Mam problem z virusem nesneler.exe ( w tym "pakiecie" jest między innymi pac.exe i ktkbdhk3.dll. jeszcze zanim poczytałam o nim w sieci próbowałam wywalić go po prostu wyrzucając ten plik do kosza jednak po kazdym ponownym uruchomieniu komputera był on w tym samym miejscu ( C:\Temp) a pac.exe i ktkbdhk3.dll znajdowały się w folderze C:\WINDOWS\system32. Z tego co dowiedziałam się grzebiąc w necie ten wirus między innymi udostępnia dyski C: i D: . Na jakimś forum w necie przeczytałam że jesli zmieni sie rozszerzenie z .exe na .txt i wywali cala zawartosc tekstowa tego pliku pozniej sie on nie odnawia. Próbowałam i tego ale jednak to nie podziałało. Aż pewnego razu spróbowałam jeszcze raz go wywalić(tak ostatecznie bo pozniej mialam szukać dalej innych rad) i tym razem sie nie odnowił. Nigdzie nie ma pliku nesneler.exe, pac.exe ani ktkbdhk3.dll jednak w Mój Komputer przy dyskach C: i D: dalej znajdują sie 'rączki oznaczające że dysk jest udostępniany. teraz nie wiem co zrobić bo rady na temat tego wirusa dotyczą tego jak go wywalić ale jego nie ma w tych lokalizacjach w jakich jest na forach. Załączam Logi:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:53, on 2007-08-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
I:\Program Files\aswUpdSv.exe
I:\Program Files\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
I:\Program Files\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
I:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
I:\Program Files\Microsoft ActiveSync\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\YDP\UserAccessManager\useraccess.exe
I:\Program Files\Ares\Ares.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
I:\Program Files\ashMaiSv.exe
I:\Program Files\ashWebSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vobis.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.vobis.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Tłumaczenie - {0D704FAD-66E9-4F0A-BFED-4F665770DDB3} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] "I:\Program Files\ashDisp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [H/PC Connection Agent] "I:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ares] "I:\Program Files\Ares\Ares.exe" -h
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - I:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - I:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103 - {B46B0919-62BA-4D99-A5C4-916B57A6805C} - C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.vobis.pl/
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169624249296
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - I:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - I:\Program Files\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - I:\Program Files\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - I:\Program Files\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - I:\Program Files\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Securom User Access for Windows 2000 and Windows XP a technology by Sony DADC (UserAccess) - Unknown owner - C:\Program Files\Common Files\YDP\UserAccessManager\useraccess.exe
--
End of file - 6644 bytes
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ComboFix 07-08-03.4 - "Piotrek" 2007-08-03 11:23:09.1 [GMT 2:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.Prawda
((((((((((((((((((((((((( Files Created from 2007-07-03 to 2007-08-03 )))))))))))))))))))))))))))))))
2007-08-03 11:22 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-03 11:04 <DIR> d-------- C:\Temp\{21DBBDD6-93A5-4326-9A04-C9A5C9148502}
2007-08-03 10:35 <DIR> d-------- C:\Temp\WPDNSE
2007-08-02 21:41 77,824 --a------ C:\Temp\swt-gdip-win32-3344.dll
2007-08-02 21:41 307,200 --a------ C:\Temp\swt-win32-3344.dll
2007-07-24 17:51 <DIR> d-------- C:\Temp\WER97bf.dir00
2007-07-24 13:20 <DIR> d-------- C:\Temp\DXB6.tmp
2007-07-24 13:04 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-07-24 13:04 118,784 --a------ C:\WINDOWS\system32\msstdfmt.dll
2007-07-24 13:04 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-07-12 18:15 73,728 --a------ C:\Temp\swt-gdip-win32-3325.dll
2007-07-12 18:14 303,104 --a------ C:\Temp\swt-win32-3325.dll
2007-07-12 15:35 <DIR> d-------- C:\!KillBox
2007-07-08 22:47 <DIR> d-------- C:\Program Files\Deluxe Ski Jump 3
2007-07-08 22:46 <DIR> d-------- C:\Temp\eJayInst
2007-07-08 22:45 28,672 --a------ C:\WINDOWS\eJreadme.exe
