cudotworca, posted 28 April 2009

Hello. I finally decided to paste my logs, because I can't show hidden files, system files and so on. It's possible that this trojan also causes lag, which I don't need...

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:35:26, on 2009-04-28 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\Ati2evxx.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\System32\svchost.exe D:\WINDOWS\system32\Ati2evxx.exe D:\WINDOWS\system32\LEXBCES.EXE D:\WINDOWS\system32\spoolsv.exe D:\WINDOWS\system32\LEXPPS.EXE D:\WINDOWS\Explorer.EXE E:\CFosSpeed\cFosSpeed.exe D:\WINDOWS\win32up.exe D:\Documents and Settings\cudotworca\Dane aplikacji\SanDisk\Sansa Updater\SansaDispatch.exe C:\ActiveSync\wcescomm.exe D:\Documents and Settings\cudotworca\Pulpit\Catcher.exe C:\ACTIVE~1\rapimgr.exe E:\Cashext\Cashext.exe E:\CFosSpeed\spd.exe D:\Program Files\Java\jre6\bin\jqs.exe D:\WINDOWS\system32\PSIService.exe D:\spm\spmdib.exe D:\WINDOWS\system32\Tablet.exe D:\WINDOWS\system32\wscntfy.exe D:\WINDOWS\system32\WTablet\TabUserW.exe D:\WINDOWS\system32\Tablet.exe E:\Firefox 3\firefox.exe C:\ActiveSync\WCESMgr.exe D:\Program Files\Winamp\winamp.exe C:\Konnekt\konnekt.exe C:\Logi\HiJack\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 
7.0\ActiveX\AcroIEHelper.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\BitComet\tools\BitCometBHO_1.2.1.2.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [cFosSpeed] E:\CFosSpeed\cFosSpeed.exe O4 - HKLM\..\Run: [Windows Updates] D:\WINDOWS\win32up.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "D:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin O4 - HKCU\..\Run: [Paseczek] E:\Paseczek\Paseczek.exe O4 - HKCU\..\Run: [Konnekt_3313f61f] "C:\Konnekt\konnekt.exe" /autostart -profile=? O4 - HKCU\..\Run: [sansaDispatch] D:\Documents and Settings\cudotworca\Dane aplikacji\SanDisk\Sansa Updater\SansaDispatch.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\ActiveSync\wcescomm.exe" O4 - HKCU\..\Run: [Catcher] D:\Documents and Settings\cudotworca\Pulpit\Catcher.exe O4 - HKCU\..\Run: [amva] D:\WINDOWS\system32\amvo.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: Cashext (2).lnk = E:\Cashext\Cashext.exe O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ACTIVE~1\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ACTIVE~1\INetRepl.dll O9 - Extra 'Tools' menuitem: Utwórz Ulubione dla 
urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ACTIVE~1\INetRepl.dll O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - E:\CFosSpeed\spd.exe O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProtexisLicensing - Unknown owner - D:\WINDOWS\system32\PSIService.exe O23 - Service: SPM License Server (spmd) - mental images GmbH - D:\spm\spmdib.exe O23 - Service: TabletService - Wacom Technology, Corp. 
- D:\WINDOWS\system32\Tablet.exe -- End of file - 5432 bytes

Silent Runners log:

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "Paseczek" = "E:\Paseczek\Paseczek.exe" ["Codeton Software"] "Konnekt_3313f61f" = ""C:\Konnekt\konnekt.exe" /autostart -profile=?" ["Stamina"] "SansaDispatch" = "D:\Documents and Settings\cudotworca\Dane aplikacji\SanDisk\Sansa Updater\SansaDispatch.exe" ["SanDisk Corporation"] "H/PC Connection Agent" = ""C:\ActiveSync\wcescomm.exe"" [MS] "Catcher" = "D:\Documents and Settings\cudotworca\Pulpit\Catcher.exe" [null data] "amva" = "D:\WINDOWS\system32\amvo.exe" [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "cFosSpeed" = "E:\CFosSpeed\cFosSpeed.exe" ["cFos Software GmbH"] "Windows Updates" = "D:\WINDOWS\win32up.exe" [empty string] "NvCplDaemon" = "RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS] "NvMediaCenter" = "RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS] "AdobeCS4ServiceManager" = ""D:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin" ["Adobe Systems Incorporated"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "AcroIEHlprObj Class" \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture" -> {HKLM...CLSID} = "BitComet Helper" \InProcServer32\(Default) = "C:\BitComet\tools\BitCometBHO_1.2.1.2.dll" ["BitComet"] {DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided) -> 
{HKLM...CLSID} = "Java Plug-In 2 SSV Helper" \InProcServer32\(Default) = "D:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."] {E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl" -> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class" \InProcServer32\(Default) = "D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{AD392E40-428C-459F-961E-9B147782D099}" = "UltraISO" -> {HKLM...CLSID} = "UIContextMenu Class" \InProcServer32\(Default) = "E:\UltraISO\isoshell.dll" ["EZB Systems, Inc."] "{2B3453E4-49DF-11D3-8229-0080BE509050}" = "GMail Drive" -> {HKLM...CLSID} = "GMail Drive" \InProcServer32\(Default) = "D:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"] "{2B3453E4-49DF-11D3-8229-0080BE509052}" = "GMailFS Property Sheet" -> {HKLM...CLSID} = "GMailFS Property Sheet" \InProcServer32\(Default) = "D:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"] "{2B3453E4-49DF-11D3-8229-0080BE509054}" = "GMailFS Drop Handler" -> {HKLM...CLSID} = "GMailFS Drop Handler" \InProcServer32\(Default) = "D:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"] "{2B3453E4-49DF-11D3-8229-0080BE509056}" = "GMailFS Context Menu" -> {HKLM...CLSID} = "GMailFS Context Menu" \InProcServer32\(Default) = "D:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" 
["Alexander Roshal"] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "D:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {HKLM...CLSID} = "Desktop Explorer" \InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {HKLM...CLSID} = "nView Desktop Context Menu" \InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "D:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device" -> {HKLM...CLSID} = "Urządzenie przenośne" \InProcServer32\(Default) = "C:\ACTIVE~1\Wcesview.dll" [MS] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}" -> {HKLM...CLSID} = "MShellExtMenu Class" \InProcServer32\(Default) = "E:\MagicISO\misosh.dll" ["MagicISO, Inc."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"] 
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}" -> {HKLM...CLSID} = "MShellExtMenu Class" \InProcServer32\(Default) = "E:\MagicISO\misosh.dll" ["MagicISO, Inc."] UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}" -> {HKLM...CLSID} = "UIContextMenu Class" \InProcServer32\(Default) = "E:\UltraISO\isoshell.dll" ["EZB Systems, Inc."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}" -> {HKLM...CLSID} = "MShellExtMenu Class" \InProcServer32\(Default) = "E:\MagicISO\misosh.dll" ["MagicISO, Inc."] UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}" -> {HKLM...CLSID} = "UIContextMenu Class" \InProcServer32\(Default) = "E:\UltraISO\isoshell.dll" ["EZB Systems, Inc."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ {C95FFEAE-A32E-4122-A5C4-49B5BFB69795}\(Default) = "{C95FFEAE-A32E-4122-A5C4-49B5BFB69795}" -> {HKLM...CLSID} = "Adobe Drive CS4" \InProcServer32\(Default) = "D:\Program Files\Common Files\Adobe\Adobe Drive CS4\ADFSMenu.dll" ["Adobe Systems Incorporated"] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ BridgeCS4ImportMediaOnArrival\ "Provider" = "Adobe Bridge CS4" "InvokeProgID" = "Adobe.adobebridgeCS4" "InvokeVerb" = "launch" HKLM\SOFTWARE\Classes\Adobe.adobebridgeCS4\shell\launch\command\(Default) = "C:\Adobe Photoshop CS4\Adobe Bridge CS4\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."] BridgeCS4NonVolumeHandler\ "Provider" = "Adobe Bridge CS4" "ProgID" = "Adobe.adobebridgeMTP_1" HKLM\SOFTWARE\Classes\Adobe.adobebridgeMTP_1\CLSID\(Default) = "{1E6C711B-6D70-4a65-8AB6-745DC19BE2A6}" -> {HKLM...CLSID} = "Adobe Bridge CS4" \LocalServer32\(Default) = "C:\Adobe Photoshop CS4\Adobe Bridge CS4\bridgeproxy.exe -m" ["Adobe Systems, Inc."] WinampMTPHandler\ "Provider" = "Winamp" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = "D:\Program Files\Winamp\winamp.exe" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] WinampPlayMediaOnArrival\ "Provider" = "Winamp" "InvokeProgID" = "Winamp.File" "InvokeVerb" = "Play" 
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""D:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"] HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}" -> {HKLM...CLSID} = (no title provided) \LocalServer32\(Default) = ""D:\Program Files\Winamp\winamp.exe"" ["Nullsoft"] Startup items in "cudotworca" & "All Users" startup folders: ------------------------------------------------------------ D:\Documents and Settings\cudotworca\Menu Start\Programy\Autostart "Cashext (2)" -> shortcut to: "E:\Cashext\Cashext.exe" [null data] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\ "ButtonText" = "Create Mobile Favorite" "CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}" -> {HKLM...CLSID} = "Create Mobile Favorite" \InProcServer32\(Default) = "C:\ACTIVE~1\INetRepl.dll" [MS] {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\ "MenuText" = "Utwórz Ulubione dla urządzenia przenośnego..." 
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}" -> {HKLM...CLSID} = "Create Mobile Favorite" \InProcServer32\(Default) = "C:\ACTIVE~1\INetRepl.dll" [MS] {D18A0B52-D63C-4ED0-AFC6-C1E3DC1AF43A}\ "ButtonText" = "BitComet" "Script" = "res://C:\BitComet\tools\BitCometBHO_1.2.1.2.dll/206" ["BitComet"] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] cFosSpeed System Service, cFosSpeedS, ""E:\CFosSpeed\spd.exe" -service" ["cFos Software GmbH"] Java Quick Starter, JavaQuickStarterService, ""D:\Program Files\Java\jre6\bin\jqs.exe" -service -config "D:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."] LexBce Server, LexBceS, "D:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."] ProtexisLicensing, ProtexisLicensing, "D:\WINDOWS\system32\PSIService.exe" [null data] SPM License Server, spmd, "D:\spm\spmdib.exe" ["mental images GmbH"] TabletService, TabletService, "D:\WINDOWS\system32\Tablet.exe" ["Wacom Technology, Corp."] Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\system32\wdfmgr.exe" [MS] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."] ---------- (launch time: 2009-04-28 17:43:46) <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 270 seconds. 
---------- (total run time: 316 seconds)
Kolobos, posted 28 April 2009

Plug in the infected removable media and use Flash Disinfector, then post a ComboFix log.
cudotworca, posted 30 April 2009

ComboFix log:

"cudotworca" - 2009-04-30 13:54:46 - ComboFix 07-07-04.4 - Dodatek Service Pack 2 ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) D:\DOCUME~1\ALLUSE~1\DANEAP~1.\TEMP ((((((((((((((((((((((((( Files Created from 2009-03-28 to 2009-04-30 ))))))))))))))))))))))))))))))) 2009-04-30 13:54 51,200 --a------ D:\WINDOWS\nircmd.exe 2009-04-06 17:29 <DIR> d-------- D:\DOCUME~1\CUDOTW~1\DANEAP~1\com.onair.adobe.flump.F72717AFE33D104747EFA2864DDFAA9D568C67C7.1 2009-03-23 19:11 <DIR> d-------- D:\Program Files\Blue Point Studios 2009-03-17 16:51 4,296,704 -ra------ D:\WINDOWS\unasetup.exe 2009-03-15 19:11 420,240 --a------ D:\WINDOWS\system32\mpg4c32.dll 2009-03-15 19:11 309,616 --a------ D:\WINDOWS\system32\wmv8dmod.dll 2009-03-08 18:10 <DIR> d-------- D:\DOCUME~1\CUDOTW~1\DANEAP~1\HLSW (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2009-04-30 11:41:22 -------- d-----w D:\DOCUME~1\CUDOTW~1\DANEAP~1\WTablet 2009-04-30 11:40:59 54,784 --sh--w D:\WINDOWS\system32\amvo0.dll 2009-04-28 14:49:49 79,386 ----a-w D:\WINDOWS\system32\perfc015.dat 2009-04-28 14:49:49 457,230 ----a-w D:\WINDOWS\system32\perfh015.dat 2009-03-26 15:22:37 -------- d--h--w D:\Program Files\InstallShield Installation Information 2009-03-09 03:19:08 410,984 -c--a-w D:\WINDOWS\system32\deploytk.dll 2009-03-05 14:25:45 73,216 ----a-w D:\WINDOWS\ST6UNST.EXE 2009-03-05 14:25:45 249,856 ------w D:\WINDOWS\Setup1.exe 2008-03-08 15:46:29 88 -csh--r D:\WINDOWS\system32\CEDE404B3D.sys 2008-12-22 09:13:26 900 -csha-w D:\WINDOWS\system32\KGyGaAvL.sys ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper 
Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] 2006-01-12 21:38 63128 --a------ D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}] 2008-01-25 12:06 496952 --a------ C:\BitComet\tools\BitCometBHO_1.2.1.2.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}] 2009-03-09 05:18 35840 --a------ D:\Program Files\Java\jre6\bin\jp2ssv.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}] 2009-03-09 05:18 73728 --a------ D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "cFosSpeed"="E:\CFosSpeed\cFosSpeed.exe" [2008-02-14 18:27] "AdobeCS4ServiceManager"="D:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 08:58] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Paseczek"="E:\Paseczek\Paseczek.exe" [2008-03-07 23:21] "Konnekt_3313f61f"="C:\Konnekt\konnekt.exe" [2005-05-24 23:41] "SansaDispatch"="D:\Documents and Settings\cudotworca\Dane aplikacji\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-04-02 22:31] "H/PC Connection Agent"="C:\ActiveSync\wcescomm.exe" [2006-11-13 16:57] "Catcher"="D:\Documents and Settings\cudotworca\Pulpit\Catcher.exe" [2008-12-28 01:00] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=D:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] "E:\Adobe Lightroom\apdproxy.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeBridge] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr] 
ALCMTR.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva] D:\WINDOWS\system32\amvo.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AQQ] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA] atiptaxx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite] "C:\DAEMON Tools Lite\daemon.exe" -autorun [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gainward] D:\Program Files\VDOTool\TBPanel.exe /A [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent] "C:\ActiveSync\wcescomm.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] %systemroot%\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "E:\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] RTHDCPL.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch] D:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel] SkyTel.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam] "D:\Program Files\Steam\Steam.exe" -silent [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WheelMouse] D:\Program 
Files\A4Tech\Mouse\Amoumain.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] "D:\Program Files\Winamp\winampa.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32a49180-392f-11dd-891b-001c250fd028}] AutoRun\command- I:\2ifetri.cmd explore\Command- I:\2ifetri.cmd open\Command- I:\2ifetri.cmd [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{908f9836-003b-11de-8aa3-001c250fd028}] AutoRun\command- I:\2ifetri.cmd explore\Command- I:\2ifetri.cmd open\Command- I:\2ifetri.cmd ************************************************************************** catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-30 13:56:16 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKCU\Software\Microsoft\Windows\CurrentVersion\Run SansaDispatch = D:\Documents and Settings\cudotworca\Dane aplikacji\SanDisk\Sansa Updater\SansaDispatch.exe?latform=&is-debug=&rom-version=&part-number=&product-name=&content-class=common_content&?%25 scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\JavaQuickStarterService] "ImagePath"="\"D:\Program Files\Java\jre6\bin\jqs.exe\" -service -config \"D:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf\"" Completion time: 2009-04-30 13:56:32 --- E O F ---
Kolobos, posted 1 May 2009

I don't see in the log that you used Flash Disinfector; why didn't you do it? Paste this into Notepad:

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32a49180-392f-11dd-891b-001c250fd028}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{908f9836-003b-11de-8aa3-001c250fd028}]

Save it as fix.reg and run it. Finally, block access to the mountpoints2 key: http://www.searchengines.pl/Infekcje-z-pen...ych-t94761.html (point 3 in the prevention section).
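An added triage script, not part of the thread or of the tools it mentions: it reads ComboFix-style registry blocks, flags MountPoints2 entries whose AutoRun/open/explore verb launches a script or executable from a drive other than the system drive (the removable-media worm pattern behind amvo.exe), and emits a REGEDIT4 fix in the shape Kolobos prescribes. SAMPLE_LOG is constructed from the ComboFix excerpts above, reflowed one entry per line; SYSTEM_DRIVE being D: is an assumption taken from the poster's paths.

```python
"""Triage helper for the USB-autorun worm pattern discussed in this thread.

Reads ComboFix-style registry blocks, flags MountPoints2 entries whose
AutoRun/open/explore command launches a script or executable from a drive
other than the system drive, and emits a REGEDIT4 file that deletes those
keys plus any startup keys the analyst names explicitly (here: amva).
"""
import re

# Constructed sample: excerpts of the ComboFix log posted above, reflowed
# one entry per line the way ComboFix itself prints them.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
D:\WINDOWS\system32\amvo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"D:\Program Files\Winamp\winampa.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32a49180-392f-11dd-891b-001c250fd028}]
AutoRun\command- I:\2ifetri.cmd
explore\Command- I:\2ifetri.cmd
open\Command- I:\2ifetri.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{908f9836-003b-11de-8aa3-001c250fd028}]
AutoRun\command- I:\2ifetri.cmd
explore\Command- I:\2ifetri.cmd
open\Command- I:\2ifetri.cmd
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VERB_RE = re.compile(r"^(AutoRun\\command|explore\\Command|open\\Command)- (.+)$", re.I)
# File types an autorun.inf-style hijack typically launches.
LAUNCH_EXT = (".cmd", ".bat", ".com", ".exe", ".pif", ".scr", ".vbs")
# Assumption: the poster's Windows lives on D: (see the paths in the logs).
SYSTEM_DRIVE = "d:"


def parse_log(text):
    """Return (keys, mountpoints).

    keys:        every registry key path in the order it appears
    mountpoints: {key_path: {verb: command}} for MountPoints2 keys only
    """
    keys, mountpoints, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.append(current)
            if "\\mountpoints2\\" in current.lower():
                mountpoints[current] = {}
            continue
        m = VERB_RE.match(line)
        if m and current in mountpoints:
            mountpoints[current][m.group(1).lower()] = m.group(2).strip()
    return keys, mountpoints


def suspicious_mountpoints(mountpoints):
    """Keys whose autorun/open/explore verb runs a launchable file from a
    non-system drive, i.e. the removable-media worm persistence pattern."""
    flagged = []
    for key, verbs in mountpoints.items():
        for cmd in verbs.values():
            target = cmd.strip('"').lower()
            if target.endswith(LAUNCH_EXT) and not target.startswith(SYSTEM_DRIVE):
                flagged.append(key)
                break
    return flagged


def build_fix(keys, mountpoints, remove_values):
    """Build REGEDIT4 text deleting the flagged MountPoints2 keys and every
    key whose last path element matches a name in remove_values."""
    wanted = {v.lower() for v in remove_values}
    doomed = list(suspicious_mountpoints(mountpoints))
    doomed += [k for k in keys
               if k.rsplit("\\", 1)[-1].lower() in wanted and k not in doomed]
    lines = ["REGEDIT4", ""]
    for key in doomed:
        lines += [f"[-{key}]", ""]   # leading '-' deletes the whole key
    return "\n".join(lines)


if __name__ == "__main__":
    found_keys, mps = parse_log(SAMPLE_LOG)
    print(build_fix(found_keys, mps, ["amva"]))
```

Review the flagged keys by hand before applying the generated file; the heuristic only says a volume's autorun verb points at a launchable file off the system drive, which is exactly what the two GUID keys in the log do.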
cudotworca, posted 1 May 2009

I did use Flash Disinfector, and after that operation nothing about amvo.exe popped up any more; I could show hidden files and everything worked better. I don't know why it doesn't show in the logs. Now I've done what you wrote, fixed the registry and set the permissions. Should I post any more logs? Thanks for the help.
Kolobos, posted 1 May 2009

No need.