C:\Documents and Settings\Alstadi\Dane aplikacji\SecuROM
2008-08-17 17:45 . 2008-08-17 17:45 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-08-17 09:59 . 2008-08-17 10:42 <DIR> d-------- C:\Documents and Settings\Alstadi\Dane aplikacji\Sony
2008-08-17 09:59 . 2008-08-17 09:59 <DIR> d-------- C:\Documents and Settings\Alstadi\Dane aplikacji\Publish Providers
2008-08-17 09:53 . 2008-08-17 09:53 <DIR> d-------- C:\Program Files\Vstplugins
2008-08-17 09:53 . 2008-08-17 09:53 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Sony
2008-08-17 09:52 . 2008-08-17 09:52 <DIR> d-------- C:\Program Files\MSBuild
2008-08-17 09:49 . 2008-08-17 09:49 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-08-17 09:49 . 2008-08-17 09:49 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-08-17 09:49 . 2006-06-29 13:07 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-08-17 09:49 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-08-17 09:34 . 2008-08-17 09:34 <DIR> d-------- C:\Documents and Settings\Alstadi\Dane aplikacji\Sony Setup
2008-08-16 18:00 . 2008-08-24 22:53 <DIR> d-------- C:\Documents and Settings\Alstadi\Dane aplikacji\Azureus
2008-08-16 18:00 . 2008-08-16 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Azureus
2008-08-16 17:59 . 2008-08-16 17:59 <DIR> d-------- C:\Program Files\AskSBar
2008-08-16 17:33 . 2008-08-22 18:29 <DIR> d-a------ C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-08-15 22:48 . 2008-08-15 22:48 280 --a------ C:\WINDOWS\system32\PDBootState
2008-08-15 22:41 . 2008-08-15 22:41 <DIR> d-------- C:\Program Files\Common Files\Raxco
2008-08-15 22:41 . 2008-08-15 22:41 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Raxco
2008-08-15 22:30 . 2008-08-15 22:30 25,992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe
2008-08-14 14:05 . 2008-08-14 14:05 262,144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-08-14 14:05 . 2008-08-14 14:05 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-08-14 14:04 . 2008-08-14 14:04 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2008-08-14 14:04 . 2007-09-07 14:55 27,672 --a------ C:\WINDOWS\system32\drivers\Entech.sys
2008-08-14 14:04 . 2007-09-07 14:55 12,744 --a------ C:\WINDOWS\system32\drivers\Entech64.sys
2008-08-14 14:04 . 2007-09-07 14:55 6,173 --a------ C:\WINDOWS\system32\drivers\Entech.vxd
2008-08-14 14:04 . 2001-11-19 20:05 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2008-08-13 19:17 . 2008-08-13 19:18 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-08-13 19:17 . 2008-08-13 19:19 <DIR> d-------- C:\Documents and Settings\Alstadi\Dane aplikacji\Ahead
2008-08-13 18:11 . 2008-08-13 18:11 33,952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2008-08-13 17:19 . 2006-12-10 23:32 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-08-13 17:19 . 2006-12-10 23:32 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-08-13 17:19 . 2008-06-08 23:58 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-08-13 17:19 . 2008-06-12 20:36 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-08-13 17:19 . 2007-07-10 18:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-08-13 15:32 . 2008-08-13 15:32 <DIR> d-------- C:\Program Files\Gigabyte
2008-08-13 15:32 . 2008-08-13 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\InstallShield
2008-08-13 15:32 . 2005-02-17 07:15 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-08-13 15:29 . 2008-08-13 15:29 16,608 --a------ C:\WINDOWS\gdrv.sys
2008-08-13 12:55 . 2008-08-13 12:55 <DIR> d-------- C:\Logs
2008-08-13 12:01 . 2008-08-13 13:06 <DIR> d-------- C:\Documents and Settings\Alstadi\Dane aplikacji\Winamp
2008-08-13 11:03 . 2008-08-13 11:28 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-08-13 09:11 . 2008-08-13 09:11 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-08-13 09:11 . 2008-08-13 09:11 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-08-13 09:11 . 2008-08-13 09:11 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-08-13 09:09 . 2007-01-12 16:54 520,192 --a------ C:\WINDOWS\RtlExUpd.dll
2008-08-13 08:42 . 2008-08-13 10:06 <DIR> d-------- C:\Documents and Settings\Alstadi\Dane aplikacji\Miranda
2008-08-13 08:21 . 2008-08-13 08:21 <DIR> d-------- C:\Program Files\SigmaTel
2008-08-13 08:20 . 2008-08-13 08:20 <DIR> d-------- C:\Program Files\Intel Desktop Boards
2008-08-13 08:06 . 2008-08-13 08:06 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-08-13 06:27 . 2008-08-13 06:27 <DIR> d-------- C:\Program Files\xp-AntiSpy
2008-08-13 06:26 . 2008-08-13 06:26 <DIR> d-------- C:\Program Files\Adaptec ASPI Installer
2008-08-13 06:26 . 2002-07-17 06:50 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-08-13 06:26 . 2002-07-17 06:23 16,877 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-08-13 06:26 . 2002-07-17 13:52 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
2008-08-13 06:26 . 2002-07-17 13:52 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
2008-08-13 06:17 . 2008-08-13 06:17 <DIR> d-------- C:\WINDOWS\OPTIONS
2008-08-13 06:17 . 2008-08-13 09:10 <DIR> d-------- C:\Program Files\Realtek
2008-08-13 06:17 . 2008-08-14 14:03 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-08-13 06:17 . 2008-08-13 06:17 <DIR> d-------- C:\Documents and Settings\Alstadi\Dane aplikacji\InstallShield
2008-08-13 06:17 . 2008-06-16 12:38 109,184 --a------ C:\WINDOWS\system32\drivers\Rtenicxp.sys
2008-08-13 06:16 . 2008-04-13 19:45 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-08-13 06:08 . 2008-08-13 06:08 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-08-13 05:58 . 2008-08-13 05:58 <DIR> d-------- C:\WINDOWS\nview
2008-08-13 05:58 . 2008-08-13 23:47 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-08-13 05:58 . 2008-05-16 09:18 446,464 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-08-13 05:58 . 2008-05-16 11:31 446,464 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-08-13 05:58 . 2008-08-25 09:25 186,097 --a------ C:\WINDOWS\system32\nvapps.xml
2008-08-13 05:58 . 2008-05-16 11:31 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-08-13 05:57 . 2008-08-13 05:57 <DIR> d-------- C:\NVIDIA
2008-08-13 05:55 . 2008-08-13 05:55 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-13 05:55 . 2008-08-13 05:55 <DIR> d-------- C:\Program Files\Intel
2008-08-13 05:55 . 2008-05-01 14:05 53,248 --a------ C:\WINDOWS\system32\CSVer.dll
2008-08-13 05:54 . 2008-08-13 05:54 <DIR> d-------- C:\Intel
2008-08-13 05:04 . 2008-08-13 05:04 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-08-13 04:59 . 2008-08-13 04:59 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-11 23:32 . 2008-08-11 23:32 1,571,840 --a------ C:\WINDOWS\system32\sfcfiles.dll
2008-08-11 23:14 . 2008-08-11 23:14 203,136 --a------ C:\WINDOWS\system32\drivers\RMCast.sys
2008-08-11 23:14 . 2008-08-11 23:14 203,136 --a--c--- C:\WINDOWS\system32\dllcache\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-12 21:21 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-12 21:20 --------- d-----w C:\Program Files\Usługi online
2008-08-11 21:30 86,073 ----a-w C:\WINDOWS\system32\usrfaxa.dll
2008-08-11 21:15 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-08-11 21:15 273,024 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-08-11 21:15 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-08-11 21:15 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-08-11 21:15 219,648 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-08-11 21:15 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-08-11 21:15 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 22:51 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 11:31 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 11:31 86016]
"avast!"="E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 16:38 78008]
"nwiz"="nwiz.exe" [2008-05-16 11:31 1630208 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 15:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 22:51 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\Miranda IM\\miranda32.exe"=
"E:\\Program Files\\Vuze\\Azureus.exe"=
"E:\\Program Files\\eMule\\emule.exe"=

R0 Defrag32b;Defrag32Boot;C:\WINDOWS\system32\drivers\Defrag32b.sys [2005-11-22 11:33]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-08-13 18:11]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 Defrag32;Defrag32;C:\WINDOWS\system32\drivers\Defrag32.sys [2005-11-22 11:33]
R2 PDSched;PDScheduler;E:\Program Files\Raxco\PerfectDisk\PDSched.exe [2005-11-29 11:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fee98650-7073-11dd-af26-001d7dcc6578}]
\Shell\AutoRun\command - I:\autorun.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-lphc9e9j0ec0l - C:\WINDOWS\system32\lphc9e9j0ec0l.exe
MSConfigStartUp-Somefox - C:\DOCUME~1\Alstadi\USTAWI~1\Temp\70.tmp.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Alstadi\Dane aplikacji\Mozilla\Firefox\Profiles\i8hpxvsg.default\
FF -: plugin - E:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll
FF -: plugin - E:\Program Files\Mozilla Firefox\plugins\npnul32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 11:46:40
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-25 11:47:00
ComboFix-quarantined-files.txt 2008-08-25 09:46:58

Pre-Run: 5,875,064,832 bytes free
Post-Run: 5,876,142,080 bytes free


I guess everything is clean now? Edited by koloboss

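What the three logs above actually say, as an added example that is not part of the forum post and not code from HijackThis, Silent Runners or ComboFix: a small Python triage script run over lines copied from those logs. It keys on the markers the tools themselves emit (`[null data]`, `[file not found]`, `Unknown owner`, the ComboFix ORPHANS section) and on one correlation the logs show but do not point out: the wallpaper `phc9e9j0ec0l.bmp`, the screensaver `blphc9e9j0ec0l.scr` and the orphaned startup `lphc9e9j0ec0l.exe` differ only by a short prefix. The severity labels, the 8-character stem cutoff and the function names are this example's own assumptions.

```python
"""Triage of HijackThis / Silent Runners / ComboFix excerpts.

Added example; the sample lines are copied from the logs in the post,
the scoring and the stem-clustering heuristic are assumptions of this example.
"""
import re
from collections import defaultdict

# Constructed sample: lines taken from the three logs above.
HJT_LOG = r"""
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""
SILENT_RUNNERS_LOG = r"""
\InProcServer32\(Default) = "C:\WINDOWS\system32\msxml71.dll" [null data]
\InProcServer32\(Default) = "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" ["Ask.com"]
"Wallpaper" = "C:\WINDOWS\system32\phc9e9j0ec0l.bmp"
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\blphc9e9j0ec0l.scr" [file not found]
"""
COMBOFIX_ORPHANS = r"""
MSConfigStartUp-lphc9e9j0ec0l - C:\WINDOWS\system32\lphc9e9j0ec0l.exe
MSConfigStartUp-Somefox - C:\DOCUME~1\Alstadi\USTAWI~1\Temp\70.tmp.exe
"""

SR_TAGGED = re.compile(r'= "([^"]+)" \[(null data|file not found)\]')
SR_DESKTOP = re.compile(r'"(Wallpaper|SCRNSAVE\.EXE)" = "([^"]+)"')
CF_ORPHAN = re.compile(r"^MSConfigStartUp-(\S+) - (.+)$", re.M)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def stem(path):
    return basename(path).rsplit(".", 1)[0].lower()


def parse_hjt(text):
    """Split HijackThis O2/O4/O23 lines into (kind, name, owner, path)."""
    out = []
    for line in text.strip().splitlines():
        parts = line.split(" - ")
        kind = parts[0]
        if kind == "O2":        # O2 - BHO: name - {CLSID} - dll
            out.append((kind, parts[1][len("BHO: "):], None, parts[3]))
        elif kind == "O23":     # O23 - Service: name - owner - exe
            out.append((kind, parts[1][len("Service: "):], parts[2], parts[3]))
        elif kind == "O4":      # O4 - hive\..\Run: [name] command
            m = re.match(r"O4 - (.*?): \[(.*?)\] (.*)", line)
            out.append((kind, m.group(2), None, m.group(3)))
    return out


def cluster_by_stem(paths, min_len=8):
    """Group files whose names differ only by a short prefix, e.g.
    lphcXXXX.exe, blphcXXXX.scr and phcXXXX.bmp all end in the same stem.
    min_len is an assumption: shorter stems cluster too easily."""
    names = {stem(p): basename(p) for p in paths}
    groups = defaultdict(set)
    for s, full in names.items():
        # the shortest known stem this name ends with becomes the cluster key
        key = min((t for t in names if len(t) >= min_len and s.endswith(t)),
                  key=len, default=s)
        groups[key].add(full)
    return groups


def triage(hjt, sr, cf):
    """Return (severity, reason, where) findings; severities are assumptions."""
    findings, artifacts = [], []
    for kind, name, owner, path in parse_hjt(hjt):
        artifacts.append(path)
        if kind == "O2" and "\\system32\\" in path.lower():
            # a BHO is loaded into every IE/Explorer process; note it, rank later
            findings.append(("info", f"BHO '{name}' loaded from system32", path))
        if kind == "O23" and owner == "Unknown owner":
            findings.append(("low", f"service '{name}' has no vendor in its version info", path))
    for path, tag in SR_TAGGED.findall(sr):
        artifacts.append(path)
        if tag == "null data" and path.lower().endswith(".dll"):
            findings.append(("high", "in-process DLL with no version resource", path))
    for key, path in SR_DESKTOP.findall(sr):
        artifacts.append(path)
        if "\\system32\\" in path.lower():
            findings.append(("high", f"{key} points into system32 (wallpaper/screensaver hijack)", path))
    for name, path in CF_ORPHAN.findall(cf):
        artifacts.append(path)
        if "\\temp\\" in path.lower():
            findings.append(("high", f"orphaned startup '{name}' ran from a Temp directory", path))
    for key, members in cluster_by_stem(artifacts).items():
        if len(members) >= 2:
            findings.append(("high", f"{len(members)} artifacts share the random stem '{key}'",
                             "; ".join(sorted(members))))
    return findings


if __name__ == "__main__":
    for sev, why, where in triage(HJT_LOG, SILENT_RUNNERS_LOG, COMBOFIX_ORPHANS):
        print(f"[{sev:4}] {why}: {where}")
```

Read against the post: the `low` entry for PnkBstrA is only a prompt to verify the file (PunkBuster's anti-cheat service carries that name, and ComboFix shows it arriving on 2008-08-17 together with PnkBstrB.exe and PnkBstrK.sys), not an indicator on its own. The entry that matters is msxml71.dll: ComboFix lists it as created at 23:29 on 2008-08-24, the evening before the scans, Silent Runners cannot read a version resource from it, and it is registered as a Browser Helper Object under a name that mimics Microsoft's msxml libraries, which is the shape of the Virtumonde component named in the thread title. ComboFix's "hidden files: 0" says nothing about it, so hashing that DLL and checking it against a multi-engine scanner is the check to do before calling the machine clean. Two further things worth a look: the BootExecute value `lsdelete` belongs to Ad-Aware, which was installed minutes after msxml71.dll appeared, so it is expected; and the `mountpoints2` entries pointing at `I:\Autorun.exe` mean a removable drive with an autorun file was plugged in, which is a common reinfection path on XP.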

Guest
This topic has been closed. New replies cannot be added.