2007-07-07 23:23 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-07-07 23:23 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-07-07 23:23 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-07-07 23:23 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-07-07 23:23 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-07-07 23:23 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-07-07 23:23 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-07-07 23:23 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-07-07 23:23 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-07-07 23:22 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2007-07-07 23:22 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2007-07-07 19:14 143,872 --a------ C:\WINDOWS\system32\iacenc.dll
2007-07-07 19:14 <DIR> d-------- C:\Temp\pw1C~tmp
2007-07-07 19:12 <DIR> d-------- C:\Program Files\GSI
2007-07-07 19:02 643,072 --a------ C:\Temp\cres.dll
2007-07-07 19:02 45,056 --a------ C:\Temp\sres.dll
2007-07-07 19:02 2,007,040 --a------ C:\Temp\cshell.dll
2007-07-07 19:01 <DIR> d-------- C:\Program Files\Fox
2007-07-07 19:00 <DIR> d-------- C:\Temp\goinstall
2007-07-07 18:12 <DIR> d-------- C:\Program Files\Eidos Interactive
2007-07-07 18:09 <DIR> d-------- C:\Program Files\Arcade Mah Jongg
2007-07-07 17:21 <DIR> d-------- C:\Program Files\Soldier of Fortune II - SP Demo
2007-07-07 14:15 <DIR> d-------- C:\Avalon
2007-07-06 13:24 52 --a------ C:\WINDOWS\system\ACD2.CMD
2007-07-06 13:24 52 --a------ C:\WINDOWS\system\ACD.CMD
2007-07-06 13:23 24,626 --a------ C:\WINDOWS\system32\scrrntr.dll
2007-07-06 13:23 180,224 --a------ C:\WINDOWS\system32\Ijl11.dll
2007-07-06 00:15 207 --ah----- C:\DOCUME~1\Piotrek\APPLIC~1\hpothb07.dat
2007-07-06 00:01 792 --ah----- C:\hpothb07.dat
2007-07-06 00:01 1,510 --ah----- C:\DOCUME~1\Piotrek\hpothb07.dat
2007-07-05 23:56 <DIR> d-------- C:\DOCUME~1\Piotrek\APPLIC~1\Hewlett-Packard
2007-07-05 23:52 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-07-05 23:51 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-07-05 23:50 19,558 --a------ C:\WINDOWS\hpoins01.dat
2007-07-05 23:50 16,606 --------- C:\WINDOWS\hpomdl01.dat
2007-07-05 23:45 <DIR> d-------- C:\Temp\pft20C~tmp
2007-07-04 19:25 <DIR> d-------- C:\Temp\_av_proI.tm~a00636
2007-07-04 18:35 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-07-04 18:35 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-04 18:35 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-04 18:35 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-04 18:35 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-04 18:35 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-04 18:35 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-04 13:30 <DIR> d-------- C:\Temp\{F7A46D32-A2F4-49D1-B742-E291C00EC719}
2007-07-03 21:23 <DIR> d-------- C:\Temp\AVK_UpdateBase1
2007-07-03 21:23 <DIR> d-------- C:\Temp\AVK_UpdateBase0
2007-07-03 20:18 47,312 --a------ C:\WINDOWS\system32\drivers\MiniIcpt.sys
2007-07-03 20:16 <DIR> d-------- C:\Temp\{06B21B41-D8A3-47BC-AC94-226FB0AE0952}
2007-07-03 18:24 <DIR> d-------- C:\Temp\WER1631.dir00
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2060-08-18 19:02 1496064 --------- C:\WINDOWS\system32\Cc3250mt.dll
2060-08-18 18:40 909824 --------- C:\WINDOWS\system32\Cp3245mt.dll
2060-08-18 18:40 24064 --------- C:\WINDOWS\system32\Borlndmm.dll
2007-08-03 11:23 --------- d-------- C:\DOCUME~1\Piotrek\APPLIC~1\Azureus
2007-08-03 11:11 --------- d-------- C:\DOCUME~1\Piotrek\APPLIC~1\OpenOffice.ux.pl2
2007-08-02 21:41 --------- d-------- C:\Program Files\Azureus
2007-07-31 23:27 --------- d-------- C:\DOCUME~1\Piotrek\APPLIC~1\Skype
2007-07-24 13:04 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-08 22:44 1255 --a------ C:\WINDOWS\unins000.dat
2007-07-02 19:26 11973 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-28 18:43 85 -r------- C:\QUIZPG1.BAT
2007-06-28 16:30 --------- d-------- C:\Program Files\Electronic Arts
2007-06-25 16:07 --------- d-------- C:\Program Files\Common Files\YDP
2007-06-25 16:06 --------- d-------- C:\Program Files\ViaVoice
2007-06-25 16:06 --------- d-------- C:\Program Files\Common Files\GraphBoard 2.00
2007-06-25 16:05 4608 --a------ C:\WINDOWS\system32\w95inf32.dll
2007-06-25 16:05 2272 --a------ C:\WINDOWS\system32\w95inf16.dll
2007-06-25 10:24 --------- d-------- C:\Program Files\DaemonTools_WhenUSave_Installer
2007-06-25 10:21 682232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-25 10:18 --------- d-------- C:\Program Files\Common Files\EZB Systems
2007-06-20 10:20 --------- d-------- C:\DOCUME~1\Piotrek\APPLIC~1\Lavasoft
2007-06-20 00:08 --------- d-------- C:\Program Files\QuickTime(2)
2007-06-20 00:08 --------- d-------- C:\Program Files\QuickTime
2007-06-12 19:50 --------- d-------- C:\Program Files\Apple Software Update
2007-06-03 23:53 --------- d-------- C:\Program Files\Skype
2007-06-03 23:53 --------- d-------- C:\Program Files\Common Files\Skype
2007-05-29 17:40 482 --a------ C:\Program Files\INSTALL.LOG
2007-05-16 17:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 17:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 17:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 17:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 17:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 17:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-15 20:57 524 --a------ C:\WINDOWS\bpfdat.dat
2007-05-13 22:45 809 --a------ C:\WINDOWS\unins001.dat
2007-05-04 14:59 3064320 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
1998-04-30 14:56 129024 --a------ C:\Program Files\UNWISE.EXE
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 18:39 C:\WINDOWS\SOUNDMAN.EXE]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-24 02:52]
"avast!"="I:\Program Files\ashDisp.exe" [2007-04-30 17:42]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-04-19 17:43]
"H/PC Connection Agent"="I:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 19:44]
"ares"="I:\Program Files\Ares\Ares.exe" [2007-05-04 02:32]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 18:21:38]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
R1 ISODrive;ISO DVD/CD-ROM Device Driver;\??\I:\Program Files\UltraISO\drivers\ISODrive.sys
R1 nvport;NVIDIA PORT IO Control Driver;\??\C:\WINDOWS\system32\Drivers\nvport.sys
R1 PQNTDrv;PQNTDrv;C:\WINDOWS\system32\drivers\PQNTDrv.sys
R3 USBCM;Scientific Atlanta USB Cable Modem Driver;C:\WINDOWS\system32\DRIVERS\Sacm1K.sys
S3 MHN;MHN;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 MHNDRV;MHN driver;C:\WINDOWS\system32\DRIVERS\mhndrv.sys
S3 MSDV;Microsoft DV Camera and VCR;C:\WINDOWS\system32\DRIVERS\msdv.sys
S3 usb_rndisx;USB RNDIS Adapter;C:\WINDOWS\system32\DRIVERS\usb8023x.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b360cc1-1063-11dc-8422-bd2a8b85ea50}]
Auto\command- N:\activexdebugger32.exe f
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
explore\Command- N:\activexdebugger32.exe f
open\Command- N:\activexdebugger32.exe f
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea18e626-fadb-11db-83a8-8a7828eef270}]
Auto\command- activexdebugger32.exe f
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
explore\Command- activexdebugger32.exe f
open\Command- activexdebugger32.exe f
Contents of the 'Scheduled Tasks' folder
2007-07-31 17:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-07-05 21:56:24 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1183672531.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
2007-07-23 23:47:13 C:\WINDOWS\Tasks\WebReg 20070724014712.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-03 11:24:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
source file error: C:\Documents and Settings\Piotrek\ntuser.dat
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-03 11:24:56
--- E O F ---
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
"Silent Runners.vbs", revision R51, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"H/PC Connection Agent" = ""I:\Program Files\Microsoft ActiveSync\wcescomm.exe"" [MS]
"ares" = ""I:\Program Files\Ares\Ares.exe" -h" ["Ares Development Group"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"avast!" = ""I:\Program Files\ashDisp.exe"" ["ALWIL Software"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "I:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Mobile Device"
\InProcServer32\(Default) = "I:\Program Files\Microsoft ActiveSync\Wcesview.dll" [MS]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""I:\Program Files\OpenOffice.ux.pl 2.1.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""I:\Program Files\OpenOffice.ux.pl 2.1.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""I:\Program Files\OpenOffice.ux.pl 2.1.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""I:\Program Files\OpenOffice.ux.pl 2.1.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "I:\Program Files\WinRAR\rarext.dll" [null data]
"{AD392E40-428C-459F-961E-9B147782D099}" = "UltraISO"
-> {HKLM...CLSID} = "UIContextMenu Class"
\InProcServer32\(Default) = "I:\Program Files\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "I:\Program Files\ashShell.dll" ["ALWIL Software"]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""I:\Program Files\OpenOffice.ux.pl 2.1.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "I:\Program Files\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "I:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"
-> {HKLM...CLSID} = "UIContextMenu Class"
\InProcServer32\(Default) = "I:\Program Files\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "I:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "I:\Program Files\ashShell.dll" ["ALWIL Software"]
UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"
-> {HKLM...CLSID} = "UIContextMenu Class"
\InProcServer32\(Default) = "I:\Program Files\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "I:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}
"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Piotrek\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Startup items in "Piotrek" & "All Users" startup folders:
---------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"hp psc 1000 series" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe" ["Hewlett-Packard Co."]
"hpoddt01.exe" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
Enabled Scheduled Tasks:
------------------------
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
"FRU Task #Hewlett-Packard#hp psc 1200 series#1183672531" -> launches: "C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1183672531"" [empty string]
"WebReg 20070724014712" -> launches: "C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe /TaskName 20070724014712 /N "HP psc 1200 Series" /M Q1662A /S MY4AKG313FT0 /AP 303 /F /T " ["Hewlett-Packard Co."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0D704FAD-66E9-4F0A-BFED-4F665770DDB3}" = (no title provided)
-> {HKLM...CLSID} = "&Tłumaczenie"
\InProcServer32\(Default) = "C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll" ["Techland"]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID\{175556B1-4D91-4E9A-9C4B-D6888D5DEE6C}\(Default) = ";&Ramka Tłumaczenia"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll" [";Techland"]
HKLM\Software\Classes\CLSID\{D553F157-2AB0-4B46-98D2-7BA7CA418491}\(Default) = "&Słownik Podręczny"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll" ["Techland"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_04"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "I:\Program Files\Microsoft ActiveSync\INetRepl.dll" [MS]
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "I:\Program Files\Microsoft ActiveSync\INetRepl.dll" [MS]
{B46B0919-62BA-4D99-A5C4-916B57A6805C}\
"MenuText" = "@C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll,-103"
"CLSIDExtension" = "{B46B0919-62BA-4D99-A5C4-916B57A6805C}"
-> {HKLM...CLSID} = "InternetTranslatorProperties Class"
\InProcServer32\(Default) = "C:\Program Files\Techland\Common\InternetTranslator\InternetTranslator.dll" ["Techland"]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.vobis.pl/
Missing lines (compared with English-language version):
[Strings]: 1 line
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""I:\Program Files\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""I:\Program Files\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""I:\Program Files\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""I:\Program Files\ashWebSv.exe" /service" ["ALWIL Software"]
Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]
Securom User Access for Windows 2000 and Windows XP a technology by Sony DADC, UserAccess, "C:\Program Files\Common Files\YDP\UserAccessManager\useraccess.exe" [null data]
Usługa Odbiornik Media Center, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Usługa Planowanie nagrywania, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
Usługa udostępniania w sieci programu Windows Media Player, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\WMPNetwk.exe"" [MS]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]
---------- (launch time: 2007-08-03 11:33:07)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 51 seconds, including 11 seconds for message boxes)
z góry dziekuję za odpowiedź
pozdrawiam[code][/code]
Załączam logi z ComboFix'a tak na zaś:
